This privacy notice explains how WorkplaceHero ("we", "us", "our") collects, uses, shares and protects personal information when you visit our website (workplacehero.co.uk and workplacehero.lovable.app), contact us, subscribe to our communications, use our quizzes and interactive tools, log CPD, book or attend our courses, or engage us for consultancy and support services.
We are committed to handling your personal data lawfully, fairly and transparently in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).
1. Who we are
WorkplaceHero is the data controller for the personal information described in this notice. You can contact us at:
- Email: hello@workplacehero.co.uk
- Postal address: WorkplaceHero, 20 Wenlock Road, London, N1 7GU, United Kingdom
If you have a question about this notice, want to exercise your rights, or wish to raise a complaint, please contact us using the details above.
2. The information we collect
Depending on how you interact with us, we may collect:
- Identity and contact data - name, job title, organisation, email address, phone number and postal address.
- Account data - login credentials, profile details and authentication tokens when you create an account (for example to log CPD).
- Enquiry and correspondence data - the content of messages you send us via contact forms, email, the "Book a chat" link or social channels.
- Service delivery data - information you share during consultancy, CPD, coaching, governance or inspection-support engagements, including notes, attendance records, certificates and feedback.
- Quiz and interactive content data - answers and results from optional on-site quizzes (for example the Belbin team-role and Handy culture quizzes). These are processed in your browser and are not stored against your identity unless you choose to share them with us.
- Marketing preferences - the topics you have opted in to receive communications about, and your subscription status.
- Technical and usage data - IP address, device type, browser type and version, operating system, referring URL, pages viewed, time on page and approximate location (city/country level).
- Cookie data - identifiers set by cookies and similar technologies, as described in our cookie policy.
We do not knowingly collect special category data (such as health, ethnicity or religious beliefs) through the website. Where this is relevant to a consultancy engagement (for example safeguarding casework), we will agree the lawful basis and handling in writing before processing it.
Our services are not directed at children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
3. How we collect your information
- Directly from you - when you fill in a form, email us, book a chat, sign up for CPD or engage us professionally.
- Automatically - through cookies, server logs and analytics when you use the site.
- From third parties - for example LinkedIn or a referrer who introduces you to us, and from authentication providers (such as Google) if you sign in with them.
4. Why we use your information and our lawful basis
Under UK GDPR we must have a lawful basis to process your personal data. The bases we rely on are set out below.
- To respond to enquiries and deliver services you have requested - lawful basis: performance of a contract, or our legitimate interests in responding to pre-contract enquiries.
- To provide accounts, CPD logging and interactive tools - lawful basis: performance of a contract and our legitimate interest in operating the service securely.
- To send service emails (for example booking confirmations, password resets, account notifications) - lawful basis: performance of a contract.
- To send marketing emails, newsletters and updates - lawful basis: your consent (which you can withdraw at any time), or our legitimate interest in marketing to existing business customers about similar services (the PECR "soft opt-in"), with an easy unsubscribe in every message.
- To improve the site and understand how it is used - lawful basis: your consent for non-essential analytics cookies, otherwise our legitimate interest in maintaining and improving our website.
- To keep records, raise invoices and meet tax, accounting and other legal obligations - lawful basis: legal obligation and our legitimate interest in running our business.
- To protect our site and users from fraud, abuse and security threats - lawful basis: legitimate interests in keeping the service safe.
Where we rely on legitimate interests, we have carried out a balancing test to make sure our interests do not override your rights and freedoms. You can ask us for more information about that assessment at any time.
5. Cookies and tracking
We use a small number of strictly necessary cookies that are required for the site to work, and (with your consent) analytics cookies that help us understand how visitors use the site. You can accept, reject or change your cookie preferences at any time using the cookie banner or by visiting our cookie policy.
6. Who we share your information with
We do not sell your personal information. We share it only with carefully chosen providers who help us run our business, and where we are legally required to do so. Our processors and recipients include:
- Hosting, infrastructure and database providers that run this site and our backend.
- Email delivery providers used to send service and marketing emails.
- Analytics providers (only where you have consented to non-essential cookies).
- Authentication providers (for example Google) when you choose to sign in with them.
- AI service providers we use to generate and review content on our behalf, processing only the data needed for that task.
- Accountants, auditors, insurers and professional advisers.
- Law enforcement, regulators or other authorities where we are legally required to disclose information.
- A buyer or successor entity in the event of a sale, merger or reorganisation, subject to equivalent protections.
All processors are bound by written contracts that require them to protect your data and only process it on our instructions.
7. International transfers
Some of our providers are based outside the United Kingdom, including in the European Economic Area and the United States. Where personal data is transferred outside the UK, we make sure an appropriate safeguard is in place, such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or a country covered by UK adequacy regulations. You can request a copy of the safeguards we rely on by contacting us.
8. How long we keep your information
We only keep personal data for as long as we need it for the purposes set out in this notice, or to meet our legal, regulatory, tax and accounting obligations. Typical retention periods are:
- Enquiries that do not become engagements: up to 24 months from your last contact.
- Client and engagement records: 7 years after the end of the engagement, in line with HMRC and professional indemnity requirements.
- Marketing subscribers: until you unsubscribe or are inactive for 24 months.
- Accounts and CPD logs: while your account is active, plus a reasonable wind-down period.
- Website analytics: usually 14 months at most.
- Server, security and backup logs: typically up to 90 days.
When we no longer need your data, we securely delete or anonymise it.
9. How we protect your information
We use appropriate technical and organisational measures to protect your personal data, including encryption in transit, access controls, role-based permissions, secure authentication, regular backups, vulnerability monitoring and staff training. No method of transmission or storage is 100% secure, but we work to reduce risk and respond quickly to any incidents.
10. Your rights
Under UK data protection law you have the right to:
- Be informed about how we use your personal data (this notice).
- Access a copy of the personal data we hold about you.
- Have inaccurate or incomplete personal data corrected.
- Have your personal data erased in certain circumstances ("the right to be forgotten").
- Restrict or object to how we process your personal data, including for direct marketing.
- Receive your data in a structured, commonly used format and have it transferred where technically feasible (data portability).
- Withdraw consent at any time where we are relying on it (this will not affect processing carried out before withdrawal).
- Not be subject to a decision based solely on automated processing that has a legal or similarly significant effect on you. We do not currently make such decisions.
To exercise any of these rights, email hello@workplacehero.co.uk or write to us at the postal address above. We will respond within one month and may need to verify your identity before doing so.
11. Marketing and unsubscribe
You can unsubscribe from marketing emails at any time using the link at the bottom of any message, by updating your preferences in your account, or by contacting us. We will continue to send essential service messages (such as security and account notifications) where these are necessary for the service you have asked for.
12. Complaints
We hope to resolve any concern directly. If you are not satisfied with how we have handled your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
13. Changes to this notice
We may update this notice from time to time to reflect changes to our services or the law. The "Last updated" date at the top of this page shows when it was last changed. Where changes are significant, we will tell you by email or a prominent notice on the site.
14. Contact us
For any questions about this notice or your personal data, please contact us at hello@workplacehero.co.uk or by post at WorkplaceHero, 20 Wenlock Road, London, N1 7GU, United Kingdom.