Privacy policy

Last updated 15th October 2025


This Privacy Policy explains how Nurse Wellbeing Mission Ltd (“NWM”, “we”, “us”) collects and processes your personal data when you use courses.nursewellbeingmission.com (the “Website”) and our related services, including Empatheum™ courses, live sessions and community spaces (the “Services”).

We comply with the UK General Data Protection Regulation (UK GDPR).

Controller: Nurse Wellbeing Mission Ltd
Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK
Company No.: 14051398
Contact: contact@nursewellbeingmission.com

1) Scope & Who this applies to

This Policy applies to:

Participants (individual self-funded users and users funded by an employer/university).

Organisation Customers (e.g., NHS Trusts/ICBs, universities) and their nominated admins.

Visitors to the Website.

Where NWM acts as Processor for an Organisation Customer (e.g., where the organisation determines the purpose of certain reporting), our processing is governed by a Data Processing Agreement (DPA) with that organisation. In other cases we act as Controller. Section 7 explains these roles.

2) Key definitions

Personal Data: information about an identified or identifiable person.

Special Category Data: data revealing health (including mental health/wellbeing), race/ethnicity, religion, sexual orientation, etc.

Empatheum™: NWM’s subscription environment with reflective learning, live sessions and community features.

Organisation Customer: an employer, NHS Trust/ICB, university or similar that purchases access for Participants.

3) What data we collect

3.1 Data you provide to us

Identity & contact: name, email, role, employer/university, cohort/seat details.

Account & profile: username, password (hashed), profile photo, preferences.

Course & community content: posts, comments, uploaded files, messages (metadata), feedback forms.

Wellbeing/reflection inputs (optional): questionnaire responses and reflections that you choose to provide (may include Special Category Data relating to health/wellbeing).

Support communications: enquiries, complaints, appeals.

Marketing preferences: opt-in/opt-out status.

3.2 Data collected automatically

Usage & device: IP address, device type, browser/version, operating system, time zone, clicks, page views, course progress, attendance metadata.

Cookies/SDKs: see our Cookie Policy for details and choices: [link to /cookies].

3.3 Data from third parties

Payment processors (e.g., Stripe/Klarna/Google Pay): payment status and limited transaction metadata (we do not receive or store full card numbers).

Organisation Customers: roster/eligibility info for seat assignment (name, email, role).

Single-sign-on/booking tools (if used): calendar/meeting metadata.

4) Why we use your data (purposes) and lawful bases

We only collect and process personal data when we have a valid lawful basis under the UK GDPR.
The lawful bases we rely on are contract, legitimate interests, consent, and in limited cases legal obligation.
For any special category data (such as health or wellbeing information), we rely on your explicit consent or we anonymise the data so it is no longer personal.

We use your data for the following purposes:

To deliver and administer our services – for example, creating your account, giving you access to courses, sending login links, managing live session invitations, and responding to technical or support enquiries.
Lawful basis: performance of a contract with you.

To operate and secure the platform – including troubleshooting, preventing fraud or misuse, monitoring usage, maintaining backups, and ensuring system security and integrity.
Lawful basis: our legitimate interests in running a safe and reliable service.

To improve learning and service quality – by analysing course completion rates, engagement, and user feedback to enhance content and delivery.
Lawful basis: our legitimate interests in improving our educational services.

To manage Empatheum™ community and reflective activities – such as moderation, enforcing community standards, and ensuring respectful and lawful interactions.
Lawful basis: our legitimate interests in maintaining a professional and safe learning community.

To provide reporting to organisations that fund access – where your employer, NHS Trust, ICB, or university has purchased access, we may share named participation data (enrolments, attendance, completion) if their contract requires it.
Lawful basis: legitimate interests (controller-to-controller sharing) or contract with that organisation.
We do not share the reflective or discussion content of your sessions.

To collect optional wellbeing or reflection inputs – you may choose to complete questionnaires or reflective exercises that reveal health or wellbeing information.
Lawful basis: your explicit consent or anonymisation of data for evaluation purposes.
You may withdraw consent at any time.

To record sessions (if applicable) – some live sessions may be recorded for quality assurance or facilitator training, and we will always notify you before recording.
Lawful basis: your consent (if you appear in a recording) and our legitimate interests in maintaining service quality.

To send marketing communications – such as newsletters or event invitations, but only if you have specifically opted in.
Lawful basis: your consent, and compliance with the Privacy and Electronic Communications Regulations (PECR).

To meet legal and regulatory requirements – including safeguarding, patient-safety concerns, record-keeping, accounting, and compliance with requests from lawful authorities.
Lawful basis: legal obligation or our legitimate interests in protecting individuals and complying with the law.

You can withdraw consent for any activity based on consent at any time by contacting contact@nursewellbeingmission.com. Withdrawal will not affect processing carried out before the withdrawal.

You can withdraw consent at any time (see §11). Withdrawal does not affect prior lawful processing.

5) Special Category Data (health/wellbeing)

Some courses invite optional wellbeing or reflection inputs that may reveal health data.

We collect these only with your explicit consent or we anonymise them promptly for evaluation/impact reporting.

Do not post third-party special category data (e.g., patient/colleague details).

We do not share your identifiable wellbeing/reflection content with your employer/university.

6) Cookies & similar technologies

We use cookies/SDKs for essentials (login, navigation) and, with consent where required by PECR, for analytics/experience. See our Cookie Policy for specific tools, purposes, retention, and how to manage preferences: [link to /cookies].

7) Who is the Controller?

NWM as Controller: for the Website, general service delivery, Empatheum operations, community moderation, platform security, and learning analytics.

Controller-to-Controller sharing: where an Organisation Customer funds your access and their contract requires named participation data (attendance/completion), we may share that with them as independent Controllers (see §10).

NWM as Processor: if an Organisation Customer instructs us to process specified data on their behalf (e.g., custom reporting beyond our standard dashboard), we do so under a DPA.

We can tell you which role applies to a specific activity on request.

8) Who we share data with

We share data only as necessary and subject to appropriate safeguards:

Service providers / sub-processors under contract, including:
LearnWorlds (hosting/LMS), Zoom or Microsoft Teams (live sessions), Calendly (booking), ActiveCampaign (email), payment processors (Stripe/Klarna/Google Pay), analytics tools listed in the Cookie Policy, secure file storage, and vetted IT/developer support.
A current list of sub-processors is maintained in this Policy or linked from it: [link to sub-processor list or section].

Organisation Customers (if they fund your access): named participation data (enrolments, attendance, completion). We do not share the content of your posts, reflections or what you say in sessions (§10).

Legal/safety: where required by law or where necessary to protect vital interests (e.g., immediate risk disclosures, safeguarding/patient-safety concerns).

We do not sell your Personal Data.

9) International transfers

Some providers may process data outside the UK. Where transfers occur:

We rely on UK adequacy regulations (including the UK-US Data Bridge) or

The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, with supplementary measures where appropriate.

Details of transfer mechanisms are available on request.

10) Empatheum & organisational reporting

If your access is funded by an Organisation Customer (e.g., NHS Trust, university) and their contract requires it, we may provide named participation data limited to:

enrolments

session/course attendance

completion status

We do not share your reflective/community content, chat, or what you say in sessions.
For self-funded users, no named data is shared with any organisation.
We may use aggregated/anonymous insights to evidence effectiveness across all users.

11) Your rights

You have the rights to access, rectify, erase, restrict, object, and data portability (where applicable), and to withdraw consent at any time (for consent-based processing). We respond within one month (may extend by two months for complex requests).

To exercise rights, email contact@nursewellbeingmission.com
. If your data is processed as Processor on behalf of an Organisation Customer, we may refer your request to that organisation.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO): www.ico.org.uk
. We encourage contacting us first.

12) Security

We implement appropriate technical and organisational measures including encryption in transit, access controls, least-privilege admin access, staff/contractor confidentiality, monitoring, and vetted sub-processors. LearnWorlds’ security overview is available here: https://www.learnworlds.com/data-security.

13) Retention

We keep Personal Data only as long as necessary for stated purposes, then delete or anonymise it. Typical periods:

Active accounts: for the duration of your access.

Empatheum cohorts: access window + up to 12 months for audit/support, unless a different period is agreed in an Organisation contract.

Invoices/financial records: 6 years (statutory).

Consents/logs (onboarding, recordings): up to 6 years for evidential purposes.

Backups: securely cycled; deletion may be delayed by backup retention windows.

Due to platform constraints, community posts cannot be deleted independently; they are removed when the associated user account is deleted (or anonymised where deletion would break thread integrity).

14) Safety, safeguarding & “immediate risk”

Empatheum is educational and not continuously monitored. If we reasonably believe there is immediate risk of serious harm to you or others, or a patient-safety/safeguarding concern, we may act to protect life or safety (e.g., contact emergency services or an appropriate safeguarding lead). We act proportionately and sensitively.

In an emergency, call 999. For support, contact Samaritans 116 123 (UK).

15) Marketing

We send service/transactional emails necessary to operate your account. We send marketing emails only if you opt-in (you can unsubscribe anytime). Where PECR requires consent, we obtain it via our email provider (ActiveCampaign).

16) Automated decision-making

We do not perform solely automated decision-making that has legal or similarly significant effects on you.

17) Changes to this Policy

We may update this Policy for legal, security or operational reasons. Material changes will be notified by email or in-platform. The effective date is at the top. Continued use after the effective date indicates acknowledgement of the updated Policy.

18) Contact

Questions or requests: contact@nursewellbeingmission.com

Postal: Nurse Wellbeing Mission Ltd, 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, UK.