Privacy Policy

1. Who we are

The Global Mayors Academy ("GMA", "we", "us", "our") is a leadership development program operated by Global Mayors Academy Limited, a registered entity at 128 City Road, London, United Kingdom, EC1V 2NX with company number 17106351.

For the purposes of UK GDPR and EU GDPR, Global Mayors Academy Limited is the data controller responsible for your personal data when you interact with the Global Mayors Academy.

GMA is a program of Living Cities Earth, a Swiss charitable association (Verein, CHE-494.695.351). Where Living Cities Earth processes data on our behalf, it acts as a data processor under our instruction.

You can contact us about anything relating to your personal data at:

• Email: contact@globalmayors.academy · subject line "Privacy enquiry"
• Postal address: 128 City Road, London, United Kingdom, EC1V 2NX

If we appoint a Data Protection Officer (DPO), their contact details will be added here.

2. What personal data we collect

We collect different categories of personal data depending on how you interact with us. The categories below are inclusive — not every category applies to every user.

When you visit our website

• Technical data such as your IP address, browser type and version, operating system, device type, and approximate location (derived from IP)
• Usage data such as pages visited, time spent, referral source, and clicks
• Cookie data — see Section 10 and our Cookies Policy

When you fill in a form (Request Info, Contact, Application)

• Identity data: first and last name
• Contact data: email address, optional phone or WhatsApp number
• Professional data: your role, the city and country you work in
• Additional context: your motivations, interests, and any free-text information you choose to share

When you apply for or enrol in the City Leaders Program

• Application data: your statement of motivation, professional background, references where requested
• Financial data: payment details processed through our payment providers (we do not store full payment card numbers ourselves)
• Program data: your participation, work submitted, project details, peer interactions

When you become an affiliate, ambassador, or partner

• Identity and contact data
• Professional and organisational data: your organisation, role, and network
• Financial data: payment details for commission payouts (where applicable), tax identifiers where required
• Performance data: referrals, conversions, commission balances

When you correspond with us

Records of correspondence, including the content of emails and the timestamps and metadata of those messages.

Special categories of personal data

We do not routinely collect "special category" data (such as health, religious beliefs, ethnic origin, sexual orientation, or political views) under UK/EU GDPR. If you voluntarily share such information — for example, in a written application or conversation — we will treat it with extra care and process it only with your explicit consent.

3. How we collect it

We collect personal data in the following ways:

• Directly from you — when you fill in a form on our website, write to us, register for an event, apply for the program, or sign up as an affiliate
• Automatically — through cookies and analytics tools when you visit our website (see Section 10)
• From third parties — for example, from affiliate referrers, from partner organisations, from publicly available professional sources (such as LinkedIn) when we perform basic verification, and from our payment providers when you complete a payment

We will not collect personal data about you that we do not need.

4. Why we collect it and our legal basis

Under UK/EU GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:

Performance of a contract

When you register for the City Leaders Program, we process your data to deliver the program to you — sessions, materials, certification, and so on. Without this data, we cannot fulfil the contract.

Legitimate interests

For some processing — such as basic analytics, fraud prevention, follow-up after you submit a Request Info form, and operating our affiliate program — we rely on our legitimate interests, balanced against your rights and reasonable expectations. You can object to processing on this basis at any time (see Section 9).

Consent

For optional activities — such as marketing communications, certain types of cookies, and processing of any special category data you voluntarily share — we rely on your explicit consent. You can withdraw consent at any time.

Legal obligation

Where we are required by law to retain or share data — for example, tax records, anti-money-laundering checks for affiliate payouts, or response to lawful requests — we process data on this basis.

Vital interests and public task

We do not currently rely on these bases.

5. Who we share it with

We share your personal data with a limited number of categories of recipients, only where necessary for the purposes set out in this policy.

Service providers (data processors acting on our behalf)

• Payment providers — Stripe and PayPal, for processing program fees and (in PayPal's case) affiliate payouts
• Email and CRM providers — for sending program communications, marketing emails, and managing our customer relationship records
• Affiliate-tracking platform — CC360, for tracking affiliate referrals and managing commission accounting
• Webinar and event platforms — Zoom and similar, for delivering live sessions and recording them where consent is given
• Cloud hosting and infrastructure providers — for the website, the application, and document storage
• Analytics providers — Google Analytics and similar, in line with your cookie preferences (see Section 10)

A full list of our processors is available on request to the address in Section 14.

Strategic and accreditation partners

• Where we work with accreditation bodies (such as GAC, UWTSD, or UNGLEP), we share the minimum personal data necessary to confirm and certify your participation.
• Where you are referred by an affiliate or partner, we may share confirmation of enrolment with the referring partner for the purpose of administering commission or recognition. We do not share other personal data without your consent.

Public authorities and legal requests

We may share personal data with public authorities where required by law, in response to a valid legal request, or to protect the rights, property, or safety of GMA, our participants, or the public.

In a corporate transaction

If GMA or its operating entity is reorganised, merged, or transferred, your personal data may be transferred as part of that transaction. You will be informed in advance and your rights under this policy will be preserved.

What we do not do

• We do not sell your personal data to third parties
• We do not share your personal data with advertisers
• We do not use your personal data, your work submitted as part of the program, or your communications with us to train AI models — see our Ethical AI Policy

6. International transfers

The Global Mayors Academy is a global program. Some of our service providers and partners are located outside the United Kingdom and the European Economic Area (EEA), including in the United States and Switzerland.

Where we transfer personal data outside the UK or EEA, we ensure that one of the following safeguards is in place:

• Adequacy decisions — where the destination country has been recognised by the UK or EU as providing adequate data protection (Switzerland, for example, benefits from such an adequacy decision under both regimes)
• Standard Contractual Clauses (SCCs) — the standard data-protection clauses approved by the UK and EU regulators
• Other lawful safeguards — such as binding corporate rules, where applicable

You can request a list of the relevant safeguards by writing to us at contact@globalmayors.academy.

7. How long we keep it

We retain personal data for as long as is necessary for the purposes for which it was collected, then we delete or anonymize it. Indicative retention periods are:

• Enquiry and Request-Info data — up to 24 months from your last interaction, unless you opt to remain on our contributor list for longer
• Active participant data — for the duration of your participation in the program, plus seven years after completion (to support certification queries, alumni relations, and accreditation reporting)
• Affiliate and partner data — for the duration of the partnership, plus seven years after the partnership ends (for tax and audit purposes)
• Financial and tax records — for the period required by applicable tax law (typically six to ten years)
• Marketing data — until you unsubscribe or until 36 months of inactivity, whichever is earlier
• Website analytics data — typically up to 26 months in aggregated form

You can request deletion of your data at any time, subject to our legal obligations (see Section 9).

8. How we keep it secure

We take the security of your personal data seriously. Our measures include:

• Encryption of data in transit (HTTPS / TLS)
• Encryption of stored data where appropriate
• Access controls — only team members who need access have it, and only for the purposes of their role
• Regular security reviews of our service providers
• Two-factor authentication on critical systems
• Procedures for notifying you and the relevant regulator within 72 hours in the event of a personal data breach that is likely to result in a risk to your rights

No system is perfectly secure, and we cannot guarantee absolute security. If you suspect a security issue, please write to us immediately at contact@globalmayors.academy.

9. Your rights

Under UK/EU GDPR, you have the following rights in relation to your personal data:

• Right of access — you can request a copy of the personal data we hold about you
• Right to rectification — you can ask us to correct inaccurate or incomplete data
• Right to erasure ("right to be forgotten") — you can ask us to delete your data, subject to our legal obligations
• Right to restriction — you can ask us to limit how we use your data while we resolve a query
• Right to data portability — you can ask us to provide your data in a machine-readable format, or transfer it to another controller
• Right to object — you can object to processing based on our legitimate interests, including direct marketing
• Right to withdraw consent — where we rely on your consent, you can withdraw it at any time, without affecting the lawfulness of prior processing
• Rights in relation to automated decision-making — we do not currently make significant decisions about you using purely automated processing

To exercise any of these rights, write to us at contact@globalmayors.academy with the subject line "Data subject request". We will respond within one month, and may extend this by up to two further months for complex requests, in which case we will let you know.

There is normally no charge for exercising these rights. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive.

10. Cookies and tracking

Our website uses cookies and similar technologies to make the site work, to improve your experience, and to understand how visitors use the site. Some cookies are strictly necessary; others are optional and used only with your consent.

The full list of cookies, their purposes, providers, and durations is set out in our Cookies Policy. You can change your cookie preferences at any time by clicking the "Manage cookies" link in our footer.

11. Marketing communications

If you have opted in to our newsletter or other marketing communications, we will send you occasional updates about the program, events, and the wider Living Cities Earth movement. We aim to send no more than one to two emails per month.

You can unsubscribe at any time by clicking the "unsubscribe" link in any marketing email, or by writing to us at contact@globalmayors.academy. Unsubscribing from marketing does not affect transactional emails relating to your participation in the program.

12. Children's data

The Global Mayors Academy is intended for adults — typically civic leaders, officials, and professionals over the age of 18. We do not knowingly collect personal data from children under the age of 16. If you believe we have collected data from a minor in error, please write to us immediately at contact@globalmayors.academy and we will delete it.

13. Changes to this policy

We may update this policy from time to time, for example to reflect changes in the law, in our service providers, or in our processing practices. The current version is always available at globalmayors.academy/privacy, with the "Last updated" date at the top.

For material changes that affect existing participants — for example, the addition of a new processing purpose or a new category of recipient — we will notify you by email and, where required, request your renewed consent.

A version history is maintained internally and is available on request.

14. How to contact us or complain

For any question, request, or concern about your personal data, please write to us at contact@globalmayors.academy with the subject line "Privacy enquiry".

If you are not satisfied with our response, you have the right to complain to a data-protection regulator:

• In the United Kingdom: the Information Commissioner's Office (ICO) — ico.org.uk
• In the European Union: your national data-protection authority. A list is available at edpb.europa.eu
• In Switzerland: the Federal Data Protection and Information Commissioner (FDPIC) — edoeb.admin.ch

We would prefer to address your concern directly first, so please contact us before lodging a complaint where possible. We take privacy seriously and we will engage in good faith.