Privacy Policy
Last updated: 13 February 2026
1. Who we are
The HR Health Check tool ("the Tool") is operated by [Company Name], a company registered in England and Wales (company number [number]) with its registered office at [Registered Address] ("we", "us", "our").
We are the data controller for the personal data collected through the Tool. This means we decide how and why your personal data is processed.
- Email: [email address]
- Phone: [phone number]
- ICO registration number: [number]
2. What data we collect
When you use the Tool, we collect the following categories of personal data:
Data you provide directly
- Contact details — name, email address, phone number, job title/position
- Company information — company name, employee count, industry sector, business age, employment types, business locations
- Assessment responses — your answers to the 74 assessment questions
Data collected automatically
- Device information — device type, screen resolution, viewport size, and browser user agent string
- Usage data — time spent on each step of the assessment, answer changes, session resume events
- Technical data — IP address, browser type, and operating system (collected by our hosting infrastructure)
3. How and why we use your data
We process your personal data for the purposes set out below, along with the lawful basis we rely on for each:
| Purpose | Lawful basis |
|---|---|
| Delivering your assessment and generating your compliance report | Performance of a contract (providing the service you requested) |
| Sending your results by email | Performance of a contract |
| Email verification to protect returning users' data | Legitimate interest (security) |
| Following up on your assessment results and offering our HR consultancy services | Legitimate interest (we have a genuine business interest in contacting users who have completed an HR compliance assessment to discuss how we can help address any gaps identified) |
| Sending marketing communications about our wider HR services | Consent (where you have opted in) |
| Collecting device information and usage data | Legitimate interest (improving the Tool, identifying technical issues, and preventing fraud) |
| Analysing assessment trends in aggregate (no individual identification) | Legitimate interest (business improvement and product development) |
| Internal administration and reporting | Legitimate interest (business management) |
Where we rely on legitimate interest, we have conducted a Legitimate Interest Assessment to ensure our interests do not override your rights and freedoms. You can request a copy of this assessment by contacting us.
4. Marketing communications
We may contact you by email or telephone to follow up on your assessment results and discuss how our HR consultancy services could help your business. We consider this a reasonable expectation given that you chose to complete an HR compliance assessment operated by an HR consultancy.
We will only send wider marketing communications (such as newsletters, promotions, or information about services unrelated to your assessment) where you have given us your explicit consent to do so.
You can opt out of any marketing communication at any time by:
- clicking the "unsubscribe" link in any marketing email;
- emailing us at [email address]; or
- calling us on [phone number].
We will action your opt-out request promptly and maintain a suppression list to ensure you do not receive further marketing from us.
5. Who we share your data with
We do not sell your personal data to third parties. We may share your data with the following categories of recipients, who process it on our behalf under appropriate contractual safeguards:
- Supabase Inc. — database hosting and authentication (data stored in the EU)
- Vercel Inc. — website hosting and delivery
- Resend Inc. — transactional and marketing email delivery
We may also disclose your data where required by law, regulation, or court order, or to protect our rights and property.
6. International transfers
Some of our service providers are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, in accordance with UK GDPR requirements.
7. How long we keep your data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:
| Data | Retention period | Reason |
|---|---|---|
| Assessment results and responses | 3 years from completion | Service delivery, trend analysis, and follow-up |
| Contact details for marketing | 2 years from last interaction | We will re-confirm your preferences or delete your data |
| Device and usage data | 12 months | Technical improvement and security |
| Email verification codes | 24 hours | Short-lived security purpose |
| Marketing opt-out records | Indefinitely | Legal requirement to honour opt-outs |
8. Your rights
Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — ask us to delete your data (subject to legal obligations)
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a structured, commonly used format
- Right to object — object to processing based on legitimate interest, including direct marketing
- Right to withdraw consent — where we rely on consent, you can withdraw it at any time without affecting the lawfulness of prior processing
To exercise any of these rights, please contact us at [email address]. We will respond within one month.
9. Automated decision-making
The Tool uses automated scoring to generate your compliance report and risk rating. This scoring is based on a rules-based algorithm that evaluates your answers against UK employment law and HR best-practice standards. The output is general guidance intended to highlight areas for review — it is not a binding assessment of your legal obligations, and no solely automated decisions with legal or similarly significant effects are made about you.
10. Cookies and storage technologies
The Tool uses sessionStorage (a browser storage mechanism) to save your assessment progress so you do not lose your answers if you refresh the page. This data is stored only in your browser, is not transmitted to third parties, and is automatically cleared when you close your browser tab.
We do not currently use advertising or third-party analytics cookies. If this changes, we will update this policy and implement a cookie consent mechanism.
11. Security
We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), secure database hosting with row-level security, and restricted access to personal data on a need-to-know basis. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Children
The Tool is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically. Material changes will be communicated through a notice on the Tool or by email where appropriate.
14. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
15. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Email: [email address]
- Post: [Company Name], [Registered Address]
- Phone: [phone number]
© 2026 HR Health Check. All rights reserved.