Privacy Policy

People Alchemy Ltd – Privacy Policy
Version 5 – September 2025

Who this notice applies to
This Privacy Policy applies to all users of the People Alchemy Learning Workflow Platform and related services, including staff from our NHS customers, public sector organisations (such as government departments and agencies), and private sector clients.

It explains how People Alchemy Ltd uses personal data, the lawful bases for doing so, and your rights under the UK GDPR and Data Protection Act 2018.

We do not process NHS patient or clinical data.

Introduction
This Privacy Policy explains how People Alchemy Ltd (“we”, “us”, “our”) collects, uses, stores, and shares personal data. It applies to:
– Users of our People Alchemy Learning Workflow Platform (the “Platform”) provided to NHS organisations, public sector bodies (such as government departments and agencies), and private sector customers.
– Visitors to our websites.
– Contacts of our customers, prospects, and suppliers.
– Our employees and job applicants.

We are committed to protecting your personal information and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What data we process
Depending on your relationship with us, we may process:
– Customer staff data: name, work email, job role, learning records.
– CRM data (prospects and customer contacts): name, role, work contact details, correspondence.
– Support data: name, email, ticket details.
– Employee and applicant data: contact, payroll, bank details, application materials.
– Website usage data: IP address, cookies, and online behaviour.

We do not process patient or special category health records. Our services are designed for organisations and their staff.

How we collect data
We may collect data from:
– Your employer (as part of a customer contract).
– You directly (e.g. via our website, CRM, or support desk).
– Automated collection through our systems (e.g. cookies, logs).

Purposes and lawful bases
We process personal data for the following purposes:
– Contract delivery (Art. 6(1)(b)): to provide the Platform and services to customers.
– Legitimate interests (Art. 6(1)(f)): to manage customer relationships, maintain system security, improve our services, and maintain sales records.
– Legal obligation (Art. 6(1)(c)): to meet HR, tax, and regulatory requirements.
– Consent (Art. 6(1)(a)): for marketing activities where you have opted in.

Sharing and transfers
We only share data with:
– Our secure hosting and backup providers (acting as sub-processors).
– Our professional advisers and regulators where legally required.

International transfers
Our offshore development partner in Ukraine may access the system several times a week to provide technical support and maintenance. This can involve access to customer staff data (e.g. names, emails, learning records) where required to resolve issues.

We safeguard these transfers by:
– A written agreement with the developer incorporating the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses.
– A completed Transfer Risk Assessment (TRA) supporting the arrangement.
– Access restricted to authorised individuals on a least-privilege basis.
– Regular monitoring and logging of access.

All other customer platform data is hosted within the UK.

Retention
– Platform data: retained for the duration of the customer contract plus up to 12 months in backups, unless otherwise required by contract.
– CRM (prospects): retained for 2 years from last contact.
– CRM (customers): duration of contract plus 6 years.
– Support tickets: 3 years.
– HR records: 6 years after employment ends.

Your rights
You have rights under UK GDPR, including:
– Access to your data.
– Correction of inaccuracies.
– Erasure (right to be forgotten).
– Restriction of processing.
– Data portability.
– Objection to processing.

Customer staff should normally make requests via their employer (the data controller), but you may also contact us directly.

Cookies
We use cookies and similar technologies on our websites to improve functionality and analyse usage. See our Cookies Notice for details.

Children
We do not knowingly collect data about children under 16.

Contact details
Data Protection Lead: Paul Matthews, CEO (legal name: Frederick Paul Matthews)
Email: data.pal@peoplealchemy.com
Address: People Alchemy Ltd, 85 Great Portland Street, London, W1W 7LT, UK

You also have the right to complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/concerns

Updates
We may update this policy from time to time. Any significant changes will be communicated via our website or the Platform.

Last updated: September 2025