Privacy

Privacy Policy

UK (ICO)regulatory authority
29 April 2026last reviewed

This Privacy Policy explains how Motivation Digital Ltd (trading as Motivation) accesses, collects, stores, uses, and shares your personal information when you visit motivation.digital, register an account, download or use our mobile application, purchase or use our services, or engage with us through marketing or events. We refer to ourselves below as ‘we’, ‘us’, or ‘our’. This policy also explains your rights and how to exercise them.

Read alongside

🍪 Cookie Policy ⚙️ Data Processors 📄 Terms of Service

1. Introduction

We are responsible for making decisions about how your personal information is processed (the "data controller" under UK data protection law, primarily the UK GDPR and the Data Protection Act 2018), except where we process information on behalf of a customer organisation under a data processing agreement — in which case the customer is the controller and we are the processor.

We do not process special-category or sensitive personal data (such as racial or ethnic origin, religion, sexual orientation, biometric, or health data) unless you voluntarily disclose it through course content or communications.

2. Information we collect

2.1 Information you provide directly

The personal information we collect depends on how you interact with us. It typically includes:

  • Names
  • Email addresses
  • Usernames
  • Passwords (stored as one-way hashes)
  • Contact preferences
  • Debit and credit card numbers, billing addresses, and other payment information
  • Communications you send us through forms, email, or support channels

Payment data. Payment instrument numbers and security codes are passed directly to our payment provider; we do not store full card numbers on our systems. The current payment provider is listed in the Data Processors directory.

2.2 Mobile application data

If you use our mobile application, we may also collect the following with your permission:

  • Geolocation — we may request access to track location-based information from your device, continuously or while you are using the app, to provide certain location-based services. You can change this in your device settings.
  • Mobile device data — device ID, model, manufacturer, operating system and version, system configuration, application identification numbers, browser type and version, hardware model, ISP or mobile carrier, and IP address (or proxy).
  • Push notifications — where you opt in, we send notifications about your account or app features. You can disable these in your device settings.

2.3 Information collected automatically

When you visit, use, or navigate our services, we automatically collect technical and usage information that does not by itself reveal your identity:

  • Log and usage data — IP address, device information, browser type and settings, date/time stamps, pages and files viewed, searches and actions, system activity, error reports (sometimes called "crash dumps"), and hardware settings.
  • Device data — device characteristics; IP address (or proxy); device and application identification numbers; hardware model; ISP or mobile carrier; operating system; system configuration.
  • Location data — precise or imprecise location derived from your device or IP address. You can opt out by disabling Location services on your device, though this may limit some features.

Some of this information is collected through cookies, web beacons, pixels, and similar tracking technologies. The full list of cookies and tracking technologies, the categories they fall under, and how to manage your preferences is in the Cookie Policy.

2.4 Use of third-party APIs

Some of our services consume APIs provided by third parties (for example, infrastructure, payments, course delivery, analytics) to deliver features. Where those APIs return personal data, we comply with each provider's user-data policy and API terms.

The current list of API providers, the purpose each serves, and the user-data policy each one publishes is maintained in the Data Processors directory.

2.5 Information from third parties

We may obtain limited information about you from public databases, joint marketing partners, affiliate programmes, data providers, and social media platforms — including mailing addresses, job titles, email addresses, phone numbers, intent (behavioural) data, IP addresses, social media profiles, social media URLs, and custom profiles — for purposes of targeted advertising and event promotion.

If you interact with us on a social media platform, we receive personal information based on your privacy settings on that platform (typically name, email, and gender). The platform's own use of your information is governed by its own privacy notice, not this one.

3. How we use your information

We process your personal information to:

  • Facilitate account creation, authentication, and account management
  • Deliver and facilitate delivery of services to the user
  • Respond to user enquiries and provide customer support
  • Send administrative information — product changes, terms updates, and similar service notifications
  • Fulfil and manage orders, payments, returns, and exchanges
  • Enable user-to-user communications where you choose to use such features
  • Request feedback and contact you about your use of our services
  • Send marketing and promotional communications, in line with your preferences (you can opt out at any time)
  • Deliver targeted advertising tailored to your interests, location, and other factors
  • Protect our services through fraud monitoring and prevention
  • Identify usage trends so we can improve the services
  • Determine the effectiveness of our marketing and promotional campaigns
  • Save or protect an individual's vital interest, such as to prevent harm
  • Comply with legal obligations and respond to lawful requests from authorities

We only process your personal information when we have a valid legal reason under applicable law. We rely on one or more of the following:

  • Consent — you have given permission for a specific purpose. You can withdraw consent at any time.
  • Performance of a contract — processing necessary to fulfil our agreement with you, such as delivering a course you have purchased.
  • Legitimate interests — reasonable business purposes that do not override your rights, including: sending information about offers, developing personalised advertising, analysing service usage to improve the experience, supporting marketing, diagnosing problems, preventing fraud, and understanding how our products are used.
  • Legal obligations — complying with legal duties, including cooperating with regulators or law enforcement, exercising or defending legal rights, and disclosing information as required in litigation.
  • Vital interests — protecting your vital interests or those of a third party, such as situations involving threats to safety.

Jurisdiction-specific consent requirements and exceptions are in section 13 (Your rights by jurisdiction).

5. Data sharing

We share your personal information only where necessary to deliver our services, comply with the law, or with your consent. We do not sell your personal information.

The full list of third parties we share data with — including payment, infrastructure, analytics, marketing, and AI providers — is published in the Data Processors directory, which shows each provider's category, purpose, location, and the cookies they set. Updates to that list are reflected on this policy automatically through the cross-link.

Beyond our sub-processors, we may also share information in the following situations:

  • Business transfers — in connection with, or during negotiation of, any merger, sale of company assets, financing, or acquisition of all or part of our business.
  • Other users — where you post content to public areas of our services, that information may be viewed by other users and may be publicly available outside the services. If you register through a social network, your contacts on that network may see your name, profile photo, and activity.
  • Offer walls (mobile app) — our mobile application may display third-party hosted "offer walls" that let advertisers offer rewards in return for completing an offer. When you click an offer, you are taken to an external site; a unique identifier (such as your user ID) is shared with the offer-wall provider for fraud prevention and reward attribution.
  • Group companies — we may share information with companies in our corporate group under the same data protection commitments described in this policy.
  • Legal and regulatory — where required by law, court order, or to protect rights, safety, and security.

6. AI-based features

Some of our services use artificial intelligence, machine learning, or similar technologies to power features such as content recommendations, summaries, support assistance, or automation. The current list of AI providers is maintained in the Data Processors directory.

We do not use your personal data to train third-party foundation models without your consent. To opt-out after giving consent, you can update preferences in your account settings or contact us.

7. Social logins

Where you choose to register or sign in using a third-party social account, we receive certain profile information from the provider — typically your name, email address, profile picture, and any information you have made public on that platform.

The list of social login providers we currently support is published in the Data Processors directory. We use this information only for the purposes described in this policy. The provider's own use of your information is governed by its own privacy notice.

8. International transfers

Your information may be transferred to, stored by, and processed by us and our service providers in jurisdictions outside your country, including for example the UK, the EU, and the United States. The current data-centre locations and the country each sub-processor operates from are listed in the Data Processors directory.

For transfers from the EEA, UK, or Switzerland, we rely on appropriate safeguards including:

  • The European Commission's Standard Contractual Clauses (SCCs)
  • The UK International Data Transfer Addendum to the SCCs
  • The EU–US Data Privacy Framework where applicable
  • Adequacy decisions covering the destination country

These safeguards apply equally to transfers within our corporate group and to our sub-processors. You may request a copy of the safeguards in place for any specific transfer by contacting us.

9. Retention

We retain personal data only for as long as necessary for the purposes set out in this policy, unless a longer period is required or permitted by law. In practice this means:

  • Account data — held for as long as you have an account with us, plus a reasonable period after closure to resolve disputes and prevent fraud
  • Financial records — retained for the period required by tax and accounting law in our home jurisdiction
  • Marketing data — held until you unsubscribe or withdraw consent, then removed within 30 days
  • Analytics data — aggregated and anonymised after 14 months
  • Support communications — retained for two years to maintain service quality

When data is no longer needed, we delete or irreversibly anonymise it. Where personal data is held in backup archives, it is isolated from any further processing until the backup expires and deletion is possible.

10. Security

We use appropriate technical and organisational security measures to protect your personal information, including encryption in transit (TLS 1.2 or higher) and at rest, access controls, secure authentication, regular backups, network segmentation, and vulnerability monitoring. Our staff receive privacy and security training, and access to personal data is restricted on a need-to-know basis.

Despite our safeguards, no electronic transmission over the internet or storage technology can be guaranteed 100% secure. You should only access our services within a secure environment, and transmission of personal information to and from our services is at your own risk. We will notify you and the relevant supervisory authority of any personal data breach within the timescales required by law.

11. Children and minors

Our services are not directed to children. We do not knowingly collect, solicit data from, or market to children under 18 years of age (or the equivalent age as specified by law in your jurisdiction), nor do we knowingly sell the personal information of minors. By using our services you confirm that you are at least 18 (or the equivalent age in your jurisdiction), or that you are the parent or guardian consenting to the minor's use of the services.

If we learn that we have collected personal information from a user under 18, we will deactivate the account and take reasonable steps to promptly delete that data. If you believe a child has provided us with personal data, please contact us.

12. Tracking signals

Most browsers and some mobile operating systems include privacy signals you can activate. We respond to them as follows:

  • Do Not Track (DNT) — there is no industry consensus on how DNT signals should be interpreted, so we do not currently respond to DNT browser signals. We will revisit this position if a uniform standard is adopted.
  • Global Privacy Control (GPC) — we recognise and honour Global Privacy Control. If you use a browser or extension that supports GPC, we treat it as a valid request to opt out of the sale or sharing of your personal information for targeted advertising under applicable state privacy laws. The opt-out is applied automatically. Learn more at globalprivacycontrol.org.

Jurisdiction-specific disclosure requirements about how we respond to these signals are addressed in section 13.

13. Your rights by jurisdiction

Data protection rights vary by jurisdiction. Find the rights that apply in your country below.

🇬🇧 United Kingdom — UK GDPR & Data Protection Act 2018

If you are in the United Kingdom, you have the following rights under the UK GDPR and the Data Protection Act 2018:

  • Request access and obtain a copy of your personal information
  • Request rectification of inaccurate or incomplete data
  • Request erasure ("right to be forgotten") in certain circumstances
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests, including for direct marketing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time, without affecting prior lawful processing
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — we will inform you, explain the main factors, and offer human review
  • Lodge a complaint with the Information Commissioner's Office (ICO)
🇪🇺 European Economic Area — GDPR

If you are in the EEA (EU member states plus Iceland, Liechtenstein, and Norway), you have the following rights under the GDPR:

  • Request access and obtain a copy of your personal information
  • Request rectification of inaccurate or incomplete data
  • Request erasure ("right to be forgotten") in certain circumstances
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests, including for direct marketing
  • Data portability — receive your data in a structured, machine-readable format
  • Withdraw consent at any time, without affecting prior lawful processing
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — we will inform you, explain the main factors, and offer human review
  • Lodge a complaint with your country's data protection authority
🇨🇭 Switzerland — Federal Act on Data Protection (revFADP)

You have rights similar to those under the EU GDPR — access, rectify, erase, restrict, and object to processing of your personal data. You may lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC).

🇺🇸 United States — California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the CPRA gives you the right to:

  • Know what categories of personal information we collect, the sources, and the purposes
  • Access the specific pieces of personal information we hold about you
  • Delete personal information we have collected, subject to certain exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information for cross-context behavioural advertising
  • Limit the use of sensitive personal information
  • Be free from retaliation or discrimination for exercising these rights
  • Designate an authorised agent to make a request on your behalf

Categories of personal information we collect (CCPA categories, last 12 months):

  • A. Identifiers (name, email, IP address, account name) — YES
  • B. California Customer Records information (name, contact, financial information) — YES
  • C. Protected classification characteristics — No
  • D. Commercial information (transactions, purchase history) — YES
  • E. Biometric information — No
  • F. Internet or network activity (browsing, search, ad interactions) — YES
  • G. Geolocation data (device location) — YES
  • H. Audio/electronic/sensory information — No
  • I. Professional or employment-related information — No
  • J. Education information — No
  • K. Inferences drawn from any of the above — No
  • L. Sensitive personal information — No

We have not disclosed, sold, or shared any personal information for a business or commercial purpose in the preceding 12 months, and do not plan to.

"Shine the Light" (Civil Code § 1798.83). California residents may request, once a year and free of charge, information about categories of personal information we disclosed to third parties for direct marketing in the preceding calendar year and the names and addresses of those third parties.

Do Not Track disclosure. California law requires us to disclose how we respond to DNT browser signals. As stated in section 12, we do not currently respond to DNT signals because no uniform standard exists; we do honour Global Privacy Control signals.

California minors who are registered users may request that we remove content they have publicly posted.

🇺🇸 United States — other state privacy laws

Residents of Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia have rights similar to California's under their state laws.

Common rights:

  • Right to know whether we are processing your personal data
  • Right to access your personal data
  • Right to correct inaccuracies
  • Right to delete
  • Right to obtain a copy of personal data you previously shared
  • Right to non-discrimination
  • Right to opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects

State-specific additions:

  • Right to access categories of personal data being processed (Minnesota and others)
  • Right to obtain a list of categories of third parties to whom we have disclosed personal data (California, Delaware, Maryland)
  • Right to obtain a list of specific third parties (Minnesota, Oregon)
  • Right to obtain a list of third parties to whom we have sold personal data (Connecticut)
  • Right to review, understand, question, and correct profiling decisions (Connecticut, Minnesota)
  • Right to limit use and disclosure of sensitive personal data (California)
  • Right to opt out of voice or facial recognition data collection (Florida)

When exercising rights under your state law, please indicate your state of residence so we can apply the correct rules. We honour Global Privacy Control opt-out signals automatically. You may designate an authorised agent with valid written and signed permission. We will verify your identity from information on file, or request additional information for security purposes if needed. Appeals. If we decline a request, you may appeal; we will provide a written explanation. If your appeal is denied, you may submit a complaint to your state attorney general.

🇨🇦 Canada — PIPEDA

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, you have the right to:

  • Access the personal information we hold about you and challenge its accuracy
  • Request correction or annotation if accuracy is disputed
  • Withdraw consent (express or implied), subject to legal and contractual restrictions
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada or your provincial commissioner

Processing without consent. In limited cases, applicable Canadian law permits us to process information without consent, including:

  • Where collection is clearly in the individual's interest and consent cannot be obtained in a timely way
  • For investigations and fraud detection or prevention
  • For business transactions where prescribed conditions are met
  • To identify injured, ill, or deceased persons and communicate with next of kin
  • Where we have reasonable grounds to believe an individual has been a victim of financial abuse
  • To comply with a subpoena, warrant, court order, or rules of court
  • Where the information is publicly available and specified by regulation

We may also disclose de-identified information for approved research or statistics projects subject to ethics oversight and confidentiality.

🇧🇷 Brazil — LGPD

Under the Lei Geral de Proteção de Dados (LGPD), you have the right to:

  • Confirm whether we process your personal data
  • Access your data and request a copy
  • Correct incomplete, inaccurate, or out-of-date data
  • Anonymise, block, or delete data that is unnecessary or processed unlawfully
  • Data portability to another service or product provider
  • Information about public and private entities with whom we have shared your data
  • Withdraw consent at any time
  • Object to processing based on legitimate interests
  • Lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD)
🇦🇺 Australia — Privacy Act 1988

We collect and process your personal information under the Privacy Act 1988 and the Australian Privacy Principles. This policy satisfies notice requirements under that Act.

🇳🇿 New Zealand — Privacy Act 2020

We process personal information under the Privacy Act 2020 and its information privacy principles. You have the right to:

🇿🇦 South Africa — POPIA

Under the Protection of Personal Information Act (POPIA), you have the right to:

  • Be notified when your personal information is collected
  • Access the personal information we hold about you
  • Request correction or deletion of inaccurate, irrelevant, excessive, or unlawfully obtained data
  • Object to processing of personal information, including for direct marketing

If you are unsatisfied with our response, you can contact the Information Regulator (South Africa). POPIA complaints require completion of POPIA / PAIA Form 5.

🇮🇱 Israel — Protection of Privacy Law (PPL)

Under Israel's Protection of Privacy Law 5741-1981 and its implementing regulations, you have the right to:

  • Request access to your personal information held in our databases
  • Request correction or deletion of information that is incorrect, incomplete, unclear, or out of date
  • Object to direct-mailing list use of your personal data
  • Lodge a complaint with the Israeli Privacy Protection Authority (PPA)
🇸🇬 Singapore — Personal Data Protection Act (PDPA)

Under Singapore's Personal Data Protection Act 2012, you have the right to:

  • Withdraw consent to the collection, use, or disclosure of your personal data
  • Request access to your personal data and information about how it has been used or disclosed in the preceding year
  • Request correction of inaccurate or incomplete personal data
  • Lodge a complaint with the Personal Data Protection Commission (PDPC)

We comply with the Do Not Call (DNC) Provisions where applicable.

🇦🇪 United Arab Emirates — PDPL

Under UAE Federal Decree-Law No. 45/2021 on the Protection of Personal Data (PDPL), you have the right to:

  • Request information about how your personal data is processed
  • Request access, transfer, correction, or deletion of your personal data
  • Restrict or object to processing in certain circumstances
  • Withdraw consent at any time
  • Object to automated decisions that significantly affect you
  • Lodge a complaint with the UAE Data Office. If you are in the DIFC or ADGM free zones, the local data protection regulator (DIFC Commissioner of Data Protection or ADGM Office of Data Protection) applies instead.
🇮🇳 India — Digital Personal Data Protection Act 2023 (DPDP Act)

Under the Digital Personal Data Protection Act 2023, you have the right to:

  • Obtain a summary of your personal data being processed and the processing activities
  • Obtain identities of all other Data Fiduciaries and Data Processors with whom your data has been shared
  • Request correction, completion, updating, and erasure of your personal data
  • Nominate another individual to exercise your rights in the event of your death or incapacity
  • Withdraw consent at any time, with the same ease as it was given
  • Have grievances addressed by us within prescribed timelines, and lodge a complaint with the Data Protection Board of India (under the Ministry of Electronics and Information Technology) if unresolved
🇲🇽 Mexico — LFPDPPP

Under Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) you have ARCO rights:

14. How to exercise your rights

To review, update, correct, or delete your personal information, or to terminate your account, you can:

On request to terminate your account, we will deactivate or delete it from our active databases. We may retain limited information to prevent fraud, troubleshoot issues, assist with investigations, enforce our terms, or comply with legal requirements.

Withdrawing consent. Where we rely on your consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, nor processing carried out under another lawful basis.

Marketing opt-out. You can unsubscribe from marketing emails at any time using the link in any email or by contacting us. We may still send service-related messages necessary to administer your account.

Cookies. Cookie preferences are updated via the Cookie Consent button on the Trust Center dashboard.

15. Contact us

Use our contact form for questions about this policy, to exercise your rights, or to make a complaint. For the Data Protection Officer (DPO), indicate "DPO" in the subject of your request. We respond within five working days for general enquiries, and within the statutory timescale for formal data-rights requests.

Motivation

Website: motivation.digital

Contact: Submit a request

We may update this policy from time to time to reflect changes in our services, technology, or applicable law. The “Updated” date in the page header reflects the most recent revision. Where changes are material, we will notify you in advance by email or through a prominent notice on our website.

This policy was last reviewed on 29 April 2026.