Privacy Policy
|
This policy applies to everyone who interacts with EHS, whether you are an employee submitting a check-in, a business leader using the platform, or a visitor to our website. We have written separate sections for each, so you can go straight to the part that applies to you. |
1. Who We Are
Employee Happiness Score (“EHS”) is operated by BusinessHub Systems Limited, a company registered in England and Wales.
|
Legal name |
BusinessHub Systems Limited |
|
Company number |
07863143 |
|
Registered office |
Potters Leisure Resort, Coast Road, Great Yarmouth, Norfolk, NR31 9BX |
|
|
info@employeehappinessscore.com |
|
Website |
employeehappinessscore.com |
|
UK trade mark |
UK00003271282 |
BusinessHub Systems Limited is the data controller for personal data collected through the EHS website. When EHS is deployed by an organisation (the “Client”), that Client is the data controller for its employees’ data, and EHS acts as a data processor on the Client’s behalf. This distinction matters and is explained in more detail below.
2. What EHS Does and Why Privacy Matters
EHS is an employee sentiment platform. Organisations use it to measure how their people feel at work through regular, lightweight check-ins. The data collected is sensitive by nature, it reflects how employees feel, and employees need to trust that their responses are handled with care.
Our approach is built around three principles:
- Anonymous by default. Employees’ responses are presented to their employer in anonymised form. The employer sees scores, themes, and aggregated feedback, not individual identities, unless the employee chooses to identify themselves.
- Minimum necessary data. We only collect what is needed to operate the service.
- No selling of data. We do not sell, rent, or trade personal data under any circumstances.
3. If You Are an Employee Submitting a Check-In
This section applies to you if your employer uses EHS and you have received a check-in request through any of the available delivery methods, which may include email, SMS, QR code, or other channels supported by the platform.
3.1 What data we collect
When you submit a check-in, we collect:
- Your sentiment response (a selection from a set of face-based options representing how you feel)
- Any free-text comment you choose to add
- The date and time of your submission
- The method used to submit (email link, SMS link, or QR code)
To send you the check-in invitation, your employer provides us with your name and contact details (such as your email address or mobile number). Your employer may also provide additional organisational information such as your team or location, but this is not always the case and is entirely at your employer’s discretion.
3.2 Anonymity — what your employer can and cannot see
|
Your employer sees your score and any comments in anonymised form. They do not see your name or identity alongside your response, unless you choose to include it yourself. |
EHS holds identity data (your name and contact details) at the infrastructure level only. This is used solely to send you check-in invitations, prevent duplicate submissions, and fulfil data protection obligations such as responding to access or deletion requests. This data is never made available to your employer through the EHS platform.
If you choose to identify yourself in your free-text response, for example, by writing your name or sharing details that identify you, that is entirely your choice. EHS does not prevent this, but it is not prompted or encouraged by the system.
3.3 How we use your data
We use your data to:
- Deliver the check-in service on behalf of your employer
- Generate anonymised sentiment scores and themes for your employer’s dashboard
- Respond to any data subject rights requests you make
- Maintain the security and integrity of the platform
We do not use employee check-in data for our own marketing purposes.
3.4 AI processing
EHS uses AI to analyse patterns in anonymised employee feedback. The “Ask EHS AI” feature allows your employer’s leaders to query themes and sentiment across aggregated responses. This processing operates on anonymised data. Your individual identity is not used in AI analysis or surfaced in AI outputs.
3.5 Lawful basis
EHS processes employee data on behalf of your employer (the data controller). Your employer’s lawful basis for processing is typically legitimate interests, understanding employee sentiment to improve the working environment, or, where applicable, the performance of an employment contract. If you are unsure of the lawful basis your employer relies on, please contact them directly.
EHS, as data processor, processes your data only on documented instructions from your employer and in accordance with our Data Processing Agreement with them.
3.6 How long we keep your data
Your data is held for the duration of your employer’s active relationship with EHS, and for up to 12 months after that relationship ends. After this period, your data is securely deleted. System logs (which do not contain personal data) are retained for up to one month.
If your employer ends their use of EHS, all associated personal data is deleted within 30 days of termination, unless your employer requests an earlier deletion.
3.7 Your rights
Even though your employer is the data controller for your check-in data, you have rights under UK GDPR that you can exercise directly with EHS. These include:
- The right to access the personal data we hold about you
- The right to request correction of inaccurate data
- The right to request deletion of your data
- The right to restrict or object to processing
- The right to data portability
- The right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk
To exercise any of these rights, email us at info@employeehappinessscore.com with the subject line “GDPR Data Subject Request”. We will acknowledge your request within five business days and complete it within 30 days.
4. If You Are a Client or Platform User
This section applies to you if you are a business leader, HR professional, manager, or administrator who has registered to use the EHS platform on behalf of your organisation.
4.1 What data we collect
When you register and use the EHS platform, we collect:
- Your name, job title, and email address
- Your organisation’s name
- Login credentials and account settings
- Platform usage data (pages visited, features used, session duration)
- Billing and payment information, processed via Stripe
- Communication preferences and support requests
- A record of your acceptance of our Terms of Service and Data Processing Agreement, including the date, time, and IP address of acceptance
4.2 How we use your data
- To create and manage your EHS account
- To deliver the EHS platform and associated features
- To process your subscription and handle billing via Stripe
- To send you operational communications (service updates, platform notifications)
- To provide customer support
- To improve the EHS platform based on usage patterns
- To comply with our legal obligations
4.3 Lawful basis
|
Processing activity |
Lawful basis |
|
Account creation and platform delivery |
Performance of a contract |
|
Billing and subscription management |
Performance of a contract |
|
Operational communications |
Performance of a contract |
|
Platform improvement and analytics |
Legitimate interests |
|
Marketing communications (if opted in) |
Consent |
|
Legal and compliance obligations |
Legal obligation |
4.4 Marketing communications
We may send you relevant insights, product updates, and sector content by email. You can unsubscribe at any time via the link in any email, or by contacting info@employeehappinessscore.com. We do not share your contact details with third parties for their marketing purposes.
4.5 How long we keep your data
We retain client account data for the duration of your active subscription and for 12 months following termination. Billing records may be retained for up to 7 years to comply with financial and legal obligations. Marketing contact data is retained until you unsubscribe or after 24 months of inactivity.
5. If You Are a Website Visitor
This section applies to anyone visiting employeehappinessscore.com who is not yet a registered client.
5.1 What data we collect
- Contact form submissions (name, email, company, message)
- Page views, clicks, scroll activity, and session data
- Device type, browser type, operating system
- IP address and approximate location
- Campaign tracking data (e.g. UTM parameters from ads or email links)
This data is collected through tools including HubSpot (CRM and forms) and Google Tag Manager.
5.2 How we use this data
- To respond to enquiries submitted via contact forms
- To understand how visitors use our website and improve its content
- To measure the effectiveness of our marketing campaigns
- To send you information you have requested (such as guides or resources)
5.3 Lawful basis
Where you submit a form or opt in to communications, we rely on consent. For website analytics and performance measurement, we rely on legitimate interests. You can withdraw consent at any time.
5.4 How long we keep this data
Contact and enquiry data is retained for 24 months from the date of submission, or until you ask us to delete it. Analytics data is typically retained for 26 months.
6. Third Parties and Sub-processors
We do not sell personal data. We share data only with trusted third-party providers (“sub-processors”) where necessary to deliver EHS. Each sub-processor is subject to a written agreement requiring them to protect personal data to the same standard as this policy.
|
Provider |
Purpose |
Location |
Transfer basis |
|
Supabase Pte. Ltd. |
Database storage and hosting |
EU (Ireland) |
Adequacy |
|
Vercel Inc. |
Platform hosting and deployment |
EU / US |
IDTA |
|
Google LLC |
Infrastructure and ancillary services |
EU / US |
IDTA |
|
Resend Inc. |
Transactional email delivery |
US |
IDTA |
|
Twilio Inc. |
SMS delivery |
US |
IDTA |
|
Stripe Inc. |
Payment and subscription processing |
US / EU |
IDTA |
|
HubSpot Inc. |
CRM, website forms, marketing email |
US |
IDTA |
Where client organisations configure third-party communication channels (such as their own email or messaging systems), EHS acts solely on the client’s instructions in relation to those integrations and is not responsible for those third parties’ own data practices.
7. International Data Transfers
Some of our sub-processors are based in the United States. Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place. For US-based providers, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms approved by the ICO.
Primary data storage is with Supabase, located in the European Union (Ireland), which benefits from the UK’s adequacy decision for EU-based transfers.
8. Security
We take security seriously. Our technical and organisational measures include:
- Encryption of all personal data in transit (TLS) and at rest
- Access controls based on the principle of least privilege
- Logical separation of client data within the platform
- Regular review of security measures
- Secure cloud infrastructure through Supabase and Vercel
No system is entirely without risk. If you have concerns about the security of your data, please contact us at info@employeehappinessscore.com.
In the event of a personal data breach affecting your data, we will notify affected parties without undue delay and in any case within 72 hours of becoming aware, in accordance with our obligations under UK GDPR Article 33.
9. Cookies
Our website uses cookies to improve performance, understand how visitors use the site, and deliver relevant content. We use a cookie consent banner to obtain your permission before setting non-essential cookies.
For full details of the cookies we use, please see our Cookie Policy at employeehappinessscore.com/cookie-policy.
10. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
|
Right |
What it means |
|
Access |
Request a copy of the personal data we hold about you |
|
Rectification |
Ask us to correct inaccurate or incomplete data |
|
Erasure |
Ask us to delete your data where there is no longer a lawful basis to hold it |
|
Restriction |
Ask us to pause processing of your data in certain circumstances |
|
Objection |
Object to processing based on legitimate interests |
|
Portability |
Request your data in a structured, machine-readable format |
|
Withdraw consent |
Where processing is based on consent, withdraw it at any time without affecting prior processing |
|
Complain |
Lodge a complaint with the ICO at ico.org.uk or 0303 123 1113 |
To exercise any of your rights, contact us at info@employeehappinessscore.com with the subject line “GDPR Data Subject Request”. We will acknowledge within five business days and respond within 30 days. There is no charge for exercising your rights.
11. Children
EHS is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at info@employeehappinessscore.com.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal obligations, or ICO guidance. Any material changes will be notified to registered clients via the EHS platform or by email. The current version will always be published at employeehappinessscore.com/privacy-policy, with the last updated date shown at the top.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please get in touch:
BusinessHub Systems Limited
Employee Happiness Score
Email: info@employeehappinessscore.com
Website: employeehappinessscore.com
Registered office: Potters Leisure Resort, Coast Road, Great Yarmouth, Norfolk, NR31 9BX