Who We Are
The data controller responsible for your personal data is:
Greatness Academy Ltd (Company Number: 16062394), trading as Professional Performance System™
Registered Office: 71–75 Shelton Street, Covent Garden, London WC2H 9JQ
We are registered as a data controller with the Information Commissioner's Office (ICO). Our ICO registration number is [ICO Registration Number — to be inserted before deployment].
For all data protection queries, please contact us at: support@ppsprotocol.com
We have assessed our processing activities and determined that, at this time, the appointment of a Data Protection Officer (DPO) is not mandatory under Article 37 UK GDPR. We will keep this assessment under review.
The Personal Data We Collect
We collect and process personal data from the following categories of data subjects: website visitors, PPS Index™ users, programme participants, email subscribers, and prospective customers.
2.1 Data You Provide Directly
Identity Data: First name, last name, professional title, organisation name.
Contact Data: Email address, postal address, telephone number.
Professional Data: Job role, professional sector, years of experience, description of professional responsibilities and performance challenges, organisational context, and other professional information you provide in connection with our Services.
Programme Data: Responses to the PPS Index™ diagnostic instrument; domain profile results across the five PPS domains (Governed Source, State Architecture, Attentional Governance, Standardised Execution, Evidence-Based Realignment); profile classification; programme participation records (PPS Performance Audit, Governed Standard Protocol, Governance Intensive); session notes and practitioner records; deliverable documents produced during programme delivery; Alignment Action Report submissions; Constraint Bank records; and any other information you share in the course of receiving our Services.
Financial Data: Payment card details (processed by our third-party payment processor — we do not store card data), billing address, and transaction history.
Communications Data: Records of your correspondence with us, including emails and messages sent through our Platform.
Preferences Data: Your preferences in relation to receiving marketing communications.
Technical Data: IP address, browser type and version, time zone and location, operating system and platform, and other technology on devices you use to access our Services.
Usage Data: Information about how you use our Website and Platform, including pages visited, links clicked, time spent, and navigation patterns.
Cookie Data: Data collected through cookies and similar tracking technologies, as described in our Cookie Policy (Section 11).
Platform Data: Data from third-party platforms we use to deliver our Services (including Ghost, Loops, Stripe, and Vercel), to the extent such data is shared with us in accordance with those platforms' terms and privacy policies.
Referral Data: Where you have been referred to us by a third party, we may receive your name and contact details from that referrer.
How We Use Your Personal Data — Lawful Bases
3.1 Performance of a Contract
We process personal data where processing is necessary for the performance of a contract to which you are a party. This includes: delivering the PPS Performance Audit, Governed Standard Protocol, and Governance Intensive; processing payment; administering your account; providing access to our Platform and Content; and responding to your enquiries.
3.2 Legitimate Interests
We process personal data where processing is necessary for the purposes of our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include: operating and improving our Services; understanding usage patterns to improve programme outcomes; preventing fraud; maintaining quality assurance records; pursuing and defending legal claims; and communicating information about our Services to existing customers and warm prospects (subject to your right to opt out). Where we rely on legitimate interests, we conduct a Legitimate Interests Assessment (LIA). Summaries are available on request.
3.3 Consent
We rely on your freely given, specific, informed, and unambiguous consent for: sending marketing communications to individuals who are not existing customers; setting non-essential cookies; and processing special category data where applicable (see Section 3.5). You have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
3.4 Compliance With a Legal Obligation
We process personal data where necessary to comply with our legal obligations, including maintaining financial and accounting records and responding to lawful requests from law enforcement or regulatory authorities.
3.5 Special Category Data
Programme Data collected in the course of our Services may, in some cases, include information that falls within the definition of special category data under UK GDPR (Article 9). Professionals participating in our programmes may voluntarily share information relating to religious or philosophical beliefs, professional identity, or personal values in the context of programme sessions or self-assessment.
Where we process special category data, we do so on the basis of your explicit consent under Article 9(2)(a) UK GDPR. You are never required to share special category data with us. Where you choose to do so, explicit consent is obtained through a specific consent acknowledgement presented at the relevant point in the programme, expressly identifying the categories of data and the purpose of processing.
You may withdraw your consent at any time by contacting support@ppsprotocol.com.
We implement additional safeguards for special category data, including: restricted access limited to the delivering practitioner and essential administrative personnel; enhanced confidentiality obligations; secure encrypted storage; separate retention tracking; and audit logging of access.
Purposes for Which We Use Your Personal Data
| Purpose | Data Categories | Lawful Basis |
|---|---|---|
| Delivering programme Services to participants | Identity, Contact, Professional, Programme, Financial | Contract |
| Processing payment and managing billing | Identity, Contact, Financial | Contract |
| Administering your account and Platform access | Identity, Contact, Technical | Contract |
| Responding to enquiries and pre-sales communications | Identity, Contact, Communications | Legitimate Interests / Pre-contract |
| Sending service and operational communications | Identity, Contact, Preferences | Contract / Legitimate Interests |
| Sending marketing communications to existing customers | Identity, Contact, Preferences | Legitimate Interests (with opt-out) |
| Sending marketing communications to new prospects | Identity, Contact, Preferences | Consent |
| Delivering the PPS Weekly Letter newsletter | Identity, Contact, Preferences | Consent |
| Improving our Services and understanding usage patterns | Technical, Usage, Cookie | Legitimate Interests |
| Maintaining quality assurance and programme records | Programme, Communications | Contract / Legitimate Interests |
| Preventing fraud and ensuring system security | Technical, Usage | Legitimate Interests |
| Complying with legal obligations | All categories as required | Legal Obligation |
| Processing special category data shared in programme sessions | Programme (special category) | Explicit Consent |
Marketing Communications
We may send you information about our Services, new programmes, and relevant performance content by email and other electronic channels.
We may send you marketing communications on the basis of the PECR soft opt-in and our legitimate interests, subject to all of the following conditions being met: (i) your email address was collected in the course of a sale or negotiations for a sale of our Services; (ii) the marketing relates to our own similar products and services; (iii) we provided you with a clear opportunity to opt out at the point we collected your email address; and (iv) we provide a clear and simple opt-out mechanism in every subsequent marketing communication. You may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting support@ppsprotocol.com. Opt-out requests are processed within 5 business days.
Where you have not previously purchased from us, we will only send you marketing communications with your consent, obtained at the time you complete the PPS Index™ or sign up to receive communications from us.
Where you have completed the PPS Index™, our email communications may be personalised based on your domain profile and programme routing. This personalisation is based on your voluntary completion of the Index and does not involve automated decision-making with legal or similarly significant effects.
We will never sell your personal data to third parties for their marketing purposes.
Automated Decision-Making and Profiling
The PPS Index™ uses an automated scoring algorithm to generate domain profiles and programme routing recommendations. We consider that this processing does not constitute automated decision-making with legal or similarly significant effects within the meaning of Article 22 UK GDPR, because: (a) the outputs are advisory and indicative tools, not binding determinations; (b) all programme routing recommendations are subject to human review; and (c) no individual is denied access to a Service solely on the basis of a PPS Index™ output.
You have the right to request human review of any PPS Index™ output that you consider inaccurate or unfair, by contacting us at support@ppsprotocol.com.
We use email platform segmentation tools (Loops) to tag subscribers by domain profile and send profile-personalised email sequences. This constitutes basic profiling for communications personalisation. We rely on legitimate interests for existing customers and on consent for new prospects. You may opt out of personalised communications at any time.
Data Sharing and Third-Party Processors
We do not sell, rent, or trade your personal data to third parties.
We engage third-party service providers who process personal data on our behalf as data processors under Article 28 UK GDPR data processing agreements:
| Category | Provider(s) | Purpose | Data Processed |
|---|---|---|---|
| Website & Portal Hosting | Vercel | Website and programme portal delivery | Technical, Usage |
| Newsletter & Blog Publishing | Ghost | Newsletter delivery and content publishing | Identity, Contact, Usage |
| Email Marketing & Automation | Loops | Email communications, sequences, and segmentation | Identity, Contact, Preferences, Programme |
| Payment Processing | Stripe | Payment processing and subscription management | Identity, Contact, Financial |
| Analytics | [Provider — to be confirmed before deployment] | Website analytics | Technical, Usage, Cookie |
We may disclose personal data to law enforcement agencies, regulatory authorities, courts, or other third parties where we are legally required to do so, or where we believe in good faith that such disclosure is necessary to prevent crime or comply with a legal obligation.
In the event of a merger, acquisition, or sale of all or substantially all of our business assets, personal data held by us may be transferred to the relevant third party. We will notify you of any such transfer where required by applicable law.
International Data Transfers
Some of our third-party processors may process personal data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V and the International Data Transfer Agreement (IDTA) framework or equivalent mechanisms approved by the Secretary of State.
Transfers to countries that benefit from UK adequacy regulations are permitted without further safeguards. Transfers to other countries are made subject to IDTAs, Standard Contractual Clauses (SCCs) adapted for UK compliance, or other lawful transfer mechanisms. Details of specific transfer mechanisms applicable to each processor are available on request by contacting support@ppsprotocol.com.
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, and in any event for no longer than required by applicable law.
| Data Category | Retention Period | Rationale |
|---|---|---|
| Client programme records (Governance Intensive) | 7 years from end of programme | Quality assurance; potential legal claims |
| Programme participant data (PPS Performance Audit, GSP — active) | Duration of programme access plus 2 years | Contract administration; re-engagement |
| Programme participant data (post-completion) | 2 years from programme completion | Legitimate interests; legal claims |
| Financial records | 7 years from end of relevant tax year | Legal obligation (HMRC requirements) |
| Marketing data (opted-out) | Suppression list maintained indefinitely | Prevention of re-contact |
| PPS Index™ responses and profile data | 3 years from completion | Quality assurance; programme improvement |
| Newsletter subscriber data (active) | Duration of subscription | Contract / Consent |
| Newsletter subscriber data (unsubscribed) | Suppression list maintained indefinitely | Prevention of re-contact |
| Website analytics data | 26 months | ICO guidance for analytics data |
| Enquiry / pre-sales data | 2 years from last contact | Legitimate interests |
| Legal claim records | 7 years from resolution of claim | Limitation periods under Limitation Act 1980 |
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Contact us at support@ppsprotocol.com. We may verify your identity before processing your request. No fee will be charged unless your request is manifestly unfounded or excessive.
Right to Complain: You have the right to lodge a complaint with the Information Commissioner's Office — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel: 0303 123 1113. www.ico.org.uk. We would appreciate the opportunity to address your concerns before you contact the ICO.
Cookie Policy
11.1 What Are Cookies?
Cookies are small text files placed on your device when you visit our Website. Similar technologies include web beacons, local storage, and session storage. References to “cookies” include all such similar technologies unless otherwise specified.
11.2 How We Use Cookies
11.3 Your Cookie Choices
When you first visit our Website, you will be presented with a cookie consent banner allowing you to accept or decline non-essential cookies. You may change your cookie preferences at any time by clicking Manage Cookie Preferences in the footer of our Website. You may also control cookies through your browser settings.
11.4 Cookie Consent Records
We maintain records of cookie consents given through our consent management tool, including the date and time of consent, the categories of cookies consented to, and the version of the cookie policy in force at the time. These records are retained for 3 years as evidence of compliance.
AI Systems and Automated Data Collection
We do not make our Content, frameworks, diagnostic instruments, programme architecture, or any other materials available for use as training data, fine-tuning data, or any other input for artificial intelligence systems, large language models, or machine learning models.
Automated scraping, crawling, and systematic extraction of our Website, Platform, or Content is prohibited. We publish robots.txt directives restricting AI crawlers and data harvesting tools. All automated systems are required to comply with these directives.
To the extent that any automated system collects personal data about our users or visitors in contravention of our terms and robots.txt directives, such collection is unauthorised and unlawful. We reserve the right to pursue all available remedies against operators of non-compliant automated systems.
Security
We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include: encryption of personal data in transit and at rest where technically feasible; access controls limiting access to authorised personnel on a need-to-know basis; confidentiality obligations on all staff, contractors, and processors; regular review of our security practices; and secure deletion and disposal protocols.
Programme session content and participant records are treated with enhanced confidentiality. Access to programme records and deliverables is restricted to the relevant practitioner and administrative personnel directly responsible for programme delivery.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with Article 34 UK GDPR.
Children's Privacy
Our Services are directed at adults and are not intended for individuals under the age of 18. We do not knowingly collect personal data from individuals under 18.
If you believe we have inadvertently collected personal data from a child under 18, please contact us at support@ppsprotocol.com and we will take immediate steps to delete such data.
Changes to This Privacy Policy
We reserve the right to update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance.
We will notify existing programme participants and newsletter subscribers of material changes by email with reasonable notice before the changes take effect. We will also update the Last Updated date at the top of this Policy.
Your continued use of our Services after any changes take effect constitutes your acceptance of the revised Policy, subject to any consent requirements for new processing activities.
International Users
While our primary operations are in the United Kingdom, we receive enquiries and clients from international jurisdictions. We are committed to processing personal data of all individuals in accordance with the standards set out in UK GDPR and this Privacy Policy, regardless of where the individual is located.
Where we process personal data of individuals in the European Economic Area in connection with the offering of goods or services, we comply with EU GDPR in addition to UK GDPR where applicable. We rely on appropriate transfer mechanisms for any onward transfers of EEA data.
Where local data protection law imposes requirements beyond those set out in this Privacy Policy, we will comply with such requirements to the extent applicable. If you have questions about how your personal data is handled under the laws of your jurisdiction, please contact us.
Contact Us and Complaints
Email: support@ppsprotocol.com
We will acknowledge your communication within 5 business days and provide a substantive response within one calendar month, or notify you if additional time is required.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
www.ico.org.uk/make-a-complaint
We would appreciate the opportunity to address your concerns before you contact the ICO.