Privacy and Cookie Policy | MHScot Workplace Wellbeing CIC

Privacy and Cookie Policy


MHScot Workplace Wellbeing C.I.C. (MHScot) needs to gather and use certain information about individuals.


These can include customers, suppliers, business associates and other individuals/organisations which MHScot has a relationship with or may need to contact.


This Privacy and Cookie Policy sets out how this personal data must be collected, handled and stored to meet the organisation’s data protection standards — and to comply with the law.


If you have queries about how we use your data, or comments or questions about this Policy, please do email us.  The email address to use is set out in section 2 below.

Why this Policy Exists


This Data Protection Policy ensures MHScot:

• Complies with data protection law and follows good practice
• Protects the rights of staff, customers and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach

Policy updates: We keep this Policy under regular review, and this page may be updated from time to time.  Please come back here to check the latest version.  This Policy was last updated on the date given in the final box in the table in section 2 below.

Who Are We?

MHScot Workplace Wellbeing CIC (or just MHScot for short) is a Social Enterprise registered at Companies House and with the Office of the Regulator of Community Interest Companies.

Although registered in 2013, we started trading towards the end of 2014. Our registered business address is 101 Rose Street South Lane, Edinburgh, EH2 3JG. This is used as a postal address only.

This policy applies to:

• The MHScot Board and Management Team.
• All staff and volunteers of MHScot Workplace Wellbeing
• All suppliers, contractors and other people working on behalf of MHScot Workplace Wellbeing


It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:


• Names of individuals
• Postal addresses
• Email addresses
• Telephone numbers
• Any other personal information relating to individuals

Data Protection Officer

As required by the GDPR, MHScot Workplace Wellbeing CIC is registered with the Information Commissioner’s Office (ICO) as a data controller, registration number ZA187968.

The data protection officer is Catherine Eadie, who is responsible for:

• Keeping the board updated about data protection responsibilities, risks and issues.
• Reviewing all data protection procedures and related policies, in line with an agreed schedule.
• Arranging data protection training and advice for the people covered by this policy.
• Handling data protection questions from the people covered by this policy.
• Dealing with requests from individuals to see the data MHScot Workplace Wellbeing holds about them (also called ‘subject access requests’).
• Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.
• Evaluating any third-party services the company is considering using to store or process data, for instance cloud computing services.
• Ensuring that accurate backups and recovery processes are in place at both MHScot and any service providers used.
• Approving any data protection statements attached to communications such as emails and letters.
• Addressing any data protection queries from journalists or media outlets such as newspapers.
• Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.


Cookies

We use cookies (small pieces of data sent to your device and stored by your browser) to:

• Speed up how quickly the site loads if you come back (caching)
• Analyse how popular our pages and posts are (analytics)
• Track the user journey from arriving on site to leaving, so we can see what is popular and what content is working
• Identify if our advertising and/or social media brought you to visit us
• Work out which sites are sending visitors to us
• Remember returning visitors and customers

If you turn off all cookies, some or all of our site may not perform properly. You can turn them off by using the settings in your browser.


For further guidance about cookies, see and

What Information do we Process and Why?

1. Prospect

Most of the information we process comes from you. We process it so we can reply to you, and when you contact us again we know what you asked before, what you were sent, and what you told us.


Typically, we collect your name, contact details, how you came across us, and background information relevant to that particular enquiry (either supplied by you, published by you on social media, or freely accessible on the internet) about why you might be interested in our products or services or in a relevant contact from our business.


You are not automatically subscribed to any other lists, but may be invited to join an appropriate one.


If we email you individually using our own email system, or respond to an email sent to us at any of our business email addresses, a copy of that email will also be stored.


If you make an enquiry via our website, we will keep details of that enquiry and our response for our data retention period of up to 2 years.


We do not routinely keep special category data. To the extent we hold this, it was supplied or made publicly available by you.

2. Customer


Once you buy something from us, we will collect information from you at the point of sale.


This will include the information we collect from Prospects (above). We collect your email address, phone number and postal address so we can provide what we have contracted to, invoice you and keep proper records of our business relationship.


We process your data to support the delivery of the goods and services you have bought. We keep records of the goods/services provided to you, and of information you give us, so we can support you when needed and advise you of any additional services you may need.

Financial and credit card details


We do not receive or store your debit/credit card details. Debit/credit card payments are handled by Stripe, an external secure processor, in accordance with their data security policies.


We receive limited information from our processor for us to tie up your payment with your online booking.


If you pay us by BACS or direct transfer, we know only what the bank tells us, which is usually the name of the person who paid us, the amount and the invoice number.


We do not routinely keep credit scores nor use credit reference agencies.


When we are processing data about you on behalf of a customer, we are operating under the banner of our customer’s data privacy policy. We will refer any enquiry from you to them, as they are the ‘data controller’ responsible for dealing with your query. But we will support that by providing relevant information to our customer for passing to you.

3. Suppliers and Associates


We collect information on potential and actual suppliers and associates. This is mostly provided by you, but we do add to it the same kind of data we use for Prospects (see above).


If you become a supplier or associate we keep a copy of the contract between us and your bank details so we can pay you. We also keep a record of invoices/payments for accounting purposes.


We keep a record of the work you undertook for us/our clients along with any comments, reviews or suggestions about that work including complaints (if any) and their resolution.


This information is all needed to manage our customer relationships and our supply chain.

Data Sharing - 3rd Parties

We do not sell or exchange your personal data with organisations who may want to sell you something or use your data for research or other purposes.

1. Platforms


We keep a list of the software platforms we use to run our business. If you would like a list of all the platforms we use, please email us.

2. People


We have an outsourced support team for our own business, which may include Virtual Assistants, Web Designers, Accounting and more. They have limited access to your data, only where the service they provide to us means they need it.



Your information/advice is held in the strictest confidence. Our team are all contracted to strict confidentiality clauses and use two-step authentication to keep your data safe.

Where is Your Data Located?

Like most small businesses, we do not have any tailor-made software – we use mainstream packages for everything from our customer records, to email, to accounting.


This means that some of your data may be held in the EEA, and some may be held in services in the USA (with suitable data privacy shields) or elsewhere. We have picked mainstream suppliers with appropriate security standards.

Retention Periods

Any non-financial information will be kept for approximately 2 years and this retention period will be reviewed and updated regularly.


We need to keep financial customer and contractual records long enough to satisfy HMRC and our insurers, which is 7 years from the end of the last company financial year they relate to.


We keep information on prospective customers long enough to make our sales enquiry system effective.

Subject Access Requests

All individuals who are the subject of personal data held by MHScot are entitled to:

• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed how the company is meeting its data protection obligations.


It is the responsibility of all Management, Staff, Volunteers and Contractors who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.


Data will be held in as few places as necessary. Management, Staff, Volunteers and Contractors should not create any unnecessary additional data sets.


Management, Staff, Volunteers and Contractors should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.


MHScot will make it easy for data subjects to update the information MHScot holds about them. For instance, via the company website.


Data should be updated as inaccuracies are discovered. For example, if a customer can no longer be reached on their telephone number held, it should be removed from the database.


If an individual contacts the company requesting this information, this is called a Subject Access Request.


Subject Access Requests from individuals should be made by email, addressed to the data controller. The data controller can supply a standard request form, although individuals do not have to use this.


Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days.


The data controller will always verify the identity of anyone making a subject access request before handing over any information.


You have a “right to be forgotten” – but that does have some legal limits to it. If you want us to remove information about you, let us know. If you have been a customer, we may not be able to remove all data, as we have to ensure that we can continue to comply with legal, accounting, taxation and our insurer’s requirements.


If you have a complaint about the way we are handling your information or how we have responded to a request for information or removal, you can take this up in the first instance by emailing us at the email address set out above.


If we can’t sort it out, the relevant supervisory authority for us is the Information Commissioner for the UK. You can contact them here.