LeapForward

Privacy Policy

1. Introduction

The LeapForward program (“Program”) is provided to you by Leapforward.ai Pty Ltd (ACN 633 082 238) and Leapforward.ai Ltd (company number 15663522, registered in England and Wales), jointly referred to in this Privacy Policy as “we”, “us”, “our” and similar grammatical forms.

The Program may be provided to you at the request of your employer, insurer, health service provider, or other referring organisation (“Referring Organisation”).

By registering for an account with us, you will be asked to provide your explicit consent to our collection, use, disclosure, retention and protection of your personal and other information as described in this Privacy Policy. You will be asked to confirm your consent during the onboarding process before you can access the Program.

The terms of this Privacy Policy should be read in conjunction with the Terms and Conditions of Use.

We appreciate that your privacy is important to you. We will continue to protect the personal information you provide us and we will manage your personal information in compliance with all relevant legislation, including:

  • In the United Kingdom: the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data Use and Access Act 2025
  • In Australia: the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)

We will take all reasonable steps to ensure that all information we collect, use or disclose is accurate, complete, up-to-date and stored in a secure environment.

2. What information do we collect?

We collect five categories of information when you use the Program:

  1. Anonymous non-personal information about how you use the Program
  2. Anonymised written conversations which take place on the Program mobile application between you and Lucy, the Program’s AI-powered conversational assistant
  3. Cookie-based information that makes your use of the Program easier by recording your preferences so that when you return to the Program the cookie re-loads that information into your web browser
  4. Personal information you or your Referring Organisation provides to us, such as your name, date or year of birth, phone number, and postcode that you provide when you register to use the Program or fill out a form related to any customer service feature
  5. Special category data and/or health information (such as information about your physical, emotional, or mental health or wellbeing) that you voluntarily provide through the Program, for example information regarding your personal condition or status that you share during conversations with Lucy

(together “Information”)

Where this policy refers to Personal Information, this includes the definition of Personal Data as set out in the UK GDPR. Where this policy refers to Special Category Data, this includes Sensitive Information as defined under the Privacy Act 1988 (Cth), and Special Category Data as defined under the UK GDPR (Article 9).

3. Personal and Special Category Information

3.1 Consent

We rely on your explicit consent as our lawful basis for processing your personal data and special category data under Article 6(1)(a) and Article 9(2)(a) of the UK GDPR. You will be asked to provide this consent during the onboarding process, and you may withdraw your consent at any time (see Section 11 below).

By providing your explicit consent, you agree to our methods of collection and use, as well as to the other terms and provisions of this Privacy Policy.

3.2 Collection

To operate the Program and to let you use the Program effectively, we collect your personally identifiable information (such as, but not limited to, your name, phone number, postcode, year of birth, and email address), profile information, log data (information such as your device type, IP address, parts of the Program you use, the amount of time spent, actions you take, and other statistics), information related to the content or your use of the Program, and any information which is exchanged between you and the Program (collectively the “Information”).

The Information may be collected from you directly, from your Referring Organisation, or generated through your use of the Program. In some cases, some of the Information that we collect is considered Special Category Data.

You may decide which Information, if any, you would like to share with us, but some functions of the Program may not be available to you without providing us the necessary Information. We do not sell personal information to third parties. We do not transfer personal information to third parties unless we have a lawful basis to do so.

3.3 Use

Protecting this Information is a top priority for us. We will never sell or rent any Information you input in the Program. Other than in the limited ways detailed in this Privacy Policy, we will never use or disclose Special Category Data unless you have specifically and explicitly consented to us doing so.

The Information may be used for the following purposes:

  1. to provide the Program and related services to you, including to create your account and let you log in and use the Program;
  2. to enable and facilitate the Program’s content and features, including AI-powered conversational support (see Section 4 below);
  3. to supervise, administer, and monitor the Program;
  4. to measure and improve the quality, effectiveness, and delivery of the Program;
  5. to conduct research and development in respect of the Program, engagement with the Program, efficacy of the Program, and other user trends;
  6. to monitor conversations for safety purposes, including identifying signs of distress or crisis, in order to protect your wellbeing (see Section 5 below);
  7. to manage your account, provide you with customer support, and ensure you are receiving quality service;
  8. to provide your Referring Organisation with de-identified, aggregate updates concerning use of the Program and relevant outcomes;
  9. to contact you or provide you with information, alerts, and suggestions that are related to the Program;
  10. to invoice your Referring Organisation;
  11. to reach out to you, either ourselves or using the appropriate authorities, if we have a good reason to believe that you or any other person may be in danger or may be either the cause or the victim of a criminal act.

For users in Australia, any Health Information will not be used by us or the Referring Organisation for any purpose other than the Health Purpose or a Permitted Secondary Purpose.

3.4 What other use could we make of your personal information?

We may communicate with you in relation to the management of your account, which will include providing you with information about the Program.

We may also release your personal information when we believe release is appropriate to comply with the law, enforce our terms and conditions, or protect ours or others’ rights, property, or safety.

3.5 Disclosure

Except as otherwise specifically provided in this Privacy Policy, no information generated by your use of the Program will be disclosed by us or the Referring Organisation to any third party in a form whereby you can be personally identified.

4. AI Processing and Anonymisation

4.1 AI-Powered Conversations

The Program uses an AI-powered conversational assistant called Lucy. Your conversations with Lucy are processed by Azure OpenAI, a third-party AI service provided by Microsoft and hosted in the UK South (London) data region. Your messages are sent to this service to generate Lucy’s responses.

4.2 PII Anonymisation

Before your messages are sent to the AI service, personally identifiable information is automatically detected and removed. This includes names, phone numbers, email addresses, postcodes, credit card numbers, government identifiers (such as National Insurance numbers and Tax File Numbers), URLs, and IP addresses. The AI service does not receive or process your real identity. The anonymisation process runs within our own infrastructure before any data leaves our systems.

4.3 AI Training

Your conversations are not used to train or improve the underlying AI models. Azure OpenAI does not use customer data for model training.

5. Safety Monitoring

5.1 Safety Alert Monitor (SAM)

The Program includes a safety monitoring system (“SAM”) that reviews conversations for indicators of distress, crisis, or risk of harm. This is an automated process that runs alongside your conversations with Lucy.

5.2 Clinical Staff Notification

If SAM detects a potential concern, a clinical staff member associated with your Referring Organisation may be notified through the Program’s clinical dashboard. This notification includes the relevant conversation content to allow the staff member to assess the situation and, if appropriate, check in on your wellbeing.

5.3 Automated Decision-Making

The safety monitoring system involves automated decision-making that may have a significant effect on you (for example, triggering a welfare check). Under the UK GDPR (Article 22), you have the right to be informed about such decisions and to request human review. All safety alerts are reviewed by a clinical staff member before any action is taken.

5.4 Emergency Information

The Program is not a crisis service. If you are in immediate danger or experiencing a mental health crisis, please contact emergency services:

  • United Kingdom: 999 (emergency) or Samaritans on 116 123 (24-hour support)
  • Australia: 000 (emergency) or Lifeline on 13 11 14 (24-hour support)

6. Cookies and Anonymous Non-Personal Information

6.1 Use of cookies

Like many online applications, we use cookies to collect information. A “cookie” is a small data file that is transferred to your device for record-keeping purposes. We use cookies to enable the technical operation of the Program and to administer your log-in to your account.

The Program may also include the use of cookies of services owned or provided by third parties that are not covered by our Privacy Policy, and we do not have access or control over these cookies. We may also use third-party cookies for the purposes of web analytics, attribution, and error management.

The anonymous non-personal information that we collect and analyse is not personal information as described in the relevant legislation.

6.2 Refusing cookies

You can change your browser’s settings so it will stop accepting cookies or to prompt you before accepting a cookie. However, if you do not accept cookies, some features of the Program may not function properly.

6.3 Why we use cookies and other tracking technologies

When you access the Program, small files containing a unique identification (ID) number may be downloaded by your web browser and stored in the cache of your device. The purpose is so that the Program can recognise your device when you next visit. The cookies shared with your device cannot be used to discover personal information such as your name, address, or email address; they merely identify your device.

We can also log the internet protocol address (IP address) of users so that we can determine the approximate location of devices.

We collect information using cookies and other tracking technologies to:

  • help us monitor the performance of the Program so that we can improve its operation and the services we offer;
  • provide personalised services to each user to make their experience easier and more rewarding.

7. How We Protect Your Information

7.1 Safeguards

We use a range of technologies and procedures to help protect personal information from unauthorised access, loss, alteration, disclosure, or use. Some of the safeguards we use are physical access controls, information firewalls, and access authorisation controls at the data centres where your personal information is held. We also use data encryption when personal information is transferred to and from our systems. Our commitment to data security means:

  • we have procedures to limit access to personal information within our organisation;
  • we use security measures and technologies to protect your personal information;
  • we use service providers that can establish they have secure controls relating to software security, access security, and network security.

7.2 Third-Party Processors

We use the following third-party processors to operate the Program. We share with them only the minimum necessary information to perform their service, and only after entering into appropriate data processing agreements.

ProcessorServiceData Location
Microsoft AzureUK hosting, database, storage, application servicesUK South (London)
Microsoft AzureAU hosting, database, storage, application servicesAustralia East (New South Wales)
Microsoft Azure OpenAIAI conversation processingUK South (London) / Australia East
Microsoft Azure Communication ServicesSMS and email deliveryUK South (London)
Vultr / EquinixLegacy (V3) AU hostingSydney, Australia
Firebase Cloud Messaging (Google)Android push notificationsUnited States
Apple Push Notification ServiceiOS push notificationsUnited States

We are responsible and remain liable for the processing of personal data we receive, including where this involves an international transfer of personal data or if we subsequently transfer to a third party acting as an agent on our behalf.

7.3 International Data Transfers

For users in the United Kingdom, your data is primarily hosted and processed within the UK South (London) Azure data region.

For users in Australia, your data is primarily hosted and processed within the Microsoft Azure Australia East (New South Wales) data region. Some legacy services may continue to operate on Vultr servers in Sydney, Australia, within the Equinix SY4 data centre facility during the transition period.

Some data may be transferred to and processed in countries outside the UK or Australia. This applies to:

  • Push notification services (Firebase Cloud Messaging and Apple Push Notification Service), which operate from the United States
  • Web traffic analytics data, which may be stored overseas

Where personal data is transferred to a country that has not been deemed to provide an adequate level of data protection, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the relevant authority, to protect your rights.

Your explicit consent to this Privacy Policy, followed by your submission of Information, represents your agreement to such transfers where they are necessary for the provision of the Program.

7.4 Security Standards

We hold ISO 27001:2022 certification, which demonstrates our commitment to robust information security management. We comply with the NHS Data Security and Protection Toolkit (DSPT), which we submit annually with all standards met. Our infrastructure uses FIPS 140-2 Level 2 hardware security modules (HSM) for cryptographic key management and authentication. Private signing keys are generated and stored within the HSM and never leave the hardware boundary.

8. Compliance with Laws and Law Enforcement

We cooperate with government and law enforcement officials to comply with the law. We may disclose information necessary or appropriate to protect the safety of the public or any person, to respond to claims and legal process (including but not limited to subpoenas), and to prevent or stop activity that may be illegal or dangerous.

We may be obliged to disclose information to law enforcement or other authorities to conform with professional and legal responsibilities, including where the law requires mental health professionals to disclose information and/or take action in the following cases:

  • reported or suspected abuse of a child or vulnerable adult;
  • serious suicidal potential;
  • threatened harm to another person;
  • court-ordered presentation of treatment.

9. Phishing

Online identity theft and account hacking, including the practice currently known as “phishing”, are of great concern. You should always be diligent when you are being asked for your account information, and you must always make sure you do that in our secure system. We will never request your login information or your credit card information in any non-secure or unsolicited communication (email, phone, or otherwise).

10. Third-Party Links

The Program may contain links to websites, services, or offers which are owned, operated, or maintained by third parties. If you click on a third-party link, you will be directed to that third-party website or service. The fact that we link to a website or service is not an endorsement, authorisation, or representation of our affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices. We do not have control over third-party websites and services, and we do not have control over their privacy policies and terms of use. We have no responsibility or liability for the content and activities of these linked websites. Nonetheless, we seek to protect the integrity of the Program and welcome any comment about linked websites.

11. Your Rights

We take your rights in respect of your data very seriously and provide you with the facility to exercise them as below.

11.1 Right to be informed

You have the right to be informed about things such as why we collect your information. We do this by providing this Privacy Policy and by giving information in our application forms, in-app screens, web pages, and telephone conversations.

11.2 Right to access your data

You can request copies of the information we hold about you. This process is called a Subject Access Request. We generally do not charge for providing this information but may charge a reasonable admin fee to cover our costs if you request further copies.

11.3 Right to correction

If you ask us to, we will correct and/or update your personal data if we agree that it is inaccurate or incomplete.

11.4 Right to erasure

You can ask us to delete your personal data and wherever possible, we will erase it at the earliest opportunity. However, there may be certain circumstances in which we have to retain your data and cannot erase it immediately. These could include:

  • we have a legal obligation to retain your data for a specified period;
  • we require the data to establish, exercise, or defend a legal claim;
  • reasons of substantial public interest (e.g., public health, archiving, research).

In those circumstances, we will action your erasure request as soon as we are lawfully allowed to do so.

11.5 Right to object

You can object to the collection, use, sharing, and retention of your personal data used to pursue a legitimate interest if you feel it causes you undue detriment, damage, or distress. We will consider the reason for your objection and unless we have a strong enough reason to continue, we will cease the activity you have objected to.

You can object to direct marketing (including profiling for direct marketing purposes).

11.6 Right to portability

You can request a copy of the personal data you have provided to us, to be sent to you and/or another service provider in a common electronic format.

11.7 Right to restriction

You can ask us to put on hold the collection, use, sharing, and holding of personal data when:

  • you have requested rectification until we have assessed if it is accurate;
  • you have objected until we have assessed if we still have a strong enough reason for continuing;
  • it has been collected, used, shared, or kept unlawfully and you have requested that it’s not deleted but want it to be restricted;
  • we no longer need it but you need it to establish, exercise, or defend a legal claim.

11.8 Right to withdraw consent

As we rely on your explicit consent as our lawful basis for processing, you have the right to withdraw your consent at any time. To do so, please contact our Data Protection Officer using the details below. Withdrawal of consent does not affect the lawfulness of processing carried out before you withdrew your consent. If you withdraw your consent, we may not be able to continue providing the Program to you.

11.9 Right to challenge automated decisions

We will inform you of any decisions that are wholly automated and are likely to have a legal or significant impact upon you. You have a right to contest and request a manual review of such decisions. This includes, but is not limited to, decisions made by the Safety Alert Monitor described in Section 5.

The rights as described in Sections 11.2 to 11.9 are those applicable under the UK GDPR.

For users in Australia, we take all reasonable steps to ensure that the information we collect about you is accurate, up to date, and complete. Where we collect that information from you directly, we rely on you to supply accurate information. You have the right to access the personal information we hold about you and to ask us to take reasonable steps to correct any personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. If you would like to exercise any of these rights, please email or write to us using the contact details below. If you believe that your personal information has been misused, you can inform us of your complaint by writing to our address and we will attempt to resolve the matter.

12. Data Retention

We retain personal data for the duration of your participation in the Program, and for a defined period afterwards as set out in our Retention Schedule. These retention periods have been set in accordance with NHS records management requirements (DSPT standard 1.4.1) and clinical governance obligations.

Specific retention periods include:

  • Participant data (account, profile, consent records, programme progress): 10 years from last activity
  • Conversation data (messages, AI responses, mood check-ins): 10 years from last activity
  • Safety alert records and audit logs: 7 years from creation, in line with clinical and legal record-keeping requirements
  • Operational and system logs: 180 days (PII is redacted from logs at the point of collection)
  • Database backups: 35 days on a rolling basis (geo-redundant)
  • Ephemeral data (OTP codes, session tokens): Minutes to days (automatically expired)
  • Deleted accounts: Personal data is anonymised immediately upon a valid deletion request (see Section 11.4)

The 10-year retention period for participant and conversation data supports longitudinal analysis of wellbeing programme outcomes and continuity of care across multiple programme enrolments.

We may retain aggregate, anonymised information beyond these periods for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.

For full details of our retention periods, please refer to our Retention Schedule, available on request from our Data Protection Officer.

13. Children’s Privacy

We do not knowingly collect or solicit any information from anyone under the age of 13, or knowingly allow such persons to become our user. The Program is not directed at and not intended to be used by children under the age of 13. If you are aware that we have collected Information from a child under age 13, please let us know by contacting us using the details below and we will delete that information.

14. Contact Information

We welcome your comments or questions regarding this Privacy Policy or privacy-related practices.

Data Protection Officer: Jonathan Craven
Email: dpo@leapforward.ai

If you are not satisfied that we have resolved your query, concern, or complaint, you may refer the matter to the relevant supervisory authority:

United Kingdom:
Information Commissioner’s Office (ICO)
Telephone: 0303 123 1113
Website: www.ico.org.uk
Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Australia:
Office of the Australian Information Commissioner (OAIC)
Telephone: 1300 363 992
Website: www.oaic.gov.au
Postal Address: GPO Box 5288, Sydney, NSW 2001

15. Terms of Use

Please also visit our Terms and Conditions of Use, which sets out the conditions of use and limitations of liability governing the use of the Program.

16. Changes to the Privacy Policy

We may update this Privacy Policy from time to time. The date of the last revision appears at the top of this document. We encourage you to periodically review this page for the latest information on our privacy practices. Where changes are significant, we will notify you through the Program and, where required, seek your consent to any new processing activities. Regardless of changes to our Privacy Policy, we will never use the information you submit under our current Privacy Policy in a new way without first notifying you and giving you the option to opt out.