Privacy Policy
Last updated: 28 April 2026 · Craig Rushworth trading as Rushworth Media, United Kingdom
Information Security & Quality Commitment. Our approach to data privacy and information security is aligned with the principles of ISO/IEC 27001:2022 (Information Security Management Systems), ISO/IEC 27701:2019 (Privacy Information Management), and ISO 9001:2015 (Quality Management Systems). We apply these frameworks as operational standards to protect your personal data and deliver a consistent, trustworthy service. We do not currently hold formal certification to these standards.
This Privacy Policy explains how Craig Rushworth trading as Rushworth Media ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the MOS website at mastery-os.com and, when launched, the MOS mobile application. We are committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international privacy legislation.
1. Data Controller
The data controller responsible for your personal data is:
Craig Rushworth trading as Rushworth Media
United Kingdom
Email: info@rushworthmedia.com
As data controller, we determine the purposes and means of processing your personal data. We maintain records of processing activities in accordance with UK GDPR Article 30 and the accountability principle under Article 5(2).
2. Information We Collect
We collect and process the minimum personal data necessary for each stated purpose (data minimisation — UK GDPR Article 5(1)(c)):
- Identity data: your first and last name.
- Contact data: your email address.
- Technical data: IP address, browser type and version, device type, operating system, and referring URLs.
- Usage data: pages visited, time spent on site, and interaction patterns.
- Communications data: content of any messages or enquiries you send us.
We do not collect special category data (UK GDPR Article 9), criminal convictions data (Article 10), or payment card data directly. Any store transactions are handled exclusively by PCI-DSS compliant third-party payment processors.
3. Lawful Basis for Processing
We only process your personal data where we have a valid lawful basis under UK GDPR Article 6:
- Consent (Article 6(1)(a)): marketing communications and app update notifications. Consent may be withdrawn at any time.
- Legitimate interests (Article 6(1)(f)): website improvement, fraud prevention, and responding to enquiries. Legitimate interests assessments have been conducted and documented.
- Legal obligation (Article 6(1)(c)): compliance with applicable law and regulatory requirements.
- Contract (Article 6(1)(b)): fulfilment of store orders or other contractual arrangements.
4. How We Use Your Data
- To send app updates, early access notifications, and newsletters (consent).
- To respond to enquiries and provide support (legitimate interests / contract).
- To analyse and improve website performance (legitimate interests).
- To process and fulfil orders (contract).
- To detect and prevent fraud and malicious activity (legitimate interests / legal obligation).
- To comply with legal and regulatory obligations (legal obligation).
We will never sell, rent, or trade your personal data to third parties. We do not engage in solely automated decision-making with legal or similarly significant effects (UK GDPR Article 22).
5. Information Security
We apply information security controls aligned with ISO/IEC 27001:2022 Annex A controls, including:
- Access control: data access is restricted to authorised persons on a need-to-know basis, with access rights reviewed periodically.
- Encryption: all data transmitted via this website is protected by TLS/SSL. Data at rest is encrypted where technically feasible.
- Asset management: we maintain an information asset register covering personal data assets and their processing purposes.
- Incident management: we maintain a data breach response procedure aligned with UK GDPR Articles 33–34, including 72-hour notification to the ICO where required and direct notification to affected individuals where there is high risk to their rights and freedoms.
- Supplier due diligence: third-party data processors are assessed for security compliance and bound by Article 28-compliant data processing agreements.
- Vulnerability and patch management: systems are reviewed and updated in a timely manner to address known vulnerabilities.
- Business continuity: backup and recovery procedures are maintained to ensure data availability and resilience.
- Risk management: information security risks are identified, assessed, and treated on a regular basis in line with ISO/IEC 27001:2022 Clause 6.1.
While we apply rigorous security measures, no method of internet transmission can be guaranteed as 100% secure. In the event of a breach that is likely to affect your rights and freedoms, we will notify you without undue delay.
6. Privacy by Design
Consistent with UK GDPR Article 25 and ISO/IEC 27701:2019, we embed privacy and data protection into the design of our systems and services from the outset, rather than as an afterthought. This includes conducting data protection impact assessments (DPIAs) where processing is likely to result in high risk to individuals.
7. Data Quality
In line with ISO 9001:2015 quality management principles and UK GDPR Article 5(1)(d), we take reasonable steps to ensure personal data we hold is accurate, complete, and kept up to date. If you believe data we hold about you is inaccurate, please contact us and we will correct it promptly.
8. Cookies
We use cookies in accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR:
- Strictly necessary cookies: essential for website operation. No consent required.
- Analytics cookies: used to understand visitor behaviour and improve our service. Only set with your explicit consent.
- Functional cookies: remember your preferences. Set with consent.
You may withdraw consent for non-essential cookies at any time via your browser settings.
9. Data Sharing and Third Parties
We may share your personal data with the following categories of recipients under Article 28-compliant processing agreements:
- Email marketing platforms (e.g. Mailchimp) — newsletter and update delivery.
- Website hosting providers (e.g. Hostinger) — website infrastructure and hosting.
- Analytics providers (e.g. Google Analytics) — aggregated, anonymised usage analytics.
- Payment processors (PCI-DSS compliant) — store transactions.
- Legal and regulatory authorities — where required by applicable law.
We do not authorise third parties to use your data for their own marketing purposes.
10. International Data Transfers
Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place under UK GDPR Chapter V, including UK adequacy regulations, International Data Transfer Agreements (IDTAs), Standard Contractual Clauses (SCCs), or Binding Corporate Rules as applicable.
11. Data Retention
We retain personal data only as long as necessary, in accordance with our documented retention schedule:
- Newsletter / interest registration data: retained until consent is withdrawn or deletion is requested.
- Transaction records: 7 years (UK tax and accounting obligations).
- Analytics data: up to 26 months in aggregated, anonymised form.
- Enquiry / communications data: up to 2 years from last contact.
Upon expiry of the applicable retention period, data is securely deleted or anonymised beyond reconstruction.
12. Your Rights
Under UK GDPR, you have the following rights. We will respond to verified requests within 30 days at no charge (unless requests are manifestly unfounded or excessive):
- Right of access (Article 15): obtain a copy of personal data we hold about you.
- Right to rectification (Article 16): correct inaccurate or incomplete data.
- Right to erasure (Article 17): request deletion where there is no compelling reason to continue processing.
- Right to restrict processing (Article 18): limit processing in specified circumstances.
- Right to data portability (Article 20): receive your data in a structured, machine-readable format.
- Right to object (Article 21): object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: withdraw at any time without affecting prior lawful processing.
- Rights related to automated decision-making (Article 22): not to be subject to solely automated decisions with significant effects.
To exercise any right, contact us at info@rushworthmedia.com. We may verify your identity before processing requests.
13. Children's Privacy
Our services are not directed at children under 13 (or 16 where applicable under local law). We do not knowingly collect data from children. If you believe we have inadvertently done so, contact us immediately at info@rushworthmedia.com and we will delete it without delay.
14. International Users
If you access this website from outside the United Kingdom, your data may be transferred to and processed in the UK. By using this website you acknowledge this. We honour EU GDPR rights for EEA-based users and CCPA rights for California-based users in full. Please contact us to exercise any applicable rights.
15. Third-Party Links
Our website may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their policies independently.
16. Policy Review and Updates
We review this Privacy Policy at least annually and following any material change to our processing activities, consistent with the continual improvement principle of ISO 9001:2015 and ISO/IEC 27001:2022 Clause 10. Material changes will be reflected in the "Last updated" date above. Where changes are significant, we will notify affected individuals directly where practicable.
17. Complaints
If you are dissatisfied with how we handle your personal data, you may lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
We welcome the opportunity to resolve concerns directly before escalation. Please contact info@rushworthmedia.com in the first instance.
18. Contact
Craig Rushworth trading as Rushworth Media
info@rushworthmedia.com