Privacy Notice

1. Who We Are

Husu Ltd (“Husu”, “we”, “us”, or “our”) is a company registered in Scotland under company number SC847145. Our registered address is Flat 2/1, 2 Ormonde Court, Glasgow, G44 3RE.

We operate the website at https://husu.co.uk and provide an HR and wellbeing software-as-a-service platform to organisations in the United Kingdom.

For data protection queries, you can contact us by email at hello@husu.co.uk.

2. Scope

This Privacy Notice applies to personal data that we collect and process in connection with:

• visitors to our website;
• prospective and current clients and their nominated contacts;
• employees and other individuals of our clients who use our platform (referred to as “end users”); and
• any other individuals who contact us or whose personal data we receive.

Where we process personal data on behalf of a client organisation (for example, end user survey responses), we act as a data processor and the client acts as the data controller. In those cases, the client’s own privacy policy will also apply. Our controller and processor roles are described further in section 6.

3. Personal Data We Collect

3.1 Contact and account information

When you enquire about our services, create an account, or correspond with us, we collect:

• name;
• work email address;
• telephone number;
• job title and employer name;
• the content of any correspondence you send us.

3.2 Website usage information

When you visit our website, we collect certain technical information automatically, including:

• IP address;
• browser type and version;
• device type and operating system;
• pages viewed and approximate session activity;
• referring website or source;
• approximate geographic location derived from IP address.

3.3 Client and billing information

Where a client enters into an agreement with us, we collect information necessary to administer that agreement, including billing contact details and payment information (processed by our payment provider — we do not store full card details ourselves).

3.4 Survey and platform data

Where end users complete wellbeing surveys or use other features of our platform, we collect and process their responses on behalf of the relevant client organisation. We apply a minimum reporting threshold of five (5) respondents before aggregated results are made available to client administrators, to protect individual anonymity.

Free-text responses may be collected where configured by the client as part of the survey design.

4. How We Use Personal Data

We use personal data to:

• respond to enquiries and communicate with prospective and current clients;
• provide and administer our platform and services;
• manage our contractual relationship with clients;
• process payments and manage billing;
• operate, maintain, and improve our website and platform;
• generate aggregated, anonymised reports and insights for client organisations;
• send service-related communications (for example, account notifications);
• send marketing communications where we have a lawful basis to do so (see section 14);
• comply with our legal and regulatory obligations; and
• protect our legitimate business interests and those of our clients.

5. Lawful Bases for Processing

We rely on the following lawful bases under UK GDPR:

5.1 Contract

Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract. This applies to the administration of client accounts and the provision of our services.

5.2 Legitimate interests

Processing is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your interests or rights. This includes operating and improving our platform, responding to enquiries, maintaining security, and sending direct marketing to existing clients and contacts where they would reasonably expect to hear from us.

5.3 Legal obligation

Processing is necessary to comply with a legal obligation, for example retaining records for tax or regulatory purposes.

5.4 Consent

Where we rely on consent, for example for certain marketing communications to individuals who are not existing clients or contacts, we will obtain your consent before processing and you may withdraw it at any time.

6. Controller and Processor Roles

For data relating to our website visitors, prospective clients, and our own business contacts, Husu acts as the data controller. We determine the purposes and means of processing.

For personal data relating to end users of client organisations (for example, employees completing wellbeing surveys), we act as a data processor on the instructions of the client, who is the data controller. Our processing in this context is governed by a data processing agreement with the relevant client.

Where we act as a processor, we will only process personal data in accordance with the client’s documented instructions unless required to do otherwise by law.

7. Special Category Data

Wellbeing surveys may touch on topics that could indirectly relate to health or other sensitive matters. We take care in the design and operation of our platform to minimise the processing of special category data as defined in UK GDPR.

Where special category data is processed, we will ensure an appropriate additional condition for processing is met (such as explicit consent or the substantial public interest condition) and we will implement appropriate safeguards.

Our aggregated reporting approach and minimum respondent threshold (see section 3.4) are among the safeguards we apply to protect individuals in this context.

8. Cookies

We use a single, strictly necessary cookie to manage authenticated user sessions. This cookie (named user_session) is an httpOnly cookie that expires after seven days and is required for the service to function. It does not track browsing activity and is not used for analytics or advertising.

We do not currently use analytics, advertising, or preference cookies. No cookie consent banner is required at present because only strictly necessary cookies are set. If we introduce non-essential cookies in the future, we will implement appropriate consent controls before those cookies are used.

9. Sharing Personal Data

We may share personal data with:

• our service providers and subprocessors, including hosting, database, authentication, communications, email, and productivity providers;
• client organisations, where we share aggregated reports or act on their instructions as a processor;
• professional advisers (for example, accountants or solicitors) in the ordinary course of business;
• regulators, courts, or law enforcement agencies where required or permitted by law; and
• any third party to whom we transfer or sell our business, in which case the acquirer will be bound by this Privacy Notice or will provide you with a new one.

A current list of subprocessors is set out in Schedule 1 of our Data Processing Addendum at husu.co.uk/legal/dpa, or is available on request.

10. International Transfers

Some of our service providers may process personal data outside the United Kingdom. Where this occurs, we ensure that an appropriate safeguard is in place, such as:

• a UK adequacy regulation covering the destination country;
• UK International Data Transfer Agreements (IDTAs) or equivalent standard contractual clauses; or
• another lawful transfer mechanism under UK GDPR.

Some of our infrastructure and service providers are based in the United States, including our application hosting provider (Render) and feature management provider (LaunchDarkly). Our primary database (MongoDB Atlas), authentication provider (Supabase), and application monitoring provider (SigNoz) are hosted in the European Union and benefit from UK adequacy regulations. Our email provider (SiteGround) is based in the United Kingdom.

11. Retention

We retain personal data only for as long as necessary for the purposes for which it was collected or as required by law. Our standard retention periods are:

• website enquiry records: 12 months;
• prospect and client-contact records: duration of the relationship plus 24 months;
• service administration and support records: duration of the agreement plus 30 days;
• activity and audit logs: 12 months rolling;
• backup data: per hosting provider retention cycle (currently up to 7 days);
• anonymised aggregate data: retained indefinitely where no individual is identifiable.

We may retain data for longer periods where required by law or where there is an ongoing legal dispute or investigation.

12. Security

We implement technical and organisational measures to protect personal data against unauthorised access, loss, or destruction. These measures include:

• role-based access controls with three distinct permission levels;
• two-factor authentication for user accounts;
• session management using secure, httpOnly cookies;
• encryption in transit (HTTPS/TLS);
• application monitoring and logging;
• automated vulnerability scanning and code quality analysis in the development pipeline;
• confidentiality obligations for staff and relevant suppliers.

We do not claim any specific certification, encryption standard, or security measure in this notice unless it is actually in place and can be evidenced.

13. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access — to obtain a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate data corrected.
• Right to erasure — to request deletion of your personal data in certain circumstances.
• Right to restriction of processing — to restrict how we process your data in certain circumstances.
• Right to data portability — to receive your data in a structured, machine-readable format in certain circumstances.
• Right to object — to object to processing based on legitimate interests or for direct marketing purposes.
• Rights related to automated decision-making — we do not currently make solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at hello@husu.co.uk. We will respond within one month of receiving a valid request.

If you are not satisfied with our response, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

14. Marketing

We may send marketing communications to prospective and existing clients and contacts where we have a lawful basis to do so. Where we rely on legitimate interests for marketing to business contacts, you have the right to object at any time.

To opt out of marketing communications, please click the unsubscribe link in any marketing email or contact us at hello@husu.co.uk.

15. Third-Party Links

Our website may contain links to third-party websites. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies. This Privacy Notice applies only to our website and services.

16. Changes to This Notice

We may update this Privacy Notice from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through the platform.

We encourage you to review this notice periodically. Your continued use of our website or services after any changes constitutes your acknowledgement of the updated notice.

17. Contact Us

If you have any questions about this Privacy Notice or our data protection practices, please contact us: