1. Who We Are

Bessie® and the Organisation Wellbeing Index (OWI) are products of Thrive & Shine Ltd, a UK‑based organisation specialising in stress risk assessment and wellbeing insight. Thrive & Shine Ltd acts as the Data Controller and is committed to protecting personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For any queries, contact us at info@thrive-and-shine.co.uk.

2. Scope of This Policy

This policy applies to the use of both Bessie® – a stress risk assessment tool which may include limited, high‑level health‑context questions, and the Organisation Wellbeing Index (OWI) – an organisational wellbeing assessment tool which does not collect medical or health‑related data. It covers how we collect, use, store, and protect all personal data processed through these products.

3. Personal Data We Collect

Across both Bessie and OWI we collect your name, email address, organisation, and role. We also gather account and access details such as login credentials or magic links, along with technical and usage data required to operate the platform securely. Your responses to wellbeing and organisational questions are recorded, and derived scores, indicators, and risk measures generated by the platform are stored accordingly.

4. Bessie – Health‑Context Data

Bessie may collect high‑level responses to questions about health or medical considerations – for example, whether an individual has a medical condition. Bessie does not ask individuals to list, describe, or provide details of medical conditions. We do not collect medical records, diagnoses, treatment information, or clinical notes. OWI does not include medical or health‑related questions of any kind.

5. Consent & Participation

Before starting a Bessie assessment, individuals are shown a Privacy Notice explaining how their data will be used. Participation cannot begin unless the individual actively confirms consent by ticking an agreement box. This consent specifically covers the processing of any health‑context data included in Bessie and is obtained prior to the assessment commencing, in line with Article 9 of the UK GDPR.

6. How Personal Data Is Used

Data collected through Bessie and OWI is used only to provide access to the software, generate individual, team, and organisational wellbeing insights, produce reports and risk indicators, and support organisations in understanding and addressing wellbeing risks. We also use data to maintain platform security, integrity, and performance. Your data is not sold, not shared for advertising, and not used for performance management or disciplinary purposes.

7. Anonymity & Aggregation

Organisational reporting is designed to be aggregated and anonymised wherever possible. Individual responses are not shared with employers in identifiable form unless explicitly agreed, contractually required, and clearly communicated to the individual. Personal identifiers such as email addresses are used for access and administration only and are never used to evaluate individuals.

8. Legal Basis for Processing

For personal data under Article 6 of the UK GDPR, we rely on consent, contractual necessity, and legitimate interests to deliver wellbeing insights responsibly. For health‑context data collected through Bessie only, which falls under Article 9 of the UK GDPR, the legal basis is explicit consent provided by the individual prior to the assessment commencing.

9. Data Storage & Security

All data is stored securely using industry‑standard technical and organisational safeguards. Access is restricted to authorised personnel only. Appropriate measures are in place to protect against unauthorised access, loss, or misuse of your personal information at every stage of its lifecycle within our systems.

10. Data Retention

Personal and wellbeing data is retained only for as long as necessary to fulfil its stated purpose, support reporting cycles, or meet legal and contractual obligations. Retention periods may vary depending on the specific organisational agreements in place. Once data is no longer required, it will be securely deleted or anonymised.

11. Your Rights

Under the UK GDPR, you have the right to access your personal data, request correction or deletion, withdraw consent where processing is based on consent, object to or restrict processing, and request data portability. To exercise any of these rights, simply send a request to info@thrive-and-shine.co.uk and we will respond promptly.

12. Third‑Party Processors

Trusted third‑party service providers, such as hosting or security services, may be used to operate the platform. All such providers are contractually required to meet UK GDPR and data protection standards. We take full responsibility for ensuring that any data shared with these processors is handled in accordance with applicable law.

13. Changes to This Policy

This policy may be updated periodically to reflect legal, technical, or operational changes. The most current version will always be made available within the software. We encourage you to review this policy from time to time so that you remain informed about how we protect your data.

14. Contact Us

For any questions or concerns about privacy or data protection, please do not hesitate to reach out to us at info@thrive-and-shine.co.uk. We are here to help and will respond to all enquiries as quickly as possible.