Data Practices

How we protect your team's wellbeing data while delivering powerful insights

Last updated: September 26, 2025

TL;DR (Short Version)

  • We analyze group patterns only; managers never see individual responses
  • Minimum-group thresholds (default: 5+) prevent singling anyone out
  • No medical diagnoses are collected; we do not require PHI for the assessment
  • Data is encrypted in transit and at rest; access is role-based and logged
  • We align our controls to HIPAA Security Rule safeguards and can sign a BAA where appropriate
  • You can request export or deletion of your data anytime: privacy@zenworkspace.ai

1 What We Collect

Account & coordination data (for the sponsoring org or team lead):

  • Name, work email, company, role, optional phone

Assessment data (from team members):

  • Answers about work experience (e.g., workload balance, clarity, psychological safety)
  • Optional open-ended comments
  • We do not ask for diagnoses, treatment details, or other clinical records

Operational data (product analytics):

  • Basic device/browser info, page views, and session events to keep things running smoothly
  • We avoid unnecessary tracking and never sell data

PHI: Our assessment is designed to operate without Protected Health Information. If a customer relationship requires PHI handling, we operate under a Business Associate Agreement (BAA) and apply HIPAA-aligned safeguards.

2 Anonymity & Reporting Safeguards

To keep people safe and candid:

  • Minimum respondents: Metrics are only shown when a group has ≥ 5 responses
  • No small slices: We suppress sub-groups (e.g., by role or tenure) if any slice falls < 5
  • Aggregation by design: Managers see team-level scores and trends (e.g., Team Energy Index, Burnout Risk, Presenteeism, Quiet Quitting), not raw answers
  • Comment protection: Free-text comments may be redacted for names or identifiers before any summary is shared
  • Therapist review: Licensed clinicians review patterns and phrasing to avoid accidental re-identification in summaries
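As an added illustration of the threshold rules above (example code, not ZenWorkspace's own implementation): a small Python routine that applies the ≥ 5 minimum to the team total and withholds an entire breakdown when any slice falls below it. The sample responses and the field names are constructed.

```python
from collections import defaultdict

MIN_RESPONDENTS = 5  # the page's default threshold; assumed configurable per customer

# Constructed sample: one dict per respondent, score on a 1-5 scale.
# No respondent identity is part of the record handed to reporting.
SAMPLE_RESPONSES = [
    {"role": "engineer", "tenure": "<1y", "score": 4},
    {"role": "engineer", "tenure": "<1y", "score": 3},
    {"role": "engineer", "tenure": "<1y", "score": 5},
    {"role": "engineer", "tenure": "<1y", "score": 4},
    {"role": "engineer", "tenure": "1y+", "score": 2},
    {"role": "engineer", "tenure": "1y+", "score": 4},
    {"role": "designer", "tenure": "<1y", "score": 3},
    {"role": "designer", "tenure": "<1y", "score": 4},
    {"role": "designer", "tenure": "<1y", "score": 4},
    {"role": "designer", "tenure": "<1y", "score": 5},
    {"role": "designer", "tenure": "1y+", "score": 3},
]

def _mean(scores):
    return round(sum(scores) / len(scores), 2)

def team_summary(responses, min_n=MIN_RESPONDENTS):
    """Team-level mean, or None when the group is too small to show at all."""
    if len(responses) < min_n:
        return None
    return _mean([r["score"] for r in responses])

def slice_summary(responses, dimension, min_n=MIN_RESPONDENTS):
    """Break the team down by one attribute (e.g. 'role').
    If ANY slice is below min_n the whole breakdown is withheld, not just the
    small slice: showing the large slices beside the team total would let a
    reader subtract them and recover the small one."""
    groups = defaultdict(list)
    for r in responses:
        groups[r[dimension]].append(r["score"])
    if any(len(s) < min_n for s in groups.values()):
        return None
    return {name: _mean(s) for name, s in groups.items()}

def build_report(responses, dimensions, min_n=MIN_RESPONDENTS):
    """What a manager receives: aggregates only, with suppression marked."""
    team = team_summary(responses, min_n)
    if team is None:
        return {"team": "suppressed (fewer than %d responses)" % min_n, "breakdowns": {}}
    breakdowns = {}
    for dim in dimensions:
        summary = slice_summary(responses, dim, min_n)
        breakdowns[dim] = summary if summary is not None else \
            "suppressed (a slice has fewer than %d responses)" % min_n
    return {"team": team, "breakdowns": breakdowns}
```

With the sample above, the breakdown by role is shown (6 and 5 respondents) while the breakdown by tenure is withheld because the "1y+" slice holds only 3.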

3 HIPAA-Aligned Safeguards

We align our program to the HIPAA Security Rule (administrative, physical, technical safeguards):

  • Encryption: TLS in transit; AES-256 at rest
  • Access control: Role-based access (RBAC), least privilege, SSO for internal tools, session timeouts
  • Audit logging: Access and administrative actions are logged and reviewed
  • Hardening & backups: Hardened cloud environment, regular backups, separated environments
  • Vendor diligence: Sub-processors are vetted for security posture and contractual protections
  • Policies & training: Security, privacy, and incident response policies; staff training and confidentiality agreements

Important: ZenWorkspace is not itself a covered entity. When we serve covered entities as a Business Associate, we can execute a BAA and apply the stricter controls that agreement requires. During the pilot, the assessment does not require PHI.

4 Where Data Lives & Who Can Access It

Data Storage & Access:

  • Hosting: Reputable cloud providers (primarily U.S. regions)
  • Internal access: Limited to personnel who need it (e.g., assigned therapist reviewers and platform engineers)
  • Customer access: Managers and HR sponsors see aggregated findings only

Third parties:

  • Email & notifications (e.g., transactional email provider)
  • Product analytics (limited, privacy-aware)
  • Payment processor (when you pay later; we don't store card numbers)

We maintain a current list of sub-processors and provide it upon request.

5 Reports & Links

  • Unique links: Assessment summaries are shared as unique, access-controlled URLs
  • Link hygiene: Links can be rotated or revoked on request
  • No login required (pilot): During the pilot, we keep the access flow simple while preserving link security

6 Retention & Deletion

  • Default retention: 12 months after your engagement ends (for longitudinal benchmarks), unless your contract specifies otherwise
  • Deletion: You can request deletion of identifiable data at any time; we retain only fully anonymized aggregates for research and quality improvement, if permitted
  • Exports: We'll provide an export of your organization's aggregated results on request
  • Contact: privacy@zenworkspace.ai

7 Your Choices & Rights

  • Access/Correction/Deletion: Email privacy@zenworkspace.ai with your request
  • Opt-out of marketing: Click "unsubscribe" in any non-transactional email
  • Cookies/analytics: You can block analytics cookies in your browser; core features will continue to work

If your organization requires a DPA or BAA, let us know at security@zenworkspace.ai.

8 Incident Response

We monitor for security events and follow a documented incident response plan. In the event of a material incident affecting your data, we will notify the customer promptly and cooperate on any required regulatory notices.

9 Changes to This Page

We may update these practices as the product evolves. Material changes will be posted here with a new "Last updated" date, and we'll notify customers when appropriate.

📧 Contact