Discover Instant Workplace Inteligence
Get In Touch

Privacy policy

Effective Date: 26May 2025

Last Updated: 05 June 2025

  1. Introduction
    Work Transformers Ltd (“we”, “us”, “our”) is committed to protecting your privacy and handling your data transparently, lawfully, and securely. This Privacy Policy explains how we collect, use, store, and protect personal data when you access or use our AI-powered platform, WorkTransformers.ai (“the Platform”). We believe that your data is your asset, and our responsibility is to ensure it remains safe, private, and fully under your control. This Policy applies to all users, including enterprise clients, contractors, and service partners.
  2. Who We Are
    Work Transformers Ltd is a private limited company incorporated in England and Wales, with its registered office at 128 City Road, London EC1V 2NX, United Kingdom. We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO Registration Number TBC] and fully comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable international privacy standards.
  3. What Data We Collect
    We collect and process the following categories of personal data:
  • Company name and designation (as entered during onboarding);
  • Information submitted via benchmarking tools and assessments;
  • Chat history and notes created by users within the platform interface.
  • Full name, job title, company name, and business function
  • Email address and contact number (optional but recommended)
  • Encrypted account credentials (protected by enforced Two-Factor Authentication)
  • Technical usage data: IP address, location metadata, device/browser specifications, operating system, interaction logs, session length, feature usage frequency
  • Organisational attributes such as sector, headcount, operational regions
  • Behavioural data, user journey mapping, and declared preferences (e.g., preferred communication channels, content interactions)
  • User-submitted content (e.g., uploaded files or strategic queries)
  • Automated decision outputs and audit logs associated with AI interaction

 

 

  1. How We Use Your Data
    We process your personal data to:
  • Create, authenticate, and manage user accounts securely
  • Deliver personalised platform experiences, insights, and content
  • Optimise AI recommendations based on contextual and organisational relevance
  • Monitor service performance, prevent fraud, and ensure system integrity
  • Address support inquiries efficiently through our success team
  • Fulfil legal and contractual requirements, including audit and reporting
  • Deliver marketing content (with clear opt-in only) and usage-based feature updates
  • Improve our AI models and platform functionality (without using your data for external model training)
  • Flag or escalate results where automated outputs are subject to review by a human expert (where applicable)
  • Ensure no fully automated decisions are made with legal or similarly significant effects without meaningful human involvement
  1. Legal Basis for Processing

In particular, personal data is processed to enable proper use of the platform, protect the integrity of the platform and prevent misuse. The primary legal basis remains contractual necessity, while security monitoring may rely on legitimate interests.
Our processing is grounded in the following legal bases:

  • Contractual necessity: to fulfil our agreement with you
  • Legal obligation: to comply with statutory and regulatory duties
  • Legitimate interests: to improve service delivery, security, and user experience
  • Consent: for all non-essential communications or promotional activities
  1. Data Storage and Security
    We implement a range of organizational and technical measures to protect personal data:
  • Access to personal data is restricted to authorized personnel only, primarily to staff assigned superuser roles within the internal administration panel.
  • Role-based access controls and permissions are in place to prevent unauthorized data access.
  • Account credentials are protected using enforced Two-Factor Authentication (2FA).
  • Currently, no automated data backup process is in place. Future backups are planned to be securely stored using private AWS S3 buckets.
  • No formal security incident response plan has been implemented yet. However, any security incidents will be reviewed and addressed in accordance with applicable legal requirements.
  • No data security incidents have occurred in the past 12 months.
  1. Data Retention
    We retain personal data for as long as the user maintains an active account with us and continues to use our services.
    Users may request deletion of their account and associated personal data at any time by contacting us directly.
    Currently, no automated deletion processes for inactive accounts are in place, but manual deletion may be performed upon request or during periodic internal reviews.
    Retention periods may be reviewed and updated in the future in line with applicable data protection regulations.
  2. Sharing of Information
    We will never sell, rent, or commercially exploit your data. We may share limited data:
  • With trusted processors under strict Data Processing Agreements (DPAs)
  • To comply with legal obligations, court orders, or enforcement authority requests (subject to transparency and minimisation principles)
  • As part of mergers, acquisitions, or restructuring (subject to equivalent protection commitments) We evaluate all requests from law enforcement or regulators for proportionality and legality, and where legally permitted, we will notify affected users.
  1. Your Rights
    As a data subject, you have the right to:
  • Access your personal data (subject access requests)
  • Request correction of inaccurate or incomplete data
  • Request deletion (“right to be forgotten”)
  • Restrict or object to specific processing activities
  • Port your data in machine-readable format
  • Withdraw consent at any time where processing is based on consent
  • File a complaint with the UK ICO (www.ico.org.uk) if you believe your rights are violated We verify identity before processing rights requests and respond within one month. Our identity verification process may include confirmation via registered email or use of 2FA.
  1. International Transfers
    Currently, personal data is not transferred outside the United Kingdom or European Union.
    Should international transfers become necessary in the future, appropriate safeguards such as Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms will be implemented to ensure full compliance with data protection laws.
  2. Children’s Data
    Our platform is not intended for individuals under the age of 18.
    We do not knowingly collect personal data from children or minors.
    No active age verification mechanisms are currently implemented.
  3. Processors and Subprocessors
    We use certain third-party service providers to support the operation and delivery of the platform. These subprocessors may process limited personal data as part of technical platform functionality. The subprocessors currently include:
  • External AI service providers supporting language model functionality
  • Vector databases used for search and contextual retrieval (typically without directly identifiable personal data)

We limit data sharing with subprocessors strictly to technical requirements necessary to operate the platform. Where possible, data is processed in a pseudonymized or de-identified format to minimize exposure of directly identifiable personal data.

We are currently in the process of reviewing and evaluating formal Data Processing Agreements (DPAs) with these providers. Third-party processor practices are periodically reviewed to ensure ongoing compliance.

  1. Cookies and Tracking Technologies
    The Platform uses cookies and similar technologies to improve functionality, analyse performance, and enhance user experience. For more detail, please refer to our separate Cookie Policy.
  2. Breach Notification
    In the unlikely event of a data breach, we will notify affected users and relevant authorities within 72 hours in accordance with UK GDPR obligations. We will provide clear information on what occurred, what data is affected, and how we are responding.
  3. Roles and Responsibilities
    For enterprise use cases, Work Transformers Ltd acts as the processor of personal data, while the client organisation acts as the data controller. Each party shall be responsible for its obligations under applicable data protection laws.
  4. Changes to this Policy
    We may revise this Privacy Policy periodically. Significant changes will be clearly communicated via email or Platform notifications. Continued use of the Platform after changes implies acceptance of the revised terms. We encourage users to regularly review this document.
  5. Contact
    To exercise your rights or raise concerns, contact our Data Protection Officer (DPO):
    Email: dpo@worktransformers.ai
    Phone: +44 (0) 203 051 7959
    Postal: Data Protection Officer, Work Transformers Ltd, 128 City Road, London EC1V 2NX, United Kingdom