Privacy Policy

This Privacy Policy explains how Multiply Academy Limited ("we", "us", "our", "Multiply Academy") collects, uses, and protects your personal data when you use our training platform at multiply.academy (the "Service").

We are committed to protecting your privacy and being transparent about how we use your data. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Multiply Academy Limited is the data controller for your personal data.

• Company number: 05505845
• Registered office: Available on the Companies House register
• Data protection contact: hello@multiply.academy

This Privacy Policy should be read alongside our Terms and Conditions, which govern your use of the Service.

We collect the following categories of personal data:

Information You Provide

• Account information: Name, email address, and login credentials
• Profile information: Information about your professional context that helps us personalise your training
• Content you submit: Reflections, messages, and other content you provide through the Service
• Payment information: Payment details necessary to process transactions (handled by our payment processor)

Information Collected Automatically

• Usage data: How you interact with the Service, including pages visited and features used
• Device information: Browser type, operating system, and device characteristics
• Network information: IP address and approximate location (country level)
• Cookies: See Section 9 (Cookies)

Information From Third Parties

If you sign in using a third-party authentication provider (such as Google or Microsoft), we receive your name and email address from that provider. We do not receive your password.

We use your data for the following purposes:

To Deliver the Service (Lawful Basis: Contract)

• Creating and managing your account
• Providing access to training modules
• Processing your payments
• Communicating about your subscription and account

This processing is necessary to perform our contract with you.

To Personalise Your Experience (Lawful Basis: Legitimate Interests)

• Using information you provide about your professional context to generate content tailored to your work
• Using content you submit to improve your experience and subsequent interactions
• Adapting the Service to your technical environment

Our legitimate interest is providing effective, personalised training that delivers better learning outcomes. We have assessed that this processing is necessary for our service and does not override your privacy rights. You can object to personalisation at any time (see Section 8).

To Improve the Service (Lawful Basis: Legitimate Interests)

• Analysing usage patterns to understand what works and what doesn't
• Identifying technical issues and fixing bugs
• Developing new features and content

Our legitimate interest is improving our training platform. We use aggregated and anonymised data where possible.

To Create Aggregated Resources (Lawful Basis: Legitimate Interests)

• Analysing patterns across users in similar roles to identify common workflows and challenges
• Creating role-specific resources from aggregated insights
• Improving our curriculum based on what works for different user groups

Our legitimate interest is developing better training materials. Individual contributions are aggregated and anonymised in these resources.

To Communicate With You (Lawful Basis: Legitimate Interests)

• Sending service-related communications (account updates, security notices, subscription reminders)
• Sending marketing communications about our products and services

For marketing emails, we rely on the "soft opt-in" under the Privacy and Electronic Communications Regulations (PECR). This means we may email you about our products and services because you provided your email when signing up. Every marketing email includes an easy unsubscribe option, and you can opt out at any time.

We use artificial intelligence to personalise your experience. This section explains how it works and how we protect your data.

How It Works

1. You provide profile information about your professional context
2. You submit content through the Service
3. This information is processed by our AI service provider to generate personalised responses and content
4. Personalised content is stored in your account for you to access

Our AI Service Providers

We use third-party AI services to generate personalised content. When your data is sent to these providers:

• It is processed solely to generate your personalised content
• It is not used to train their AI models
• Our agreements require them to maintain appropriate security and delete data when no longer needed
• We only use providers who offer data protection terms consistent with UK GDPR

What AI Processing Involves

The AI analyses your profile information and the content you submit to:

• Understand your professional context
• Provide relevant responses and recommendations
• Generate content tailored to your situation

This is automated processing, but it does not make decisions about your access to the Service. It only personalises your experience.

Your Rights Regarding AI Processing

• Right to information: This notice explains how AI processes your data
• Right to object: You can object to AI processing. As personalisation is core to how the Service works, we may not be able to continue providing the Service if you object, in which case we will close your account. Any refund will be at our discretion, taking into account the training content you have already accessed.
• Right to access: You can request copies of all AI-generated content about you
• Right to erasure: You can request deletion of your data and AI-generated content

To exercise these rights, contact us at hello@multiply.academy.

We share your data only as described below. We do not sell your personal data.

Categories of Recipients

We use service providers by category rather than naming specific companies. This allows us to change providers without updating this policy, while maintaining equivalent data protection standards.

Our agreements with these providers require them to:

• Process data only on our instructions
• Maintain appropriate security measures
• Not use your data for their own purposes
• Delete data when no longer needed

When We May Disclose Data

We may also disclose your data:

• To comply with legal obligations or valid legal requests
• To protect our rights, property, or safety, or that of our users
• In connection with a business transfer (merger, acquisition, or sale of assets) - you would be notified of any change in controller
• With your consent

Your data may be transferred to and processed in countries outside the United Kingdom. This may include transfers to the United States or other countries where our service providers operate.

When we transfer data internationally, we ensure it is protected by appropriate safeguards, which may include:

• Adequacy decisions: Transfers to countries the UK has determined provide adequate data protection
• UK-US Data Bridge: For US providers certified under the Data Privacy Framework
• Standard Contractual Clauses (SCCs): UK-approved contractual terms requiring the recipient to protect your data to UK standards

You can contact us for more information about the specific safeguards in place for any transfer.

We retain your data for as long as necessary to fulfil the purposes described in this policy, which includes:

• Providing the Service while your account is active
• Allowing you to return and reactivate your account
• Improving our training based on how users learn
• Creating aggregated resources for users in similar roles
• Complying with legal obligations (e.g., tax records must be kept for 7 years)
• Defending against potential legal claims (the limitation period for most claims is 6 years)

We do not automatically delete your data when your subscription ends or your account becomes inactive. This allows you to reactivate your account in future without losing your progress.

Your control: You can request deletion of your data at any time (see Section 8). We will delete it unless we have a legal obligation to retain it (such as tax records).

Anonymised data (which cannot identify you) may be retained indefinitely for research and analysis.

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption of data in transit and at rest
• Secure authentication systems
• Access controls limiting who can access your data
• Use of reputable service providers with strong security practices

While we take reasonable precautions, no system is completely secure. You are responsible for keeping your login credentials confidential.

In the unlikely event of a data breach affecting your personal data, we will notify you and the relevant authorities as required by law.

Under UK GDPR, you have the following rights:

How to Exercise Your Rights

Contact us at hello@multiply.academy with your request. We will respond within one month. If your request is complex, we may extend this by up to two months (we will let you know).

We may ask you to verify your identity before processing certain requests.

There is no fee for most requests. If a request is manifestly unfounded or excessive, we may charge a reasonable fee or refuse to act.

Right to Complain

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Helpline: 0303 123 1113

We would appreciate the opportunity to address your concerns directly before you contact the ICO.

For Users in Canada

If you are in Canada, you may also complain to the Office of the Privacy Commissioner of Canada:

• Website: priv.gc.ca

For Users in the United States

If California privacy law applies to you (based on residency and our business operations), you may have additional rights including the right to know what personal information we collect and the right to request deletion. Contact us at hello@multiply.academy to exercise these rights.

Cookies are small text files placed on your device when you visit our website. Our Cookie Policy is included in our Terms and Conditions.

Summary

• Strictly necessary cookies: Required for the Service to function (authentication, security). No consent required.
• Analytics cookies: Help us understand how users interact with the Service. Require your consent.
• Functionality cookies: Remember your preferences. Require your consent.
• Marketing cookies: May be used to deliver relevant content. Require your consent.

When you first visit, you will see a cookie consent banner where you can accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings link in our website footer.

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18.

If we become aware that we have collected data from someone under 18, we will delete it promptly. If you believe we may have data about someone under 18, please contact us.

We may update this Privacy Policy from time to time. When we make changes:

• Material changes: We will notify you by email at least 30 days before the changes take effect
• Minor changes: May be made without advance notice; check the "Last updated" date

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

If you have questions about this Privacy Policy or how we handle your data, please contact us at hello@multiply.academy.

We aim to respond to all enquiries within 5 working days.