Data protection & GDPR

Last updated: June 2026

Return Well handles sensitive information — including employee health information — so we take data protection seriously and build it into how the platform works, not just our policies. This page explains, in plain English, how we look after personal data, how long we keep it, and how we delete it securely when it's no longer needed. It sits alongside our Privacy notice.

How we handle personal data

When an employer refers an employee to us, we collect only what we need to carry out the assessment — things like the employee's name and contact details, their role and workplace context, and health information relevant to supporting them at work. We process this in line with UK GDPR and guidance from the Information Commissioner's Office (ICO).

How special category (health) data is protected

Health information is “special category” data under UK GDPR and gets extra protection. We only collect health information that's relevant to the workplace assessment, we restrict who can see it, and our reports focus on the practical impact on someone's role and the recommendations — not unnecessary clinical or personal detail.

Employee consent

Assessments take place with the employee's knowledge and consent. The employee is told what the assessment is for, what will be shared, and with whom. Where a report is produced, the process respects the employee's right to understand and engage with what is being recommended. Consent and key steps are recorded so there is a clear, auditable trail.

Our GDPR commitments

  • We have a lawful basis for everything we do with personal data.
  • We're transparent about what we collect and why.
  • We keep data accurate and only for as long as it's needed.
  • We keep it secure and limit who can access it.
  • We respect your data-protection rights (see below).

Data minimisation

We ask for the minimum information needed to do the job well. We don't collect health detail “just in case”, and our reports are written to be useful to an employer while sharing only what's necessary to support the employee at work.

Secure storage

Personal and health data is stored on secure, access-controlled UK/EU cloud infrastructure. Access is limited to those who need it, every action on a case is logged, and files (such as assessment reports) are held in protected storage rather than sent around by email.

Clinician confidentiality

Every assessment is carried out by a clinician registered with a recognised UK regulator (such as the HCPC or NMC). They are bound by their professional code of conduct and strict confidentiality obligations, in addition to the contractual confidentiality terms they agree with Return Well.

Retention periods

We keep case data only for as long as it's needed, then delete it. Retention periods are set according to our Data Retention Policy and the relevant legal and professional requirements — they are configurable and reviewed, not arbitrary. For example, a closed clinical case is currently retained for 7 years from the date the case is closed:

  • Case closed: 01/07/2026
  • Retention period: 7 years
  • Scheduled deletion: 01/07/2033

Retention expiry dates

When a case is formally closed, the system automatically calculates its retention-expiry date from the applicable rule. Active or open cases are never deleted — the retention clock only starts once a case is closed.

Legal hold

Sometimes data must be kept beyond its normal retention date — for example because of a complaint, dispute, legal claim, insurance matter, ICO enquiry, tribunal, or safeguarding concern. In those cases we can place a record on legal hold, which pauses deletion until the hold is lifted. Nothing on legal hold is deleted.

Secure deletion

When a record reaches its retention-expiry date, it moves into a 30-day “pending deletion” window before personal data is permanently removed — including health information, assessment reports, attachments and correspondence. After deletion we keep a permanent Deletion Register that records that deletion took place (case reference, dates, and method) but contains no personal or health information. This lets us prove we follow our retention policy without keeping data we no longer need.
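The retention lifecycle described in this section and the two before it (expiry calculated when a case is closed, legal hold pausing deletion, the 30-day pending-deletion window, and a Deletion Register that records the event without any personal data) is modelled below as an added Python example. It is illustrative code written for this page, not Return Well's platform code; the class names, status labels and the "hard-delete" method label are assumptions, while the retention period, window length and dates come from the page's own worked example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Values stated on the page: 7-year retention for a closed clinical case and a
# 30-day "pending deletion" window. Everything else below is an assumption.
RETENTION_YEARS = 7
PENDING_DELETION_DAYS = 30


def retention_expiry(closed_on: date, years: int = RETENTION_YEARS) -> date:
    """Retention expiry = close date plus the retention period. A 29 Feb close
    date is clamped to 28 Feb when the target year is not a leap year."""
    try:
        return closed_on.replace(year=closed_on.year + years)
    except ValueError:
        return closed_on.replace(year=closed_on.year + years, day=28)


@dataclass
class CaseRecord:
    reference: str
    employee_name: str            # personal data
    health_notes: str             # special category (health) data
    closed_on: Optional[date] = None
    expiry: Optional[date] = None
    legal_hold: bool = False

    def close(self, on: date) -> None:
        """Closing a case is the only event that starts the retention clock."""
        self.closed_on = on
        self.expiry = retention_expiry(on)


@dataclass
class DeletionRegisterEntry:
    """Permanent proof of deletion: reference, dates and method only."""
    case_reference: str
    closed_on: date
    retention_expiry: date
    deleted_on: date
    method: str


def deletion_status(case: CaseRecord, today: date) -> str:
    """Where a case sits in the retention lifecycle on a given day."""
    if case.closed_on is None or case.expiry is None:
        return "active"                 # open cases are never deleted
    if case.legal_hold:
        return "legal-hold"             # hold pauses deletion until it is lifted
    if today < case.expiry:
        return "retained"
    if today < case.expiry + timedelta(days=PENDING_DELETION_DAYS):
        return "pending-deletion"       # 30-day window before permanent removal
    return "due-for-deletion"


@dataclass
class CaseStore:
    cases: Dict[str, CaseRecord] = field(default_factory=dict)
    register: List[DeletionRegisterEntry] = field(default_factory=list)

    def run_deletion_job(self, today: date) -> List[str]:
        """Delete every case that is due, write one register entry per case,
        and return the references that were removed."""
        deleted = []
        for ref, case in list(self.cases.items()):
            if deletion_status(case, today) != "due-for-deletion":
                continue
            self.register.append(DeletionRegisterEntry(
                case_reference=ref,
                closed_on=case.closed_on,
                retention_expiry=case.expiry,
                deleted_on=today,
                method="hard-delete",     # assumed label for the method column
            ))
            del self.cases[ref]           # personal and health data go with the record
            deleted.append(ref)
        return deleted


def register_mentions(store: CaseStore, *values: str) -> bool:
    """True if any of the given strings appear anywhere in the register,
    i.e. personal data has leaked into the audit trail."""
    text = " ".join(str(entry) for entry in store.register)
    return any(value in text for value in values)


def demo() -> CaseStore:
    """Constructed walk-through using the page's own example dates."""
    store = CaseStore()
    case = CaseRecord("RW-0001", "Example Employee", "Constructed health note")
    store.cases[case.reference] = case
    case.close(date(2026, 7, 1))                  # expiry 01/07/2033, as on the page
    case.legal_hold = True
    store.run_deletion_job(date(2033, 8, 15))     # nothing happens while on hold
    case.legal_hold = False
    store.run_deletion_job(date(2033, 8, 15))     # past expiry + 30 days: deleted
    return store
```

The `register_mentions` check is the part worth keeping in a real system: run it against the register after every deletion job so that a schema change never quietly adds a name or note to a record that is meant to be kept forever.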

Your rights

You have rights over your personal data, including the right to access it, correct it, or ask us to delete it (subject to our legal obligations). To exercise any of these, contact us at support@returnwell.co.uk.

Questions?

If you have any questions about how we handle data, or you'd like a copy of our Data Retention Policy, please get in touch — we're happy to help.
