GoodShape UK Limited as Data Controller

GoodShape is committed to respecting your privacy and protecting your personal information.  Data integrity, security and confidentiality are our highest priority, and we have security programs in place to ensure the safety of your information.  We operate the ISO27001 certified Information Security Management System (ISMS), hold a Cyber Essentials Certification and operate a data protection compliance program.


Our Privacy Promise

  • We will be transparent about the information we are collecting and what we will do with it
  • We will use the information you give us for the purposes described in our Fair Processing Notice
  • We will put measures in place to protect your information and keep it secure
  • We will respect your data protection rights and aim to give you control over your own information

1. Introduction

This Fair Processing Notice explains how and why GoodShape UK Limited, including each of its operating entities (also referred to as “GoodShape”, “we”, “our” and “us”) use personal data concerning employees (referred to as “you”) in the provision of our absence management service (“Service/s”).  

2. GoodShape’s Data Protection Responsibilities

Personal Data is any information that relates to an identified or identifiable living person. Your name, date of birth and contact details are all examples of your Personal Data. 

The term “Process” means any activity relating to personal data including, for example, collection, storage, use, consultation and transmission of data.

This Fair Processing Notice concerns only the Processing of your Personal Data by GoodShape in our capacity as a Data Controller.

3. How does GoodShape collect Personal Data?

GoodShape collects Personal Data for which it is Data Controller directly from you when you use the Service.

4. Types of Personal Data we collect

We collect the following categories of Personal Data from you:

  • Withheld absence reason - this is where you have not allowed us to share your absence reason with your employer
  • Contact telephone number for GoodShape Communications
  • Contact telephone number to invite you to participate in a survey
  • Contact telephone number for identification purposes
  • IP address if you have access to the GoodShape web portal
  • Call recording
  • Security question and answer
  • Personal email address
  • Care plan task log
  • Wellbeing content usage

If you are a GoodShapeHealth customer, the following Special Category Data is also collected:

  • Medications*
  • Allergies*
  • Conditions*
  • Vaccinations*
  • Lifestyle advice (alcohol*, smoking*)
  • Medical advice

* If you have the GoodShape App, you can choose to complete the relevant sections and there is a skip button if you do not wish to provide this information.


5. How we use your Personal Data?

We Process your Personal Data to facilitate the management of your absences from work.

We may convert your Personal Data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you and is used to analyse aggregated absence trends at your employer.

6. Who do we share your Personal Data with?

The only category of Personal Data which we may share with your employer when we act as a Data Controller is your personal email address, and only if you have given us consent to share this with your employer.

In the usual course of our business, we may disclose your Personal Data, limited to the extent reasonably necessary, to certain third-party processors that we use to support the delivery of our Service. This may include the following:

  • Text Message distribution services for the issuing of absence notifications.
  • Overflow contact centres for use in business continuity and disaster recovery plans.
  • Outsourced developers to facilitate the delivery and evolution of services.
  • Information Technology partner to provide infrastructure support services.
  • Cloud hosting partners to provide required computer platforms. 

Where we utilise a third-party processor, we ensure that they operate under contractual restrictions with regards to data protection, confidentiality and security, in addition to their existing obligations under Data Protection Laws.

On extremely rare occasions GoodShape may have cause to be significantly concerned for the immediate health and welfare of an employee. In these scenarios, GoodShape, in the vital interests of the employee, may share any appropriate and necessary Personal Data with an emergency service, or nominated emergency contact within the client organisation.

7. Where in the world is your Personal Data transferred?

Your personal data is stored at rest in the United Kingdom and EEA.

8. How do we keep your Personal Data secure?

We take specific steps to ensure that appropriate security measures are implemented and updated to protect your Personal Data from unlawful or unauthorised processing and accidental loss, destruction or damage. These include ISO 27001 status, Cyber Essentials Certification and a data protection program.

9. How long do we keep your Personal Data for?

Your Personal Data for which GoodShape is a Data Controller will be kept on our system for 1 month following the termination of our Service by your employer, at which point your personal data will be anonymised. 
 
We retain Call recordings for 6 months from the date of the actual call.

10. What are you rights in relation to your Personal Data and how can you exercise them?

You have certain legal rights under Data protection law as follows:  

  • Right of access
  • Right to data portability
  • Right to rectification of inaccurate or incomplete Personal Data
  • Right to object to or restrict our data processing
  • Right to erasure
  • Right to withdrawal of consent

11. Our legal basis for data processing

Our lawful basis for processing your Personal Data for the purposes of the Services is for our legitimate business purposes, expect for any special category data, for which we rely on your explicit consent.

12. Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed.

13. Data subject access requests and queries

If you wish to make a Data Subject Access Request or exercise any of the other rights listed above, or have any questions about the fair processing of your data at GoodShape, please direct them to: dpo@goodshape.com.

You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.


Version 38 – Date Updated: March 2025