Privacy Policy
Last updated: 12 April 2026
1. Who we are
The HR Health Check platform ("the Platform") is operated by Lab8 Digital Ltd, a company registered in England and Wales (company number 17078500) with its registered office at Unit 3 Icon, Eastern Way, Daventry, England, NN11 0QB ("we", "us", "our").
Our role under UK GDPR depends on whose data is being processed:
- Partner (consultancy) account data — we are the data controller. This includes your registration details, billing information, login credentials, and portal activity.
- Client assessment data — where an assessment is completed via a Partner's branded link, the Partner is the data controller and we act as a data processor on their behalf. The Partner determines the purposes and means of processing their client data; we provide the technology platform.
- Platform operation data — we are the data controller for data we collect to operate, secure, and improve the Platform (such as usage analytics and technical logs).
Contact and registration details
- Email: contact@hrhealthcheck.co.uk
- ICO registration number: ZC121582
2. What data we collect
The data we collect depends on how you interact with the Platform.
Partners (HR consultancies)
- Account details — name, email address, company name, company number
- Billing information — processed by Stripe; we do not store card numbers
- Portal activity — login history, feature usage, settings changes (for audit and support)
Assessment respondents (clients of Partners)
- Contact details — name, email address, phone number, job title/position
- Company information — company name, employee count, industry sector, business age, employment types, business locations
- Assessment responses — answers to the assessment questions (these relate to company HR practices, not personal circumstances)
Data collected automatically (all users)
- Device and technical data — IP address, browser type, device type, and operating system (collected by our hosting infrastructure)
- Usage data — time spent on each step, session resume events (used to improve the Platform)
3. How and why we use your data
| Purpose | Lawful basis |
|---|---|
| Delivering assessments and generating compliance reports | Performance of a contract |
| Sending results and transactional emails (e.g. verification codes, report links) | Performance of a contract |
| Sharing assessment data with the Partner whose branded link was used | Performance of a contract (between the Partner and us) |
| Email verification to protect returning users' data | Legitimate interest (security) |
| Managing Partner accounts, billing, and subscriptions | Performance of a contract |
| Collecting device and usage data | Legitimate interest (improving the Platform and preventing fraud) |
| Producing anonymised, aggregate statistics and benchmarks | Legitimate interest (product development and business improvement) |
We do not contact assessment respondents for marketing purposes. Any follow-up regarding assessment results is the responsibility of the Partner (data controller) who directed the respondent to the Platform. We only send transactional emails directly related to completing or accessing an assessment (such as verification codes and result links).
4. Communications
Assessment respondents: we send only transactional emails necessary to deliver the service (verification codes, results links). We do not send marketing emails to assessment respondents. If a Partner wishes to follow up with their clients, that is governed by the Partner's own privacy policy and their relationship with you.
Partners: we may send service-related communications about your subscription, Platform updates, or changes to our terms. These are not marketing communications and are necessary to operate the service.
5. Who we share your data with
We do not sell your personal data to third parties. We may share your data with the following categories of recipients, who process it on our behalf under appropriate contractual safeguards:
- Supabase Inc. — database hosting and authentication (data stored in the EU)
- Vercel Inc. — website hosting and delivery
- Stripe Inc. — payment processing (for Partner subscriptions)
- Resend Inc. — transactional and marketing email delivery
We may also disclose your data where required by law, regulation, or court order, or to protect our rights and property.
Assessments completed via a Partner's branded link
If you completed an assessment via an HR consultancy's branded link, that consultancy ("the Partner") is the data controller for your assessment data. We share your assessment results, contact details, and report data with the Partner through their portal so they can provide HR advisory services to you. The Partner's own privacy policy governs how they use your data beyond the Platform.
6. International transfers
Some of our service providers are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, in accordance with UK GDPR requirements.
7. How long we keep your data
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are:
| Data | Retention period | Reason |
|---|---|---|
| Assessment results and responses (active Partner) | 3 years from completion | Service delivery, trend analysis, and follow-up |
| Assessment data after Partner cancellation | 90 days from termination, then anonymised | Allows data export; anonymised data retained for statistics |
| Partner account details | 90 days after account closure | Account administration and dispute resolution |
| Device and usage data | 12 months | Technical improvement and security |
| Email verification codes | 24 hours | Short-lived security purpose |
| Anonymised aggregate data | Indefinitely | Benchmarking, research, and Platform improvement (not personal data) |
What happens when a Partner cancels
If the HR consultancy (Partner) whose branded link you used to complete an assessment cancels their subscription, the following applies to your data:
- The branded assessment link will be deactivated. You will no longer be able to access your results via that link.
- Your personal data is retained for 90 days after the Partner's account is terminated. During this period, you may exercise your data rights (see section 8) by contacting us directly.
- After 90 days, all personal data (names, email addresses, company names, and any other identifying information) is permanently anonymised. Once anonymised, the data cannot be linked back to you and is no longer personal data under UK GDPR.
- Anonymised data is retained indefinitely for aggregate statistical analysis, benchmarking, and Platform improvement.
8. Your rights
Under UK data protection law, you have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — ask us to delete your data (subject to legal obligations)
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a structured, commonly used format
- Right to object — object to processing based on legitimate interest
To exercise any of these rights, please contact us at contact@hrhealthcheck.co.uk. We will respond within one month.
If you completed an assessment via a Partner's branded link, the Partner is the data controller for your assessment data. You may also exercise your rights by contacting the Partner directly. If you contact us, we will work with the relevant Partner to fulfil your request.
9. Automated decision-making
The Platform uses automated scoring to generate your compliance report and risk rating. This scoring is based on a rules-based algorithm that evaluates your answers against UK employment law and HR best-practice standards. The output is general guidance intended to highlight areas for review — it is not a binding assessment of your legal obligations, and no solely automated decisions with legal or similarly significant effects are made about you.
10. Cookies and storage technologies
The Platform uses sessionStorage (a browser storage mechanism) to save your assessment progress so you do not lose your answers if you refresh the page. This data is stored only in your browser, is not transmitted to third parties, and is automatically cleared when you close your browser tab.
We use Google Analytics (GA4) to understand how visitors use the Platform. GA4 sets cookies to collect anonymised usage data such as pages visited and time on site. These cookies are only loaded after you give your consent via the cookie banner shown on your first visit. If you decline, no analytics cookies are set and no data is sent to Google.
We do not use advertising cookies. You can change your cookie preference at any time by clearing your browser's local storage for this site.
11. Security
We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), secure database hosting with row-level security, and restricted access to personal data on a need-to-know basis. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Children
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the policy was last revised. We encourage you to review this page periodically. Material changes will be communicated through a notice on the Platform or by email where appropriate.
14. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
15. Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Email: contact@hrhealthcheck.co.uk
- Post: Lab8 Digital Ltd, Unit 3 Icon, Eastern Way, Daventry, NN11 0QB
© 2026 HR Health Check. All rights reserved.