Helder Insight Privacy Policy
1. Who We Are
Helder Insight (“we”, “us”, “our”) provides consulting services using a software platform that helps organisations assess workplace culture, psychological safety, and related employee experience metrics. Depending on the activity, we may act as an independent controller, a processor acting on behalf of a customer organisation, or in limited cases a joint controller. Where we act as a processor, we process personal data only on documented instructions from the relevant controller under a data processing agreement.
Controller details
Helder Insight is the controller for the processing described in this policy unless we state otherwise. Our registered name, address, email address, and, where applicable, our representative and Data Protection Officer (DPO) contact details are set out in the “How to contact us” section below.
Third parties including Organisational Psychologists, Practitioners and Confidential Counsellors (Vertrouwenspersonen) may use our platform to conduct analyses directly with their customers. Practitioners based in The Netherlands are bound by the Code of Professional Conduct and ethical standards set by The Netherlands Institute of Psychology (NIP®). Practitioners in the UK are bound by the Code of Ethics and Conduct set by The British Psychological Society. Practitioners collecting data in other countries are bound by the code of conduct and ethical standards applicable in their respective jurisdictions.
2. What data we collect
We may collect and process the following categories of personal data:
- For users of the Platform, we capture name, email address, role and contact phone number.
- For survey and interview participants, we capture work or personal email, age-range, gender, tenure-range and whether you are a people leader.
- For larger organisations (greater than 1,000 employees) in agreement with the customer, we may capture the geographical location (country, region or city depending on the structure of the entity), department that participants work in and their level of seniority.
- Surveys are completed by individuals and contain several free text fields. Interviews are performed on a 1:1 basis between an individual and an Organisational Psychologist / Practitioner and are automatically transcribed using a transcription tool.
- Free text fields and transcriptions may contain sensitive and personal information that reveals an individual’s emotional and mental state, information about their personal lives, scenarios and periods where they have experienced stress, burnout, discrimination, bullying, or other related issues while working in their organisation. This is treated as special category data.
- An Organisational Psychologist / Practitioner will review all responses and redact, de-identify, anonymise, or generalise any information that could identify an individual before it is ingested into the platform.
- Responses will be ingested at the individual level then processed and reported in an aggregated and anonymised form. Where data are only pseudonymised or de-identified, there may still be personal data but this will not be visible in aggregated reporting.
- Individual responses are never shown in final reports, dashboards, or in the analyses. The name of the client organisation and any identifiable details including customer names, locations or events, will be anonymised during the analyses.
- This approach reduces the risk of individuals being identified from the data and supports both confidentiality and compliance with data protection principles such as data minimisation and purpose limitation.
We do not intentionally collect special category data unless it is voluntarily provided by respondents in free text, interviews, or other survey responses.
3. Why we use data
We use personal data for the following purposes:
- To provide and operate the platform.
- To administer user accounts and authenticate access.
- To provide customer support and service communications.
- To improve the platform, detect abuse, and maintain security.
- To comply with legal obligations and respond to lawful requests.
- To generate aggregated reports, dashboards, analytics, and benchmarks.
- To support practitioner-led analyses and feedback workflows.
We rely on the following lawful bases under Article 6 GDPR/UK GDPR, depending on the specific activity:
- Contract, where processing is necessary to provide the platform to users or to take steps at the request of a customer before entering into a contract.
- Legitimate interests, where processing is necessary to operate, secure, improve, and support the platform, provided those interests are not overridden by the interests or rights of individuals.
- Legal obligation, where processing is required to comply with applicable law.
- Consent, where required for specific optional processing activities.
We process individual responses using our internal pre-trained AI model for the Three Factor Model of Psychological Safety™. The model analyses themes related to psychological safety and topics such as leadership, job satisfaction, turnover intentions, employee wellbeing and burnout. Before any response is passed to the model, all direct identifiers have been removed. The model is securely ringfenced with no access to the internet.
For users in the UK and European Economic Area (EEA), we process personal data only when we have a recognised legal basis under applicable data protection laws. This may include processing that is necessary to provide our services, comply with legal obligations, support our legitimate interests, or where you have given your consent. Where required by law, we will obtain consent before processing sensitive personal data. Where we process special category data, we also identify an Article 9 condition as set out in the next section.
4. Special category data
Survey and interview questions relating to psychological safety, leadership behaviours and employee wellbeing may reveal information about mental health, emotional and physical wellbeing, discrimination, bullying or other sensitive topics. This information will be treated with strict confidentiality and redacted or de-identified before it is ingested into the platform to ensure individuals cannot be identified.
Where we process special category data in the UK or EEA, we do so only where a valid lawful basis under Article 6 applies and a condition under Article 9 applies, such as explicit consent, employment-related obligations, or another applicable legal condition under GDPR/UK GDPR. The Article 9 condition we rely on will depend on the processing context and may include explicit consent or another applicable condition permitted by law.
We will use pseudonymisation, access controls, role-based permissions, and restricted export functions.
Where special category data are processed for practitioner-led assessments or workplace wellbeing analysis, we implement additional safeguards including access restriction, role separation, redaction before ingestion where feasible, and minimisation of downstream access.
5. Who we share data with
We may share personal data with:
- Our hosting, analytics, support, email, and security service providers.
- Professional advisers, auditors, and legal/compliance advisers.
- Public authorities where required by law.
We describe our recipients and categories of recipients as precisely as reasonably possible. Our current categories of processors and service providers, including hosting, transcription, analytics, support, email delivery, and security vendors, are available on request or in an appendix to this policy.
Where we act as a processor for a customer, we may share or disclose personal data to that customer only in accordance with that customer’s instructions or where required by law. Where we act as an independent controller, we may share reports or outputs with the customer organisation as described in our contract and privacy documentation.
6. International transfers
Because we serve customers in the UK and Netherlands, personal data may be transferred between countries and stored on cloud infrastructure outside the country of collection. Where data leaves the UK or EEA, we use appropriate transfer safeguards, such as approved contractual clauses and supplementary security measures such as two-factor authentication where required. Where we transfer personal data from the EEA, we rely on the European Commission’s Standard Contractual Clauses or another valid Article 46 mechanism. Where we transfer personal data from the UK, we rely on the UK International Data Transfer Addendum, the UK International Data Transfer Agreement, adequacy regulations, or another valid UK transfer mechanism, as applicable.
If personal data are transferred to a country that has not been found adequate by the UK or EU, we implement additional technical and organisational measures, which may include encryption, access restrictions, pseudonymisation, and contractual controls.
7. Retention
We keep personal data only for as long as necessary for the purposes described in this policy, or as required by law and contract. Individual survey and interview responses are deleted or irreversibly anonymised at the end of the customer engagement unless we are required to retain them for legal, contractual, audit, dispute, or security purposes. In that case, we retain only the minimum data necessary for the relevant purpose and delete it when that purpose ends.
Platform account data is generally retained for the duration of the customer relationship and for a limited period thereafter for administration, audit, dispute handling, and legal compliance.
8. Security
We use appropriate technical and organisational measures to protect personal data, including access controls, encryption where appropriate, logging, segregation of customer data, least-privilege access, and secure backup procedures. Processors are expected to implement appropriate security measures and assist controllers with breaches and rights requests.
These measures are reviewed periodically and may include multi-factor authentication, secure configuration management, vulnerability management, and incident response procedures.
9. Data subject rights
Depending on your location and the legal basis for processing, you may have rights to:
- Access your personal data.
- Correct inaccurate data.
- Delete/redact data.
- Restrict processing.
- Object to processing where we rely on legitimate interests.
- Port data.
- Withdraw consent where processing is based on consent.
Where we rely on legitimate interests, you have the right to object, and we will stop processing unless we can demonstrate compelling legitimate grounds or the processing is required for legal claims.
If you are in the UK or EEA, you may also have the right to complain to your local data protection authority, including the ICO in the UK and the relevant EU supervisory authority. You may exercise your rights by contacting us using the details in the “How to contact us” section. We will respond within the time limits required by applicable law.
10. Cookies and tracking
If we use cookies or similar technologies, we will provide a separate cookie notice explaining what we use, why we use it, and how users can manage preferences. Where required by law, we will request consent before setting non-essential cookies or similar tracking technologies.
11. Children
Our platform does not collect data from children under 16 and cannot be used by children under 16, and we do not knowingly collect data from children. If we learn that we have collected personal data from a child contrary to this policy, we will delete it promptly unless we are legally required to retain it.
12. Mandatory vs voluntary data
Most of the personal data we collect (such as your name, email address, and role when creating a platform account, and your responses to surveys or interviews) is provided voluntarily. Providing your email and role is required to create and use a platform account and to receive access to our services. If you choose not to provide this information, you will not be able to use the platform.
Survey and interview participation is also voluntary. If you choose not to participate in a survey or interview, you will not be penalised or treated differently, and this will not affect your employment or contractual relationship with your organisation. However, organisations may still receive aggregated insights based on other participants’ responses.
13. Automated decision-making and profiling
We use automated processing, including artificial intelligence, as part of the Three Factor Model analysis. This analysis helps identify patterns and themes related to psychological safety, leadership behaviours, and employee wellbeing. However, this analysis is used only to support human-led interpretation and reporting and does not lead to decisions that have legal or similarly significant effects on individuals made solely by automated means.
Individual-level responses are never visible to the customer organisation and are never used to evaluate, manage, or influence an individual’s performance, conduct, pay, promotion, or other employment-related decisions. No decisions that significantly affect your employment, status, or contractual rights are taken based solely on automated processing. All such decisions are made by qualified practitioners, managers, or organisational representatives, who may take our aggregated reports and insights into account alongside other information, but not individual-level survey or interview responses.
14. Source of personal data
All personal data used in our platform is obtained directly from the individual. Platform users provide their own information when registering and using the platform. Survey and interview participants provide their own responses directly through the platform or via direct participation in interviews. We do not obtain personal data from third parties, employers, or practitioners with respect to individual participants, except where the individual is using the platform in the context of a customer-organised engagement and the connection is initiated through that organisation (for example, when invited to complete a survey). Even in such cases, the data itself is collected directly from the individual.
15. Role of the customer organisation
When Helder Insight provides the platform to Organisational Psychologists and Practitioners, those Practitioners act as the controller (or joint controller) for the personal data of individuals participating in their engagements, because they determine the purposes and means of the processing (for example, deciding to run a culture or psychological safety assessment with a particular organisation and identifying the participants). Helder Insight acts as a processor for the processing activities carried out on the platform, in accordance with the Practitioner’s documented instructions under a data processing agreement.
When Helder Insight uses data for its own purposes (for example, to improve the platform or generate industry benchmarks), Helder Insight acts as an independent controller. The customer organisation (the organisation using the Practitioner’s services) is not the controller for these Helder Insight-led activities, and its role is limited to being the context in which the data is originally collected. Any use of data by Helder Insight for its own purposes is governed by this privacy policy and any applicable contractual arrangements.
16. How to contact us
If you have questions, requests, or complaints about this policy or our handling of personal data, contact:
Helder Insight:
Address: Prinsengracht 217B, Amsterdam 1015 DT
Email: andy@helderinsight.com
Data Protection Officer: andy@helderinsight.com
17. Changes to this policy
We may update this policy from time to time. If we make material changes, we will notify users through the platform or by email where appropriate.