Last updated: 08/06/2026
1. Who we are
Habits for Health (“the App”) is provided by Wellbeing People Ltd (“we”, “us”, “our”), a company registered in England and Wales.
- Company number: 07858207
- Registered and trading address: Woodlands, 25 Caring Lane, Bearsted, Maidstone, Kent, ME14 4NJ
- VAT number: GB 328 0697 85
- ICO registration reference: ZA541988
We are the data controller for the personal data described in this policy. That means we decide why and how your personal data is processed.
If you have any questions about this policy or about how we handle your data, contact our Data Protection Lead:
Jacob Neal: data.protection@wellbeingpeople.com
2. Who this policy is for
This policy applies to everyone who uses the App. In the current version, you access the App by entering a Company Access Code provided by a company, employer or organisation that has bought a package on your behalf. Paid individual subscriptions are planned for a future version, and we will update this policy before they go live.
If you access the App through your employer or another organisation, please also read section 9, which explains what that organisation can and cannot see.
The App is intended for users aged 18 and over. We ask for your age when you create your account; you cannot complete signup if you are under 18. It is not directed at children, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
3. The personal data we collect
We collect the following categories of personal data.
Information you give us
- Account details: your first name, last name, email address and password (your password is handled securely by our authentication provider and is not visible to us).
- Display name: a name of your choosing that is shown to other users on leaderboards (see section 9).
- Profile details: your age, which you provide when you create your account, and your gender, which you can choose to provide or leave blank. We use these to personalise your experience in the App. Your age also confirms that you are aged 18 or over (see section 2).
- Access information: if you join through an organisation, the Company Access Code you enter and the user group it places you in.
- Communications: any messages you send us, for example support requests.
Information created as you use the App
- Activity and engagement data: the challenges you activate, your daily check-ins and streaks, points and medals earned, and your answers to in-app quizzes. This is self-reported activity data about your engagement with the App.
- Notification preferences: whether notifications are switched on, your preferred notification time, and a device token used to deliver push notifications.
Information collected automatically
- Usage and analytics data: information about how the App is used (for example, screens viewed, features used, approximate device and app version, and a pseudonymous app-instance identifier), collected through Google Firebase Analytics. We have configured analytics to anonymise IP addresses.
- Diagnostic data (future): if and when we enable crash reporting and performance monitoring (Firebase Crashlytics and Performance Monitoring), we will collect technical diagnostic information to keep the App stable. We will update this policy before enabling these.
Payment information
In the current version of the App, the only way to gain access is by entering a Company Access Code provided by an organisation. The App does not take payments from individual users, and we do not collect any payment or card data.
A note on health data
We treat your habit and challenge activity as self-reported engagement data, not as health data. Whether you complete a habit on a given day does not, in our view, reveal information about your state of health. We do not ask for, and the App is not designed to collect, medical information, diagnoses, or other special category data.
4. How we use your data, and our lawful basis
Under UK data protection law we must have a lawful basis for using your personal data. The table below sets out what we do and why.
| What we do | Why | Lawful basis (UK GDPR) |
|---|---|---|
| Create and manage your account; let you log in | To provide the App you have signed up for | Performance of a contract (Art. 6(1)(b)) |
| Deliver challenges, track streaks, award points and medals, run quizzes | Core functionality of the App | Performance of a contract (Art. 6(1)(b)) |
| Show leaderboards using your display name | To provide the social features | Contract (Art. 6(1)(b)); and our legitimate interest in engaging features (Art. 6(1)(f)) |
| Use your profile details (age and gender) to personalise content and features | To tailor your experience in the App | Your consent, which you can withdraw at any time (Art. 6(1)(a)) |
| Confirm you are aged 18 or over at signup | To keep the App restricted to adults | Legitimate interests (Art. 6(1)(f)) |
| Apply and validate Company Access Codes | To give you the access your organisation arranged | Performance of a contract (Art. 6(1)(b)) |
| Send service and transactional messages | To operate the App and keep you informed | Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) |
| Send push notifications | To remind and encourage you | Your consent, via your device and the in-app toggle (Art. 6(1)(a)) |
| Analyse usage to understand and improve the App | To make the App better | Consent and/or legitimate interests, depending on the mechanism in place (Art. 6(1)(a)/(f)). See section 6 |
| Produce anonymised, aggregated reports for organisations | To give clients insight into overall engagement | Legitimate interest in providing our service (Art. 6(1)(f)); once anonymised, the reports are not personal data |
| Keep records of transactions | To meet tax and accounting obligations | Legal obligation (Art. 6(1)(c)) |
| Protect the App against fraud, abuse and security threats | To keep the App and users safe | Legitimate interests (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have balanced our interests against your rights and have concluded our processing is proportionate. You can ask us for more detail, and you have the right to object (see section 10).
We do not make any decisions about you that have legal or similarly significant effects using solely automated means.
5. Who we share your data with
We do not sell your personal data. We share it only as set out below.
- Service providers (processors) acting on our instructions: Google (Firebase) for authentication, database storage, push messaging and analytics. The App does not use Stripe in the current version; when paid plans are introduced in a future version, Stripe will process payments.
- App distribution platforms: Apple (App Store) and Google (Google Play), in connection with downloading the App and, where applicable, managing subscriptions.
- Organisations that provide your access: if you joined through an employer or other organisation, we provide that organisation with anonymised, aggregated reporting only. They do not receive your name, email or individual activity data through these reports. See section 9 for what an administrator at your organisation can see in the App itself.
- Professional advisers and authorities: we may disclose data where required by law, regulation, court order, or to establish, exercise or defend legal claims.
- Business transfers: if our business is reorganised, sold or transferred, your data may be disclosed to a successor under the same protections.
Each processor is bound by a contract requiring it to protect your data and use it only as instructed.
6. Analytics and consent
The App uses Google Firebase Analytics to understand how features are used so we can improve the App. We do not use analytics to track you across other companies’ apps or websites, and we do not use your data for third-party advertising.
Where the law requires your consent for analytics, we will ask for it (or provide a clear opt-out) and you can change your choice at any time in the App’s settings. We have enabled IP anonymisation and configured a defined analytics retention window (see section 8).
7. Storage and international transfers
Our primary database (Google Firestore) is hosted in the United Kingdom (London region).
Some of the providers we use operate global infrastructure, so certain processing, for example authentication, push messaging and analytics, may involve transfers of personal data to countries outside the UK, including the United States. Where that happens, the transfer is protected by appropriate safeguards. We rely on the providers’ data processing agreements, which incorporate the UK International Data Transfer Addendum to the EU Standard Contractual Clauses and/or the UK Extension to the EU-US Data Privacy Framework.
You can ask us for more information about these safeguards using the contact details in section 1.
8. How long we keep your data
We keep personal data only as long as we need it. Our retention periods are:
| Data | Retention |
|---|---|
| Account and identity data (name, display name, email, age, gender, login credentials, push token) | To meet tax and accounting obligations |
| Activity and engagement data (streaks, points, quiz answers, challenge history) | Kept while your account is active. On deletion, all identifiers are removed and only irreversibly anonymised, aggregated data is retained for product analytics and client reporting, with no fixed end date. |
| Inactive accounts | If you do not log in for 24 months, we will email you a warning and then delete or anonymise the account after a further 30 days if you do not respond. |
| Payment and transaction records (held by us, not card numbers) | 6 years, to meet tax and accounting obligations. Applies only once paid plans are introduced; the current version takes no payments. |
| Support correspondence | 24 months. |
| Analytics data | Retained for 14 months in Firebase Analytics. |
| Backups | Personal data is purged from backups within the backup rotation cycle (up to 35 days). |
“Anonymised” means the data has been irreversibly stripped of anything that could identify you, directly or indirectly, so that you can no longer be singled out. Once data is genuinely anonymised it is no longer personal data and this policy’s retention limits no longer apply to it.
9. Leaderboards, display names and organisation administrators
The App includes leaderboards that show how users are progressing.
- Other users in your group see your display name and your points totals, not your email address or other account details.
- If you access the App through an organisation, that organisation may appoint one or more administrators. Administrators can see display names and engagement information (such as challenge participation and points) for the users in the package they manage, in order to run and support the wellbeing programme.
We use your display name, rather than your real name, in leaderboards and in everything an administrator sees.
Organisations use the App to encourage wellbeing. Engagement information visible to administrators is not used by us for any employment, performance, insurance or disciplinary purpose, and our agreements with client organisations restrict such use.
10. Your rights
Under UK data protection law you have the right to:
- be informed about how we use your data (this policy);
- access the personal data we hold about you;
- rectify inaccurate or incomplete data;
- erase your data (“right to be forgotten”) in certain circumstances. You can delete your account in the App at any time (see section 11);
- restrict our processing in certain circumstances;
- data portability, to receive certain data in a portable format;
- object to processing based on our legitimate interests; and
- withdraw consent at any time where we rely on consent (for example, push notifications or analytics).
To exercise any of these rights, contact data.protection@wellbeingpeople.com. We will respond within one month. There is normally no charge.
If you are unhappy with how we have handled your data, you can complain to the UK regulator, the Information Commissioner’s Office (ICO). Website: https://ico.org.uk. Helpline: 0303 123 1113. We would, however, appreciate the chance to address your concerns first.
11. Deleting your account
You can delete your account at any time from within the App (Profile, then Delete account). When you delete your account:
- your account and identity data are removed within 30 days;
- your activity data is anonymised as described in section 8;
- some records may be retained where we are legally required to keep them (for example, transaction records for tax purposes), as set out in section 8.
If you joined through an organisation, deleting your account removes your personal data from our systems but does not affect the anonymised, aggregated figures already included in past reports.
12. Security
We take appropriate technical and organisational measures to protect your data, including encryption of data in transit, access controls, hosting your database in the UK, and using reputable providers who maintain recognised security standards. No system can be guaranteed completely secure, but we work to protect your data and will notify you and the ICO where we are legally required to do so in the event of a personal data breach.
13. Third-party services
The App relies on services provided by Google and the app stores. Your use of those services may also be governed by their own privacy policies:
- Google / Firebase: https://firebase.google.com/support/privacy
- Apple: https://www.apple.com/legal/privacy/
- Google Play: https://policies.google.com/privacy
14. Changes to this policy
We may update this policy from time to time. If we make significant changes, we will notify you in the App or by email. The “last updated” date at the top shows when this policy was last revised.
15. Contact
Wellbeing People Ltd
Woodlands, 25 Caring Lane, Bearsted, Maidstone, Kent, ME14 4NJ
Data Protection Lead: Jacob Neal, data.protection@wellbeingpeople.com
