Privacy Policy

Last updated: 6 April 2026

1. Who We Are

Wellness House Collective (“we”, “us”, “our”) is a United Kingdom-based company that operates a recruitment platform connecting spa and wellness professionals (“Talent”) with luxury hotel and spa employers (“Employers”). Our platform is available at talent.wellnesshousecollective.co.uk.

We are the data controller for the personal data processed through our platform. If you have any questions about how we handle your data, you can reach us at:

2. What Data We Collect

We collect and process the following categories of personal data:

Account Information

  • Full name, email address, and password (encrypted)
  • Account role (Talent or Employer)
  • Authentication tokens and session data

Profile Data

For Talent users:

  • Professional headline, biography, and current job title
  • Location, right to work status, and willingness to relocate
  • Treatment skills, business skills, and proficiency levels
  • Qualifications, certifications, and expiry dates
  • Product house and hotel brand experience
  • Systems knowledge (booking systems, POS, etc.)
  • Day rate expectations, availability dates, and employment type preferences
  • Transport method, commute preferences, shift preferences, and location preferences
  • Accommodation requirements
  • Insurance status and uploaded insurance documents
  • CV, certificates, and profile photographs
  • Languages spoken

For Employer users:

  • Company name, property name, and company type
  • Location, postcode, and contact details
  • Product houses used and systems in use
  • Job listings including role requirements, salary ranges, and descriptions

Usage Data

  • Pages visited, features used, and time spent on the platform
  • Swipe actions, job applications, and match interactions
  • Messages sent and received between users
  • Search queries and filter selections

Cookies and Technical Data

  • IP address, browser type, device type, and operating system
  • Referring URLs and page navigation paths
  • Authentication cookies and session identifiers

3. How We Use Your Data

We use your personal data for the following purposes:

Matching and Recruitment

  • Running our matching algorithm to connect Talent with suitable job listings based on skills, qualifications, experience, location preferences, and other profile data
  • Generating match scores, match explanations, and ranked candidate lists for Employers
  • Powering the swipe-to-match feature and job recommendations

Communication

  • Facilitating messages between Talent and Employers
  • Sending transactional emails (account verification, password resets, application confirmations)
  • Sending platform updates and new role notifications (with your consent)

Payments

  • Processing subscription payments, featured listing purchases, and agency booking commissions
  • Generating invoices and managing billing records

Platform Improvement and Analytics

  • Analysing usage patterns to improve matching accuracy and user experience
  • Monitoring platform performance and diagnosing technical issues
  • Generating anonymised, aggregated statistics about platform usage

Safety and Compliance

  • Verifying professional qualifications and insurance status
  • Preventing fraud, abuse, and unauthorised access
  • Complying with legal obligations

4. Legal Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we process your data on the following legal bases:

  • Contract: Processing necessary to fulfil our contract with you — for example, creating your account, running the matching algorithm, facilitating applications, and processing payments.
  • Consent: Where you have given us specific consent — for example, receiving marketing emails, allowing your profile to appear in Employer search results, or uploading optional documents such as photographs.
  • Legitimate interest: Processing necessary for our legitimate business interests, provided these do not override your rights — for example, improving our matching algorithm, preventing fraud, and analysing platform usage. We carry out a balancing test for each legitimate interest to ensure your rights are protected.
  • Legal obligation: Where we are required by law to process your data — for example, maintaining financial records for tax purposes or responding to lawful data access requests.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy. Our standard retention periods are:

  • Profile data: Retained until you delete your account. You may request account deletion at any time.
  • Messages: Retained for 2 years from the date sent, then permanently deleted.
  • Analytics and usage data: Retained in identifiable form for 1 year, then anonymised for aggregate reporting.
  • Payment records: Retained for 7 years as required by UK tax law (HMRC).
  • Application and match history: Retained for 2 years after the relevant job listing closes.
  • Authentication logs: Retained for 6 months for security purposes.

When your data is no longer required, it is securely deleted or irreversibly anonymised.

6. Third-Party Processors

We use the following third-party services to operate our platform. Each processor has been selected for its security standards and compliance with data protection law:

  • Supabase (database and authentication) — Stores user accounts, profile data, job listings, messages, and application records. Supabase applies row-level security policies and encrypts data at rest and in transit. Data is hosted in the EU.
  • Stripe (payment processing) — Processes subscription payments and one-off purchases, and manages billing. Stripe is PCI DSS Level 1 certified and processes data in accordance with its privacy policy.
  • Resend (transactional email) — Sends account verification emails, password resets, application confirmations, and platform notifications. Email addresses and message content are processed in accordance with their privacy policy.
  • Netlify (hosting and deployment) — Hosts and serves the platform. Netlify processes server logs including IP addresses, request paths, and user agents. Data may be processed in the United States under Standard Contractual Clauses.

We do not sell your personal data to any third party. We do not share your data with third parties for their own marketing purposes.

7. Cookies

Our platform uses cookies and similar technologies. Here is what we set and why:

Strictly Necessary Cookies

These cookies are essential for the platform to function and cannot be switched off.

  • sb-*-auth-token — Supabase authentication session cookie. Keeps you logged in securely. Expires when you log out or after 7 days of inactivity.
  • sb-*-auth-token-code-verifier — Used during the authentication flow (PKCE). Temporary, deleted after login completes.

Functional Cookies

  • theme / user-preferences — Stores your display preferences (if applicable). Persistent, expires after 1 year.

Analytics Cookies

We do not currently use third-party analytics cookies (such as Google Analytics). If this changes, we will update this policy and request your consent before setting any analytics cookies.

Third-Party Cookies

  • Stripe may set cookies when you interact with payment forms, for fraud prevention and PCI compliance. These are governed by Stripe's own cookie policy.

You can manage cookies through your browser settings. Disabling strictly necessary cookies may prevent you from using the platform.

8. Your Rights Under GDPR

Under the UK GDPR, you have the following rights regarding your personal data:

  • Right of access: You can request a copy of all personal data we hold about you.
  • Right to rectification: You can ask us to correct any inaccurate or incomplete data. You can also update most profile data directly through the platform.
  • Right to erasure (“right to be forgotten”): You can request that we delete your personal data. We will comply unless we have a legal obligation to retain it.
  • Right to data portability: You can request your data in a structured, commonly used, machine-readable format (JSON or CSV) so that you can transfer it to another service.
  • Right to restrict processing: You can ask us to limit how we use your data in certain circumstances, for example while we investigate a complaint.
  • Right to object: You can object to processing based on legitimate interest. We will stop processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where we process your data based on consent, you can withdraw that consent at any time. This does not affect the lawfulness of processing carried out before withdrawal.
  • Right not to be subject to automated decision-making: Our matching algorithm generates scores and rankings to assist recruitment decisions, but no hiring decision is made solely by automated means. Employers review all matches before taking action.

We will respond to all data rights requests within one calendar month, as required by law. In complex cases, we may extend this by a further two months, and will inform you if so.

9. How to Make a Data Subject Request

To exercise any of your rights, please contact us at:

Please include your full name and the email address associated with your account so we can verify your identity. We may ask for additional verification before processing your request.

You may also delete your account directly through the platform settings, which will trigger deletion of your profile data in accordance with the retention periods described above.

10. Data Protection Officer

Our Data Protection Officer can be contacted at:

If you are unsatisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. International Data Transfers

Your data is primarily processed within the United Kingdom and European Economic Area. Where data is transferred outside the UK/EEA (for example, to service providers based in the United States), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use EU/UK-approved Standard Contractual Clauses with processors that transfer data outside the UK/EEA.
  • Adequacy decisions: Where applicable, we rely on UK adequacy decisions recognising that the destination country provides an adequate level of data protection.

You may request a copy of the safeguards we use by contacting us at the email address above.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify registered users by email if the changes significantly affect how we process personal data
  • Where required, seek fresh consent before applying new processing activities

We encourage you to review this policy periodically. Your continued use of the platform after changes are published constitutes acceptance of the updated policy.