Data Protection and Privacy Policy 

GFI Certificate in Financing Greener Homes

1. Overview and Scope 

This document sets out how GFI Solutions Ltd (‘GFI’) collects, processes, and protects personal data in connection with the delivery of the GFI Certificate in Financing Greener Homes (‘the Programme’). It supplements GFI’s main Privacy Policy (available at www.greenfinanceinstitute.com). 

GFI Solutions Ltd is the data controller in respect of all personal data collected from Programme Delegates. GFI Solutions Ltd is registered in England and Wales (company number 13561294) with registered office at 6 St. Andrew Street, Ground Floor, Farringdon, London, EC4A 3AE.
All personal data is processed in accordance with the UK Data Protection Act 2018, the UK GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, consistent with GFI's main Privacy Statement which covers all personal data collected by the Green Finance Institute, GFI Solutions Ltd and GFI Europe Operations Ltd.

Both GFI and LBG act as independent data controllers in respect of personal data they each hold. This policy sets out GFI's obligations as data controller. LBG's obligations are governed by its own data protection framework. 

2. Data Collected

2.1 Register of Interest (Mailchimp)

From 16 March 2026, individuals may register interest in the Programme via the GFI website. Data collected:
• Name and work email address.
• Implicit consent to receive Programme-related communications from GFI via Mailchimp.
Legal basis: Consent (individuals have opted in). Purpose: to notify registrants when the application window opens and keep them informed of Programme developments. Individuals may unsubscribe at any time via the link in any Mailchimp email or by contacting info@gfi.green.
Mailchimp acts as a data processor on GFI's behalf. Data is stored on Mailchimp's servers. GFI and Mailchimp have a data processing agreement 

2.2 Scholarship Scheme Application Form 

The formal application window is open from 20 April to 1 May 2026. Data collected via the application form:
• Identity: first name, last name.
• Contact: work email address.
• Professional: firm name, FCA Firm Reference Number (FRN), job title, main advice area, firm type, firm size, employment status, years in role (optional), region.
• Motivational responses (free text, up to 150 words per question).
• Commitment and capacity confirmations (dropdown responses).
• Eligibility confirmations (tick box).
• Equal opportunities acknowledgement (tick box).
• Agreement to Programme Terms and Conditions and this Privacy Policy (tick box).

Legal basis: Performance of a contract (processing is necessary to assess and fulfil the application). Purpose: to assess eligibility, select Scholarship Scheme candidates, and administer enrolment. Application data is stored on the LearnWorlds platform.
Both GFI and LBG act as independent data controllers in respect of application data. GFI shares application data with LBG for the purpose of joint candidate vetting and selection. GFI will be transparent with applicants about LBG's role in the selection process and will only share personal data where there is an appropriate lawful basis.

2.3 LBG Internal Cohort Enrolment 

LBG internal staff (up to 100 Business Development Managers, Trainee BDMs, CAMs, Premier RMs, NAMs and HDMs) are automatically registered and enrolled by LBG without a competitive application process. LBG provides GFI with a staff list prior to the Programme Live Date. Data processed by GFI in respect of the internal cohort is limited to name, work email address, and job role, used solely for platform enrolment and programme administration.
LBG acts as data controller in respect of its own staff data. GFI processes this data on LBG's behalf for enrolment purposes only.

2.4 Pre-Training Self-Assessment Questionnaire (LearnWorlds/Microsoft Forms)

All enrolled Delegates complete a pre-training questionnaire at the start of the Programme. Data collected:
• Knowledge and confidence self-ratings (0-10 scales on three dimensions).
• Behavioural baseline: frequency of client discussions on energy efficiency; green checks embedded in advice process; barriers to raising energy efficiency; compliance team support; T&C referencing; importance assigned to Consumer Duty.
• Learning style preference and training objectives (multi-select).
• Optional: career seniority and free-text professional background.

Legal basis: Legitimate interests (GFI's interest in measuring programme impact and improving programme quality, balanced against Delegates' interests; completing the questionnaire is a programme requirement). Purpose: to establish a knowledge and behavioural baseline for comparison with post-training data and the 12-month recontact survey, and to fulfil LIBF accreditation reporting requirements.
Data is stored on the LearnWorlds platform (where the questionnaire is hosted as a pre-course activity) or Microsoft Forms (interim hosting). It is not shared with LBG in identifiable form; anonymised and aggregated data may be shared with LBG for KPI reporting purposes. 

2.5 Platform Engagement Data (LearnWorlds)

While Delegates use the GFI Academy platform, the following data is automatically generated and processed:
• Module completion status and progress percentage.
• Time spent on each unit and chapter.
• Assessment attempts, scores and outcomes (pass/fail).
• Login activity, access timestamps, browser and device data.
• Discussion forum posts and comments (visible to GFI admins and all enrolled Delegates).

Legal basis: Performance of a contract (processing is necessary to deliver the Programme and issue certification) and legitimate interests (quality monitoring and LIBF reporting). Purpose: to track Delegate progress, administer assessments and certification, monitor programme quality, and report to LIBF.
LearnWorlds (CY) Ltd acts as data processor on GFI's behalf in respect of all platform data. A Data Processing Agreement (DPA) is in place between GFI Solutions Ltd and LearnWorlds (CY) Ltd as required by UK GDPR Article 28. LearnWorlds is registered with the Information Commissioner's Office (ICO Reference: ZA372094). Data is stored on Google Cloud Platform servers (EU and US regions). LearnWorlds holds ISO 27001 and SOC 2/3 certifications. All data is encrypted in transit (TLS 1.2) and at rest. Each GFI Academy school has an isolated database.

LBG has admin access to the LearnWorlds platform for its tagged cohort (LBG tag). LBG can view engagement data (progress, completion status, assessment scores) for its 300 intermediary and 100 internal staff delegates. LBG does not have access to data belonging to self-funded Delegates.

2.6 Post-Training Feedback Form

On completion of the Programme, Delegates are invited to complete a feedback form. Data collected:
• Name (optional).
• Overall enjoyment rating (NPS-style).
• Likelihood to recommend.
• Whether expectations were met.
• Open-text feedback on likes, dislikes, and suggestions.
• Consent to use feedback for marketing purposes (tick box).
Legal basis: Consent (the form is optional; marketing use requires an additional explicit consent tick box). Purpose: programme quality improvement; testimonials and marketing (where consent given). Data is stored on Microsoft Forms / Microsoft 365 (GFI's enterprise environment).
Anonymised and aggregated feedback is shared with LIBF as part of the annual accreditation review. No individually identifiable feedback is shared with LBG without the Delegate's explicit consent.

2.7 Certification Data 

Upon passing the final assessment, the following data is processed to issue the certificate:
• Delegate name (as provided at enrolment).
• Date of completion.
• Unique certificate number (generated by LearnWorlds).
• Digital badge data (for LinkedIn and email footers).
• Certificate issuance is automated via the LearnWorlds platform. Certificate PDFs are available for download from the Delegate's GFI Academy account. Certificate data is retained if GFI's records of programme completers are maintained.

3. Data Sharing 

GFI does not sell Delegate personal data to any third party. Data is shared in the following limited circumstances: 

Lloyds Banking Group (LBG)

Application data (name, email, FRN, job role, motivational responses) is shared for joint candidate vetting and selection. Enrolment and engagement data (name, email, job role, FCA FRN, course progress, assessment scores, and activity logs) is shared for progress monitoring and KPI reporting. Graduation event administration data may also be shared.
Basis: Legitimate interests. Lloyds Banking Group acts as an independent data controller.

LearnWorlds (CY) Ltd

All platform data, including enrolment, progress, assessment, and engagement data, is processed through LearnWorlds as the learning platform provider.
Basis: LearnWorlds acts as a processor only and does not use the data independently.

Mailchimp (Intuit Inc.)

Register of interest data (name, email). Basis: Consent. Data Processing Agreement. Processor only- no independent use.

Microsoft (Microsoft 365)

Feedback form responses. Basis: Legitimate interests / consent. Processor only — no independent use.

LIBF (London Institute of Banking and Finance)

Anonymised and aggregated programme performance data (pass rates, completion rates, average scores, cohort demographics). No individually identifiable Delegate data shared without consent. Basis: Contractual obligation.

ICO or competent authority

Where required by law or regulatory request.

4. International Data Transfers

LearnWorlds stores data on Google Cloud Platform servers in the EU (Frankfurt) and US (South Carolina and Virginia). LearnWorlds is registered with the ICO and has certified under the EU-US Data Privacy Framework. Standard contractual clauses (SCCs) are also in place. GFI has assessed the risks of these transfers as low, consistent with LearnWorlds' own transfer impact assessment, which concludes that its services are unlikely to be of interest to US intelligence services.

Mailchimp (Intuit Inc.) is based in the US and is certified under the EU-US Data Privacy Framework. A Data Processing Agreement is in place.

All transfers are conducted in accordance with UK GDPR Chapter V requirements, including the use of adequacy decisions, SCCs, or other approved transfer mechanisms. Further information on data transfer arrangements is available from info@gfi.green.

This is consistent with the approach set out in GFI's main Privacy Statement, which confirms that data may be transferred outside the UK only where appropriate safeguards are in place.

5. Retention Periods

Data Type      

Retention Period and Basis

Register of interest (Mailchimp)

Until unsubscribed, or maximum 5 years from initial registration. Basis: consent. Deleted on unsubscribe request.

Application form data

6 months from application date for unsuccessful applicants. 7 years from programme completion for successful applicants (for certificate verification and audit purposes).

LBG internal staff enrolment data

Duration of Sponsorship Agreement plus 6 months. LBG data is deleted from GFI systems following completion of contractual obligations under the Sponsorship Agreement.

Platform engagement data (LearnWorlds)

For the duration of GFI's LearnWorlds subscription. GFI has 30 days to export data following termination of the LearnWorlds subscription (per LearnWorlds Terms of Service). Archived copy retained by LearnWorlds for 9 months post-termination.

Pre-training questionnaire data

3 years from the date of collection. Used for programme improvement and 12-month recontact survey.

Post-training feedback

3 years from the date of collection. Where consent to use for marketing was given, until consent is withdrawn.

Certification records

Minimum 7 years from certificate issuance, for verification and compliance purposes.

Assessment data (scores, attempts)

7 years from assessment date. May be used for malpractice investigation or dispute resolution.

6. Delegate Rights

As data subjects, Delegates have the following rights under UK GDPR, consistent with GFI's main Privacy Statement:
• Right of access: to request a copy of personal data held about them.
• Right to rectification: to request correction of inaccurate or incomplete data.
• Right to erasure: to request deletion of personal data, subject to GFI's legal obligations (e.g. retention of certification records).
• Right to restrict processing: to request that processing is limited in certain circumstances.
• Right to data portability: to receive personal data in a structured, machine-readable format where processing is based on consent or contract.
• Right to object: to object to processing based on legitimate interests.
• Right to withdraw consent: where processing is based on consent (e.g. Mailchimp register of interest, marketing use of feedback), consent may be withdrawn at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, Delegates should contact GFI at:

Email: info@gfi.green

Post: Green Finance Institute, 6 St. Andrew Street, Ground Floor, Farringdon, London, EC4A 3AE

GFI will respond to subject access requests within one month. Responses may be extended to three months for complex requests; the Delegate will be informed of this.

Delegates also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113.

For queries about how LBG processes personal data in its capacity 

7. Security

GFI takes appropriate technical and organisational measures to protect personal data from unauthorised access, accidental loss, destruction or damage, consistent with its obligations under UK GDPR and as described in GFI's main Privacy Statement.

The LearnWorlds platform employs the following security measures: isolated databases per school; salted and hashed passwords; HTTPS/TLS 1.2 enforcement; XSS vulnerability controls; PCI-DSS compliant payment processing via Stripe and PayPal (GFI does not store payment card data); Google Cloud Platform infrastructure with ISO 27001 and SOC 2/3 certification; 24/7 monitoring and regular penetration testing. Full details are available at www.learnworlds.com/data-security/.

Notwithstanding these measures, the transmission of information via the internet is not completely secure. GFI cannot guarantee the security of data transmitted to the platform, and any transmission is at the Delegate's own risk. If a security incident occurs affecting Delegate data, GFI will notify affected individuals and the ICO in accordance with its obligations under UK GDPR.

8. Changes to This Policy

GFI reserves the right to update this policy from time to time to reflect changes in the Programme, applicable law, or the platform used for delivery. Material changes will be communicated to Delegates via the GFI Academy platform or by email. Delegates are encouraged to check this policy periodically. The current version will always be available on request from training@gfi.green.

This policy should be read alongside GFI's main Privacy Statement (available at www.greenfinanceinstitute.com), which applies to all personal data collected by GFI, its subsidiaries and its website.

9. Contact

Data Controller: GFI Solutions Ltd
Registered address: 6 St. Andrew Street, Ground Floor, Farringdon, London, EC4A 3AE
Company number: 13561294
General privacy enquiries: info@gfi.green
Programme-specific data queries: training@gfi.green
LearnWorlds (data processor)- GDPR contact: gdpr@learnworlds.com
LearnWorlds ICO registration: ZA372094

Subscribe to our newsletter

Thank you!

Pages

Policy Pages

Copyright © 2026  | All rights reserved.
6 St Andrew Street, Farringdon, London EC4A 3AE
The Green Finance Institute Ltd is a company registered in England and Wales with Company Number: 11963728