Privacy Policy

View our Easy Read version

Effective Date: 10.06.2026

Thank you for choosing Multi Me, a product of MULTI-ME LTD. This Privacy Policy outlines how we collect, use, disclose, and safeguard your personal information when you use our software product and visit our websites, including multime.com, my.multime.com, and rixwiki.org. By using our services, you agree to the terms of this Privacy Policy.

This Privacy Policy is applicable to users of the websites multime.com, my.multime.com, and rixwiki.org, covering the use of our services on these online platforms. Furthermore, it extends to include users of the Multi Me smartphone app and the RIX Wiki smartphone app available on both iOS and Android operating systems.

We gather information about you in two main categories: (1) data voluntarily provided by you while using the Multi Me Service, detailed further under "Information you provide to us," and (2) information automatically collected as a consequence of your interaction with the Service, elaborated on in the section titled “Information collected automatically.” The nature and extent of the information collected can vary, contingent upon the user's role—be it a General User, a Buddy, a Supported User, or an Account Holder (e.g., we intentionally collect minimal information from Supported Users). Furthermore, the specifics of how users engage with Multi Me, such as educators joining a school, may necessitate the collection of specific information, for instance, school address details.

  1. UK and European Union Data Protection Compliance

1.1. UK and EU GDPR Compliance

Multi-Me Ltd. provides services to organisations and individuals in both the United Kingdom and the European Union.

We comply with:

  • UK General Data Protection Regulation (UK GDPR)

  • Data Protection Act 2018 (United Kingdom)

  • EU General Data Protection Regulation (EU GDPR)

  • Applicable Irish data protection legislation where services are provided to organisations located in the Republic of Ireland.

Depending on the nature of the service, Multi-Me Ltd. may act as either a Data Controller or Data Processor.

In most deployments for health, social care, disability and education services, the customer organisation acts as the Data Controller and Multi-Me Ltd. acts as the Data Processor on their behalf.

Multi-Me Ltd. processes personal data only in accordance with documented instructions from the Data Controller and applicable data protection legislation.

1.2. Lawful Basis for Processing

Multi-Me Ltd. processes personal information only where there is a lawful basis to do so under UK GDPR and/or EU GDPR.

Depending on the circumstances, lawful bases may include:

  • Consent

  • Performance of a contract

  • Compliance with a legal obligation

  • Protection of vital interests

  • Performance of a task carried out in the public interest

  • Legitimate interests pursued by the Data Controller or Processor

Where special category data is processed, an additional lawful condition under Article 9 UK GDPR or EU GDPR will be identified and documented by the Data Controller.

1.3. Processing Data for Irish Organisations

Multi-Me Ltd. provides services to organisations based in the Republic of Ireland, including health, disability, social care and education providers.

Where personal data relating to individuals located in Ireland is processed, Multi-Me Ltd. complies with EU GDPR requirements and supports customer organisations in meeting their obligations as Data Controllers.

Data Processing Agreements (DPAs) are available for all customer organisations and can be provided upon request.

2. Information We Collect

2.1. Personal Information

  • Contact Information: Name, email address, phone number.

  • Account Information: Usernames, passwords, security questions.

  • Billing Information: Payment details, billing address.

2.2. Usage Information

  • Device Information: Type, model, operating system.

  • Log Data: IP address, browser type, pages visited, time spent.

2.3.  Information collected automatically - Cookies and Similar Technologies

  • We use cookies and similar technologies to enhance your experience and collect additional information. You can manage your cookie preferences through your browser settings.

2.4.  User-Generated Biographical Data

  • Our platform provides users with the ability to voluntarily upload biographical data to create their own stories, share experiences, and engage with the community. This may include personal narratives, historical information, or life events. It is important to note that we do not access or use this user-generated biographical data for any purpose beyond facilitating the intended user interactions.

2.5.  User-Generated Content

  • Users may voluntarily submit various types of data to create their stories and engage with the platform. This includes, but is not limited to:

  • Text-based messages

  • Pictures

  • Videos

  • Audio recordings

  • Documents

  • Stickers

  • Weblinks

  • Location Maps

  • This diverse range of user-generated content is an integral part of the platform's functionality, allowing individuals to express themselves and engage with their Circle of Support.

3. How We Use Your Information

3.1. General Use of Information

We use personal information to:

  • Provide and maintain Multi Me services.

  • Support person-centred planning, communication and collaboration within Circles of Support.

  • Manage user accounts and permissions.

  • Process transactions and administer subscriptions.

  • Provide training, technical support and customer service.

  • Improve the functionality, accessibility and security of our platforms.

  • Comply with legal, regulatory and contractual obligations.

3.2.  User-Generated Biographical Data Usage

  • The user-generated biographical data uploaded to our platform is used solely to enable users to create, manage, and share their own stories within the platform. The handling of this data is tailored to the unique roles defined within our user system:

  • Supported Users:

  • Vulnerable individuals, including people with learning and intellectual disabilities and minors under 18, who use the platform. Their privacy and safety are of paramount importance. Personal data is processed to provide a tailored and supportive environment, ensuring a positive and secure user experience.

  • Buddies:

  • Guardians assigned to Supported Users. Buddies play a crucial role in safeguarding, monitoring, and administrating one or more Supported Users. They are granted access to specific information necessary for their caregiving responsibilities, emphasizing the importance of maintaining a secure and supportive online environment.

  • Portal Admins:

  • Administrators overseeing a Multi Me Portal/network. They are responsible for creating users and defining roles and relationships within their portal. Portal Admins have access to high-level analytics, ensuring the effective management of the platform while upholding privacy and security standards.

  • Circle Members:

  • Circle Members may be granted read/write access to a Supported User's content by the Buddy, facilitating collaboration within the Circle of Support.

3.3.  Bespoke and Third-Party Applications Hosted by Multi-Me Ltd.

Multi-Me Ltd. may develop, host, maintain and support bespoke software applications on behalf of third-party organisations.

In such circumstances, the third-party organisation will typically act as the Data Controller and Multi-Me Ltd. will act as the Data Processor.

Multi-Me Ltd. may provide services including:

  • Secure hosting and infrastructure management

  • Software development and maintenance

  • Technical support and bug fixing

  • Data backup and disaster recovery services

  • Security monitoring and system administration

Multi-Me Ltd. processes personal data only as necessary to provide the contracted service and in accordance with applicable data protection legislation, including UK GDPR and EU GDPR where applicable.

Details of how personal information is used within specific third-party applications will be set out in the privacy policies and data protection documentation provided by the relevant Data Controller.

4. Information Sharing

4.1. General Information Sharing

We may share your information with:

  • Third-party service providers for processing payments, analytics, and support.

  • Law enforcement or government agencies when required by law.

  • We do not sell your personal information to third parties.

4.2.  Third-Party Service Providers for Video and Media Processing

  • In order to enhance and efficiently operate our services, we utilise third-party services for the processing of video and media files. These services are carefully chosen to ensure compliance with GDPR and accredited data standards. While these third-party providers may handle certain aspects of data processing, they are contractually obliged to maintain the confidentiality and security of the information they process on our behalf.

  • Our websites and software may contain links to third-party websites. Please be aware that Multi Me is not responsible for the privacy practices of these external sites. We encourage you to review the privacy policies of these websites, as they may differ from ours. The inclusion of third-party links does not imply endorsement or responsibility for the content or practices of these external sites. Your interactions with these linked websites are subject to their own terms and policies.

4.3. Data Security of Third-Party Services

We take measures to ensure that any third-party services employed for video and media processing adhere to the same stringent data security standards we uphold. These services are regularly reviewed to confirm their continued compliance with relevant data protection regulations.

4.4. Controlled Sharing

Multi-Me Ltd. values user privacy and provides controlled sharing options within specific environments, such as School Communities, Organisations and Circles of Support. The following principles guide our approach to sharing information:

  • Users, such as Supported Users or Group Admins, may control access to information they create or manage.

  • Buddies can disable sharing for a Supported User through the "Manage this User" screen.

  • Multi-Me discourages and restricts the onward sharing of information, placing control in the hands of the information owner or their Buddy where appropriate.

4.5. Sharing and Inviting as a Buddy or Wiki Keeper

  • Buddies or Wiki Keepers can invite key individuals to join a Supported User's Circle, Groups or shared Wiki network, including health professionals, teachers, family members and friends.

  • Invitations may be sent to existing registered users or via email addresses for new users joining the platform.

  • Buddies or Wiki Keepers may also invite individuals to view specific sections of a user's Multi Me account or Wiki using secure email access links.

  • Email addresses collected during these processes are stored and processed in accordance with this Privacy Policy.

5. Objections to Data Processing and Account Deletion

At Multi Me, we believe you should have control over your personal data. If you wish to object to the processing of your data, follow these simple steps:

5.1. Account Managed by an Organisation (e.g. care provider or school):

If your Multi Me account is managed by an organisation, like a care home:

  • Simply contact the organisation's Data Protection Officer (DPO).

  • Ask them to remove your data from their Multi Me dashboard.

  • The organisation will delete your data and confirm this with you directly.

5.2. Account Purchased Directly from Multi Me:

If you bought your Multi Me account directly (e.g., as a parent/carer or individual with a disability):

  • Log in to your Multi Me account.

  • Go to 'My Account Settings.'

  • Click 'Delete Account.'

  • If you do not log in and restore your account, your data will be scheduled to be permanently deleted in 2 weeks.

  • Individuals wishing to request the immediate deletion of their information can contact us directly at privacy@multime.com.

We've made these processes straightforward to respect your right to control your information.

6. Data Security and Compliance

  • Multi-Me Ltd. is committed to maintaining high standards of information security, data protection, governance and interoperability.

  • Multi-Me Ltd. is ISO 27001 certified, reflecting our commitment to maintaining a robust Information Security Management System (ISMS) aligned with international best practice.

  • We also complete the NHS Data Security and Protection Toolkit (DSPT) self-assessment annually, demonstrating our alignment with NHS data security requirements for organisations handling health and care information.

  • Multi-Me incorporates and supports the Professional Record Standards Body (PRSB) About Me Standard and has successfully completed an independent PRSB conformance assessment. This helps ensure that person-centred information can be recorded, shared and understood consistently across health, social care, education and support services.

  • We regularly review our policies, procedures, technical controls and compliance arrangements to ensure ongoing alignment with applicable legal, regulatory and industry standards.

  • Multi-Me Ltd. maintains a Third-Party Services and Sub-Processor Register which provides information about key third-party suppliers used in the delivery and support of our services. The current register can be viewed at here.

6.1. Hosting and Data Security on Amazon Web Services Servers (AWS)

  • Data is hosted within the United Kingdom using Amazon Web Services (AWS).

  • The United Kingdom benefits from an adequacy decision issued by the European Commission under Article 45 of the EU General Data Protection Regulation (EU GDPR), allowing personal data to be transferred from the European Economic Area (EEA) to the United Kingdom without the need for additional transfer safeguards.

  • AWS is a trusted cloud service provider that employs robust physical, technical and organisational security measures to protect the confidentiality, integrity and availability of data. The hosting infrastructure is subject to regular security audits and assessments to support ongoing compliance with recognised industry standards.

  • We strive to maintain a 99.9% uptime for our platform, ensuring reliable access and performance for our users. While we employ robust security measures, redundancy and regular maintenance to uphold this standard, we cannot guarantee uninterrupted service at all times. Scheduled maintenance or unforeseen issues may occasionally result in temporary downtime.

  • In the event of planned or unplanned outages, we will work promptly to restore access and minimise disruption to our users.

6.2. Daily Data Backups

To safeguard against data loss, we perform daily backups of our data hosted on AWS servers. These backups are stored securely and can be restored in the event of any unforeseen incidents. The backup process is an integral part of our commitment to maintaining data integrity and availability.

6.3. Security breaches

While we make concerted good faith efforts to maintain the security of personal information, and we work diligently to ensure the integrity and security of our systems, it's essential to acknowledge that no practices are 100% immune, and we cannot guarantee the absolute security of information. Various factors, including outages, cyber-attacks, human error, system failures, unauthorized use, or other unforeseen circumstances, may compromise the security of user information at any time.

  • In the event of a security breach, we are committed to taking swift action. We will attempt to notify you electronically within 72 hours of detecting the breach, subject to any applicable laws. Notification methods may include posting a notice on our homepage (www.multime.com) or elsewhere on the Service. Additionally, we may send an email to the address you have provided to us.

  • Where required by applicable legislation, Multi-Me Ltd. will notify the relevant supervisory authority, which may include:

  • The Information Commissioner's Office (ICO) in the United Kingdom

  • The Data Protection Commission (DPC) in Ireland

  • Notification will be made without undue delay and, where required, within 72 hours of becoming aware of a reportable personal data breach.

  • We will record all near misses, security incidents and personal data breaches and review these with the Multi-Me Governing Board. Anonymised information may be shared with relevant regulators, customers or oversight bodies where required.

  • It's important to note that depending on your location, you may have a legal right to receive notice of a security breach in writing. We encourage you to take appropriate protective steps upon receiving any notification to safeguard your information.

  • The actions we take in response to a data breach:

  • Immediate Investigation:

  • Launch an immediate investigation to assess the extent and nature of the breach.

  • Identify the specific data compromised and the potential impact on affected individuals.

  • Notification to Authorities:

  • Report the breach to relevant data protection authorities, complying with legal obligations.

  • Timely Notification to Users:

  • Notify affected users within 72 hours, as required by applicable data protection laws.

  • Provide clear and transparent communication regarding the nature of the breach, the information compromised, and steps users can take to mitigate potential risks.

  • Incident Response Team Activation:

  • Activate an incident response team, including a Data Protection Officer (DPO), legal experts, and IT professionals, to coordinate the organization's response.

  • Containment Measures:

  • Implement immediate measures to contain and minimize the impact of the breach.

  • Isolate affected systems and secure vulnerabilities that may have led to the breach.

  • Remediation Steps:

  • Develop and implement a remediation plan to address the root cause of the breach.

  • Apply patches, updates, or additional security measures to prevent similar incidents in the future.

  • Coordination with Law Enforcement:

  • Collaborate with law enforcement agencies when necessary to aid in the investigation and potential prosecution of malicious actors.

  • Offer Support to Affected Individuals:

  • Offer support services to affected individuals, as appropriate.

  • Reevaluation of Security Policies:

  • Conduct a thorough review of existing security policies and procedures.

  • Update and enhance security measures based on lessons learned from the breach.

  • Documentation and Reporting:

  • Document all actions taken in response to the breach for regulatory compliance and internal analysis.

  • Prepare a comprehensive post-incident report to identify areas for improvement in the organisation's security posture.

  • Present action plan to Governing board, evidencing risks, mitigations, responsibility and timescales for any follow up action.

7. Your Rights and Choices

7.1. Managing Your Information

Users can:

  • Access and update personal information through their account settings where available.

  • Manage communication preferences and opt out of marketing communications using the unsubscribe links provided in our emails.

  • Request deletion of their account and personal information, subject to applicable legal, contractual and regulatory obligations.

  • Contact us at privacy@multime.com if they require assistance managing their information or exercising their rights.

7.2. Additional Rights Under UK GDPR and EU GDPR

Individuals may have the following rights under applicable data protection legislation:

  • The right of access to personal data.

  • The right to rectification of inaccurate personal data.

  • The right to erasure ("right to be forgotten").

  • The right to restrict processing.

  • The right to object to processing.

  • The right to data portability.

  • The right to withdraw consent where consent is relied upon as the lawful basis for processing.

  • The right to lodge a complaint with the relevant supervisory authority.

Requests relating to these rights may be submitted to privacy@multime.com.

7.3. Managing User-Generated Biographical Data

Users retain control over the biographical data they upload to our platform and may manage, edit or delete their user-generated content where appropriate. For enquiries regarding the handling of user-generated biographical data, please contact privacy@multime.com.

7.4. National Data Opt-Out Scheme

  • Where applicable, Multi-Me Ltd. supports the NHS National Data Opt-Out Scheme.

  • The National Data Opt-Out allows individuals in England to choose whether their confidential patient information is used for purposes beyond their individual care and treatment, such as research and planning.

  • Where Multi-Me Ltd. acts as a Data Processor, responsibility for determining the applicability of the National Data Opt-Out Scheme and ensuring compliance with associated obligations rests primarily with the customer organisation acting as Data Controller. Multi-Me Ltd. will support customer organisations in meeting these obligations where required.

8. Adults Lacking Mental Capacity

Our services may be utilised by adults who lack the mental capacity to provide valid informed consent. In such cases, caregivers, acting as legal representatives or advocates, play a crucial role in managing the individual's personal information. The following guidelines outline our approach to obtaining necessary consents for such adults:

8.1. Caregiver Responsibilities

  • Legal Representation: Caregivers, serving as legal representatives or advocates for adults lacking mental capacity, are responsible for providing consent on their behalf.

  • Informed Decision-Making: Caregivers should make decisions in the best interests of the individual, considering their preferences, well-being, and any known wishes expressed when they had the mental capacity.

8.2. Consent Process

  • Clear Communication: Caregivers are encouraged to maintain clear communication with the individual, explaining the nature and purpose of data processing to the best of their ability.

  • Documented Consent: Whenever possible, caregivers should document their consent decisions, outlining the reasons behind them.

8.3. Data Access and Management

  • Access to Information: Caregivers may be granted access to and manage personal information on behalf of the adult lacking mental capacity, ensuring their privacy and security.

  • Respecting Individual Privacy: Caregivers should respect the privacy and dignity of the individual when handling their personal information.

8.4. Multi-Me Support

  • Guidance and Assistance: Multi Me provides guidance and assistance to caregivers in navigating the consent process and managing personal information on behalf of adults lacking mental capacity.

  • Contact: For inquiries or support related to obtaining consents for adults lacking mental capacity, caregivers can contact us at privacy@multime.com.

9. Data Retention and Management

At Multi Me, we prioritise the responsible handling of data to ensure privacy, security, and compliance with applicable laws and regulations. Our commitment to effective data retention and management is reflected in the following practices:

9.1. Data Classification:

We classify data based on its sensitivity and regulatory requirements, enabling us to determine appropriate retention periods tailored to the nature of the information

9.2. Documented Retention Policies:

Multi Me develops and maintains clearly documented data retention policies that comprehensively outline specific retention periods for different types of data.

9.3. Regular Audits:

We conduct regular audits of stored data, proactively identifying and addressing obsolete or unnecessary information to facilitate secure disposal.

9.4. Automated Data Deletion Processes:

Multi Me has implemented automated processes for the deletion of data that surpasses its defined retention period. This ensures timely and consistent compliance with our data retention policies.

9.5. Legal and Regulatory Compliance:

We stay abreast of changes in relevant laws and regulations that impact data retention requirements. Multi Me adjusts retention policies and practices to align with legal and regulatory obligations.

9.6. User Consent Monitoring:

Multi Me monitors and respects user consents for data processing and retention. We provide mechanisms for users to manage their preferences and exercise their right to be forgotten.

9.7. Secure Data Disposal:

We establish secure methods for the disposal of data at the end of its retention period, ensuring that sensitive information is irreversibly deleted or anonymised.

9.8. Employee Training:

We train employees on data retention policies and procedures to ensure awareness and compliance throughout the organisation.

9.9. Documentation of Data Lifecycles:

We document the complete lifecycle of data, including creation, storage, access, and eventual deletion, to maintain transparency and accountability.

9.10. Periodic Review and Adjustment:

Multi Me periodically reviews and adjusts data retention policies based on evolving business needs, technology advancements, and changes in the regulatory landscape.

9.11. Notification to Data Subjects:

When applicable, we provide clear and transparent notifications to data subjects regarding the duration for which their data will be retained and the purpose of such retention.

9.12. Exception Handling:

We implement protocols for handling exceptions or legal holds that may temporarily suspend the standard data retention processes in response to legal proceedings or investigations.

10. Third-Party Links

Our websites and software may contain links to third-party websites. We are not responsible for their privacy practices. Please review the privacy policies of these websites.

11. Children's Privacy

Our services may be used by individuals under the age of 13 under the supervision and guidance of a caregiver (a Buddy on our system). In such cases, we recognise the importance of protecting the privacy and safety of children. The following additional information is provided to address the use of our services by children:

11.1. Parental Consent

If you are a caregiver allowing a child under the age of 13 to use our services, you confirm that you are the child's parent or legal guardian and provide consent for the collection and processing of the child's personal information.

11.2.  Information Collection from Children

We may collect limited personal information from children under 13, such as a username and email address, solely for the purpose of providing and improving our services. We do not knowingly collect more information than is reasonably necessary for these purposes.

11.3. Caregiver Rights

Caregivers have the right to review, delete, or refuse further collection of their child's personal information. To exercise these rights, please contact us at privacy@multime.com.

11.4. Educational and Safety Features

We are committed to incorporating educational and safety features into our services to create a secure environment for children. Caregivers are encouraged to guide and monitor their child's use of our services.

12. Changes to this Policy

We may update this Privacy Policy to reflect changes in our practices or for other operational, legal, or regulatory reasons.

12.1. Notification of Changes

We will provide notice of any material changes to this Privacy Policy through our website, platform, or by other means as required by applicable law. We encourage you to periodically review this page for the latest information on our privacy practices.

13. Contact Us

If you have any questions or concerns regarding this Privacy Policy, your personal information, or your rights under UK GDPR or EU GDPR, please contact:

Data Protection Officer
Professor Gosia M. Kwiatkowska
privacy@multime.com


14. Data Controller and Data Processor Responsibilities


14.1. Customer Responsibilities

Where Multi-Me Ltd. acts as a Data Processor, the customer organisation is responsible for determining the lawful basis for processing personal data and for obtaining any consents, authorisations or other legal permissions required under applicable legislation.

Customer organisations acting as Data Controllers are also responsible for ensuring that data subjects are provided with appropriate privacy information and that their rights under applicable data protection legislation are respected.


14.2. Multi-Me Responsibilities

Where Multi-Me Ltd. acts as a Data Processor, we process personal data only under the documented instructions of the Data Controller and in accordance with applicable data protection legislation, including UK GDPR and EU GDPR where applicable.

Multi-Me Ltd. implements appropriate technical and organisational measures to protect personal data and supports customer organisations in meeting their data protection obligations.


Last Updated: 10.06.2026