Privacy Policy

Version 1.0 — October 2025

1. Introduction

This Privacy Policy is between FabricShift Ltd. (“FS”) and you, the individual user (“User”) of our online platform, HabiTrack™ (“Platform”).

FS respects your privacy and is committed to protecting your personal data. We define “personal data” according to the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation 2016/679 (EU GDPR) as information relating to natural persons who:

FS wants to help you reach your goals and build positive work-related habits while providing you the best possible experience. To do this, we need to understand how you use and interact with the Platform, so we can deliver a service that is personalised and relevant to you. This is done by collecting and processing personal data from you, as detailed below.

Your privacy and the security of your personal data are of the utmost importance to us. This Privacy Policy explains how and why we gather, store, share and use your personal data.

Occasionally, changes in law or the addition of new features mean we revise this Privacy Policy. Whenever this happens, you will be informed when you next log in to the Platform. The date of the latest update will always be displayed at the top of the Privacy Policy.

Please be aware that we are not responsible for the privacy policies of other websites or applications to which links are included in the Platform.

2. Our Products & Services

This Privacy Policy refers to data collected strictly for FS products and services that are accessible via the HabiTrack™ Platform. While FS offers further products and services (separate to the Platform) that may require use of personal data, FS’s practices and policies surrounding this data are governed by a business-to-business (“B2B”) licence agreement between your employer and FS.

Your use of products and services within the Platform is administered by your employer pursuant to the B2B licence agreement. According to this agreement, your employer is the controller of your personal data, while FS is the processor, and you (the employee) are a data subject. These definitions are set out in the GDPR as follows:

As processor of your personal data, FS is not responsible for our B2B customers’ (including your employer’s) policies and practices surrounding data privacy and security. While FS is also not responsible for responding to requests concerning the personal data we process on behalf of our B2B customers, we will endeavour to respond to any requests from data subjects in the interest of transparency.

For any personal data where FS acts as an independent controller (for example, Platform diagnostics/telemetry or our public website), FS will handle that data in accordance with this Privacy Policy and applicable law. (This does not change your employer’s role as controller for HabiTrack usage data.)

Your employer retains full responsibility for responding to requests regarding personal data processed through the Platform. We encourage you to refer to your employer’s privacy policy.

3. What Data is Collected?

FS only stores personal data that is strictly necessary for operation of the HabiTrack™ Platform. We also collect data on how you interact with Platform functionality to optimise your experience and to provide reports to authorised administrators at your organisation. These reports are based on aggregated data, meaning no individuals are personally identifiable (except where your organisation enables features designed to show identifiable activity, such as endorsements or leaderboards).

To set up your profile within the Platform, we store basic employee data from your employer’s HR system(s). This includes information such as employee ID number, name, surname, corporate email, job title, department, region, and hours worked. (If your employer provides additional fields, those may also be processed as configured by your employer.)

For the Platform to operate effectively, FS collects technical data related to the device and/or browser you are using (see the Cookies and Technical Data section below for more details).

FS also stores data created as users interact with the Platform. This includes user activity within the Platform, such as any data, content, other materials that a user uploads, submits or otherwise transmits to or through the Platform, as well as habit check-ins, streaks, endorsements, and leaderboard participation.

When analysing usage of the Platform, FS will process certain data for profiling. Profiling means that we process your personal data to analyse or predict aspects of your use of the Platform and your engagement with its features. The data we process includes user habits and actions taken by you—for example, when you take actions on the Platform, move between screens and press buttons. We do this profiling to monitor engagement with different features, to explore ways to make the Platform more effective, and to vary features or content to better match your usage patterns and preferences.

If you have any questions on the type of Platform data we collect, please contact info@fabricshift.com.

4. Why is Data Collected?

We only collect personal data where we have a lawful basis to do so under the UK GDPR and, where applicable, the EU GDPR. Our purposes for collecting personal data are as follows:

We do not use your personal data for third-party marketing purposes.

5. How is Data Collected?

There are two sources through which we collect data associated with users of the Platform:

6. Where is Data Stored?

FS stores personal data on Amazon Web Services (AWS). We store and process data in the UK. Your employer and FS agree that data may be held by AWS on behalf of FS; AWS acts as our sub-processor under a data processing agreement.

Where personal data needs to be transferred between regions or outside the UK/EEA, this is done in accordance with the B2B licence agreement and in compliance with applicable transfer rules (e.g., UK International Data Transfer Addendum or EU Standard Contractual Clauses, plus transfer risk assessments, as required by law).

7. Disclosures of Personal Data

It is important to note, FS does not act as the controller for personal data processed in relation to Platform users. FS acts as the processor on behalf of your employer, which means disclosures and international transfers are governed by your employer’s instructions and the B2B licence/data processing agreement between your employer and FS. (For limited purposes such as service diagnostics/telemetry or our public website, FS may act as an independent controller—this does not change your employer’s role as controller for HabiTrack usage data.)

Our agreement with your employer means we will not disclose to them any personally identifiable confidential information that they do not already hold within their HR systems, except where the feature is designed to be visible (for example, your public profile, comments/endorsements, or leaderboard entries) or where your organisation has explicitly enabled visibility. To protect your privacy, reports provided to your employer are based on aggregated or de-identified data.

By “confidential information” within the Platform, we mean data you provide in a non-public setting (for example, mood or pulse question responses, private goal tracking). Information you choose to post in public or shared spaces (such as endorsements or leaderboards) is not treated as confidential. While aggregated insights from surveys, evaluations or programme progress may be reported to your employer, the individual data points are not shared unless your organisation has enabled a feature that intentionally displays them, in which case you will be informed within that feature.

The Platform relies on several microservices and third-party providers to operate and keep the Platform secure. For the purposes set out in this Privacy Policy, FS shares your personal data with these sub-processors, who process your information on behalf of FS and strictly for those purposes. We require appropriate contractual and technical safeguards (including confidentiality, security, and—where relevant—SCCs/UK IDTA for international transfers).

In the event of a merger, divestiture, restructuring, reorganisation, dissolution, sale, or other transfer of some or all of our assets, we may transfer your personal data to the relevant transferee. We will use reasonable efforts to ensure the transferee uses your personal data consistently with this Privacy Policy.

If required by law, or to protect our legitimate or legal interests, FS may disclose personal data to third parties such as governmental authorities or law enforcement. Where legally permitted, we will notify your employer (as controller) of such requests and handle them in accordance with our agreement with your employer.

8. For How Long Does FS Store Personal Data?

FS operates a data retention process (agreed with your employer and compliant with applicable law) under which we delete or anonymise personal data whenever:

Before we remove personal data from our systems, we may convert certain datasets into aggregated or anonymised form for internal analytics, research and product improvement. This information does not identify you.

In some cases, we may retain limited information for a short period to comply with legal, regulatory or contractual obligations (e.g., records needed for security or audit). Personal data deleted from active systems may remain in backups for a limited time before being overwritten in line with our backup retention schedules.

9. Anonymous Data

Any data we classify as “anonymous” is determined in accordance with Recital 26 of the GDPR (and the equivalent standard under the UK GDPR). Once anonymised, the information does not relate to an identified or identifiable natural person. We take steps to ensure that individuals are not reasonably likely to be re-identified, including where additional information may become available.

FS anonymises data so that we can retain it for research purposes and to improve our products and services offered within the Platform. We take a number of steps to anonymise, including:

Anonymised data is no longer personal data. FS may retain anonymised datasets to analyse usage trends and improve HabiTrack without identifying any individual.

10. Who Has Access to the Data?

As your employer is the controller of the data, rights to access are governed by your employer–employee agreement. The exception is data you provide to FS in a non-public setting (for example, Evaluation Module responses, private habit logs, or personal notes). Your employer will only access this information in aggregated or de-identified form. Information you choose to share in public or shared features (such as your profile, endorsements/comments, or leaderboards) may be visible to others in your organisation by design.

For internal access within FS, data access is segregated between the FS technology team and the FS data team. The technology team is responsible for Platform operation. The data team is responsible for customer reporting and analytics.

Once the data required for Platform operation has been transferred into HabiTrack, day-to-day operational access sits with the technology team. Access within FS is restricted on a need-to-know basis.

11. Personal Data and Your Rights

As FS is the processor of your personal data, your employer (the data controller) retains legal responsibility when you choose to exercise your rights under data protection laws. The following requests should be directed to your employer:

You may also have rights to restrict processing, data portability, object to certain processing (for example, where based on legitimate interests), and to withdraw consent where consent is used. Your employer’s privacy policy will explain how to exercise these rights.

The policy regarding timeframes and any charges associated with these requests will be set out in your employer’s privacy policy.

While the legal responsibility lies with your employer, FS will assist your employer in handling requests and is happy to address any concerns you may have about your rights and personal data. Please submit your enquiries to info@fabricshift.com.

12. Cookies

The Platform uses cookies (and similar technologies) in order to function properly. A cookie is a small text file created by the websites and apps you visit and may contain information that helps recognise you as a user and remember your preferences. These files are stored on your device and can, among other things, keep you signed in. Information from cookies may be used to improve the user experience and/or the Platform.

We use both session cookies (which expire once you close your web browser) and persistent cookies (which stay on your device for a set period of time or until you delete them).

Where required by law, we will ask for your consent before setting any non-essential cookies (for example, analytics or performance cookies). Strictly necessary cookies that are required for the Platform to work will be set without consent.

You can manage your cookie choices at any time using your browser settings and, where provided, the Platform’s cookie controls. You can also delete cookies that have been previously stored. Please refer to your browser’s help section for instructions. If you choose not to accept certain cookies, you can still use the Platform, but some functionality may be limited.

13. Data Security

The security and integrity of your personal data are important to us. FS maintains an information security management approach aligned with ISO/IEC 27001 and uses accepted industry standards, technologies and procedures (including encryption in transit and at rest, access controls, logging and monitoring) to help prevent the loss, misuse or unauthorised disclosure of your personal data. Although we do our best to protect your data, no system is 100% secure. Despite our best efforts, there is always a risk of unauthorised access to your personal data. By using the Platform, you accept this risk.

Internal access is segregated between necessary departments within FS and restricted only to personnel who need it, with protections such as multi-factor authentication. We only process personal data under the instructions of your employer, set out in the B2B licence agreement. We have processes to identify data breaches and will inform your employer and the applicable regulator when legally required to do so.

FS will set all users up with a username for passwordless login (or your organisation may enable single sign-on (SSO)). If you are having issues logging in, please use the in-app reset option or contact info@fabricshift.com.

To minimise the risk of unauthorised access, you should also limit access to your device and/or browser and log out after using the Platform.

Note that the privacy policies of external content or websites linked from within the Platform may differ from those of FS and your employer.

14. Contact Details

For questions or concerns regarding this Privacy Policy, please contact us at:
Email: info@fabricshift.com
Address: Edmund House, 12-22 Newhall Street, Birmingham, England, B3 3AS
Phone: +44 0203 150 0000

Our support desk is operational 24/7 and we are always happy to hear from you. For unresolved concerns or legal issues, please contact your employer.