
Privacy Policy
Effective Date: 01/11/2025
Version 1.0
© What If HR Ltd 2025. All rights reserved.
1. Who we are and how this notice works
What If HR Ltd (“we”, “us”, “our”) respects your privacy and is committed to protecting personal data. This Privacy Notice explains what personal data we collect, how and why we use it, our lawful bases for doing so, who we share it with, how long we keep it, and the rights you have.
This Privacy Notice applies to:
- visitors to www.whatifhr.co.uk and people who contact us about our services (we act as Data Controller); and
- personal data we handle on behalf of our clients while delivering HR consultancy services (we act as Data Processor — the client’s privacy notice governs that processing).
This Notice sits alongside:
- our Website Terms of Use; and
- our Cookies and Tracking Policy (covering cookies, pixels and similar tech under PECR).
We will update this Notice from time to time, including to reflect changes under the Data Protection and Digital Information Act once provisions come into force. We continue to comply with the UK GDPR, Data Protection Act 2018, and PECR.
2. Our roles and contact details
Controller (for website, enquiries, marketing, supplier/contact records):
What If HR Ltd, 21 Dunedin Drive, Caterham, CR3 6BA.
Data Protection Lead: Elena Sukhova, Director
Contact: hello@whatifhr.co.uk | +44 7557 982 407
Processor (for client HR files):
When providing HR consultancy to a client, we process personal data under the client’s written instructions as their Processor. In that case, the client’s privacy notice applies to their staff data.
You can contact us using the details above about any privacy questions. You also have the right to complain to the Information Commissioner’s Office (ICO) (www.ico.org.uk) if you’re unhappy with how we handle personal data.
3. Children
Our website and services are aimed at businesses. We do not knowingly collect data about children, and we ask that children do not submit personal data via our website or contact channels.
4. What data we collect and how we obtain it
We collect, use and store personal data in a number of ways depending on how you interact with us.
4.1 Data you provide directly
You may give us personal data when you:
- complete forms or contact us via our website or email;
- subscribe to updates, book consultations, purchase a service or package, or download materials;
- correspond with us about services, invoices or HR matters; or
- participate in surveys, webinars or feedback requests.
This may include:
- name, job title and business contact details;
- company name and registration information;
- correspondence and enquiry details;
- billing, transaction and payment details (processed securely via third-party providers — What If HR does not store card information);
- marketing and communication preferences.
4.2 Data we receive from clients
When acting as a Data Processor for a client, we may receive employee or applicant information (such as names, job titles, contact details, employment records or performance data) to deliver HR consultancy services.
We handle this information only under the client’s written instructions and in accordance with our Master Terms of Business and data-processing obligations.
4.3 Data we collect automatically
When you visit our website we automatically collect limited technical data through cookies and similar technologies, such as:
- IP address, browser type, device type, and operating system;
- referring website and pages visited;
- date, time and duration of visit.
This helps us maintain site security, measure usage and improve performance. For details, see our separate Cookies and Tracking Policy.
4.4 Data from other sources
We may receive information from:
- business partners or suppliers assisting in service delivery (for example, IT support, accountants or marketing platforms);
- publicly available sources such as Companies House or LinkedIn, to verify business identity or contact details.
We take reasonable steps to ensure that any third party providing data to us has obtained it lawfully and provided the necessary privacy information to affected individuals.
5. How we use personal data and our lawful bases
We use personal data only where we have a clear and lawful basis for doing so.
Depending on the context, that basis may be contract, legitimate interests, consent, or legal obligation.
5.1 When acting as Data Controller (website, marketing and business contacts)
We may use your personal data to:
- respond to enquiries, schedule consultations and deliver requested information;
- provide, manage and improve our services, website and user experience;
- maintain our client records, invoicing and accounting systems;
- send you service updates, policy changes or legal notices;
- send optional marketing communications (only where permitted — see Section 8);
- protect the security of our website, IT systems and business operations;
- comply with our legal and regulatory obligations (for example, tax or record-keeping duties); and
- prevent or detect fraud, misuse or other unlawful activity.
Our lawful bases for this processing are typically:
- Contract – to perform or take steps at your request before entering a contract with you;
- Legitimate interests – for efficient business administration, network security and service development, provided your rights do not override those interests;
- Consent – where you opt-in to receive marketing or where the law requires consent (for example, non-essential cookies); and
- Legal obligation – where we must retain or disclose data under UK law.
5.2 When acting as Data Processor (client HR data)
When delivering HR consultancy services to a client, we process staff and related personal data solely:
- on the client’s written instructions,
- for the purposes set out in the Specification or contract, and
- in accordance with our Data Processing obligations in the Master Terms of Business.
We do not use client HR data for our own purposes.
5.3 Special-category data
If we ever need to process special-category (sensitive) data — for example, health or equality information contained within HR records — we will do so only:
- under a lawful basis such as employment or social-protection law,
- for the establishment, exercise or defence of legal claims, or
- with the individual’s explicit consent, if required.
5.4 Automated decision-making and AI tools
We do not make decisions that produce legal or similarly significant effects using solely automated means.
If we use AI-assisted tools for drafting or analysis, they are used only to support human judgement.
No personal or confidential data is input into such systems without appropriate safeguards (see Section 7 – How we protect personal data).
6. Who we share personal data with and international transfers
We treat all personal data as confidential. We share it only where necessary and lawful.
6.1 Service providers and professional advisers
We may share limited personal data with trusted third parties who help us operate our business, including:
- IT and cloud-hosting providers (for secure email, storage and document management);
- professional advisers (such as accountants, insurers or solicitors);
- payment processors and banking providers;
- marketing, website-analytics and communications platforms (where consent or another lawful basis exists); and
- consultants or associates engaged to deliver parts of our services, under written confidentiality and data-processing terms.
All suppliers who process personal data for us act under written contracts that require them to keep data secure, act only on our instructions and comply with the UK GDPR and Data Protection Act 2018.
6.2 Business transfers or restructuring
If we reorganise or transfer our business, merge, sell or otherwise restructure, personal data may be transferred to a successor entity that agrees in writing to maintain equivalent privacy protections.
6.3 Legal and regulatory disclosures
We may disclose personal data where required to do so by law, regulation, court order or competent authority, or to enforce our contractual rights, protect our property, or defend legal claims.
6.4 Within client projects
When we act as a Data Processor for client HR data, we share data only with the client’s authorised representatives and approved third-party systems named in the Specification or contract (for example, HR or payroll platforms). We do not share client staff data for our own purposes.
6.5 International transfers (including Zoho services)
We primarily store and process personal data within the United Kingdom.
However, some of our technology and communication providers operate or host services outside the UK — for example, Zoho Corporation, which provides our company email and productivity platform and stores certain business contact information on servers located in the United States.
Where personal data is transferred outside the UK, we ensure it receives an adequate level of protection by using approved transfer safeguards under the UK GDPR, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses. These contractual mechanisms oblige the recipient to protect the data to UK-equivalent standards.
We review Zoho’s data-processing and security practices annually and monitor any changes to UK transfer rules or adequacy decisions. Details of current transfer safeguards and sub-processors are available on request at hello@whatifhr.co.uk.
7. How we protect personal data
We take the security of all personal data seriously. We apply appropriate technical and organisational measures to protect it against unauthorised or unlawful processing, accidental loss, destruction, or damage.
7.1 Our security measures
Our measures include:
- encryption of data in transit and at rest, where practicable;
- secure cloud storage and password-protected systems;
- multi-factor authentication for administrator accounts;
- role-based access control so data is visible only to those who need it;
- confidentiality undertakings for employees, associates and contractors;
- regular staff training on data protection and information security;
- up-to-date antivirus, malware protection and system patching; and
- routine back-ups and business-continuity planning.
We expect the same standards from all service providers who handle personal data for us.
Our key providers — including Zoho Corporation for email and productivity tools — are bound by written agreements incorporating the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, which require them to maintain equivalent safeguards even where servers are located outside the UK.
7.2 Data-breach response
If we become aware of a personal-data breach, we will:
- investigate promptly and assess the risk to individuals;
- contain and mitigate the incident;
- where acting as a Processor, notify the affected client without undue delay and, in any event, within 48 hours of becoming aware; and
- where acting as a Controller, notify the Information Commissioner’s Office (ICO) and affected individuals where legally required.
We record all security incidents and review lessons learned to prevent recurrence.
7.3 Use of technology and AI tools
Where we use digital or artificial-intelligence tools to assist with drafting, data analysis or administration, we do so only to support human judgement.
No confidential or personal data is entered into any system unless:
- the provider offers contractual data-protection assurances;
- the data is encrypted or pseudonymised where appropriate; and
- human review is carried out before any advice or output is relied upon.
We maintain an internal register of AI-assisted processes and review them regularly to ensure they remain secure and compliant.
7.4 Transmission of information
While we use appropriate safeguards once information reaches our systems, transmission of data over the internet (including by email) can never be guaranteed as completely secure. You send data at your own risk, and we recommend using secure file-transfer or password-protected attachments for sensitive information.
8. Data retention
We keep personal data only for as long as it is needed for the purpose for which it was collected, or to meet legal, regulatory, accounting, or reporting requirements.
8.1 General retention principles
We apply the following principles to determine how long we retain personal data:
- we retain it only for as long as necessary to fulfil the purpose for which it was collected;
- where processing is based on consent, we delete the data promptly after consent is withdrawn;
- where processing is required for a contract, we keep relevant data for the duration of the contract and a reasonable period afterwards (normally up to seven years) to handle potential queries or legal claims;
- where required by law (for example, HMRC records), we retain data for the statutory minimum period; and
- we securely delete or anonymise data when it is no longer required.
8.2 Typical retention periods
As a guide:
- Client HR project files and correspondence: kept for up to seven years after the project or contract ends, to maintain professional records and cover limitation periods for legal claims.
- Business contact data (suppliers, prospects, newsletter subscribers): kept until consent is withdrawn or the relationship ends, and reviewed annually.
- Financial and accounting records: kept for seven years from the transaction date to meet HMRC and Companies Act obligations.
- Website enquiry forms and support emails: kept for up to twenty-four months from the last contact to maintain an audit trail and customer-service record.
- Recruitment data (job applicants): kept for up to twelve months after the recruitment process ends for legitimate-interest and equality-monitoring purposes.
- Security logs and system backups: normally retained for up to ninety days (logs) or on a rolling twelve-month basis (backups) for system integrity and incident response.
These periods may be adjusted if law requires a longer period or if necessary to defend legal claims.
8.3 Secure deletion and archiving
When retention periods expire, we either:
- securely delete the data from active systems and backups; or
- archive it in a restricted area if a continuing legal or regulatory need exists.
8.4 Review and updates
We review our retention schedule annually and update it when business or legal requirements change. A summary of our current retention policy is available on request at hello@whatifhr.co.uk.
9. Your rights and how to exercise them
You have a number of rights under the UK GDPR and Data Protection Act 2018 in relation to your personal data. These rights are not absolute and may depend on the purpose or legal basis for processing, but we will always respond openly and fairly to any request.
9.1 Your data-protection rights
You have the right to:
- Access your data – request a copy of the personal data we hold about you.
- Correct your data – ask us to update or correct any inaccurate or incomplete information.
- Delete your data – request that we delete your personal data where there is no legal reason for us to keep it.
- Restrict processing – ask us to suspend or limit the way we use your data in certain circumstances.
- Object to processing – object to our processing of your personal data when we rely on legitimate interests or use it for direct marketing.
- Data portability – request that we provide your data in a structured, commonly used and machine-readable format, and that we transfer it to another controller where technically possible.
- Withdraw consent – where we rely on your consent (for example, for marketing), you may withdraw it at any time by using the unsubscribe link in our emails or by contacting us.
We do not carry out automated decision-making that produces legal or similarly significant effects on individuals.
9.2 Making a request
To exercise any of your rights, please email hello@whatifhr.co.uk with your name, contact details and a clear description of your request.
We will respond within one month of receiving your request and may ask for proof of identity before releasing any personal information.
There is no fee for most requests, although we may charge a reasonable administrative fee if a request is manifestly unfounded or excessive.
9.3 Right to complain
If you are unhappy with how we have handled your personal data, please contact us first so we can try to resolve your concern.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection.
Further information is available at www.ico.org.uk, or you can write to:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
10. Cookies and tracking technologies
Our website uses cookies and similar technologies to help it run efficiently and to improve your experience. Cookies are small text files placed on your device when you visit our site. They allow the website to recognise your device and remember certain information about your visit.
10.1 Types of cookies we use
We use the following categories of cookies:
- Strictly necessary cookies – required for the website to function, such as those that enable navigation, security or access to secure areas. These cookies do not store personally identifiable information and cannot be turned off in our systems.
- Performance or analytics cookies – help us understand how visitors use our site, so we can measure and improve performance. For example, we use Google Analytics 4 (configured for IP-anonymisation).
- Functional cookies – remember your choices and preferences, such as language or region settings.
- Marketing or social-media cookies – set by advertising or social-media partners to build a profile of your interests. These are only activated with your consent.
10.2 Your cookie choices
When you first visit our website, you will see a cookie banner that allows you to accept or reject non-essential cookies. You can also change or withdraw your consent at any time by adjusting your browser settings or clearing your cookies. Most browsers let you block or delete cookies under their “Settings” or “Privacy” menus.
Please note that disabling certain cookies may affect how the website functions.
10.3 Third-party technologies
Some cookies and pixels are provided by third parties such as Google Analytics or social-media platforms. These providers may process limited information about how you use our site. You can learn more about how Google uses information from sites and apps that use its services at https://policies.google.com/technologies/partner-sites.
10.4 Legal basis for cookies
Under the Privacy and Electronic Communications Regulations (PECR), we may store cookies on your device if they are strictly necessary for the operation of the site. For all other types of cookies, we ask for your consent. This consent can be withdrawn at any time.
10.5 More information
You can find independent information about cookies and how to manage them at:
www.allaboutcookies.org and www.youronlinechoices.eu.
If you have questions about our use of cookies or other tracking technologies, please contact hello@whatifhr.co.uk.
11. Changes to this policy and contact information
We may update this Privacy Policy from time to time to reflect changes in the law, regulatory guidance, or our business practices. When we do, we will update the effective date at the top of this page and publish the revised version on our website. We encourage you to review this page periodically to stay informed about how we protect your information.
If there are any significant changes to how we collect or use personal data, we will take reasonable steps to notify you in advance — for example, by email (where appropriate) or by a prominent notice on our website.
If you have any questions, comments, or requests about this Privacy Policy or how we handle your personal data, please contact us:
What If HR Ltd
Registered in England and Wales
Email: hello@whatifhr.co.uk
Website: www.whatifhr.co.uk
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). We will update this policy to reflect the Data Protection and Digital Information Act once in force.
End of Privacy Policy.
