Last updated: May 2026 · Applies to IPP, Activate, and Calibrate
This policy explains how Module Six Ltd and the Institute of Project Professionals collect, use, and protect your personal data when you use our platforms. We collect only what we need. We do not sell your data. We do not use advertising trackers.
The Institute of Project Professionals (IPP) is operated by Module Six Ltd, a company registered in England and Wales. Our platforms are:
For the purposes of UK data protection law, Module Six Ltd is the data controller responsible for your personal data across all three platforms.
Data enquiries: data@ipp.pro
We collect only the data we need to provide the service.
When you create an account, we collect your name and email address via Clerk, our authentication provider. This is required to identify your account, manage your session, and send you essential communications.
When you join IPP, we record your membership tier (Student, Candidate, Associate, Member, or Fellow), your designation (AIPP, MIPP, or FIPP where applicable), your member number, and the date you joined.
When you purchase the PM for Non-Project Managers course, we collect the information necessary to process your payment and grant access. This includes your name, email address, and payment confirmation from Stripe. We record your enrolment status, completion progress across four modules, and any organisation code used to redeem a B2B seat. Course access records are retained for the duration of your access period.
When you sit a formal assessment through Activate, we record the date, score, pass or fail result, and number of questions answered. For the Foundation Certificate in Project Management, one attempt is permitted per sitting. Resit records are stored alongside original attempt records. These records are used to issue certificates on pass and to determine resit eligibility. They are retained for as long as your account is active.
If you join or are invited to an organisation using Calibrate, your competency record, CPD log, and evidence library become accessible to your organisation's designated reviewer and administrator. When you leave an organisation, your record remains yours — it is not deleted and is not retained by the organisation. The passporting system is designed so that your record follows you, not your employer. Joining an organisation requires your explicit action (accepting an invitation or entering an organisation code).
Calibrate assigns each user a portable reference — a unique identifier that travels with your record regardless of which organisation you are associated with. This reference is stored in our database and displayed in your profile. It does not contain personal information in itself but can be used to locate your record. Your record is tied to your primary email address. If you lose access to that email address, you may lose access to your record — which is why we encourage users to add a backup email address through their account settings.
Activate records which topics you have completed, your practice question scores, your mock assessment results, and your last visited topic. This data powers your personal dashboard and is not shared with third parties.
Calibrate stores your self-assessment scores across eight competency areas, CPD log entries, evidence submissions, reviewer feedback, and your development plan. This data belongs to you and is not shared with third parties except where you explicitly request a reviewer to access it as part of the evidence validation process.
When paid membership tiers open, payments will be processed by Stripe. We will not receive or store your full card number, expiry date, or CVV. Stripe provides us with a transaction reference and the last four digits of your card. Stripe's own privacy policy applies: stripe.com/gb/privacy.
Our infrastructure (Cloudflare) processes your IP address and request data as part of normal web operations. We do not use analytics tools, advertising trackers, or third-party scripts that collect browsing behaviour.
Under UK GDPR, we must have a lawful basis for processing your personal data.
| Data | Purpose | Lawful basis |
|---|---|---|
| Name and email address | Creating and managing your account | Contract: necessary to perform the service you have signed up for |
| Email address | Essential service communications (membership confirmations, assessment results) | Contract: necessary to perform the service |
| Membership tier and status | Controlling access to platform features based on your membership | Contract: necessary to deliver the service |
| Learning progress data | Powering your dashboard, revision queue, and assessment readiness | Contract: necessary to deliver the core functionality of Activate |
| Competency and CPD data | Powering your competency profile, development plan, and evidence record | Contract: necessary to deliver the core functionality of Calibrate |
| Payment transaction reference | Confirming your purchase and unlocking paid membership | Contract: necessary to perform the service |
| Email address | Responding to support and data enquiries | Legitimate interests: responding to direct requests you have made |
We do not use your data for marketing purposes without your explicit consent. We do not send promotional emails unless you have opted in.
We keep your account and platform data for as long as your account is active. If you request deletion of your account, we will delete your personal data within 30 days, except where we are required by law to retain certain records.
Payment records, including transaction references and amounts paid, are retained for six years in accordance with UK tax and accounting obligations.
Learning progress, competency, and CPD data is deleted when your account is deleted.
We share your data only where necessary to provide the service. We do not sell your data. We do not share your data with advertisers.
| Third party | Purpose | Data shared |
|---|---|---|
| Clerk (clerk.ipp.pro) | Authentication, session management, and storing membership metadata | Name, email address, membership tier, member number |
| Cloudflare | Hosting, content delivery, and API infrastructure | IP address and request data as part of normal web infrastructure |
| Stripe | Payment processing (when paid tiers open) | Name, email address, and payment card details processed under Stripe's own privacy policy |
| Resend | Transactional email delivery (membership confirmations, reminders) | Email address and name as required to deliver the email |
No other third parties receive your personal data.
Your account and platform data is stored in Cloudflare's D1 database infrastructure, which operates within the UK and European Economic Area (EEA). Cloudflare contractually commits to GDPR-compliant data handling.
Clerk, our authentication provider, is a US-based company. They are certified under the EU-US Data Privacy Framework and use Standard Contractual Clauses to ensure adequate protection for personal data transferred outside the UK and EEA.
Stripe is a US-based company and is also certified under the EU-US Data Privacy Framework.
Resend is a US-based company. They process only the data strictly necessary to deliver a specific email and retain it only as required to operate the service.
Under UK GDPR you have the following rights. To exercise any of them, contact us at data@ipp.pro. We will respond within one month.
If you are not satisfied with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. ICO website: ico.org.uk · ICO helpline: 0303 123 1113.
We use cookies only where strictly necessary for the platforms to function. This includes session cookies managed by Clerk that keep you logged in while you use the platforms. These cookies are shared across ipp.pro, activate.ipp.pro, and calibrate.ipp.pro to provide a single sign-on experience.
We do not use advertising cookies, analytics cookies, or any cookies from third-party advertising networks.
Because we use only strictly necessary cookies, we are not required to request your consent for them under PECR (Privacy and Electronic Communications Regulations). No cookie banner is shown because there is nothing optional to consent to.
Our platforms are intended for individuals aged 16 and above. Candidate membership is open to sixth form and college students preparing for professional qualifications. We do not knowingly collect personal data from anyone under the age of 16. If you believe a person under 16 has created an account, please contact us at data@ipp.pro and we will delete it promptly.
We may update this policy from time to time. When we do, we will update the date at the top of this page. If we make a significant change that affects how we use your personal data, we will notify you by email.
Continued use of our platforms after a policy update constitutes acceptance of the updated terms.
For any questions about this policy, or to exercise your data rights:
Email: data@ipp.pro
We aim to respond to all data-related requests within one month as required by UK GDPR.