Legal

Privacy Policy

Effective date: 31 March 2026 | Version 2.0

This Privacy Policy explains how 10X Communities Limited (trading as 10X Managers, and referred to throughout as “10X Managers”, “we”, “us”, “our”) collects, uses, stores and protects personal data in connection with:

  • Our websites (including 10xmanagers.com)
  • The LeadersLab platform
  • The Manager Strength Index (MSI)
  • The Tensai AI coaching assistant
  • Our leadership and management development programmes and related services

We are committed to privacy by design, UK GDPR compliance, and transparent data practices.

1. Who We Are

Controller:

10X Communities Limited (trading as 10X Managers)

Company number: 12628747

Registered office:

Unit 1310, Solihull Parkway, Birmingham Business Park, Solihull, England, B37 7YB

Data protection supervisory authority:

Information Commissioner’s Office (ICO), UK

ICO Registration Number: ZB519074

Contact for privacy queries and data rights requests:

notifications@10xmanagers.com

2. Scope of This Policy

This Policy applies to:

  • Visitors to our websites
  • Users of the LeadersLab platform
  • Participants in programmes delivered by 10X Managers
  • Users of the Manager Strength Index (MSI)
  • Users of our AI tools, including Tensai
  • Client representatives, HR/L&D contacts and other client stakeholders
  • Individuals who contact us, attend events, or access our content and resources

This Policy does not cover how our clients process personal data for their own purposes (e.g. HR, performance management, promotion decisions). Clients remain independent controllers for their own internal processing.

Where we provide additional client-specific documentation (e.g. a programme Data & AI Annex), that documentation should be read together with this Policy.

3. Our Role as Controller and Processor

We act as a data controller where we determine the purposes and means of processing, including for:

  • LeadersLab accounts and platform activity
  • MSI assessment design, scoring, and insights
  • Tensai AI coaching conversations and coaching features
  • Personalised learning journeys and recommendations
  • Platform logs, security and analytics
  • Our own marketing, CRM, and business operations
  • Reporting that originates from our own systems and analytics

We may act as a data processor when processing personal data on behalf of a client who determines the purpose, for example:

  • Processing attendance lists provided by a client
  • Delivering workshops where the client selects participants
  • Processing feedback forms required by the client
  • Exporting data from our systems into the client’s own tools on their instructions

Where we act as a processor, our responsibilities and limitations are governed by the data processing provisions in our agreement with that client.

If you are unsure whether we are acting as controller or processor for a particular activity, you can contact us at notifications@10xmanagers.com.

4. Personal Data We Collect

We collect only the data we reasonably need to deliver and improve our services.

4.1 Identity and Contact Data

  • Name
  • Work email address
  • Job title and level
  • Organisation name
  • Team or department
  • Telephone number (if provided)

4.2 Account & Platform Usage Data

  • Login identifier and authentication logs
  • Account profile information
  • Activity within LeadersLab (e.g. modules viewed, progress, completion status)
  • Dates and times of access
  • Basic usage metrics (e.g. session length, navigation paths)

4.3 Programme & Learning Data

  • Workshop and programme attendance
  • Participation in exercises, simulations and activities
  • Contributions to co-created resources (e.g. playbooks, templates)
  • Feedback and surveys (e.g. satisfaction, perceived impact)
  • Reflections and development planning activities submitted through the platform

4.4 Assessment Data (Manager Strength Index – MSI)

  • Responses to MSI scenarios and questions
  • Scores and behavioural insights derived from responses
  • Developmental recommendations and strengths/areas for focus
  • Derived metrics (e.g. category scores, capability profiles)

4.5 Tensai AI Coach Data

Tensai is a persistent AI coaching assistant. For Tensai we process:

  • Questions, prompts and messages entered by the user
  • Coaching guidance generated in response
  • Persistent chat history, including timestamps
  • Any user ratings or feedback on Tensai’s guidance

Tensai conversations are stored in our own infrastructure so that:

  • Users can review prior conversations
  • We can troubleshoot issues and improve the experience
  • We can support continuity in coaching and learning

We do not use Tensai conversations to train any public AI models.

4.6 Technical & Security Data

  • IP address and approximate region (for security and abuse prevention)
  • Browser type and device information
  • Server and application logs
  • Error logs
  • Security events (e.g. repeated failed logins)

4.7 Optional / Voluntary Data

Individuals may choose to provide additional information, such as:

  • Personal development goals
  • Notes, reflections and action plans
  • Documents or templates uploaded as part of learning activities
  • Preferences and interests (e.g. topics they want to focus on)

We advise users not to submit unnecessary personal or highly sensitive information.

4.8 Special Category Data

We do not design our services to collect special category data (e.g. health data, racial or ethnic origin, political opinions, religious beliefs or union membership), and we do not require such data for any of our services.

We ask users not to enter such data into LeadersLab, Tensai, MSI, or workshop activities. If special category data is submitted, it will be processed with the same security safeguards, but is not needed for service delivery and may be deleted.

5. How We Collect Data

We collect personal data through:

  • Client onboarding– where clients provide participant details (e.g. name, email, job title)
  • Direct user input– when users create accounts, fill in profiles, complete MSI, interact with Tensai, submit forms or upload content
  • Programme activities– such as attendance records, workshop contributions, and feedback surveys
  • Platform logs and cookies– when users interact with our website or LeadersLab
  • Communications– via email, support requests, or other direct contact

6. Purposes and Legal Bases for Processing

We process personal data only where we have a lawful basis under the UK GDPR.

6.1 Delivering Our Services

We process data to:

  • Provide access to LeadersLab and related platforms
  • Deliver workshops, programmes and coaching
  • Administer and score MSI assessments
  • Provide personalised learning journeys and recommendations
  • Support Tensai AI coaching interactions

Legal bases:

  • Performance of a contract (Article 6(1)(b))
  • Legitimate interests (Article 6(1)(f)) where processing benefits both users and clients by improving leadership capability

6.2 Operating, Securing and Improving Our Platform

We process data to:

  • Ensure platform availability and performance
  • Diagnose and resolve technical issues
  • Maintain security, prevent misuse and detect fraud
  • Analyse usage in aggregate to improve our services and content

Legal bases:

  • Legitimate interests (ensuring secure and effective services)
  • Legal obligation (for security logs and incident handling, where applicable)

6.3 Client Reporting and Programme Evaluation

We process data to:

  • Provide clients with attendance and engagement data
  • Provide MSI-based insights at individual and cohort level
  • Produce aggregated analyses and reports on programme outcomes
  • Co-create organisational playbooks and resources using workshop inputs

Where possible, reporting is aggregated or anonymised. Individual-level reporting is agreed with each client as part of programme design.

Legal bases:

  • Performance of a contract
  • Legitimate interests of clients and 10X Managers in evaluating and improving leadership capability and programme impact

6.4 Communications and Support

We process data to:

  • Send service and account-related communications
  • Respond to support queries and feedback
  • Provide programme updates and operational messages
  • Send optional marketing or thought leadership content (with opt-out)

Legal bases:

  • Performance of a contract
  • Legitimate interests in managing customer relationships
  • Consent (for certain marketing communications, where required)

6.5 Legal, Regulatory and Compliance

We process data to:

  • Comply with legal and regulatory obligations
  • Respond to lawful requests from public authorities
  • Establish, exercise or defend legal claims
  • Enforce our terms and protect our rights or safety

Legal basis:

  • Legal obligation
  • Legitimate interests in protecting our business and users

7. Use of AI and Automated Processing

We use Artificial Intelligence (AI) and machine learning in several parts of our offering, including:

  • Analysing MSI responses and generating narrative insights
  • Recommending learning content and journeys
  • Providing Tensai AI coaching conversations
  • Transcribing and summarising workshops to support playbook creation
  • Summarising feedback and generating draft reports for human review
  • Retrieval-Augmented Generation (RAG) using our EU-based Supabase database

7.1 AI Safeguards

To protect privacy and ensure compliance:

  • We use enterprise-grade AI providers with zero data retention configurations, so prompts and responses are not stored or used to train their public models.
  • We store only the inputs/outputs we choose to retain within our own infrastructure (AWS EU and Supabase EU).
  • We implement client-level data segregation, so AI retrieval for a given client is restricted to that client’s data and generic 10X learning content, not other clients.
  • We apply access controls, logging and monitoring to all AI-related data.
  • We conduct Data Protection Impact Assessments (DPIAs) where AI processing presents potential high risk, including for MSI, Tensai and workshop transcript processing.
  • AI outputs are subject to human oversight. We do not rely on AI to make legally significant or employment-related decisions about users.

7.2 Automated Decision-Making

We do not carry out solely automated decision-making that produces legal or similarly significant effects on individuals within the meaning of UK GDPR Article 22. MSI and Tensai provide developmental guidance and insights, not binding decisions.

Further information is provided in our separate AI Usage Policy, which should be read alongside this Privacy Policy.

8. Workshop Recordings and Co-Created Resources

In some programmes, workshops or coaching sessions may be recorded and used to create internal resources (e.g. playbooks, case examples).

Where we record sessions:

  • Participants are clearly informed in advance that recording will take place.
  • Where required, we will obtain explicit consent, or offer reasonable alternatives (e.g. ability to join without being recorded).
  • Recordings are shared with the client(s) for internal use only, not for resale or public publication unless separately agreed.
  • We do not use workshop recordings to train public AI models.
  • Recordings will be retained in line with our retention policy and may be deleted earlier on client request, unless legal obligations require otherwise.

Co-created resources (e.g. playbooks) may incorporate anonymised insights and examples derived from workshop discussions and programme activities. These resources are typically licensed to the client for internal use.

9. User Profiles and Community Directory

LeadersLab includes a community directory feature designed to help members connect with and learn from other managers and leaders on the platform.

9.1 Profile Information

When a user account is created on LeadersLab, a profile page is generated. This profile page displays:

  • The user’s name
  • Job title
  • Organisation name

This information is drawn from the identity and contact data described in section 4.1 of this Policy.

9.2 Community Directory Visibility

Profile pages are visible to other logged-in members of the LeadersLab community. This supports our community learning model, enabling managers to identify and connect with peers across organisations, sectors and roles.

Legal basis: Legitimate interests (Article 6(1)(f)). We have a legitimate interest in facilitating peer learning and professional networking among members of the LeadersLab community, which is a core part of our service. Users benefit from being able to discover and learn from other managers in the community.

9.3 Profile Privacy Settings

Users can control the visibility of their profile through privacy settings available within their LeadersLab account. The following options are available:

  • Private: the profile page is accessible only to other logged-in LeadersLab members. This is the default setting for all new accounts.

Users or their organisation’s authorised representative may request that a profile be made fully private by contacting us at notifications@10xmanagers.com.

9.4 Search Engine Indexing

User profile pages are not indexed by external search engines. We apply technical controls (including noindex directives) to prevent profile pages from appearing in search engine results. No user profile data is made publicly accessible outside the LeadersLab platform.

10. Data Sharing

We do not sell personal data.

We may share personal data in the following limited circumstances:

10.1 With Clients (Your Organisation)

For enterprise programmes, we may share with the client’s authorised representatives:

  • Participant lists and account status
  • Attendance and completion information
  • Engagement indicators (e.g. participation, content completion)
  • MSI scores and associated insights (where agreed with the client)
  • Cohort-level and aggregated reporting
  • Co-created resources and workshop outputs
  • Workshop recordings (where recording has been agreed)

We do not share raw Tensai chat logs with clients.

The exact scope of reporting is agreed programme-by-programme and may be documented in a programme annex.

10.2 With Our Subprocessors

We use carefully selected third-party service providers (“subprocessors”) to host and support our services. These may include:

  • Cloud infrastructure providers (e.g. AWS in EU)
  • Database and storage providers (e.g. Supabase EU)
  • Email and notification platforms (e.g. Customer.io EU)
  • Security and performance services (e.g. Cloudflare)
  • Enterprise AI and transcription providers operating under zero data retention

We:

  • Maintain an up-to-date list of subprocessors supporting our services;
  • Require subprocessors to implement GDPR-equivalent protections;
  • Only engage subprocessors under written contracts;
  • Do not permit subprocessors to use personal data for their own marketing, analytics or model training;
  • Notify clients of material changes to subprocessors where contractually required.

10.3 Legal and Regulatory Disclosures

We may disclose personal data where required to:

  • Comply with applicable law, regulation or legal process
  • Respond to lawful requests from public authorities
  • Protect our rights, property or safety, or those of our users or third parties

In such cases we will disclose only the minimum information necessary.

10.4 Business Transfers

In the event of a merger, acquisition, restructuring or sale of all or part of our business, personal data may be transferred to the acquiring entity as part of the transaction, subject to continued protection consistent with this Policy.

11. International Transfers

Our default approach is to store and process personal data in the UK and European Union.

Where personal data is transferred outside the UK or EEA (for example in connection with certain enterprise AI services):

  • We use appropriate transfer mechanisms such as the EU Standard Contractual Clauses (SCCs) together with the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement (IDTA).
  • We implement additional safeguards such as:
    • zero-data-retention configurations,
    • encryption,
    • strict access controls, and
    • data minimisation.
  • Transfers are made only where necessary and in compliance with applicable data protection law.

12. Data Retention

We keep personal data only for as long as necessary for the purposes set out in this Policy or as required by law.

12.1 Core Programme and Platform Data (Client Contracts)

For users whose data is processed in connection with a client contract:

Identity, contact, programme participation, MSI data, learning activity data and Tensai chat history are retained for the duration of the client contract and up to six (6) years after the contract ends.

This reflects typical contractual limitation periods and enables us to:

  • Evidence services delivered
  • Support follow-on or extended programmes
  • Handle questions, complaints or legal claims
  • Maintain audit trails

12.2 Individual Accounts (Non-Client Contracts)

Where an individual uses our services outside a corporate client agreement:

Account and associated data are retained for the life of the account and up to three (3) years after the last activity, unless deletion is requested sooner.

12.3 Tensai Chat History

  • Tensai chat history is persistent and viewable to the user.
  • Users may request deletion of their chat history at any time.
  • When we delete chat history, it is permanently erased from our live systems and will only remain in backups until those backups naturally cycle out.

12.4 Workshop Recordings

  • Retained and shared with the client for internal use in line with programme scope.
  • Deleted earlier where the client requests deletion and there is no legal obligation to retain.
  • Not used for public AI training or external commercialisation.

12.5 Aggregated and Anonymised Data

We may retain aggregated and anonymised data indefinitely for:

  • Service improvement
  • Research and benchmarking
  • Analytics and trend analysis

“Anonymised” means data has been altered so that individuals are no longer identifiable, in line with ICO guidance and UK GDPR; it is not merely pseudonymised.

12.6 Deletion on Request

Upon a verified request from a client or individual, we will delete relevant personal data unless we are required by law to retain it. We aim to complete deletions within 30 days.

Data is deleted securely and irreversibly.

13. Security

We implement a combination of technical and organisational security measures, including:

  • Encryption in transit (TLS) and at rest
  • Logical separation of client data
  • Role-based access controls and least-privilege principles
  • Multi-factor authentication for privileged access
  • Logging and monitoring of access and key operations
  • Firewalls, intrusion detection and network protections
  • Regular updates and security patching
  • Staff confidentiality obligations and training in data protection
  • Incident response procedures, including breach notification where required

If we become aware of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority and affected clients/users in accordance with legal requirements.

14. Your Rights

Under UK data protection law, individuals have the following rights in relation to their personal data:

  • Right of access– to obtain a copy of personal data we hold about you.
  • Right to rectification– to correct inaccurate or incomplete data.
  • Right to erasure– to request deletion of your data in certain circumstances.
  • Right to restrict processing– to limit how your data is used in certain situations.
  • Right to object– to processing based on legitimate interests, and to direct marketing.
  • Right to data portability– to receive certain data in a commonly used, machine-readable format.
  • Right not to be subject to certain automated decisions – where decisions are made solely by automated means with legal or similarly significant effects (which we do not currently carry out).
  • Right to withdraw consent– where processing is based on consent.

To exercise any of these rights, please contact us at notifications@10xmanagers.com.

We may need to verify your identity before fulfilling a request. We aim to respond within one month, or notify you if additional time is required for complex requests.

You also have the right to lodge a complaint with the ICO or your relevant supervisory authority if you are unhappy with how we process your data.

15. Cookies and Similar Technologies

We use cookies and similar technologies in a privacy-conscious way, primarily to ensure the proper functioning of our website and platform.

We may use:

  • Essential cookies– required for login, session management and core functionality.
  • Functional cookies– to remember preferences (e.g. language).
  • Privacy-friendly analytics– which collect aggregated, non-identifying information about general usage of our site and platform.

We do not use:

  • Third-party advertising cookies
  • Behavioural tracking cookies that follow you across other websites
  • Social media tracking pixels for advertising purposes

You can control cookies through your browser settings. If you disable essential cookies, parts of our website or LeadersLab platform may not function correctly.

16. Children’s Privacy

Our services are aimed at adults in a professional context (e.g. managers, leaders, employees). They are not intended for children under 16.

We do not knowingly collect personal data from children under 16. If you believe we may have collected data about a child, please contact us and we will delete it as required.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect changes in:

  • Our services or technology
  • Applicable laws and guidance
  • Our data processing practices

When we make material changes, we will:

  • Update the “Effective date” at the top of this Policy, and
  • Provide additional notice where appropriate (e.g. via email or within the platform).

Your continued use of our website, platforms or services after the updated Policy takes effect will constitute your acknowledgement of the changes.

18. Contact Us

If you have any questions, concerns, or requests about this Privacy Policy or our data practices, please contact:

Privacy Officer, 10X Managers
10X Communities Limited
notifications@10xmanagers.com
Unit 1310, Solihull Parkway, Birmingham Business Park, Solihull, England, B37 7YB

We take privacy seriously and will do our best to resolve any concerns promptly and fairly.