Privacy Policy
How One Point Four West collects, uses and protects personal information provided through this website, in accordance with UK GDPR and the Data Protection Act 2018.
Who we are
One Point Four West Ltd is an independent HR consultancy registered in England and Wales (Company No. 17094594).
Registered office: The Commissioners Building, 4 St Thomas Street, Sunderland, SR1 1NW
Data controller: Tim Withnall
Email: dpo@onepointfourwest.com
ICO Registration Number: ZC106734
Scope
This policy covers the following categories of people whose data One Point Four West may process.
Website visitors and enquirers: individuals who submit an enquiry through the contact form on this website. One Point Four West acts as the data controller for this information.
Self-assessment users: individuals who complete a People Function Health Check on this website and submit their details to receive their results. One Point Four West acts as the data controller for this information.
Template download users: individuals who submit their details to download the HR Essentials Pack or individual HR templates from this website. One Point Four West acts as the data controller for this information.
Document pack purchasers: individuals who purchase a paid document pack (such as the Redundancy Process Pack) through this website. Payment is processed by Stripe. One Point Four West acts as the data controller for any personal data it receives in connection with a purchase.
Support plan purchasers: individuals who purchase a document pack with a support or guided tier (such as Toolkit + Support or Guided). These tiers include email correspondence and video calls via Microsoft Teams in addition to the document pack. One Point Four West acts as the data controller for personal data processed in connection with support services, including email addresses, names and any information shared during calls or correspondence.
Diagnostic platform users: consultants and authorised users who access the One Point Four West diagnostic platform to conduct client assessments. One Point Four West acts as the data controller for user account data and as a data processor for client assessment data entered by users on behalf of their organisations.
Clients: individuals, organisations and their representatives who engage One Point Four West for consultancy services. The processing of client data is governed by the terms agreed at the point of engagement and is covered separately in the Client Engagement Data section below. In some circumstances, One Point Four West may act as a data processor on behalf of a client organisation rather than as a controller.
What information we collect
If you complete the contact form on this website, we may collect the following information:
- Name
- Email address
- Phone number (optional)
- Any information you choose to provide in your message
If you complete a People Function Health Check on this website, we collect the following information:
- Name
- Email address
- Organisation
- Job title or role
- Organisation headcount (size band)
- Assessment topic selected
- Your answers and resulting scores
If you download the HR Essentials Pack or individual templates from this website, we collect the following information:
- Name
- Email address
- Organisation (optional)
- Job title or role (optional)
If you purchase a document pack through this website, Stripe (our payment processor) collects the following information directly:
- Email address
- Payment card details (held by Stripe, not by One Point Four West)
- Billing address (where required by Stripe for card verification)
One Point Four West receives confirmation of payment from Stripe, including your email address and the product purchased. One Point Four West does not receive or store your payment card details.
After purchase, you are asked to enter company details (such as company name, address and contact information) to customise your documents. This information is processed entirely within your web browser and is not transmitted to or stored by One Point Four West. Your customised documents are generated on your device and downloaded directly to your computer. After generation, a one-off email is sent to the email address associated with your purchase via Postmark, containing your generator link and related document pack recommendations.
If you arrive at the templates page via the People Function Health Check, the details you already provided during the health check may be used to grant access to the template downloads without requiring you to enter them again. These details are also logged as a template download record.
If you are an authorised user of the diagnostic platform, we collect the following information:
- Name and email address (as part of your user account)
- Firm or organisation you are associated with
- Client records you create within the platform (client name, sector, contact name, contact email, status and notes)
- Diagnostic assessment data entered against each client, including maturity ratings, notes and red flags
- Session metadata such as timestamps and completion status
Client assessment data is entered by authorised users on behalf of their organisations. The platform does not collect personal data directly from the individuals being assessed.
Technical data collected automatically: When you submit a form on this website (contact form, health check or template download), your IP address is recorded for the purpose of rate limiting and abuse prevention. IP addresses stored for rate limiting are automatically deleted after one hour. The web server also generates standard access logs which may include your IP address, browser type and pages visited. These logs are managed by IONOS SE and are used solely for security monitoring and troubleshooting.
Providing your personal data through any form on this website is voluntary. However, we may not be able to respond to your enquiry, deliver your assessment results or process your download without the information requested.
How we use your information
Personal information submitted through the contact form is used to:
- Respond to enquiries
- Communicate regarding a potential business relationship
Personal information submitted through the People Function Health Check is used to:
- Provide you with your assessment results
- Send a one-off email containing your score summary and relevant document pack recommendations
- Send a single follow-up email approximately five days after submission with practical guidance related to your assessment area. You are informed of this at the point of submission and every follow-up email includes an unsubscribe link.
- Where appropriate, follow up on how One Point Four West may be able to help
Personal information submitted through the template download form or pack finder quiz is used to:
- Provide access to the HR Essentials Pack and individual template downloads
- Where a pack finder quiz is completed, send a one-off email containing your recommendation and relevant document pack links
- Where a pack finder quiz is completed, send a single follow-up email approximately five days later with relevant guidance. You are informed of this at the point of submission and every follow-up email includes an unsubscribe link.
- Where appropriate, follow up on how One Point Four West may be able to help
Personal information received in connection with a document pack purchase is used to:
- Verify payment and provide access to the customisation and download process
- Send a one-off email containing your generator link and related document pack recommendations
- Provide purchase-related support if needed
Where you purchase a support or guided tier, your information is also used to:
- Schedule and conduct video calls via Microsoft Teams
- Respond to email queries during the support period
- Provide guidance relevant to your use of the document pack
Personal information processed through the diagnostic platform is used to:
- Authenticate and manage user access to the platform
- Store and retrieve client records and diagnostic assessment data
- Generate portfolio views and reports aggregating data across multiple diagnostics for a given client
- Scope platform access to the user's firm, ensuring data is only visible to authorised users within the same organisation
- Where the user selects AI-enhanced analysis, send anonymised diagnostic data to the Anthropic API to generate narrative reports and recommendations (see AI-Enhanced Analysis below)
Your information will not be sold, rented or shared with third parties for marketing purposes. You will not be added to any mailing list.
Unsubscribing from follow-up emails: Every automated follow-up email includes a one-click unsubscribe link. You can also unsubscribe at any time by emailing dpo@onepointfourwest.com. Unsubscribing prevents future automated emails but does not delete your data. To request full deletion, see "Your rights" below.
Lawful basis for processing
Personal data submitted via the contact form, the People Function Health Check or the template download form is processed under the lawful basis of legitimate interest (Article 6(1)(f) UK GDPR), where you have voluntarily provided your details to receive information, assessment results, template downloads, or to explore an engagement. Where processing is based on consent, you have the right to withdraw that consent at any time.
Personal data processed in connection with a document pack purchase is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR), where processing is necessary to fulfil the purchase and provide access to the product.
Personal data processed in connection with a client engagement is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR), where processing is necessary to deliver the agreed services. Where One Point Four West acts as a data processor on behalf of a client organisation, processing is carried out under the client's instructions and lawful basis.
Personal data processed through the diagnostic platform (user account data and client assessment data) is processed under the lawful basis of contract performance (Article 6(1)(b) UK GDPR), where access to the platform is provided as part of a licence or consultancy engagement. Client data entered by users into the platform is processed by One Point Four West as a data processor on behalf of the user's firm.
How your data is stored
Enquiries submitted through the contact form are stored on the web server hosted by IONOS SE, a GDPR-compliant hosting provider with data centres in the EU and UK. A notification email containing your name, email address and message is sent to hello@onepointfourwest.com via Postmark, a transactional email service (see Third-party services below). Email is not end-to-end encrypted. If you would prefer not to use the contact form, you are welcome to email directly at hello@onepointfourwest.com.
Enquiry data is retained for up to 12 months from the date of submission where no client engagement follows. Where an engagement begins, data is retained in accordance with the Client Engagement Data section below. To request deletion of your enquiry data, email dpo@onepointfourwest.com.
Data submitted through the People Function Health Check is stored on the web server hosted by IONOS SE, a GDPR-compliant hosting provider with data centres in the EU and UK. A notification email containing your results is sent to hello@onepointfourwest.com, and a results summary email is sent to the email address you provided. Both emails are delivered via Postmark, a transactional email service provided by ActiveCampaign (see Third-party services below). Email is not end-to-end encrypted.
Self-assessment data is retained for up to 12 months from the date of submission where no client engagement follows. To request deletion of your assessment data, email dpo@onepointfourwest.com.
Data submitted through the template download form or pack finder quiz is stored on the same IONOS-hosted web server. A notification email containing your name, email address and organisation is sent to hello@onepointfourwest.com via Postmark. Where you complete the pack finder quiz, a recommendation email is also sent to the email address you provided via Postmark. Email is not end-to-end encrypted.
Template download data is retained for up to 12 months from the date of submission where no client engagement follows. To request deletion of your download data, email dpo@onepointfourwest.com.
Data relating to document pack purchases is processed by Stripe and stored in accordance with Stripe's data retention policies. One Point Four West retains purchase records (email address, product purchased, date of purchase) for up to six years in line with HMRC record-keeping requirements for business transactions. The company details you enter during the customisation process are not stored by One Point Four West as they are processed entirely within your browser.
To request deletion of purchase data held by One Point Four West, email dpo@onepointfourwest.com. For data held by Stripe, you may also contact Stripe directly via their privacy centre.
Data relating to support and guided tier services, including email correspondence and Microsoft Teams call records, is retained for up to six years from the end of the support period in line with standard limitation periods for contract claims. Video calls are not recorded unless explicitly agreed in advance. To request deletion of support-related data, email dpo@onepointfourwest.com.
Data processed through the diagnostic platform (user accounts, client records and diagnostic session data) is stored in Supabase, a cloud database platform. Supabase hosts data on infrastructure provided by Amazon Web Services (AWS) within the EU (Frankfurt, eu-central-1). Data is encrypted at rest and in transit. Access to diagnostic data is restricted by row-level security policies, ensuring users can only access data belonging to their own firm. User authentication is managed by Supabase Auth, which stores email addresses and hashed passwords.
The diagnostic platform also stores session data temporarily in the user's web browser (localStorage) to support the assessment workflow. This data remains on the user's device and is not transmitted to One Point Four West independently of the Supabase sync described above.
Diagnostic platform data is retained for the duration of the licence or engagement. On termination, client assessment data is deleted within 90 days unless the user's firm requests earlier deletion. User account data is deleted within 30 days of account closure. To request deletion, email dpo@onepointfourwest.com.
AI-Enhanced Analysis
The diagnostic platform includes an optional AI-enhanced analysis feature which uses the Anthropic API (Claude) to generate narrative reports and recommendations based on diagnostic assessment data.
What data is sent: When a user selects AI-enhanced analysis, the platform sends a structured summary of diagnostic maturity ratings, identified patterns, and contextual information (such as sector and organisation size) to the Anthropic API. Before any data is transmitted, the organisation name is replaced with a generic placeholder ("the organisation") so that the identity of the client is not disclosed to Anthropic. The organisation name is restored locally in the user's browser after the response is received.
What data is not sent: No personal data relating to individual employees is sent to the Anthropic API. The diagnostic platform does not collect personal data about individuals being assessed, and the AI analysis feature operates solely on aggregated maturity ratings and organisational-level observations entered by the consultant.
How data is processed: Data is sent to the Anthropic API via a server-side proxy hosted on the One Point Four West web server (IONOS). The API key used to authenticate with Anthropic is stored securely on the server and is never exposed to the user's browser. Anthropic processes the data solely to generate the requested response and does not use API inputs or outputs to train its models. Anthropic's API data usage policy confirms that data submitted via the API is not retained beyond the duration of the request except as required for trust and safety purposes (up to 30 days). Further information is available at anthropic.com/policies/privacy.
Lawful basis: Processing of diagnostic data through the AI-enhanced analysis feature is carried out under the lawful basis of contract performance (Article 6(1)(b) UK GDPR), as part of the diagnostic platform licence or consultancy engagement. The feature is optional and is initiated only when the user explicitly selects AI-enhanced analysis.
User control: AI-enhanced analysis is entirely optional. The platform provides rule-based structured insights and narrative summaries that do not involve any third-party data processing. Users can choose to use these alternatives at any time without any data being sent to external services.
Client Engagement Data
Where One Point Four West is engaged to deliver consultancy services, the following applies to personal data processed in connection with that work.
Data controller and processor roles: In most cases, One Point Four West acts as a data controller in respect of its own business records, such as contact details, correspondence and invoicing. Where work involves processing personal data on behalf of a client organisation (for example, supporting an investigation or reviewing employee records), One Point Four West acts as a data processor and the client remains the controller. A data processing agreement is put in place where this applies.
Storage: Client-related documents and correspondence are stored in Microsoft OneDrive, hosted within the UK. Access is protected by multi-factor authentication (MFA). Microsoft's data processing commitments are set out in the Microsoft Products and Services Data Protection Addendum, available at microsoft.com.
Retention and deletion: Client engagement records are retained for a period appropriate to the nature of the work, typically six years from the end of the engagement in line with standard limitation periods for contract claims. On request, Tim Withnall will confirm what data is held and arrange secure deletion where legally permissible.
Third-party services
This website uses the following third-party services:
Anthropic (Claude API): AI language model service used to generate narrative reports and recommendations within the diagnostic platform's AI-enhanced analysis feature. Anonymised diagnostic data (maturity ratings, patterns and sector context, with the organisation name removed) is sent to the Anthropic API via a server-side proxy. Anthropic does not use API inputs or outputs to train its models. Data submitted via the API is not retained beyond the duration of the request except as required for trust and safety purposes (up to 30 days). Anthropic, PBC is based in the United States; data is processed under their API Terms of Service and data is protected under Standard Contractual Clauses. Further information is available at anthropic.com/policies/privacy.
Google Analytics: web analytics service provided by Google LLC, used to understand how visitors use this website. Google Analytics cookies are only placed on your device if you choose to accept analytics cookies through the cookie banner. If you decline, no information about your visit is collected. Google LLC is based in the United States; data transferred to Google is protected under Standard Contractual Clauses approved by the UK Information Commissioner. Further information is available at policies.google.com/privacy.
IONOS SE: web hosting provider. Contact form submissions, self-assessment data and template download data are stored on IONOS-hosted servers. IONOS is a GDPR-compliant provider with data centres in the EU and UK. Further information is available at ionos.co.uk.
Otter.ai: AI-powered meeting transcription and note-taking service provided by Otter.ai, Inc. (formerly AISense, Inc.), used to generate transcripts and summaries of video calls. Otter.ai processes and stores data on servers located in the United States (AWS US-West). International data transfers from the UK are covered under the UK Extension to the EU-U.S. Data Privacy Framework (UK-US Data Bridge), under which Otter.ai is a certified participant. Otter.ai uses a proprietary de-identification method before using any data for service improvement; audio recordings and transcripts are not manually reviewed by Otter.ai staff. Otter.ai is only used where all meeting participants have given their explicit consent prior to the meeting being transcribed. Transcripts and summaries are retained within the Otter.ai platform and actively managed by One Point Four West; recordings and transcripts relating to a completed engagement or support period are deleted within 30 days of that period ending. Further information is available at otter.ai/privacy-policy.
Microsoft OneDrive: used for the storage of client-related documents and correspondence. Data is hosted within the UK. Microsoft's data protection commitments are available at microsoft.com.
Microsoft Teams: used for video calls with support and guided tier customers and consultancy clients. Microsoft Teams is part of Microsoft 365, hosted within the UK. Video calls are not recorded unless explicitly agreed in advance. Microsoft's data protection commitments are set out in the Microsoft Products and Services Data Protection Addendum, available at microsoft.com.
Postmark (ActiveCampaign, LLC): transactional email delivery service used to send notification emails, assessment results, pack finder recommendations and post-purchase emails. Postmark processes the recipient email address, subject line and email content in order to deliver each message. Postmark retains delivery logs (including the recipient address and delivery status) for 45 days, after which they are automatically deleted. Postmark does not use recipient data for marketing purposes. Postmark is operated by ActiveCampaign, LLC, based in the United States; data transfers are protected under Standard Contractual Clauses. Further information is available at postmarkapp.com/eu-privacy.
Supabase: cloud database and authentication platform used to store user accounts, client records and diagnostic session data for the One Point Four West diagnostic platform. Supabase hosts data on Amazon Web Services (AWS) infrastructure within the EU (Frankfurt, eu-central-1). Data is encrypted at rest and in transit, and access is controlled by row-level security policies scoped to each firm. Supabase Inc. is based in the United States; data processing is governed by their Data Processing Agreement and data is stored in the EU region selected. Further information is available at supabase.com/privacy.
Stripe: payment processor for document pack purchases. Stripe collects and processes payment card details, email addresses and billing information on its own servers. One Point Four West does not receive or store card details. Stripe is certified to PCI DSS Level 1, the highest level of payment security certification. Data transferred to Stripe may be processed in the United States and is protected under Standard Contractual Clauses. Further information is available at stripe.com/gb/privacy.
None of these providers use your data for their own marketing purposes.
Automated decision-making
One Point Four West does not carry out any automated decision-making or profiling based on your personal data.
Your rights
Under UK data protection law you have the right to:
- Request access to your personal data
- Request correction of inaccurate data
- Request deletion of your personal data
- Object to or restrict processing in certain circumstances
- Request portability of your personal data in a commonly used format
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email dpo@onepointfourwest.com.
Complaints
If you are unhappy with how your data has been handled, you have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
Changes to this policy
This policy may be updated from time to time. The most recent version will always be published on this page.
Last updated: April 2026