Trust & Governance

Privacy Policy

Clear, practical information for organisations, practitioners and decision-makers.

Privacy Policy

Last reviewed: July 2026

Therapeutic Activities Group CIC ("Dragonfly CPD", "we", "us") is the data controller for personal information collected through this website and the Dragonfly CPD learning platform. This notice explains what we collect, why, and the rights you have over it.

What we collect

Depending on how you use Dragonfly CPD, we may collect: contact details you give us (name, email, organisation) when you enquire, register, or create an account; learner account and progress data (module completions, assessment scores, CPD hours, certificates) where the platform is used for training; manager and organisation data (team structure, staff registration codes, assigned pathways) for organisation accounts; and basic technical data (IP address, browser type, pages visited) collected automatically for security and site performance.

Why we use it

We use this information to provide and maintain accounts and CPD records, issue certificates and evidence packs, respond to enquiries, process payments and licences, and improve the platform. Our lawful bases are: performance of a contract (providing the service you've signed up for), legitimate interests (site security, service improvement), and consent (where you've opted in, e.g. marketing emails, which you can withdraw at any time).

Who we share it with

We use third-party processors to run the platform, principally Supabase (database and authentication) and Cloudflare (hosting and content delivery). These providers process data under their own data processing agreements and may store data outside the UK with appropriate safeguards (such as the UK's International Data Transfer Addendum or equivalent). We do not sell personal data to third parties.

How long we keep it

Learner and organisation account data is retained for the duration of an active licence and for a reasonable period afterwards to support certificate re-issue and compliance evidence, typically up to 6 years in line with common CPD record-keeping practice, unless an organisation requests earlier deletion. Enquiry data not converted to an account is deleted or anonymised within 12 months.

Your rights

Under UK GDPR you have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. To exercise any of these rights, email info@dragonflycpd.com. You also have the right to complain to the Information Commissioner's Office (ico.org.uk) if you believe your data has been mishandled.

Organisations using the platform

Where an organisation (school, charity, employer) sets up managed accounts for its staff, that organisation acts as controller for its staff's learning records and Dragonfly CPD acts as processor under the organisation's instructions. Organisations are responsible for having a lawful basis to enrol their staff and for their own internal data protection obligations.

For any privacy question not covered here, email info@dragonflycpd.com.

CymraegCymraeg