Privacy Policy

Last updated: February 2026 · Version 1.0

1. Introduction

Workforce AI ("we", "us", "our"), operated by Healo ("the Company"), provides an AI-driven employee burnout risk assessment platform for small and medium-sized enterprises (SMEs). This Privacy Policy explains how we collect, use, store, and protect personal data in connection with our services.

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and other applicable data protection laws. This policy applies to all users of our platform, including company administrators ("managers") and their employees who participate in burnout risk assessments.

2. Data Controller Identity

The identity of the data controller depends on the context:

  • For employee assessment data: The employer organization (the company that subscribes to Workforce AI) is the data controller. Workforce AI acts as a data processor on behalf of the employer.
  • For manager/administrator account data: Workforce AI (Healo) is the data controller for account registration data, authentication credentials, and platform usage data.

Workforce AI (Healo)

Email: privacy@workforceai.com

Data Protection Officer: dpo@workforceai.com

3. Legal Basis for Processing

We process personal data under the following legal bases as defined in GDPR Article 6 and, for special category data, Article 9:

Employee Health Assessment Data (Special Category Data)

Legal basis: Explicit consent (GDPR Article 9(2)(a)). Employee burnout assessment responses constitute health-related data, which is classified as special category data under GDPR. We obtain explicit, informed, and freely given consent from each employee before collecting any assessment data. Employees are informed of their right to withdraw consent at any time.

Manager/Administrator Account Data

Legal basis: Performance of a contract (GDPR Article 6(1)(b)). Processing is necessary for the performance of the subscription agreement between the employer organization and Workforce AI.

Platform Analytics and Service Improvement

Legal basis: Legitimate interests (GDPR Article 6(1)(f)). We have a legitimate interest in understanding how our platform is used to improve its functionality and reliability. This processing uses aggregated, anonymized data only and does not involve individual health data.

4. Types of Personal Data Collected

4.1 Employee Data

  • Email address (for invitation and identification purposes)
  • Burnout risk assessment responses (special category health data), including answers to questions about work-life balance, stress levels, workload perception, and general wellbeing indicators
  • Consent records (timestamp, IP address, user agent, consent version)
  • Assessment completion dates and participation history

4.2 Manager/Administrator Data

  • Full name and email address
  • Company/organization name
  • Authentication data (OAuth tokens from Google Workspace or Microsoft Entra ID — we do not store passwords)
  • Subscription and billing data (processed by Stripe)
  • Platform usage data (chat conversations with AI agents)

4.3 Technical Data

  • IP addresses and browser user agent strings
  • Session cookies (httpOnly, JWT-based authentication)
  • Device type and browser information

5. How We Use Your Data

  • Burnout risk assessment: Employee responses are analyzed using AI to generate individual and aggregate burnout risk scores.
  • Aggregate reporting: Individual responses are aggregated and anonymized to produce team-level and department-level reports for the employer. Individual employee responses are never shared directly with the employer.
  • AI-powered insights: Our AI agents analyze aggregated data to provide recommendations for improving workplace wellbeing.
  • Service delivery: Account management, authentication, subscription management, and customer support.
  • Legal compliance: Maintaining consent records and audit trails as required by GDPR and other applicable laws.

6. Data Retention Periods

Data Type                      | Retention Period                   | Basis
Employee assessment responses  | 24 months                          | From date of collection; auto-deleted after period
Consent records                | Duration of account + 5 years      | Legal requirement to demonstrate compliance
GDPR audit logs                | Duration of account + 5 years      | Regulatory compliance and audit trail
Manager/administrator accounts | Duration of subscription + 30 days | Contractual necessity; grace period for renewal
Aggregated, anonymized reports | Indefinite                         | Cannot be linked to individuals; used for trend analysis

7. Third-Party Processors and Sub-Processors

We use the following third-party service providers (sub-processors) to deliver our services. Each sub-processor is contractually bound to process personal data only as instructed and to maintain appropriate security measures:

Sub-Processor                  | Purpose                                                | Location
Anthropic (Claude)             | AI analysis of anonymized, aggregated assessment data  | United States
Stripe                         | Payment processing and subscription management         | United States
Google Cloud / Microsoft Azure | OAuth authentication providers                         | EU / United States (with SCCs)
Cloud Hosting Provider         | Infrastructure hosting (database, application servers) | EU (primary) / with geographic redundancy

8. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses with all sub-processors located outside the EEA, as adopted by the European Commission under Decision 2021/914.
  • EU-U.S. Data Privacy Framework: Where applicable, we rely on sub-processors that are certified under the EU-U.S. Data Privacy Framework.
  • Supplementary measures: We implement additional technical and organizational safeguards, including encryption in transit and at rest, data minimization, and pseudonymization where feasible.

9. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data. You may exercise these rights at any time by contacting us at privacy@workforceai.com or through the Workforce AI platform's built-in data rights features:

Right of Access (Article 15)

You have the right to obtain confirmation of whether your personal data is being processed and to receive a copy of that data. You can request a data export through the platform or by contacting us.

Right to Rectification (Article 16)

You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17)

You have the right to request the permanent deletion of your personal data. Upon receiving a valid erasure request, we will delete all your personal data within 30 days, except where retention is required by law. Audit logs related to GDPR operations may be retained as required for compliance.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON). You can request a full data export through the platform.

Right to Restrict Processing (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of your data or when processing is unlawful.

Right to Object (Article 21)

You have the right to object to the processing of your personal data where the legal basis is legitimate interests.

Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal. You can withdraw consent through the platform or by contacting us.

Right to Lodge a Complaint

You have the right to lodge a complaint with your local supervisory authority (data protection authority) if you believe your data protection rights have been violated.

10. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Stateless JWT-based authentication with httpOnly cookies
  • OAuth 2.0 with enterprise identity providers (Google Workspace, Microsoft Entra ID) — no password storage
  • Role-based access control (employees, managers, administrators)
  • Database-level access controls with separate read-only and read-write connections
  • Regular security assessments and vulnerability monitoring
  • Employer access to personal data restricted to aggregated, anonymized reports only; individual employee responses are never exposed to the employer
  • Comprehensive audit logging for all data access and modifications

11. Cookies and Tracking Technologies

We use only essential, strictly necessary cookies for the operation of our platform:

  • Authentication cookie: A secure, httpOnly JWT session cookie that maintains your authenticated session. This cookie is essential for the platform to function and does not require consent under the ePrivacy Directive.

We do not use advertising cookies, analytics tracking pixels, or third-party tracking technologies.

12. Children's Data

Workforce AI is a B2B workplace assessment tool designed for use by adult employees. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected data from a minor, we will promptly delete it.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email (for registered users) or by posting a prominent notice on our platform at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised. Where changes affect the processing of special category data, we will seek renewed consent from affected employees.

14. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a complaint about our data processing practices, please contact us:

Workforce AI (Healo)

General inquiries: privacy@workforceai.com

Data Protection Officer: dpo@workforceai.com

We aim to respond to all data protection inquiries within 30 days, in compliance with GDPR Article 12(3).