WeChange.ai logo white transparent

Data Processing Statement

WeChange.AI Data Processing Statement

1. Purpose and Scope

WeChange.AI processes customer data to deliver technology adoption, assessment, and support services. This statement applies to all customer engagements and covers the handling of personal data in accordance with UK GDPR and the Data Protection Act 2018.

2. Categories of Data Processed

WeChange.AI collects and processes limited personal data, all of which is optional and provided by the data subject. Categories include:

  • Name
  • Email address
  • Age and sex (these questions are optional and can be removed at the customer’s request; they are sometimes included to support specific organisational needs)
  • Technology use details
  • Time spent on activities
  • Suggestions for technology use or areas needing support
  • Accessibility needs (to help individuals and organisations)

All data is collected via customer-approved questionnaires and is used solely to support organisational improvement and individual enablement.

3. Lawful Basis and Data Minimisation

Data is processed on the basis of customer contract and legitimate interests, with explicit consent where required. Only data necessary for service delivery is collected and processed. Data submissions are always optional, and customers may choose which questions to include or exclude.

4. Data Sharing and Access

Customer data is only accessible to:

  • The customer organisation
  • WeChange.AI staff and contractors who need access to support the customer

No data is shared with third parties except where required by law or with explicit customer consent. Subcontractors are bound by equivalent confidentiality and data protection obligations.

5. Security and Storage

Data is stored securely using Microsoft cloud services, with encryption at rest and in transit. Access is restricted to authorised personnel only. No paper copies are retained; any incidental hard copies are destroyed immediately as confidential waste.

6. Retention and Deletion

  • Personal information is retained for three years from the date of collection, to provide services and comply with legal obligations.
  • Anonymised data, which cannot be used to identify individuals, is retained permanently to help improve services and conduct research.
  • Customers can request access to their data at any time and may also request the deletion of their data.
  • These requests will be honoured promptly, in line with UK GDPR requirements. If you have any questions about our data retention practices, please contact us.

7. Data Subject Rights

Individuals may exercise their rights under UK GDPR, including access, rectification, erasure, and objection. Requests should be directed to the customer organisation or WeChange.AI via the contact details in the privacy statement.

8. Data Protection Impact Assessment (DPIA)

A DPIA is conducted for all new services or significant changes to processing activities, in line with ICO guidance. WeChange.AI provide customers with a templated DPIA based on the work with other customers, this is shared as part of customer onboarding and available on the Customer Teams site.

9. Transparency and Complaints

WeChange.AI is committed to transparency in data processing. Individuals may raise concerns or complaints about data handling directly with WeChange.AI or the customer organisation. Further details are available in the privacy statement.