Privacy Notice
At WorkNest, we are committed to keeping your personal and business information safe. This is our privacy notice, in which we tell you honestly how we use and look after your personal data. This privacy notice tells you what to expect us to do with your personal informationโฏif you choose to share it with us: this could be if you use our services or products or use our website. We will tell you what information we collect about you; how we use this data; with whom we share it; and how we store it and keep it safe.
We may update our privacy notice from time to time. We will communicate significant updates to you via email if we have your email address. You can also check this page for recent updates. If you would like a pdf version of this privacy notice, email dataprotection@worknest.com
We last updated this privacy notice in June 2025.
We are WorkNest. We deliver first-class Employment Law, HR, and Health & Safety support, backed by hands-on consultancy and advanced technology. WorkNest helps organisations of all sizes and industries confidently manage their employment, safety, and wellbeing challenges, all accessible via our user-friendly portal, myWorkNest.
WorkNest is part of a family of specialist companies backed by Inflexion, dedicated to helping businesses thrive by providing expert support across key operational areas.โฏ As part ofโฏ Axiom GRC, we bring together the most gifted practitioners in people management, health, safety and wellbeing, employment law, professional training, and business technology. We are proud to offer a broader range of services to help protect and nurture organisations of every size.
WorkNest Ltd is a company registered in England and Wales with company number (CRN 04382739) and whose registered office is at 2nd Floor, 20 Grosvenor Place, London, England, SW1X 7HN.
WorkNest is the data controller of personal information we collect. WorkNest is registered with the Information Commissionerโs Office as a data controller under reference: โฏZ2442783
For any queries, concerns, or complaints you may have about how WorkNest collects, uses or stores yourโฏpersonal information, you can contact our Data Protection Officer atโฏdataprotection@worknest.com
Or you can write to:
Data Protection Officer
WorkNest
Woodhouse
Church Lane
Aldford
Chester
CH3 6JD
If WorkNest cannot resolve the issue, you can also make a complaint to the Information Commissionerโs Office (ICO: the UK supervisory authority for data protection) if you are unhappy with how we have used your data:
Information Commissionerโs Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ICO helpline number: 0303 123 1113
ICO website:โฏico.org.uk
As aโฏdata subject, under UK data protection law you have the right to:
- Access: ask for copies of all information we have about you
- Rectification: ask us to correct personal information you think is wrong. You also have the right to ask us to complete information you think is incomplete
- Erasure: ask us to delete your personal information
- Restriction of processing: ask us to limit the processing of your personal information
- Objection to processing: say no to the processing of your personal information
- Data portability: ask that we transfer the personal information you gave us to another organisation, or to you
- Withdraw consent: if WorkNest has asked your consent to use your data for a particular reason, you have the right to take back that consent so that WorkNest cannot use your data like that in the future. However if you choose to withdraw your consent this will not change anything that WorkNest has used your data for in the past with your consent.
You can choose to use any of these rightsโฏfor freeโฏby contacting us atโฏdataprotection@worknest.com, or writing to us at our address (see โWho we areโ) with your request.
WorkNest has one calendar month to respond to you from the time we receive your request. WorkNest does not have to agree to your request, but if we do not agree we have to tell you why.
It is your choice to share your personal informationโฏwith us and you do so at your own risk. We take information security seriously at WorkNest. We work hard to make sure that yourโฏpersonal informationโฏis looked after securely, and that we only process data in the ways that we say we do in this privacy notice. We put in place ways to protect personal data against unauthorised access, alteration, or disclosure.
We make sure that yourโฏpersonal information is only seen by people who need to access it to do their job. We check who has access to allโฏpersonal informationโฏregularly.
Our staff complete data protection and cyber security training so that they know how best to look after your personal information.
For more information, please visit our trust centre: worknest.com/about-us/trust-centre
However, even though we are very careful we can never 100% guarantee the security of any information you give to us. If you are not happy or have concerns about how we look after your personal information, please contact ourโฏData Protection Officer at dataprotection@worknest.com.
The WorkNest website contains links to other websites that are not run by us. These websites should have their own privacy and cookie notices for you to read. We do not have any responsibility for how these websites or organisations process your personal information.
Under UK data protection law we must have what is known as a legal basisโฏfor collecting and using your information. There are sixโฏlegal bases, sometimes known as lawful bases:
- Consent: your permission.
- Performance of a contract: when we deliver the services you have requested.
- Legitimate interests: see the next section of our privacy notice.
- Vital interest: to save a life.
- Legal requirement: when we comply with UK law.
- Public interest: when data processing is beneficial for public good.
For business clients
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:
- Identity dataโฏincludes first name, last name, username or similar identifier, title, date of birth and gender.
- Contact dataโฏincludes billing address, email address and telephone numbers.
- Company information: company name, postcode, number of employees.
- Recordings of phone calls and video calls: we record inbound and outbound phone calls. This includes when we speak with you to discuss the purchase of our products and services, you discuss your product or services with our Client Management team, or you receive advice from our employment law, HR or health and safety advisory services.
- Financial dataโฏincludes bank account and/or payment details.
- Transaction dataโฏincludes details of services we have provided to you.
- Engagement data: webinars you have attended, interactions with emails.
- Technical dataโฏincludes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile dataโฏincludesโฏyour username and password, downloads made by you, your interests, preferences, feedback and survey responses.
- Usage dataโฏincludes information about how you use our website and services.
- Marketing and communications dataโฏincludes your preferences in receiving marketing from us and your communication preferences.
We also collect, use and shareโฏaggregated dataโฏsuch as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data doesโฏnotโฏdirectly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
We do not collect anyโฏspecial categories of personal dataโฏabout you via the website (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences via the website. Sometimes, we will ask you to provide special category data to us so that we can provide the best service to you. We will take particular care to process special category data securely and will process it in keeping with the contract in place between us.
We use different methods to collect data from and about you including through:
- Direct interactions.โฏYou may give us your identity, contact and financial data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
- Communicate with us about, or enter into a contract for, our services;
- Create an account on our website;
- Subscribe to our service or publications;
- Download any resource available on our website;
- Request marketing to be sent to you; or
- Give us some feedback.
- Automated technologies or interactions.โฏAs you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see ourโฏcookie notice for further details.
- Third parties or publicly available sources.โฏWe may receive personal data about you from various third parties and public sources as set out below:
- Technical data from analytics providers, such as Google, based inside and outside the EU;
- Contact, financial and transaction data from providers of technical, payment and delivery services based inside the EU;
- Identity and contact data from publicly available sources such as Companies House and the Electoral Register based inside the EU.
- Identity and contact Data from publishers of business information.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
- Where you provide your consent to us.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please email dataprotection@worknest.comโฏif you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of Data | Lawful basis |
To register you as a new customer |
| Contract |
To process and deliver your order, including:
|
| Contract Legitimate interests (to recover debts due to us) |
To manage our relationship with you, including:
|
| Contract Legal obligation Legitimate interests (to keep our records updated and to study how our customers use our products and services |
To administer and protect our business and this website, including:
|
| Legal obligation Legitimate interests (running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
|
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you |
| Legitimate interests (to study how customers use our products and services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our website, products, services, marketing, customer relationships and experience |
| Legitimate interests (to define customer types for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about goods or services that may be of interest to you. We may use insight delivered by artificial intelligence to make suggestions and recommendations based on customer profiles built from aggregated customer data. These customer profiles are created using your client data such as industry, marketing engagement data and advisory case data. |
| Legitimate Interests (to develop our products and services and grow our business) |
To share your contact information with companies within the Axiom GRC Group and to contact you with introductions to companies within the Group to promote our diverse range of products and services to you. |
| Legitimate Interests (to develop our products and services and grow our business) |
Marketing & Promotional offers from us
We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased services from us, or if you provided us with your details and consent when you downloaded resources from our website, and, in each case, you have not opted out of receiving that marketing.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time byโฏcontacting dataprotection@worknest.com Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of any use you make of WorkNestโs services, which we will continue to process pursuant to the contractual obligations between us.
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Your personal information is stored in a database owned by WorkNest, and can only be accessed by WorkNest employees.
We will only keep your personal information for as long as we need it to deliver services to you, and for as long as UK legislation tells us we must keep it.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
WorkNest will never sell, rent or lease your personal information, or insights generated from your information.
We will sometimes share your information within the Axiom GRC Group. These companies are also all backed by Inflexion and provide different, and complementary, aspects of the services that WorkNest as a whole provides to its customers.
We will sometimes share you information with trusted external third parties, including:
- Service providers, acting as processors, based within the European Economic Area who provide IT and system administration services.
- Professional advisers, acting as processors, including lawyers, bankers, auditors and insurers based within the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities in the United Kingdom who require reporting of processing activities in certain circumstances.
These organisations will not use or process your information for any purpose other than what we have asked them to do.
In some exceptional circumstances, we may need to share your personal information to protect you or someone else. We will share as little information as is needed, and we will share it in a way that keeps it safe.
Here are the reasons we may need to share your personal information:
- We are told to by law. We may need to give personal information to the police, legal advisors, professional regulators, or safeguarding agencies.
- You are at risk of serious harm, neglect, death or threat to personal safety.
- You tell us that someone else is at risk of serious harm, neglect, death or threat to personal safety.
- We believe a crime is happening or may happen if nothing is done to stop it. This includes financial fraud.
Where possible, we keep your personal information inside the UK. However, we share your information with companies that work for us as processors that process and store information outside of the UK and Europe.
When this is the case, we make sure that we have a lawful method of transferring your data, and that your personal informationโฏis safe and that the organisation that works for us is obeying UK data protection law, even if it is based outside the UK.
For website users
Types of Cookies Used:
- Analytical Cookies: These track website traffic and usage patterns to help improve the website experience.
- Preference Cookies: These remember your settings and preferences for a personalised experience.
You can read about cookies in more detail, and choose to opt in or out of our use of cookies in our cookie compliance tool: Renew or change your cookie consent
You may also like to visit our Cookie Notice: Cookie Notice
Your browser settings will also allow you to control your personal cookie settings. Further information can be found in the โHelpโ section of your chosen web browser. To find out more about cookies, including details of cookies and how to manage and deleted them, please visit allaboutcookies.org
Definitions
Anonymise: to change data so that it cannot be linked to an individual person.
Cookie: a small file of information โ like a username or password โ that are stored on your device and identify the user. Cookies are used to work out what to show you, improving your web experience.
Consent: permission, usually only valid when you have been told exactly what you are consenting to. One of the ways that processing data can be justified under data protection law.
Contractual performance: the data processing needed to carry out an agreement with an individual. One of the ways that processing data can be justified under data protection law.
Data Controller: an organisation (or person) that makes decisions about how and why data is processed.
Data minimisation: collecting the smallest amount of personal data that you need.
Data Processor(s): an organisation (or a person) that carries out the instructions of the Data Controller and processes data on behalf of the Data Controller.
Data Protection Officer: a person who is an expert in data protection and looks after the interests of the data subject.
Data subject: the individual whose personal data is being processed.
Encrypted: encryption allows information to be hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or cypher. The hidden information is said to be encrypted.
Generative artificial intelligenceโฏ(also generative AI or GenAI): is artificial intelligence capable of generating text, images, or other media, using generative models. Generative AI models learn the patterns and structure of their input training data and then generate new data that has similar characteristics.
Information Commissionerโs Office (ICO): the UKโs independent body set up to uphold information rights. The ICO has the power to investigate organisations which do not obey Data Protection laws.
Joint Controllers: two or more Data Controllers who together decide how and why data is processed.
Legal/lawful basis/bases: six reasons recognised by UK GDPR for processing personal information.
Legitimate interests: a strong reason (or reasons) for a Data Controller to process data for no other reason than that it is beneficial to the Data Controller if it does not have an adverse effect on the data subject. This is one of the ways that processing data can be justified under GDPR law, although whenever a Data Controller relies on it, they should have a written decision called a Legitimate Interest Assessment.
Personal information: any information about a real, living individual. For example, name, telephone number, address, health conditions, or qualifications. Information about organisations, such as annual turnover, is not personal information. Information about individuals working at organisations โ for example, a business email address, or a job title โ is personal information.
Privacy notice: a publicly displayed explanation of how organisations process data.
Purpose limitation: one of the principles of GDPR โ personal data should only be used for the reasons it was collected.
Public interest: beneficial for the public. One of the ways that processing data can be justified under GDPR law.
Retention schedule: a table of how long organisations should store data.
UK GDPR: UK General Data Protection Regulation. This is a law designed to protect personal data stored on computers, or in an organised paper filing system. This law is the UK version of a law that is applied across many European countries.