CPD.me
HomePrivacy Policy

Privacy Policy

Last updated: 7 May 2026

1. Who We Are

CPD.me is a CPD accreditation platform for holistic therapy, beauty, wellness, and coaching training providers. The platform is operated by Sacred Skills Ltd, a company registered in England and Wales.

We are committed to protecting your privacy and handling your personal data transparently, lawfully, and securely in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

The data controller for personal data collected through cpd.me.uk is:

Sacred Skills Ltd is responsible for deciding how your personal data is collected, stored, and used.

3. What Data We Collect

We may collect and process the following categories of personal data:

Account Data

  • Full name and contact name
  • Email address
  • Phone number
  • Organisation/business name
  • Business type and address

Professional Data

  • Qualifications and credentials
  • Years of experience
  • Areas of expertise
  • Insurance provider details
  • Teaching credentials

Programme Data

  • Programme names, descriptions, and documentation
  • Learning outcomes and assessment criteria
  • CPD hours and delivery methods
  • Supporting evidence and materials

Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and interaction data
  • Login timestamps

Payment Data

  • Billing name and address
  • Transaction history
  • Subscription status

Important: We do not store full payment card numbers on our servers. All card details are processed and stored securely by Stripe.

4. Why We Collect Data

We collect personal data for the following purposes:

  • To provide and manage accreditation services
  • To process programme submissions and reviews
  • To manage your account and provide platform access
  • To process payments and manage subscriptions
  • To communicate with you about your account or submissions
  • To maintain the public provider directory
  • To comply with legal and regulatory obligations
  • To improve our platform and services
  • To prevent fraud and protect platform security

We process your personal data under the following lawful bases:

  • Contract: Processing necessary to perform our contract with you (providing accreditation services, managing your account).
  • Legitimate Interests: Processing necessary for our legitimate business interests (platform security, service improvement, fraud prevention) where those interests are not overridden by your rights.
  • Legal Obligation: Processing necessary to comply with legal requirements (tax records, regulatory compliance).
  • Consent: Where you have given clear consent for specific purposes (marketing communications, optional analytics).

6. Account Information

When you create an account, we collect your email address and any profile information you choose to provide. This data is used to authenticate your access, manage your submissions, and communicate with you about your accreditation.

Your password is never stored in plain text. Authentication is handled securely through our infrastructure provider with industry-standard encryption.

7. Payment Information

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. We do not have access to your full card number, CVV, or other sensitive payment details.

We retain:

  • Transaction IDs and amounts
  • Payment dates and status
  • Subscription type and billing cycle
  • Last four digits of your card (for reference only)

For more information about how Stripe handles your data, please refer to Stripe's privacy policy at stripe.com/privacy.

8. Accreditation Submission Data

When you submit programmes for accreditation, we collect and store the programme documentation, supporting materials, and any evidence you provide. This data is:

  • Accessible only to authorised CPD.me administrators and assessors.
  • Used solely for the purpose of accreditation assessment.
  • Stored securely with access controls.
  • Retained for the duration of your accreditation plus a statutory retention period.

Your submission data is never sold, shared with other providers, or used for marketing purposes.

9. Communication Data

We retain records of communications between you and CPD.me, including emails, support messages, and feedback. This helps us maintain context, resolve disputes, and improve our service quality.

10. Cookies

Our platform uses essential cookies to manage your authentication session and remember your preferences. We may also use analytics cookies to understand how the platform is used. See our detailed Cookies Policy section below.

11. Analytics

We may collect anonymised usage data to understand how our platform is used and to identify areas for improvement. This data is aggregated and cannot be used to identify individual users.

Analytics data includes page views, feature usage, session duration, and navigation patterns. This data helps us prioritise development and improve user experience.

12. Email Tracking

Some emails sent from CPD.me may include tracking mechanisms (such as open tracking and click tracking) to help us understand engagement with our communications. This is used solely for the purpose of improving our communication effectiveness.

You may opt out of marketing communications at any time. Transactional emails (related to your account or submissions) will continue to be sent as necessary.

13. Data Retention

We retain personal data for the following periods:

  • Account data: For the duration of your account plus 2 years after closure.
  • Programme submissions: For the duration of accreditation plus 3 years.
  • Payment records: 7 years (as required by UK tax law).
  • Communication records: 3 years from the date of communication.
  • Analytics data: 26 months maximum.

After retention periods expire, data is securely deleted or anonymised. You may request earlier deletion subject to our legal obligations (see Your Rights below).

14. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right to Access

You may request a copy of all personal data we hold about you. We will respond within one calendar month of receiving your request.

Right to Rectification

You may request correction of any inaccurate or incomplete personal data. You can update most information directly through your account settings.

Right to Erasure

You may request deletion of your personal data where there is no compelling reason for continued processing. This right is subject to our legal retention obligations and legitimate business needs.

Right to Restrict Processing

You may request that we restrict processing of your data in certain circumstances, such as while we verify accuracy or assess a deletion request.

Right to Object

You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling grounds that override your interests.

Right to Data Portability

Where processing is based on consent or contract, you may request your data in a structured, commonly used, machine-readable format.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, contact us at support@cpd.me.uk. We will respond within one calendar month and may request identity verification before processing your request.

15. Data Security

We implement appropriate technical and organisational security measures including:

  • Encryption of data in transit (TLS/HTTPS) and at rest.
  • Secure authentication with encrypted password storage.
  • Role-based access controls limiting data access to authorised personnel.
  • Regular security reviews and updates.
  • Secure infrastructure hosted by industry-leading providers.
  • Row-level security on database tables.

While we take all reasonable precautions, no system is completely secure. We cannot guarantee absolute security of your data and you acknowledge this inherent risk.

16. International Transfers

Our infrastructure providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions, to protect your data to UK GDPR standards.

Key processors and their locations are listed in the Third Party Processors section below.

17. Third Party Processors

We use the following third-party data processors:

Stripe

  • Purpose: Payment processing and subscription management
  • Data shared: Billing information, transaction details
  • Privacy policy: stripe.com/privacy

Supabase

  • Purpose: Database hosting, authentication, and file storage
  • Data shared: Account data, programme submissions, platform data
  • Privacy policy: supabase.com/privacy

Resend

  • Purpose: Transactional and communication email delivery
  • Data shared: Email addresses, communication content
  • Privacy policy: resend.com/legal/privacy-policy

Hosting Providers

  • Purpose: Platform hosting and content delivery
  • Data shared: Technical data (IP addresses, request logs)

We never sell your personal data to third parties. Data is only shared with processors as strictly necessary to provide our services.

18. Cookies Policy

Our platform uses the following types of cookies:

Essential Cookies

Required for the platform to function. These manage your login session, security tokens, and basic preferences. They cannot be disabled without breaking core functionality.

Functional Cookies

Remember your preferences and settings (such as display preferences or filter choices) to improve your experience.

Analytics Cookies

Help us understand how the platform is used by collecting anonymised usage data. These are only set with your consent.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core platform functionality.

19. Complaint Rights

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK's data protection authority:

  • Organisation: Information Commissioner's Office (ICO)
  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We encourage you to contact us first at support@cpd.me.uk so we can attempt to resolve your concern directly.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or platform notification.

The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this policy periodically.

21. Contact Details

For any privacy-related questions or to exercise your data rights, contact us:

We aim to respond to all privacy enquiries within 5 working days and to formal data rights requests within one calendar month.