ReturnWell

Privacy policy

Last updated: April 2025

1. Who we are

ReturnWell Ltd (“ReturnWell”, “we”, “us”, “our”) is a company registered in England and Wales. We operate the ReturnWell platform, which connects employers with occupational health professionals to support return-to-work processes.

For the purposes of UK data protection law, ReturnWell Ltd is the data controller in respect of personal data collected through this website and our platform.

Contact us at: hello@returnwell.co.uk

2. What data we collect

We collect the following categories of personal data:

  • Account data: Name, email address, phone number, job title, and organisation details provided on registration.
  • Case data: Information about employees referred for assessment, including employment details, health information, and the content of assessments and reports. This may include special category data (health data).
  • Provider data: Professional qualifications, registration numbers, compliance documents, and banking information for payment purposes.
  • Usage data: Log data, IP addresses, browser type, pages visited, and other standard web analytics data.
  • Communication data: Records of emails and messages sent through the platform.

3. How we use your data

We use personal data for the following purposes:

  • To provide and operate the ReturnWell platform and services
  • To match referrals with appropriate occupational health professionals
  • To verify provider credentials against regulatory registers
  • To communicate with you about your account and cases
  • To process payments to providers
  • To comply with our legal obligations
  • To improve our platform and services

4. Legal basis for processing

We process personal data on the following legal bases:

  • Contract: Processing necessary to perform our contract with you or to take steps before entering into a contract.
  • Legitimate interests: Processing necessary for our legitimate interests in operating and improving our platform, where these are not overridden by your rights.
  • Legal obligation: Processing necessary to comply with our legal and regulatory obligations.
  • Consent: Where we rely on consent, you have the right to withdraw it at any time.

For special category data (health information), we rely on explicit consent from the employee being assessed, and on the processing being necessary for the purposes of occupational medicine under Article 9(2)(h) UK GDPR.

5. Who we share data with

We may share personal data with:

  • Occupational health providers on our platform — to conduct assessments and produce reports
  • Supabase — our database and authentication infrastructure provider
  • Resend — our email delivery service
  • Vercel — our hosting infrastructure provider
  • HCPC and other regulatory bodies — for the purpose of verifying provider registration
  • Legal and regulatory authorities — where required by law

We do not sell personal data to third parties.

6. Data retention

We retain personal data for as long as necessary to provide our services and comply with our legal obligations. Case data, including health information, is retained for a minimum of 7 years in accordance with standard clinical record-keeping guidelines. Account data is retained for the duration of the account and for a period of 3 years after closure.

7. Your rights

Under UK data protection law, you have the following rights:

  • The right to access your personal data
  • The right to rectification of inaccurate data
  • The right to erasure (“right to be forgotten”) in certain circumstances
  • The right to restrict processing in certain circumstances
  • The right to data portability
  • The right to object to processing based on legitimate interests
  • Rights in relation to automated decision-making and profiling

To exercise any of these rights, contact us at hello@returnwell.co.uk. We will respond within one calendar month.

8. Cookies

We use cookies and similar technologies to operate the platform and analyse usage. These include:

  • Essential cookies: Required for authentication and platform operation. These cannot be disabled.
  • Analytics cookies: Used to understand how the platform is used, in order to improve it. These are anonymised where possible.

9. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encryption of data in transit and at rest, role-based access controls, and regular security reviews.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify registered users of material changes by email. The date at the top of this page indicates when the policy was last updated.

11. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.