Privacy policy

Last updated: May 22, 2026

1. Introduction & Scope

WORK-SELF Ltd ("WORK-SELF", "we", "us", or "our"), registered in England and Wales, operates the WORK-SELF platform, the SELFWARE product suite, the Maya AI Career Companion, and associated websites, applications, APIs, and physical products (collectively, the "Services"). Our registered address is 138 Liverpool Road, London, N1 1LA, United Kingdom.

This Privacy Policy explains how we collect, use, store, share, and protect personal information across two distinct categories of users:

  • Consumers: individuals who access the Services for personal career development purposes; and

  • Enterprise Customers and their Authorised Users: businesses, organisations, and their employees or contractors who access the Services under a commercial agreement.

Where the Services are hosted on Shopify's infrastructure, Shopify acts as a technology provider and may independently process certain personal information as described in Section 13 below.

This Privacy Policy should be read alongside our Terms & Conditions. In the event of a conflict between this Privacy Policy and our Terms & Conditions with respect to the collection, processing, or disclosure of personal information, this Privacy Policy controls.

By using or accessing any of our Services, you confirm that you have read and understood this Privacy Policy. If you do not agree to the practices described, please discontinue your use of the Services.


2. Data Controller & Data Processor Status

2.1 Consumer Services

For personal information processed in connection with Consumer Services, WORK-SELF acts as the data controller, determining the purposes and means of processing.

2.2 Enterprise Services

Where WORK-SELF processes personal data on behalf of an Enterprise Customer (for example, personal data relating to the Customer's employees, contractors, or other end users), the Enterprise Customer acts as the data controller and WORK-SELF acts as the data processor. In such circumstances, WORK-SELF processes personal data only in accordance with the Enterprise Customer's documented instructions and the terms of a Data Processing Agreement (DPA) executed between the parties.

Enterprise Customers wishing to enter into a DPA should contact: legal@work-self.com. Our standard DPA incorporates the UK International Data Transfer Agreement (IDTA) and EU Standard Contractual Clauses (SCCs) where applicable.

2.3 Joint Controller Arrangements

In limited circumstances, WORK-SELF and an Enterprise Customer may act as joint controllers of certain personal data (for example, where both parties determine the purposes of processing for a shared analytics programme). Any joint controller arrangement will be set out in a written agreement between the parties specifying their respective responsibilities.


3. Personal Information We Collect

The personal information we collect depends on how you interact with us. We collect information across the following categories:

3.1 Information Collected from All Users

  • Contact details: name, email address, postal address, telephone number.

  • Account information: username, password (hashed), security preferences, notification settings.

  • Device and technical information: IP address, browser type and version, operating system, device identifiers, time zone, and referring URLs.

  • Usage information: pages visited, features used, session duration, click-stream data, and interaction with in-platform tools.

  • Communications: content of messages sent to us via support, email, or in-platform chat, including any personal information you choose to include.

  • Financial information (consumer purchases): payment card type and last four digits, billing address, and transaction history. Full payment card data is processed directly by Stripe, Inc. and is not stored by WORK-SELF.

3.2 Additional Information Collected from Consumer Platform Users

  • Career Audit responses: answers to the 49-question Career Audit, including professional background, career aspirations, values, motivators, and personal goals.

  • AI interaction data: prompts, queries, and responses exchanged with Maya AI and other AI-powered tools within the platform.

  • Identity and career profile data: archetype mapping outputs, alignment scores, AI-generated career path recommendations, and Blueprint data.

  • Ritual and goal-tracking data: journal entries, habit tracking data, goal progress, and other content submitted to the platform's personal development tools.

  • Coaching session data: notes, session summaries, and progress records associated with coaching engagements (where applicable, with your consent).

  • Biometric and physiological indicator data: where you opt in to biometric-aware features (such as voice tonality analysis), we may process physiological indicator data. This constitutes special category data under UK GDPR Article 9 and is processed only with your explicit consent. You may withdraw consent at any time.

3.3 Additional Information Collected from Enterprise Customers

  • Organisation details: company name, registered address, company registration number, VAT number, and authorised representative details.

  • Billing and procurement contacts: name, email address, and telephone number of finance, legal, and procurement contacts.

  • Authorised User data: names and work email addresses of employees or contractors granted access to the platform under an enterprise licence.

  • Workforce data submitted by Enterprise Customers: aggregated or individual-level workforce information submitted for the purpose of Workforce Reinvention Assessments or talent analytics, subject to the applicable DPA.

  • API usage data: logs of API calls, endpoints accessed, payload metadata (not content), and rate-limit data, for security, billing, and performance purposes.

  • Contractual and correspondence records: Order Forms, Statements of Work, and communications relating to the commercial relationship.

3.4 Special Category Data

We may process special category personal data (as defined under UK GDPR Article 9) in the following limited circumstances:

  • Biometric and physiological indicator data: processed with explicit consent from individual users who opt in to biometric-aware platform features.

  • Mental health and wellbeing indicators: where users voluntarily disclose information relating to mental health or wellbeing through the platform's career and personal development tools, this is processed on the basis of explicit consent.

  • Data revealing racial or ethnic origin, beliefs, or other protected characteristics: we do not intentionally collect this data. Where an Enterprise Customer's Workforce Assessment data incidentally includes such information, it is processed pursuant to the DPA and applicable employment law exemptions.

We will never use special category data for automated decision-making that produces legal or similarly significant effects without human oversight and, where required, your explicit consent.


4. How We Collect Personal Information

We collect personal information from the following sources:

  • Directly from you: when you create an account, complete the Career Audit, interact with Maya AI, purchase a product or subscription, contact our support team, or correspond with us.

  • Automatically through the Services: via cookies, pixels, log files, and similar tracking technologies when you visit our websites or use our applications. See Section 11 for our Cookie Policy.

  • From Enterprise Customers: when an Enterprise Customer provides us with data relating to its Authorised Users or workforce for the purpose of delivering Enterprise Services, subject to the applicable DPA.

  • From our service providers: including payment processors (Stripe), cloud infrastructure providers (Supabase), AI infrastructure providers (OpenAI), and analytics providers.

  • From third-party integrations: where you connect third-party tools (such as HRIS platforms, LinkedIn, or calendar applications) to the Services, we may receive data from those platforms in accordance with your authorisation.

  • From publicly available sources: for enterprise sales and partnership activities, we may collect professional information about business contacts from public professional directories, LinkedIn, or company websites.


5. How We Use Personal Information

We process personal information on the following lawful bases under UK GDPR: (a) performance of a contract; (b) legitimate interests; (c) compliance with a legal obligation; or (d) explicit consent. The applicable basis is noted for each purpose below.

5.1 Consumer Purposes

Service Delivery: To provide you with access to the platform, Career Audit, Maya AI, coaching tools, ritual features, and any physical products you purchase. Basis: Contract.

Personalisation: To tailor AI recommendations, career paths, and content to your profile, goals, and behaviour on the platform. Basis: Contract; Legitimate Interests.

AI Model Operation: To generate responses from Maya AI and other AI tools using your inputs and profile data, and to maintain conversation context. Basis: Contract.

Account Management: To create, manage, and secure your account, process payments, and fulfil orders. Basis: Contract.

Communications: To send you transactional emails (account notices, order confirmations, security alerts) and, with your consent, marketing communications. Basis: Contract (transactional); Consent (marketing).

Coaching Coordination: To match you with coaches, share relevant profile information with your selected coach (with your consent), and facilitate coaching session administration. Basis: Consent; Contract.

Safety and Fraud Prevention: To detect and prevent fraudulent, illegal, or harmful activity on the platform. Basis: Legitimate Interests; Legal Obligation.

Product Improvement: To analyse usage patterns and improve the Services, using anonymised or aggregated data wherever possible. Basis: Legitimate Interests.

Legal Compliance: To comply with applicable laws, respond to legal process, and enforce our Terms. Basis: Legal Obligation; Legitimate Interests.

5.2 Enterprise Customer Purposes

Enterprise Service Delivery: To provision and operate Enterprise Services including workforce assessments, API access, CHRO analytics dashboards, and Authorised User accounts, in accordance with the applicable Order Form and DPA. Basis: Contract.

Workforce Reinvention Intelligence: To process workforce data submitted by Enterprise Customers to generate Workforce Reinvention Assessments, talent intelligence reports, and related analytics outputs. Processing is strictly as a data processor under the DPA. Basis: Contract (as processor).

Account and Licence Management: To manage enterprise accounts, track Authorised User seat counts, process invoices, and administer the commercial relationship. Basis: Contract; Legitimate Interests.

Security and Access Control: To authenticate Authorised Users (including via SSO), enforce role-based access controls, log access events, and investigate security incidents. Basis: Contract; Legitimate Interests; Legal Obligation.

API Monitoring: To monitor API usage for billing, rate-limiting, performance optimisation, and abuse prevention. Basis: Contract; Legitimate Interests.

Enterprise Communications: To communicate with enterprise contacts regarding account matters, contract renewals, product updates, and support. Basis: Contract; Legitimate Interests.

Compliance and Audit: To maintain records of enterprise data processing activities as required by UK GDPR Article 30 and to respond to regulatory enquiries. Basis: Legal Obligation.

5.3 AI Training — Important Disclosure

WORK-SELF uses anonymised and aggregated platform usage data to improve its AI models and product features. We will not use identifiable Customer Data submitted by Enterprise Customers, or identifiable personal information from individual Consumer users, to train AI models that are made available to third parties, without explicit written consent. Enterprise Customers may opt out of all AI improvement processing by including a specific restriction in their DPA.


6. How We Share Personal Information

We do not sell your personal information. We may share personal information in the following circumstances:

6.1 Service Providers

We share personal information with trusted third-party service providers who process it on our behalf to enable us to operate the Services. These include:

  • Payment processing: Stripe, Inc. (PCI DSS compliant).

  • Cloud infrastructure and database: Supabase, Inc.

  • AI infrastructure: OpenAI, LLC (for language model inference; data is processed under our API agreement with OpenAI and subject to data processing terms).

  • Email and communications: third-party email service providers used for transactional and marketing communications.

  • Analytics: third-party web and product analytics platforms.

  • eCommerce infrastructure: Shopify Inc. (see Section 13).

  • Customer support: CRM and helpdesk platforms used to manage support interactions.

All service providers are subject to data processing agreements requiring them to process personal information only on our instructions, with appropriate security measures, and in compliance with applicable data protection law.

6.2 Enterprise Customer Disclosures

Where we process personal data as a data processor on behalf of an Enterprise Customer, we disclose that data only as directed by the Enterprise Customer or as required by law, in accordance with the DPA. We do not share Enterprise Customer workforce data with other Enterprise Customers or with any third parties other than authorised sub-processors listed in the DPA.

6.3 Coaches

Where you engage with a coach through the platform, we share relevant profile information (including Career Audit results and progress data) with your selected coach. This sharing is subject to your consent, which you may withdraw at any time by contacting support@work-self.com. Coaches are bound by confidentiality obligations and applicable professional standards.

6.4 Business Partners & Marketing

We may share limited contact information with business and marketing partners for co-marketing activities, where you have consented to receive such communications. You have the right to opt out at any time. We do not share your personal information with third parties for their own independent marketing purposes without your explicit consent.

6.5 Corporate Transactions

In the event of a merger, acquisition, reorganisation, or sale of all or substantially all of our assets, personal information may be transferred to the relevant successor entity, subject to equivalent privacy protections. We will provide notice of such a transfer where required by law.

6.6 Legal & Regulatory Disclosures

We may disclose personal information where required to do so by law, court order, or regulatory authority, including to the Information Commissioner's Office (ICO) or other competent supervisory authorities, law enforcement agencies, or in connection with legal proceedings.

6.7 With Your Consent

We may share personal information for other purposes where you have given us explicit consent to do so. You may withdraw consent at any time without affecting the lawfulness of prior processing.


7. Sub-Processors (Enterprise Customers)

As a data processor, WORK-SELF engages the following categories of sub-processors to assist in delivering Enterprise Services:

  • Cloud infrastructure providers (hosting, storage, and compute).

  • AI inference providers (for language model processing).

  • Security and monitoring providers (for intrusion detection, logging, and incident response).

  • Payment and billing providers.

  • Communication and notification providers.

A current list of named sub-processors is maintained and made available to Enterprise Customers upon request and updated at least annually. Enterprise Customers will be notified of material changes to the sub-processor list in accordance with the DPA. Enterprise Customers who reasonably object to the addition of a new sub-processor may exercise their rights under the DPA, including termination rights where the objection cannot be resolved.


8. Retention of Personal Information

We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, and in accordance with our legal obligations. Our general retention principles are:

8.1 Consumer Data

  • Account and profile data: retained for the duration of your account, plus 3 years following account closure (to handle post-closure enquiries and legal claims).

  • Career Audit and AI interaction data: retained for the duration of your subscription, plus 2 years, or as otherwise specified in your account settings.

  • Payment records: retained for 7 years to comply with UK tax and accounting obligations.

  • Marketing consent records: retained for the duration of your consent, plus 3 years.

  • Support records: retained for 3 years following resolution of the support interaction.

8.2 Enterprise Customer Data

  • Customer Data processed as a data processor: retained in accordance with the DPA and the Enterprise Customer's documented instructions. Upon termination of the enterprise agreement, Customer Data will be made available for export for 30 days, after which it will be securely deleted or anonymised, unless longer retention is required by law.

  • Contractual and billing records: retained for 7 years following contract termination to comply with UK legal and regulatory requirements.

  • Security and access logs: retained for 12 months for security monitoring and incident investigation purposes.

8.3 Anonymised Data

Anonymised or aggregated data that cannot identify any individual or Enterprise Customer may be retained indefinitely and used for product improvement, research, and analytics purposes.


9. Security of Personal Information

WORK-SELF implements appropriate technical and organisational measures to protect personal information against unauthorised access, disclosure, alteration, loss, and destruction. Our security measures include:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest.

  • Role-based access controls restricting internal access to personal data on a need-to-know basis.

  • Multi-factor authentication for internal systems.

  • Regular security assessments, penetration testing, and vulnerability management.

  • Incident response procedures, including personal data breach notification processes compliant with UK GDPR Article 33.

  • Data minimisation and pseudonymisation where technically feasible.

Enterprise Customers are entitled to request a summary of WORK-SELF's security posture and any relevant security certifications (such as ISO 27001 or SOC 2) by contacting legal@work-self.com.

Please note that no security system is impenetrable. You are responsible for maintaining the security of your account credentials. We recommend using strong, unique passwords and enabling multi-factor authentication where available.


10. International Data Transfers

WORK-SELF is based in the United Kingdom. Some of our service providers and sub-processors are located outside the UK and European Economic Area (EEA), including in the United States. Where we transfer personal information to countries that have not been determined to provide an adequate level of data protection, we implement appropriate safeguards, including:

  • UK International Data Transfer Agreements (IDTAs) with relevant service providers.

  • EU Standard Contractual Clauses (SCCs), as applicable where personal data of EEA residents is processed.

  • Supplementary technical and organisational measures where required by applicable guidance.

Enterprise Customers may request a copy of the relevant transfer mechanisms applicable to the processing of their Customer Data by contacting legal@work-self.com.


11. Cookies & Tracking Technologies

We use cookies and similar tracking technologies on our websites and platform. Cookies are small text files stored on your device that help us recognise you and understand how you use the Services.

11.1 Types of Cookies We Use

Strictly Necessary: Essential for the operation of the Services, including authentication and security. Cannot be disabled.

Functional: Enable enhanced functionality and personalisation, such as remembering your preferences and settings.

Analytics: Help us understand how users interact with the Services so we can improve them (e.g. Google Analytics). Data is typically aggregated and anonymised.

Marketing: Used to deliver relevant advertising and track the effectiveness of marketing campaigns. Activated only with your consent.

11.2 Managing Cookies

You may control cookie preferences through our cookie consent banner on first visit, or by adjusting your browser settings to block or delete cookies. Please note that disabling certain cookies may affect the functionality of the Services. We honour the Global Privacy Control (GPC) signal where technically implemented.

Enterprise Customers accessing the platform via SSO or direct API integration may be subject to different cookie configurations, as set out in the applicable technical documentation.


12. Your Rights & Choices

Depending on where you reside, you may have the following rights with respect to your personal information. These rights are subject to applicable legal exemptions and limitations.

12.1 Rights Available to All Users (UK & EEA)

  • Right of Access (Article 15 UK GDPR): to request a copy of the personal information we hold about you.

  • Right to Rectification (Article 16): to request correction of inaccurate or incomplete personal information.

  • Right to Erasure (Article 17): to request deletion of your personal information, subject to legal retention requirements.

  • Right to Restriction of Processing (Article 18): to request that we limit our use of your personal information in certain circumstances.

  • Right to Data Portability (Article 20): to receive a copy of your personal information in a structured, machine-readable format, and to request transfer to a third party where technically feasible.

  • Right to Object (Article 21): to object to processing based on legitimate interests or for direct marketing purposes.

  • Right not to be subject to automated decision-making (Article 22): to request human review of any automated decision that produces legal or similarly significant effects.

  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

12.2 Exercising Your Rights

To exercise any of the above rights, please contact us at:

  • Email: privacy@work-self.com

  • Post: WORK-SELF Ltd, 138 Liverpool Road, London, N1 1LA, United Kingdom

We will respond to verified requests within one calendar month of receipt, and will not discriminate against you for exercising your rights. We may need to verify your identity before processing your request.

12.3 Authorised Agents

You may designate an authorised agent to submit requests on your behalf. We will require written confirmation of the agent's authority and may verify your identity directly before processing the request.

12.4 Enterprise Authorised User Rights

If you are an employee or contractor of an Enterprise Customer whose personal data WORK-SELF processes as a data processor, please direct your data subject rights requests to your employer (the Enterprise Customer, as data controller) in the first instance. We will cooperate with Enterprise Customers to facilitate responses to data subject requests as required by the DPA.

12.5 Marketing Preferences

You may opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email, or by contacting support@work-self.com. Opting out of marketing does not affect the receipt of transactional or service-related communications.


13. Relationship with Shopify

The WORK-SELF eCommerce store (shop.work-self.com) is hosted on Shopify's platform. Shopify independently collects and processes certain personal information relating to your use of the store in its capacity as a data processor and, in some cases, as an independent data controller. This includes processing for fraud prevention, payment infrastructure, and Shopify's own enhanced features (such as cross-merchant analytics).

For information about how Shopify processes your personal information and how to exercise rights in relation to Shopify-controlled processing, please visit: https://www.shopify.com/legal/privacy and the Shopify Privacy Portal at https://privacy.shopify.com/en.

Where Shopify processes your personal information outside the UK or EEA, it relies on appropriate transfer mechanisms as described in its privacy documentation.


14. Children's Data

The Services are intended for adults aged 18 and over. We do not knowingly collect personal information from individuals under the age of 18. If you are a parent or guardian and believe that a child has provided us with personal information, please contact us at privacy@work-self.com and we will take prompt steps to delete such information. As of the effective date of this Privacy Policy, we do not knowingly sell or share personal information of individuals under 16 years of age.


15. Third-Party Websites & Integrations

The Services may contain links to third-party websites, platforms, or integrations. This Privacy Policy does not apply to any third-party site or service. We are not responsible for the privacy practices or content of third parties, and we encourage you to review their privacy policies before providing any personal information. Our inclusion of any third-party link or integration does not constitute an endorsement of the third party.


16. Enterprise Data Processing Agreement

Enterprise Customers whose use of the Services involves WORK-SELF processing personal data on their behalf are required to execute a Data Processing Agreement (DPA) with WORK-SELF prior to or at the commencement of the Services. The DPA governs:

  • the subject matter, nature, and duration of the processing;

  • the type of personal data processed and the categories of data subjects;

  • WORK-SELF's obligations as a data processor (including security measures, sub-processor management, data subject rights assistance, breach notification, and deletion/return of data);

  • international transfer mechanisms;

  • audit and inspection rights; and

  • specific instructions regarding AI model training and data use restrictions.

To request a copy of WORK-SELF's standard DPA, or to negotiate a bespoke DPA for your organisation, please contact: legal@work-self.com.


17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or business operations. We will post the revised policy on this website and update the "Last Updated" date.

For material changes that significantly affect how we process personal information, we will provide at least 30 days' advance notice to Consumer users by email or prominent in-platform notification, and to Enterprise Customers in writing in accordance with the applicable DPA or commercial agreement. For non-material changes, continued use of the Services following posting of the revised policy constitutes acceptance.


18. Complaints & Supervisory Authority

If you have concerns or complaints about how we process your personal information, please contact us in the first instance at privacy@work-self.com. We will investigate and respond to complaints promptly and in accordance with applicable law.

If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority:

  • United Kingdom: Information Commissioner's Office (ICO) (www.ico.org.uk) 0303 123 1113.

  • European Economic Area: your local data protection supervisory authority. A list of EEA authorities is available at https://edpb.europa.eu.


19. Contact Us

For any questions, requests, or concerns relating to this Privacy Policy or our data practices, please contact us at:

  • Privacy enquiries: privacy@work-self.com

  • Legal & DPA matters: legal@work-self.com

  • General support: support@work-self.com

  • Orders & returns: orders@work-self.com

  • Post: WORK-SELF Ltd, 138 Liverpool Road, London, N1 1LA, United Kingdom

  • Website: www.work-self.com

As the data controller for Consumer Services, WORK-SELF Ltd is registered with the Information Commissioner's Office (ICO) under the Data Protection Act 2018.