Clear, practical information for organisations, practitioners and decision-makers.
Last reviewed: July 2026
Therapeutic Activities Group CIC takes data protection seriously, particularly given the sensitive professional context — supporting people who work with children, young people and vulnerable adults.
For website enquiries and individual accounts, Dragonfly CPD is the data controller. For organisation-managed accounts, the organisation is the controller for its staff's learning records and Dragonfly CPD acts as processor, processing data only on that organisation's documented instructions.
Account details (name, email, role, organisation), learning records (module progress, scores, CPD hours, certificates), and organisation management data (teams, staff codes, licence usage) — collected only where needed to provide the service, issue certificates and evidence packs, and support organisational reporting.
Data is stored and processed via Supabase (database, authentication) and Cloudflare (hosting, delivery), both bound by data processing agreements. Where data is processed outside the UK, this is done under an approved transfer mechanism (such as the UK International Data Transfer Addendum).
Learning records are retained for the duration of an active licence and for a reasonable period after, to support certificate re-issue and audit evidence — see our Privacy Policy for detail. Organisations can request earlier deletion of their staff's data in writing.
We use encrypted connections (HTTPS) throughout, role-based access controls so managers only see their own organisation's data, and named-account access rather than shared logins.
You can request access to, correction of, or deletion of your data at any time via [email protected]. If you're not satisfied with our response, you can complain to the Information Commissioner's Office at ico.org.uk.
Cymraeg