Privacy by design

Privacy is the architecture.

How WelloWork separates employee-private cognitive and biomarker data from the manager-aggregated view — not as a policy promise, but as an architectural decision.

What does privacy by design mean at WelloWork? The platform's data model splits employee-visible records from manager-visible aggregates. Individual cognitive results, biomarker reports, and assessment scores are scoped to the employee and their account; manager views are computed from aggregates that enforce a minimum team size and weekly smoothing. There is no policy override; the architecture is what enforces it.

What can an employee see?

  • Every cognitive training session they have completed, with per-domain detail.
  • Their own assessment results from Wellowize, including hiring-stage and any internal re-runs.
  • Their own biomarker reports, with the option to share them with their physician.
  • Their own longitudinal trend across all the above.
  • Export and erasure of all of the above on request, under the GDPR.

What can a manager see?

  • Anonymised, aggregated team trends — minimum team size enforced.
  • Workshop attendance and biomarker participation, aggregated.
  • Team-composition recommendations from cognitive profiles, with the underlying values not exposed.
  • Sprint-review and on-call-rotation annotations on the team trend.

What can a manager not see?

  • Any individual employee's cognitive scores, training sessions, or biomarker values.
  • Any aggregate that falls below the minimum team-size threshold.
  • Any data the employee has chosen not to share at the team level.

Where is data stored?

All customer and employee data is stored on EU-resident infrastructure. The platform is built to be GDPR-native — that means lawful basis, data minimisation, purpose limitation, and erasure are first-class concepts in the schema rather than features bolted on at the end.

Why architecture instead of policy?

Policy-only privacy depends on the people running the system. Architectural privacy depends on what the system makes possible to query. The latter is what we ship — so even a determined admin cannot pull an individual employee's cognitive score from a dashboard query path.
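The split between an employee-scoped read path and an aggregate-only manager path can be sketched as follows. This is an added example, not WelloWork's code: the threshold of 5, the 3-week smoothing window, the record layout and both function names are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict
from statistics import mean

MIN_TEAM_SIZE = 5   # assumed threshold; the page does not state the value
SMOOTH_WEEKS = 3    # assumed smoothing window, in weeks

# Constructed sample rows: (employee_id, team, iso_week, score, share_with_team)
RECORDS = [
    (f"e{i}", "platform", week, 60 + i + week, i != 6)
    for week in (1, 2, 3) for i in range(1, 7)
] + [(f"s{i}", "sre", 1, 70 + i, True) for i in range(1, 4)]


def employee_view(records, employee_id):
    """Employee path: returns only rows owned by the requesting employee."""
    return [r for r in records if r[0] == employee_id]


def manager_team_trend(records, team, k=MIN_TEAM_SIZE, window=SMOOTH_WEEKS):
    """Manager path: per-week team mean, smoothed, with small groups suppressed.

    Returns {week: smoothed_mean or None}; None marks a suppressed week.
    No employee id or individual score appears in the return value.
    """
    by_week = defaultdict(dict)
    for emp, t, week, score, shared in records:
        if t == team and shared:          # opt-outs never reach the aggregate
            by_week[week][emp] = score
    # The threshold counts distinct contributors after opt-outs, not roster size,
    # and suppressed weeks are excluded before smoothing so they cannot leak in.
    weekly = {w: mean(s.values()) for w, s in by_week.items() if len(s) >= k}
    trend = {}
    for week in sorted(by_week):
        if week not in weekly:
            trend[week] = None
            continue
        span = [weekly[w] for w in range(week - window + 1, week + 1) if w in weekly]
        trend[week] = round(mean(span), 2)
    return trend
```

The manager function is the only query the manager role would be given; it has no parameter that selects an individual, which is the property the paragraph above describes.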

Compliance posture

GDPR-native today. ISO 27001 certification is in progress. SOC 2 readiness is on the near-term roadmap for customers who require it. See privacy policy and data processing for the legal surface.

See the privacy model wired up live.

In the demo we open the same record on the employee side and the manager side, so you can see exactly what each role does — and does not — see.