We are committed to protecting and respecting your privacy and personal data, and to handling it with transparency and care.
This policy explains how we use your data, and we commit to using your data only in this way.
We may change this policy from time to time and will do so by updating this document and posting the new version on our website, www.affinityhealthatwork.com.
Who we are
Affinity Health at Work is a research and consultancy organisation specialising in health at work. We are experts in everything to do with wellbeing and aim to improve the working lives of all. We do this in four ways: through the provision of research, consultancy, development and insight.
We are a limited company registered in England. Company Registration Number: 5754539
Our registered address is 104 Gaskarth Road, London SW12 9NW.
What is personal data?
Personal data is data that relates to a living individual who can be identified from that data, or from that data and other information that relates to the individual.
What data we collect from you
The data that we collect from you may include:
• Information you provide when you become a Client, commissioner or member of our Research Consortium.
• Information you provide when you participate in consultancy and research projects, such as interviews and surveys.
• Information you provide when you sign up to our mailing list, newsletter and recruitment drives.
• Information you provide when you join our Affinity Team as a staff member, associate or intern.
Clients, Commissioners and Research Consortium Members
• Identification & Contact: Name, email, phone number, postal address.
• Organisational Details: Organisation name, sector, work history.
• Communication Preferences: Newsletter sign-up, consent for ongoing contact.
• Notes from engagement: Meeting records.
• Audio/Video Recordings: Coaching sessions, interviews, focus groups (only with explicit consent).
Participants in Consultancy and Research
• Identification & Contact: Name, email, phone number (where necessary for arranging interviews or training delivery).
• Demographic information: Sensitive or demographic data (anonymised or pseudonymised)
• Employment Details: Job title, employer, work history, sector.
• Employment: Job title, employer, work history, sector.
• Work, health and wellbeing: Psychological assessments, health questionnaires, survey responses, training delivery and coaching notes (where consented).
• Audio/Video Recordings: interviews, focus groups, coaching sessions, meetings (where consented).
Employees and Contractors
• Identification & Contact: Name, email, phone number, postal address.
• HR & Payroll: Date of birth, National Insurance (or national ID), salary information, bank details, right to work and proof of identity.
• Employment Details: Job title, responsibility, performance data.
• Health & Safety: Home address, next of kin, medical conditions (if relevant to health and safety).
The legal basis for processing your personal data is explicit consent.
How we will use your data
We process your data for the following purposes:
Service Delivery
• To plan, deliver, and evaluate consultancy services, training, coaching and development initiatives.
• To conduct workplace research and produce reports or academic publications.
Contractual & Legal Obligations
• To fulfil contractual commitments under consultancy agreements or employment contracts.
• To comply with UK/EU employment law, health and safety regulations, or professional accreditation requirements.
Consent-Based Activities
• To record, transcribe, and analyse audio/video sessions (e.g., coaching, interviews).
• To administer surveys, assessments, or feedback instruments (e.g., via survey platform to collect data for quantitative & qualitative analysis).
Service Improvement & Internal Reporting
• To analyse aggregated (anonymised) data for benchmarking, quality assurance, research publications, or service design.
• To manage client relationships, send newsletters, and handle marketing communications (e.g., via HubSpot).
• To evaluate the reach and impact of services and projects.
Security & Compliance
• To maintain secure storage, backup, and audit logs (e.g., via Microsoft 365).
• To monitor for any misuse or breach of data security.
Legal basis for processing
Under UK GDPR, our lawful bases include:
Consent
• For gathering and processing individual and organisational data around work health, wellbeing, personal or sensitive data (e.g., psychosocial questionnaires, contact information for arranging interviews, interview and focus group recordings).
Contractual Necessity
• To perform our consultancy engagements, training delivery, employee and stakeholder or employment agreements.
Legal Obligation
• To comply with employment, tax, professional, and health & safety laws and regulations.
Legitimate Interests
• To improve our services, generate anonymised research insights, and manage business operations.
• We carry out a balancing test to ensure our interests do not override your rights.
Public Interest in Research
• Where processing is necessary for research in the public interest (e.g., workplace wellbeing studies).
Sharing your personal data
Your data will be treated confidentially and will not be mistreated, sold or traded with any third parties. In the case of data provided for consultancy and research projects, only aggregated data will be reported and no names will be provided unless explicit agreement has been given.
We have a managed IT Service Provider 'Client First Solutions' supporting our IT, Device & Cyber Security. Any data accessible to CFS will be solely for the purpose of managing our Affinity data security and maintaining our IT software infrastructure.
Who we share your data with
Aside from the processors listed below, we may also share personal data with:
Subcontracted Consultants or Psychologists
• Only as necessary—for example, if we engage a subject-matter expert to co-facilitate a workshop or analyse a dataset. Each consultant signs a confidentiality and data protection agreement.
Accredited Research Partners or Academic Institutions
• When collaborating on peer-reviewed publications or multi-organisational studies. Data is shared in anonymised form unless participants have explicitly consented to identifiable sharing.
IT or Cloud Service Providers
• For server hosting, backup, and disaster recovery.
• All such providers are GDPR compliant and bound by DPAs.
We never sell, trade, or rent your personal data to any third parties.
Third party processors
We use the following third-party processors to help deliver our services. Each provider is chosen for its strong data security, compliance certifications (e.g., ISO 27001, SOC 2), and GDPR alignment. We only share the minimum data required for them to perform their function and with a Data Processing Agreement (DPA) in place:
Microsoft 365 (Microsoft Corporation)
Purpose:
Email, document creation (Word, Excel, PowerPoint), secure file storage (OneDrive, SharePoint), calendar scheduling, Teams video calls.
Data Shared:
Names, email addresses, documents (e.g., reports, presentations), meeting recordings.
Retention & Security:
• Microsoft 365 stores data in encrypted form both at rest and in transit.
• We retain Teams recordings in our tenant only for the duration needed (e.g., up to 90 days for project collaboration) before deletion.
• You can request deletion of any documents or emails via our Data Protection Lead.
ZOOM (Zoom Communications, Inc)
Purpose:
Webinars, video conferencing, recording and transcribing.
Data Shared:
Names, email addresses, meeting, interview and focus group recordings, in session messaging and chat.
Retention & Security:
• Zoom stores data in encrypted form both at rest and in transit.
• We retain Zoom recordings in our tenant only for the duration needed (e.g., up to 90 days for project collaboration) before deletion.
• You can request deletion of any recorded video conferencing or audio files via our Data Protection Lead.
Otter.ai (AISense, Inc.)
Purpose:
Transcription of audio recordings (e.g., training sessions, stakeholder interviews, research & employee interviews and focus groups).
Data Shared:
Audio files (voice recordings), speaker names (if provided), transcript text. We pseudonymise interview name and file data prior to transcription.
Retention & Security:
• Otter.ai retains transcripts and recordings for as long as your account is active.
• We configure Otter.ai settings to automatically delete recordings/transcripts 30 days after creation—unless we need to keep them longer for ongoing analysis (with client consent).
• All data is encrypted in transit via TLS and at rest on Otter.ai servers.
HubSpot (HubSpot, Inc.)
Purpose:
Customer Relationship Management (CRM), email marketing, client tracking, lead generation.
Data Shared:
Contact names, email addresses, phone numbers, engagement history (how you interacted with our emails or website), notes from consultations.
Retention & Security:
• HubSpot stores all contact information in compliance with GDPR.
• We only store minimal contact details needed to manage our client relationships and send service-related communications (no marketing personal data without explicit opt-in).
• You can unsubscribe or request data deletion via our privacy preferences page or by emailing privacy@affinityhealthatwork.com.
Brevo
Purpose:
Marketing platform, HTML newsletter and visual content generator, and sending service-related communications.
Data Shared:
Mailing list subscribed contact names, email addresses, phone numbers, engagement history (how you interacted with our emails or website).
Retention & Security:
• Brevo stores all contact information in compliance with GDPR.
• We only store minimal and up-to-date contact details to share our newsletter, manage our subscriber relationships and send service-related communications (no marketing personal data without explicit opt-in).
• You can unsubscribe or request data deletion via our privacy preferences page or by emailing privacy@affinityhealthatwork.com.
Qualtrics (Qualtrics, LLC)
Purpose:
Online survey platform for assessments, questionnaires, and feedback forms (e.g., wellbeing assessments, research instruments).
Data Shared:
Survey responses (text, numeric), demographic fields, timestamp of completion.
Retention & Security:
• Qualtrics encrypts data in transit (HTTPS) and at rest.
• By default, Qualtrics retains raw data until we export or delete it from our tenant, usually within six months to one year, depending on the project.
• Aggregate (anonymised) data may be kept indefinitely for longitudinal research purposes, but all personal identifiers are removed.
Responsible use of AI Tools
We aim to keep pace with, and adapt to, the many opportunities presented by AI. We follow ICO's AI Guidance and have a company policy on responsible use of AI tools to ensure security risks are mitigated and appropriate protections are in place for all confidential, proprietary, personal and company data relating to customers, employees or partners. Any AI tool used by employees must meet our security and data protection standards. We will not share confidential or personal data, or give access to AI software without appropriate safeguards in place.
Data retention
We retain different categories of data only as long as necessary for the stated purpose and in accordance with our Data Retention Policy.
In brief:
• Client & Research Consortium Member details: Contact details are retained during and up to five years after work engagements.
• Participant Records: Retained up to 5 years after final engagement or last contact, whichever is later, or as specified in Client organisation terms of agreement where DP arrangements have been specified.
• Research Data (Raw & Processed): All identifiable data is anonymised as routine; anonymised datasets may be kept for up to 10 years for academic audits or future research (subject to ethical approvals).
• Audio/Video Recordings: Retained up to 1–2 years, or until transcription is complete. Then recordings are deleted or permanently anonymised.
• Job applicants and recruitment records: Used solely for the purpose of the specific role opportunities applied for, and for a maximum period of 6 months. Records of candidates who request that we keep them on file for future reference may be kept for a period of 2 years.
• HR & Employee Records: Retained up to 6 years after the end of employment (to meet UK Limitation Act requirements). Some financial paperwork (e.g., payroll, tax) is kept for 7 years.
• Marketing & CRM Data (HubSpot): Contact details and engagement history are retained until you unsubscribe or request deletion.
• Backup & Audit Logs (Microsoft 365): Retained for up to 90 days (unless legal hold applies).
How to access your data
Your Data Subject Rights
Under GDPR (and UK GDPR), you have the following rights, subject to certain conditions:
• You can request a copy of all personal data we hold about you.
• You can ask us to correct any inaccuracies or incomplete information.
• You may request deletion of your data if there is no lawful basis for us to retain it (e.g., consent withdrawn).
• You can ask us to suspend processing while a matter is being resolved (e.g., contested accuracy).
• You can request the transfer of your data to another controller in a structured, machine-readable format.
• You can object to processing based on our legitimate interests or for direct marketing.
• If you have given consent (e.g., for recordings or health data), you can withdraw that consent at any time.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK: www.ico.org.uk.
Withdrawing your data
To exercise any of these rights or if you would like to remove your data, please email us at hello@affinityhealthatwork.com. Alternatively, you can click, where applicable, the unsubscribe link in any email or newsletter that you receive from us.
How we protect your data
We use a combination of administrative, technical, and physical safeguards, including but not limited to:
• Encryption: All data in transit is encrypted (HTTPS/TLS). Third-party processors (e.g., Microsoft 365, Qualtrics, Otter.ai) encrypt data at rest.
• Access Controls: Role-based access for staff (least privilege principle). Multi-factor authentication (MFA) for all employee accounts.
• Secure Storage: Servers are located in accredited data centres (ISO 27001, SOC 2). Backups are encrypted and stored separately.
• Regular Audits: Annual data protection audits and vulnerability scans.
• Data Minimisation & Anonymisation: We anonymise or pseudonymise personal data whenever possible (especially in research).
Cookies & website tracking
If you visit our website, we use cookies and tracking tools (e.g., Google Analytics) to:
• Understand how you navigate our site.
• Improve user experience.
• See aggregated usage statistics.
You can manage or disable cookies via your browser settings.
International transfers
Some of our third-party processors may transfer or store data outside the UK/EU (e.g., Otter.ai servers, HubSpot servers in the U.S.).
• We ensure appropriate safeguards are in place (Standard Contractual Clauses, Binding Corporate Rules, or UK Adequacy Decisions).
• Where applicable we will ensure UK/EU data centres are used.
Links to other websites
Our website or communications may contain links to external sites. This notice does not apply to any third-party website. We encourage you to read their privacy notices before providing any personal data.
Review & renewal
We may update this Privacy Notice periodically (e.g., when we add a new data processor or if regulations change). The "Last Updated" date is at the bottom of this document. Whenever material changes occur, we will notify you by email or post a prominent notice on our website. This policy will be reviewed annually in November, and updated versions will be available on our website: www.affinityhealthatwork.com.
If you have any questions about this Privacy Policy or how we handle your personal data, please contact:
Toria Pagan - Data Protection Manager
Affinity Health at Work Ltd
📧 hello@affinityhealthatwork.com
📞 +44 208 129 1779
Last Updated: 23rd June 2025