Legal

Privacy Policy

How One Point Four West collects, uses and protects personal information provided through this website, in accordance with UK GDPR and the Data Protection Act 2018.

Who we are

One Point Four West Ltd is an independent HR consultancy registered in England and Wales (Company No. 17094594).

Registered office: The Commissioners Building, 4 St Thomas Street, Sunderland, SR1 1NW

Data protection contact: Tim Withnall
Email: dpo@onepointfourwest.com
ICO Registration Number: ZC106734

One Point Four West Ltd has not formally appointed a Data Protection Officer under Article 37 UK GDPR. The data protection contact above is the single point of contact for all data protection matters.

Scope

This policy covers the following categories of people whose data One Point Four West may process.

Website visitors and enquirers: individuals who submit an enquiry through the contact form on this website.

Self-assessment users: individuals who complete a People Function Health Check or ERA Audit on this website.

Template download users: individuals who submit their details to download the HR Essentials Pack or individual HR templates, or who complete the pack finder quiz.

Document pack purchasers: individuals who purchase a paid document pack through this website.

Support plan purchasers: individuals who purchase a document pack with a support or guided tier, including email correspondence and Microsoft Teams video calls.

Diagnostic platform users: consultants and authorised users of the One Point Four West diagnostic platform.

Subscribing firms and firm administrators: firms that hold a paid subscription to the diagnostic platform, and the firm administrators responsible for managing that subscription, its users and billing.

Gender Pay Gap Reporter users: employers and consultants who use the Gender Pay Gap Reporter tool to calculate and report statutory gender pay gap metrics.

Clients: individuals, organisations and their representatives who engage One Point Four West for consultancy services.

What information we collect

Contact form

  • Name
  • Email address
  • Phone number (optional)
  • Any information you choose to provide in your message

People Function Health Check and ERA Audit

  • Name
  • Email address
  • Organisation
  • Job title or role
  • Organisation headcount (size band)
  • Assessment topic selected
  • Your answers and resulting scores

Template downloads and pack finder quiz

  • Name
  • Email address
  • Organisation (optional)
  • Job title or role (optional)

The template download form and pack finder quiz tell you at the point of collection that you will receive a one-off delivery email and that we may send follow-up emails with recommendations for related document packs. Every such email carries an unsubscribe link.

Document pack purchases

Stripe (our payment processor) collects the following information directly:

  • Email address
  • Payment card details (held by Stripe, not by One Point Four West)
  • Billing address (where required by Stripe for card verification)

One Point Four West receives confirmation of payment from Stripe, including your email address and the product purchased. One Point Four West does not receive or store your payment card details.

After purchase, you are asked to enter company details (such as company name, address and contact information) to customise your documents. This information is processed entirely within your web browser and is not transmitted to or stored by One Point Four West. Your customised documents are generated on your device and downloaded directly to your computer. After generation, a one-off email is sent to the email address associated with your purchase via Postmark, containing your generator link and related document pack recommendations.

Diagnostic platform

For all authorised users:

  • Name and email address (as part of your user account)
  • Firm or organisation you are associated with, and your role within it (firm administrator or firm consultant)
  • Client records you create within the platform (client name, sector, contact name, contact email, status and notes)
  • Diagnostic assessment data entered against each client, including maturity ratings, notes and red flags
  • Session metadata such as timestamps and completion status

Additionally for firm administrators of subscribing firms:

  • Subscription metadata (licence tier, seat count, renewal date, subscription status)
  • Billing-related identifiers provided by Stripe (customer ID, subscription ID, invoice references) — payment card details are held by Stripe, not by One Point Four West
  • The subdomain assigned to your firm (for example, yourfirm.onepointfourwest.com)
  • A record of acceptance of the Platform Agreement (which includes the Data Processing Agreement at Schedule 1 and the Acceptable Use Policy at Schedule 2), with timestamp

Client assessment data is entered by authorised users on behalf of their organisations. The platform does not collect personal data directly from the individuals being assessed.

Gender Pay Gap Reporter

The Gender Pay Gap Reporter is architected so that your employee data never leaves your browser. When you upload a CSV of payroll data, the tool parses it client-side (in your browser) using PapaParse and a JavaScript calculation engine. The six statutory metrics, quartile distributions and optional extended analyses (ethnicity pay gap, disability pay gap, socio-economic background, job-level analysis) are calculated on your device. The DOCX report is generated on your device. At no point is the CSV file, or any individual employee record, transmitted to One Point Four West or any third party.

Optional authenticated mode: if you choose to sign in (via a magic link sent to your email address), you can save aggregate report data to our Supabase database for year-on-year comparison. Only the following aggregate data is saved:

  • Reporting year and snapshot date
  • The six statutory metrics (mean and median hourly gap, mean and median bonus gap, bonus proportions by gender)
  • Quartile distribution counts
  • Aggregate workforce counts (total, male, female, full-pay, reduced-pay)
  • Extended analysis aggregates where selected
  • Narrative text you enter for the statutory summary (application-level encrypted at rest)
  • A hash of the source CSV (used only to detect accidental duplicate uploads; the CSV itself is not stored)

No individual employee records are stored. No raw CSV data is stored. If you do not sign in, nothing is stored server-side and the tool runs entirely in your browser for that session.

If you sign in, we also collect your account data (email address, the firm you are associated with) and a record of your consent to aggregate data storage. Authentication is handled by Supabase Auth, which stores your email address and an authentication token; no password is set or stored because the tool uses magic-link-only sign-in.

After you download your generated report, a one-off email is sent to the email address associated with your account via Postmark. The email contains the report download link and related product recommendations. Every such email includes an unsubscribe link.

Technical data collected automatically

When you submit a form on this website (contact form, health check, ERA Audit, template download), your IP address is recorded for the purpose of rate limiting and abuse prevention. IP addresses stored for rate limiting are automatically deleted after one hour. The web server also generates standard access logs which may include your IP address, browser type and pages visited. These logs are managed by IONOS SE and are used solely for security monitoring and troubleshooting.

How we use your information

Contact form enquiries are used to respond to your enquiry and communicate regarding a potential business relationship.

People Function Health Check and ERA Audit data is used to deliver your results, send a one-off email containing your score summary and relevant document pack recommendations, and send a single follow-up email approximately five days after submission with practical guidance related to your assessment area. Every follow-up email includes an unsubscribe link.

Template download and pack finder quiz data is used to give you access to the HR Essentials Pack, send a one-off email containing your recommendation and related document pack links, and send a single follow-up email approximately five days later with relevant guidance. Every follow-up email includes an unsubscribe link.

Document pack purchase data is used to verify payment and provide access to the customisation and download process, send a one-off email containing your generator link and related document pack recommendations, and provide purchase-related support.

Support or Guided tier data is used to schedule and conduct video calls via Microsoft Teams, respond to email queries, and provide guidance relevant to your use of the document pack.

Diagnostic platform data is used to authenticate user access; store and retrieve client records and diagnostic assessment data; generate portfolio views and reports; scope access to your firm; and, where you opt in, send anonymised diagnostic data to the Anthropic API for AI-enhanced analysis.

Gender Pay Gap Reporter data is used to calculate statutory metrics in your browser; where you sign in, to save aggregate report data for year-on-year comparison; and to send you a one-off post-download email containing the report link and related product recommendations.

Your information will not be sold, rented or shared with third parties for marketing purposes. You will not be added to any general mailing list.

Is providing your data required? Where personal data is necessary to provide a service (for example, your email address for a diagnostic platform subscription, a document pack purchase, a health check result or a response to a contact enquiry), providing that data is a contractual requirement. If you choose not to provide it, we cannot deliver the service and cannot enter into or perform the contract. Providing personal data to us is never a statutory requirement, except to the extent we are later required to retain that data for HMRC, accountancy or similar legal-obligation purposes once you have received the service.

Unsubscribing from follow-up emails: Every automated follow-up email includes a one-click unsubscribe link. You can also unsubscribe at any time by emailing dpo@onepointfourwest.com. Unsubscribing prevents future automated emails but does not delete your data. To request full deletion, see "Your rights" below.

Lawful basis for processing

Personal data submitted via the contact form, the People Function Health Check, the ERA Audit, or the template download form is processed under the lawful basis of legitimate interest (Article 6(1)(f) UK GDPR), where you have voluntarily provided your details to receive information, assessment results, template downloads, or to explore an engagement.

Follow-up emails containing recommendations for related document packs rely on legitimate interest and the soft opt-in provision under Regulation 22(3) of the Privacy and Electronic Communications Regulations 2003 (PECR). Emails are sent only in respect of products and services similar to those you have requested, you are told about these emails at the point of collection, and every email contains an unsubscribe link.

Personal data processed in connection with a document pack purchase is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR).

Personal data processed in connection with a client engagement is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR). Where One Point Four West acts as a data processor on behalf of a client organisation, processing is carried out under the client's instructions and lawful basis. Where special category data (such as health or ethnicity) is processed in the course of an engagement, the Article 9 basis is typically employment law (Article 9(2)(b)) or the establishment, exercise or defence of legal claims (Article 9(2)(f)), as recorded in the relevant engagement letter.

Personal data processed through the diagnostic platform (user account data) is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR). Client data entered by users into the platform is processed by One Point Four West as a data processor on behalf of the user's firm.

Billing and subscription records for diagnostic platform subscriptions (Stripe customer ID, subscription references, invoice history, payment receipts) are processed under contract performance (Article 6(1)(b) UK GDPR) for the purpose of managing the subscription, and under legal obligation (Article 6(1)(c) UK GDPR) to the extent required for HMRC record-keeping and other statutory retention obligations applicable to business transactions.

Personal data processed through the Gender Pay Gap Reporter aggregate storage feature is processed under the lawful basis of consent (Article 6(1)(a) UK GDPR). Consent is captured explicitly at sign-in and can be withdrawn at any time by deleting your account or emailing dpo@onepointfourwest.com.

How your data is stored

Enquiries and assessment submissions are stored on the web server hosted by IONOS SE, a GDPR-compliant hosting provider with data centres in the EU and UK. Notification emails are sent to hello@onepointfourwest.com via Postmark, a transactional email service (see Third-party services below). Email is not end-to-end encrypted. If you prefer not to use the contact form, email directly at hello@onepointfourwest.com.

Enquiry data, self-assessment data, and template download data are retained for up to 12 months from the date of submission where no engagement follows. Where an engagement begins, data is retained in accordance with the Client Engagement Data section below.

Data relating to document pack purchases is processed by Stripe and stored in accordance with Stripe's data retention policies. One Point Four West retains purchase records (email address, product purchased, date of purchase) for up to six years in line with HMRC record-keeping requirements for business transactions. The company details you enter during the customisation process are not stored by One Point Four West as they are processed entirely within your browser.

Data relating to support and guided tier services, including email correspondence and Microsoft Teams call records, is retained for up to six years from the end of the support period. Video calls are not recorded unless explicitly agreed in advance.

Data processed through the diagnostic platform is stored in Supabase, hosted on Amazon Web Services (AWS) within the UK (London, eu-west-2). Data is encrypted at rest and in transit. Access is restricted by row-level security policies scoped to each firm. User authentication is managed by Supabase Auth.

Each subscribing firm is provisioned a subdomain under onepointfourwest.com (for example, yourfirm.onepointfourwest.com) so its users access the platform under its own brand. The subdomain is operated by One Point Four West; no rights in the onepointfourwest.com domain transfer to the firm. On termination, the subdomain is retired.

The diagnostic platform stores session data temporarily in the user's web browser (localStorage) to support the assessment workflow. This data remains on the user's device and is not transmitted to One Point Four West independently of the Supabase sync described above.

Diagnostic platform data is retained for the duration of the licence or engagement. On termination, client assessment data is deleted within 90 days unless the user's firm requests earlier deletion. User account data is deleted within 30 days of account closure.

Billing records for diagnostic platform subscriptions (Stripe customer ID, subscription references, invoice history) are retained by One Point Four West for up to six years in line with HMRC record-keeping requirements for business transactions. Payment card details are not held by One Point Four West; Stripe retains those under its own retention policies.

Data saved through the Gender Pay Gap Reporter aggregate storage feature is stored in Supabase (London, eu-west-2) under the same security arrangements as the diagnostic platform. Saved aggregate report data is retained for up to seven years from the reporting snapshot date to enable year-on-year comparison, matching the typical limitation period for pay-related employment claims. You can delete saved data at any time from within the tool or by emailing dpo@onepointfourwest.com.

To request deletion of any data held by One Point Four West, email dpo@onepointfourwest.com. For data held by Stripe, contact Stripe directly via their privacy centre.

Use of AI in our services

We use artificial intelligence in two distinct ways: as an optional user-facing feature within the diagnostic platform, and as a controller-side tool supporting our own consultancy and HR delivery work. Both uses rely on the Anthropic Claude API and are documented in a Data Protection Impact Assessment available to client procurement teams on request.

Diagnostic platform AI-enhanced analysis

The diagnostic platform includes an optional AI-enhanced analysis feature which uses the Anthropic API (Claude) to generate narrative reports and recommendations based on diagnostic assessment data.

What data is sent: When a user selects AI-enhanced analysis, the platform sends a structured summary of diagnostic maturity ratings, identified patterns, and contextual information (such as sector and organisation size band) to the Anthropic API. Before any data is transmitted, the organisation name is replaced with a generic placeholder ("the organisation") so that the identity of the client is not disclosed to Anthropic. The organisation name is restored locally in the user's browser after the response is received.

What data is not sent: No personal data relating to individual employees is sent to the Anthropic API. The diagnostic platform does not collect personal data about individuals being assessed, and the AI analysis feature operates solely on aggregated maturity ratings and organisational-level observations entered by the consultant. We note that although the organisation name is redacted, sector and size band are still transmitted; for organisations in a very small sector it is theoretically possible that a recipient with extensive prior knowledge could infer identity. We consider this risk low given the limited retention at Anthropic.

How data is processed: Data is sent to the Anthropic API via a server-side proxy hosted on the One Point Four West web server (IONOS). The API key used to authenticate with Anthropic is stored securely on the server and is never exposed to the user's browser. Anthropic processes the data solely to generate the requested response and does not use API inputs or outputs to train its models. Anthropic's API data usage policy confirms that data submitted via the API is not retained beyond the duration of the request except as required for trust and safety purposes (up to 7 days, with extended retention only where a safety classifier flags the content). Further information is available at anthropic.com/policies/privacy.

Lawful basis: Processing through the AI-enhanced analysis feature is carried out under contract performance (Article 6(1)(b) UK GDPR). The feature is optional and initiated only when the user explicitly selects AI-enhanced analysis.

User control: AI-enhanced analysis is entirely optional. The platform provides rule-based structured insights and narrative summaries that do not involve any third-party data processing. Users can choose the rule-based alternatives at any time.

AI in consultancy and HR delivery

Where One Point Four West delivers consultancy work or supports its own HR operations, AI tools are used to accelerate document analysis, employee relations reviews, subject access request triage, investigation support and narrative drafting. The tooling is configured to minimise what is sent, to avoid training use, and to keep conversation data under our direct control.

Client application (BoltAI): We use BoltAI, a signed native macOS application operated in "bring your own key" (BYOK) mode. In BYOK operation, prompts and responses are sent directly from the application to the Anthropic Claude API; no prompt or response content reaches the BoltAI vendor. Conversation history is stored locally in a sandboxed database on the controller's device, protected by FileVault disk encryption. The API key is held in the macOS Keychain. iCloud sync is disabled for HR processing. Conversation history is deleted once the task is complete.

Model (Anthropic Claude API): Prompts are submitted to the Claude API under Anthropic's Commercial Terms of Service. Anthropic does not use API inputs or outputs to train its models. Data submitted via the API is retained by Anthropic for up to 7 days solely for trust and safety purposes and is then deleted. Retention may be extended only where a safety classifier flags the content (for example, wording that resembles harassment, violence or discrimination); a Data Protection Impact Assessment covering this risk is available to client procurement teams on request.

Data minimisation and safeguards: Before submission, prompts are framed in line with an internal Prompt-Framing Procedure. Identifiers (names of individuals, direct contact details, organisation names) are pseudonymised or removed where they are not strictly necessary for the task. Where special category data is required to progress a task, it is handled under the Article 9 basis set out in the relevant engagement letter and only to the extent proportionate to that task.

Lawful basis and role: Where One Point Four West acts as a controller (for example, its own business operations), the lawful basis for AI-assisted processing is legitimate interest (Article 6(1)(f) UK GDPR), supported by a separate Legitimate Interests Assessment. Where One Point Four West acts as a processor on behalf of a client, AI-assisted analysis is carried out only under the client's instruction and lawful basis, as recorded in the engagement data processing agreement.

No consumer AI tools: Consumer AI products (such as claude.ai or ChatGPT consumer) are not used for client or HR work. Only the Claude API under Commercial Terms, through the BoltAI BYOK client, is used for this processing.

Client Engagement Data

Where One Point Four West is engaged to deliver consultancy services, the following applies to personal data processed in connection with that work.

Data controller and processor roles: In most cases, One Point Four West acts as a data controller in respect of its own business records, such as contact details, correspondence and invoicing. Where work involves processing personal data on behalf of a client organisation (for example, supporting an investigation or reviewing employee records), One Point Four West acts as a data processor and the client remains the controller. A data processing agreement is put in place where this applies.

Storage: Client-related documents and correspondence are stored in Microsoft OneDrive, hosted within the UK. Access is protected by multi-factor authentication (MFA).

Retention and deletion: Client engagement records are retained for a period appropriate to the nature of the work, typically six years from the end of the engagement. On request, Tim Withnall will confirm what data is held and arrange secure deletion where legally permissible.

Third-party services

This website uses the following third-party services. A concise sub-processor register (with locations, data types and transfer mechanisms) is available to client procurement teams on request.

Anthropic (Claude API): AI language model service used in two distinct ways: (i) within the diagnostic platform's optional AI-enhanced analysis feature, where anonymised diagnostic data is sent via a server-side proxy hosted on IONOS; and (ii) as the model behind AI tools used by One Point Four West to support its own consultancy and HR delivery work (see "Use of AI in our services" above). Processing is under Anthropic's Commercial Terms of Service. Anthropic does not use API inputs or outputs to train models. Data retained up to 7 days for trust and safety (reduced from 30 days in September 2025); extended retention only where a safety classifier flags the content. Anthropic, PBC (United States); data transfers covered under the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses with the UK Addendum. anthropic.com/policies/privacy

BoltAI: native macOS "bring your own key" (BYOK) application used by One Point Four West as the client through which prompts are sent to the Anthropic Claude API for consultancy and HR work. In BYOK operation, no prompt or response content is transmitted to the BoltAI vendor; conversation data stays on the controller's device. BoltAI is disclosed here for transparency and because the application is part of the supply chain through which HR-related data is handled; it does not act as a data processor for this processing in BYOK mode. boltai.com/privacy

Google Analytics: web analytics. Cookies placed only if you accept analytics cookies via the cookie banner. Google LLC (United States); transfers covered under Standard Contractual Clauses with the UK Addendum. policies.google.com/privacy

IONOS SE: web hosting. Contact form, self-assessment, template download and Gender Pay Gap Reporter data (where not client-side-only) stored on IONOS-hosted servers. Data centres in the EU and UK. ionos.co.uk

Otter.ai: AI meeting transcription used for video calls where all participants have given explicit consent. Otter.ai, Inc. (United States, AWS US-West); UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge). Transcripts are deleted within 30 days of the relevant engagement ending. otter.ai/privacy-policy

Microsoft OneDrive: storage of client-related documents and correspondence. Data hosted within the UK.

Microsoft Teams: video calls with support and consultancy clients. Hosted within the UK. Not recorded unless explicitly agreed.

Postmark (ActiveCampaign, LLC): transactional email delivery. Processes recipient address, subject and content solely to deliver each message. Used for one-off post-purchase and post-report-download emails; diagnostic platform user invites, password resets and magic-link sign-in; subscription billing notifications (payment receipts, renewal reminders, failed-payment alerts); incident alerts issued under the platform Incident Response Plan; and the Supabase Auth custom email templates which OPFW routes through Postmark. Delivery logs retained for 45 days. ActiveCampaign, LLC (United States); transfers covered under Standard Contractual Clauses with the UK Addendum. postmarkapp.com/eu-privacy

Supabase: cloud database and authentication platform used for the diagnostic platform and Gender Pay Gap Reporter aggregate storage. Hosted on AWS within the UK (London, eu-west-2). Data encrypted at rest and in transit; row-level security. Supabase Inc. (United States); Data Processing Agreement and UK-region storage. supabase.com/privacy

Stripe: payment processor for document pack purchases and diagnostic platform subscriptions. For both, Stripe collects card details, email and billing information directly from the payer. For subscriptions, Stripe additionally manages customer records, recurring billing, subscription lifecycle events (renewals, upgrades, downgrades, cancellations, refunds), invoice history and the self-service Customer Portal through which firm administrators manage their subscription. PCI DSS Level 1 certified. Stripe, Inc. (United States); transfers covered under Standard Contractual Clauses with the UK Addendum. stripe.com/gb/privacy

None of these providers use your data for their own marketing purposes.

Cookies

This website uses the minimum cookies necessary to operate and, with your consent, analytics cookies to understand how the site is used. Cookies are managed via the cookie banner shown on your first visit.

| Cookie | Purpose | Duration | Category |
| --- | --- | --- | --- |
| opfw_cookie_consent | Records your cookie preferences so you are not asked again. | 12 months | Strictly necessary |
| _ga, _ga_* | Google Analytics. Measures aggregate site usage. | Up to 2 years | Analytics (consent only) |
| sb-access-token, sb-refresh-token | Authentication for the diagnostic platform and Gender Pay Gap Reporter (only set if you sign in). | Session / up to 30 days | Strictly necessary |

You can change your cookie choices at any time by clicking "Cookie settings" in the site footer.

International transfers

Where personal data is transferred outside the UK (principally to Anthropic, Google, Otter.ai, Postmark, Stripe and Supabase, all of which have a US parent), the transfer is protected by either the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an equivalent approved transfer mechanism. Where a provider participates in the UK-US Data Bridge, the transfer is protected under that framework. We review our sub-processors annually and retain copies of the relevant transfer agreements.

Automated decision-making

One Point Four West does not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you. Diagnostic and Gender Pay Gap outputs are deterministic calculations based on inputs provided by the user and are provided to the user as a tool; they do not constitute automated decisions under Article 22 UK GDPR.

Data breaches

In the event of a personal data breach, we follow a documented response procedure. Where the breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the Information Commissioner's Office within 72 hours of becoming aware of it, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to affected individuals, we notify those individuals without undue delay as required by Article 34. Where the affected data is held under a processor role for a client, we notify the client without undue delay, typically within 24 hours of detection.

Children's data

This website and the tools operated by One Point Four West are not aimed at children and we do not knowingly collect personal data relating to anyone under the age of 18. If you believe a child's data has been submitted to us, email dpo@onepointfourwest.com and we will delete it promptly.

Your rights

Under UK data protection law you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate data
  • Request deletion of your personal data
  • Object to or restrict processing in certain circumstances
  • Request portability of your personal data in a commonly used format
  • Withdraw consent at any time where processing is based on consent
  • Opt out of direct marketing at any time

To exercise any of these rights, email dpo@onepointfourwest.com. We will respond within one month.

Complaints

If you are unhappy with how your data has been handled, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

Changes to this policy

This policy may be updated from time to time. The most recent version will always be published on this page. Material changes will be summarised in a notice at the top of the page for at least 30 days after the change.

Last updated: 24 April 2026