Privacy Policy

In-House Wellbeing Privacy Notice
Last updated: March 2026

1. Introduction

In-House Wellbeing (“we”, "us", “our”) is committed to protecting the privacy and security of the personal data we collect about our users.  This privacy notice explains how we collect, use, and protect personal data when delivering our services.

Please read this privacy notice carefully as it provides important information about how we handle personal information and the rights of our users. If you have any questions about any aspect of this privacy notice, you can contact us using the information provided below or at admin@in-housewellbeing.com.

2. Who We Are

In-House Wellbeing provides a corporate wellbeing service to organisations ("the customer") to help improve the physical and mental wellbeing of their employees ("the user"/"users"). We act as the data controller for the personal data we collect and process as part of delivering our services.

3. Personal Data We Collect

We collect, use and are responsible for certain personal data about our users. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The personal data we collect includes;

• First name

• Last name

• Work email address

• Any other personal information the customer or the user discloses to us, including through the forms on our website.

4. How We Collect Personal Data

We will only collect this personal data directly from the customer or the user via email, our website or mobile application. We do not collect personal data from any third parties.

5. How We Use Personal Data

When providing our service, we may use personal data for the following purposes:

• To manage and administer user accounts

• To fulfil our obligations to the customer and provide the user with access to our service

• Communicate with users about the service

• Ensure proper functioning of the platform

6. How We Collect Personal Data

We process personal data under the following lawful bases:

• Legitimate Interest - to provide and manage our service as a corporate wellbeing provider.

• Legitimate Interest - to respond to messages we receive from users and website visitors.

• Contractual Necessity - to fulfil our agreement with the customer.

7. Data Sharing

• With a third-party software provider - we share users' personal data with a third-party software provider that help us to deliver our service and comply with our contractual obligations to the customer. This software provider processes data in accordance with the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). You can find their privacy policy here. We are not responsible for the privacy practices of our third-party provider.

• With the customer - we do not share any personal data with the customer. We only provide aggregated, anonymised, non-identifiable participation and engagement data.

8. Data Retention

We retain personal data only for as long as necessary to:

• Provide the service

• Fulfil contractual obligations

• Comply with legal requirements

When data is no longer required, it will be securely deleted or anonymised.

9. Data Security

We have implemented appropriate technical and organisational measures to safeguard  personal data and protect it from accidental or unlawful destruction, loss or alteration and from unauthorised disclosure and access.

10. International Transfers

When we collect personal data, it may be processed outside the UK. This is because the organisations we use to provide our services to the users are located in other countries.

We have taken appropriate steps to ensure that where personal data is processed outside the UK, it has an essentially equivalent level of protection as it has within the UK. We do this by ensuring that:

• Your personal data is only processed in a country which the Secretary of State has confirmed an adequate level of protection (an adequacy regulation); or

• We enter into either International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) (with the UK Addendum) with the receiving organisations and ensure that supplementary measures are also applied, where necessary.

11. Data Protection Rights

Under UKGDPR, individuals have certain rights in relation to the processing of their personal data, including to:

• Request access to their personal data (commonly known as a "Subject Access Request"). This enables individuals to receive a copy of the personal data we hold about them. 

• Request rectification of the personal data that we hold about them. This enables individuals to have any incomplete or inaccurate information we hold about them corrected.

• Request erasure of their personal data. This enables individuals to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have exercised their right to object to processing (see below).

• Object to processing of their personal data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this ground. If they object to us using their personal data for marketing purposes we will stop sending them marketing material.

• Request the restriction of processing of their personal data. This enables individuals to ask us to suspend the processing of their personal data, for example, if they want us to establish its accuracy or the reason for processing it.

• Request the transfer of their personal data to another party (data portability). 

• Automated decision making. Individuals have the right not to be subject to a decision based solely on automated processing which will significantly affect them. We do not use automated decision-making.

Right to withdraw consent:
In the circumstances where an individual has provided their consent to the processing of their personal data for a specific purpose, they have the right to withdraw their consent for that processing at any time. Once we have received notification that they have withdrawn their consent, we will no longer process their information for the purpose or purposes they originally agreed to, unless we are permitted by law to do so.

How to exercise rights:
An individual will not usually need to pay a fee to access their personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if their request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. If an individual wishes to exercise their rights, they can contact us at admin@in-housewellbeing.com.

12. How to Complain

Individuals have the right to lodge a complaint with the supervisory authority, if they believe we are infringing the UK data protection laws or they are concerned about the way in which we are handling their personal data. The supervisory authority in the UK is the Information Commissioner's Office which can be contacted online at:

 • https://ico.org.uk/global/contact-us/
 • Or by telephone on 0303 123 1113

13. Changes to This Policy

We may update this Privacy Policy from time to time. Any changes will be posted on our website with an updated “Last updated” date.

14. Contact Us

If an individual wishes to contact us in relation to this privacy notice or they wish to exercise any of their rights outlined above, then please address all correspondence to:

In-House Wellbeing
Email: admin@in-housewellbeing.com