Privacy policy, terms of service, cookie policy, and a data processing summary — all in one place, governed by Swedish law and the GDPR.
Section 1
Privacy Policy
How WelloWork collects, uses, and protects personal data, under the GDPR and Swedish law.
🇪🇺 GDPR compliant · 🇸🇪 Swedish law · EU/EEA data only
What does this privacy policy cover?
It explains what personal data WelloWork collects when you use this website or the WelloWork platform, what we do with it, the legal bases we rely on under the GDPR, your rights, and how to reach us about them.
Who is the controller of your data?
WelloWork AB, registered in Sweden and operating from Uppsala, Sweden, is the controller for personal data collected on this website and through enquiries. For data processed inside the WelloWork platform on behalf of a customer organisation, WelloWork AB acts as processor and the customer organisation is the controller — that relationship is governed by a separate Data Processing Agreement.
Who controls your data?
Website visitor (direct relationship): WelloWork AB (Controller) → You
Platform user (via DPA): Customer Org (Controller) → WelloWork AB (Processor) → You
What personal data do we collect?
Contact data
From forms — name, work email, company, role, optional message.
Technical data
IP and user-agent at form submission, for spam control and security.
Platform data
Training, assessment, and biomarker records.
Only if you're a platform end user
What is the legal basis for processing?
Consent
Marketing follow-up after a demo or contact request.
Legitimate Interests
Responding to enquiries, security logging, abuse protection.
Contract
Delivering the contracted platform to your employer.
Legal Obligation
Retention periods imposed by Swedish or EU law.
Where is your data stored?
All personal data is stored on infrastructure resident in the European Union. WelloWork does not transfer personal data outside the EU/EEA without an appropriate transfer mechanism in place.
EU/EEA infrastructure only
No transfers outside the EU/EEA without an appropriate mechanism.
How long do we keep it?
Enquiry data: 24 months
Platform records: per DPA
Backups: 90 days
What rights do you have?
Under the GDPR you can request access, rectification, erasure, restriction, portability, and the right to object. You can also lodge a complaint with the Swedish data protection authority (IMY).
Access
Get a copy of the data we hold about you.
Rectification
Ask us to correct inaccurate data.
Erasure
Ask us to delete your data.
Restriction
Limit how we process your data.
Portability
Receive your data in a portable format.
Object
Object to processing based on legitimate interests.
Transport encryption, encryption at rest, role-based access, audit logging, and a minimum-team-size threshold for all manager-visible aggregates.
Encryption in transit
Encryption at rest
Role-based access
Audit logging
ISO 27001 in progress
Changes to this policy
Material changes will be posted here with a revision date. Last revision date: this page is dated by its current deploy and will be updated when counsel-reviewed.
To exercise any right, email info@wellowork.net with "privacy request" in the subject.
Section 2
Terms of Service
The terms under which you use this website and the WelloWork platform. Customer agreements supersede this page where applicable.
What do these terms cover?
Acceptable use of the WelloWork website, the legal entity behind the service, intellectual property, warranties and disclaimers, limitation of liability, and the governing law. Where you are a paying customer, the order form and master services agreement take precedence.
Who are you contracting with?
WelloWork AB, a Swedish company. These terms govern use of the website at this domain and any demo/trial environments we make available. Use of the production platform under a paid contract is governed by the order form and accompanying agreement.
🇸🇪 Contracting entity
WelloWork AB
Registered in Sweden
Swedish law governs.
What is acceptable use?
You may
Use this website to learn about WelloWork and request a demo.
Browse our published content for personal or business research.
Contact us through the forms provided on this site.
You may not
Attempt to gain unauthorised access or interfere with the service.
Exfiltrate, copy, or scrape data beyond normal browsing.
Use the site for competitive intelligence at abnormal volumes.
What about intellectual property?
All content, branding, source code, design, and other materials on this site are owned by WelloWork AB or its licensors. Nothing on the site grants you a licence to those materials except as explicitly stated.
The website is provided on an "as is" basis. We make no warranty as to availability, fitness for a particular purpose, or accuracy of any third-party information linked from the site. Liability for use of the website is limited to the maximum extent allowed by Swedish and applicable EU law.
As-is, no guarantees
This website is provided as-is. We don't guarantee uptime, accuracy, or fitness for a particular purpose.
Governing law
These terms are governed by Swedish law. Disputes arising from the use of this website fall under the exclusive jurisdiction of the Swedish courts unless mandatory law in your jurisdiction provides otherwise.
🇸🇪 Swedish courts · Swedish law
Changes
We may update these terms over time. Material changes will be posted here with a revision date.
Section 3
Cookie Policy
We default to minimal cookie use in line with the rest of the privacy stance.
Essential cookies only — no tracking by default
What cookies does the WelloWork website use?
The marketing site uses only essential cookies needed to keep the site working (e.g. preserving form state across reload). Analytics and marketing cookies are not enabled by default; if they ever are, they will be opt-in via a consent banner, and itemised below.
What is a cookie?
A cookie is a small text file stored on your device by a website. Cookies are used for things like keeping you logged in, remembering preferences, and (in some cases) tracking usage for analytics or advertising.
What cookies are used here?
Type | Status | Purpose
Essential | Active by default | Required for site operation — e.g. form state on reload.
Analytics | Off by default | Would measure aggregate usage. Opt-in via a future consent banner.
Advertising | Not used | No advertising cookies on this site.
How can you control cookies?
Browser settings: Open your browser's privacy or cookie controls.
Clear or block: Remove existing cookies or block new ones.
Heads up: Blocking essentials may break form submissions.
Changes
If we add any non-essential cookies, this page will be updated with a revision date and the consent banner will offer an opt-in.
We'll add a consent banner and update this page before enabling any non-essential cookies.
Section 4
Data Processing
A summary of how WelloWork acts as processor for customer organisations under the GDPR. The executed DPA for a given customer takes precedence.
Customer Org (Controller) → documented instructions → WelloWork AB (Processor) → service delivery → End users (Data subjects)
What is the data processing relationship?
When you use the WelloWork platform as an employee of a customer organisation, your employer is the controller of your data and WelloWork AB is the processor acting on documented instructions. The terms of that processing are set out in a Data Processing Agreement (DPA) executed between WelloWork and your employer.
Subject matter and duration
Scope
End users of the WelloWork platform (typically employees).
Duration
Length of customer agreement + DPA retention period.
Nature, purpose, and categories of data
We process personal data of the customer's end users to deliver the WelloWork platform and produce aggregated, anonymised reporting to authorised admins.
End users of the WelloWork platform — typically employees of the customer.
Sub-processors
Sub-processors are GDPR-compliant, EU-resident where relevant, and listed in your DPA.
Current list provided to customers on request.
Hosting
Email
Lab partners
International transfers
We do not transfer personal data outside the EU/EEA without an appropriate transfer mechanism. Where a transfer is required (e.g. operational support tooling), it is documented in the DPA.
No transfers outside the EU/EEA
Without an appropriate transfer mechanism in place.
Security
Encryption in transit and at rest, role-based access, audit logging, minimum-team-size enforcement on manager-visible aggregates, periodic security review.