Privacy Policy

Last Updated on 28.01.26
Effective Date 28.01.26

Welfare Together (“we”, “us”, “our”) is committed to protecting the privacy and security of personal data. This Privacy Notice explains how we collect, use, share, store and safeguard personal data in accordance with the UK GDPR, Data Protection Act 2018, and other applicable laws.

This Notice covers all individuals whose data we handle, including employees, candidates, customers, councils, vulnerable debtors, suppliers and other stakeholders.

1. Who We Are (Data Controller)

Welfare Together
1st Floor, Plant House
Royal Oak Way
Daventry
NN11 8PQ
Email: hello@welfaretogether.co.uk
Tel: 01327 220880
We do not currently need to appoint a Data Protection Officer or EU/UK Representative.

2. What Personal Data We Process

The data we process varies depending on the relationship we have with you. Categories of data include:

Identification data (name, date of birth, address)
Contact details (email, phone number, postal address)
Employment-related information (pay details, bank details, pension details, performance data, leave and sickness records, qualifications, employment history)
Financial information (bank details, payment information, financial circumstances)
Vulnerability indicators (where required for public task work with councils)
Communication and case records
Call recordings (for service quality, training and monitoring)
Technical information (IP addresses related to encrypted email services)

Where special category data is processed (e.g., sickness information, vulnerability indicators), we do so under conditions approved by law such as substantial public interest or employment-related obligations.

3. How We Obtain Personal Data

Depending on the context, data is obtained from:

You directly
Your employer (for employees and candidates)
Councils and enforcement agencies
Referees (for recruitment)
Third‑party platforms such as case management or IT support providers
Payment platforms

4. Purposes and Legal Bases for Processing

We only process data where lawful and necessary. The main purposes and corresponding legal bases include:

Recruitment

Assessment of suitability, background checks, communication with candidates
Lawful bases: Contract; Legitimate interest; Employment condition (where relevant)

Direct Marketing

Communicating with customers or prospective customers
Lawful bases:

Contract (existing customers)
Legitimate interest (prospective customers)

Assisting Vulnerable Debtors (Working with Councils)

Case management, assessing vulnerability, communication, processing payments
Lawful bases:

Public task (Art. 6(1)(e))
Substantial public interest (Art. 9(2)(g))

IT and Security Operations

IT support, encrypted communications, call recording, service monitoring
Lawful bases: Legitimate interest (security, ensuring service quality)

5. Who We Share Personal Data With

Depending on the processing activity, we may share data with:

HMRC
Accountants
Microsoft (cloud and HR systems)
Case management software
Payment providers (WorldPay / Pay360)
IT support provider
Encrypted email service
Councils and enforcement agencies

We only share the minimum necessary data and ensure appropriate safeguards.

6. International Transfers

Some systems (e.g., Microsoft, payment providers) involve transfers to the USA.
All such transfers are protected using Standard Contractual Clauses (SCCs).

7. How Long We Keep Personal Data

Retention varies depending on the processing activity and legal requirement, for example:

Recruitment (unsuccessful candidates): 6 months
Marketing (prospects): 1 year post‑campaign
Vulnerable debtor case information: 6 years
Call recordings: 3 months

Where a council sets a different retention period, that period applies.

8. Security Measures

We take appropriate technical and organisational measures, including:

Encryption of data in storage and transit
Access controls and role‑based permissions
Two‑factor authentication
Secure case management and IT systems
Encrypted email transfers

9. Automated Decision‑Making

We do not use automated decision‑making or profiling that produces legal or significant effects.

10. Your Data Protection Rights

Depending on the lawful basis, you may have the right to:

Be informed
Access your data
Rectify inaccuracies
Erase personal data
Restrict processing
Data portability
Object to processing
Withdraw consent (where consent is used)
Not be subject to solely automated decision‑making

To exercise any right, contact us at: hello@welfaretogether.co.uk

11. Data Protection Impact Assessments (DPIAs)

We carry out DPIAs where required, particularly for:

Assisting vulnerable debtors
High‑risk processing involving councils

12. Personal Data Breaches

We maintain a breach‑reporting process and will notify the ICO and affected individuals where legally required.

13. Cookies

To learn more about how we use these and your choices in relation to these tracking technologies, please refer to ourCookie Policy.

14. Third Party Links & Use Of Your Information:

Our Service may contain links to other websites that are not operated by us. This Privacy Policy does not address the privacy policy and other practices of any third parties, including any third party operating any website or service that may be accessible via a link on the Service. We strongly advise you to review the privacy policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

15. Contact and Complaints

If you have concerns about how we process your data, please contact us first at:

hello@welfaretogether.co.uk

You may also lodge a complaint with the Information Commissioner’s Office (ICO):
www.ico.org.uk