Effective date: January 1, 2025
Our core privacy promise
Individual check-in data is never visible to your manager or employer. Managers only see anonymised, aggregated team data. We do not sell personal data. Ever.
Restemb operates the wellness platform at restemb.com. We act as a data processor on behalf of your employer (the "data controller") for employment-related data, and as an independent data controller for account and product data.
Data controller contact: privacy@restemb.com
Data Protection Officer: dpo@restemb.com
| Data | Purpose | Retention |
|---|---|---|
| Name, email address | Account creation, login, notifications | Until account deletion + 30 days |
| Company name | Organisation setup | Duration of subscription |
| Role (employee / manager / HR) | Access control, dashboard routing | Until account deletion |
| Data | Purpose | Who sees it |
|---|---|---|
| Energy, stress, workload scores (1-5) | Burnout risk calculation, personal dashboard | Employee only |
| Optional free-text note | AI coaching personalisation | Employee only |
| AI-derived burnout risk score | Personal insights, trend tracking | Employee only |
| Anonymised team averages | Manager heatmap (≥5 members required) | Manager / HR (aggregated) |
Individual check-in data is never accessible by managers, HR, or administrators. This is enforced at the database level (Row-Level Security), not just in application code.
For India (DPDP Act 2023): Processing is based on consent and contractual necessity. You may withdraw consent at any time without affecting the lawfulness of prior processing.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication | EU / US (configurable) |
| Groq | AI coaching suggestions | US |
| Resend | Transactional email | US |
| Razorpay / Stripe | Payment processing | India / US |
| Vercel | Web hosting, CDN | Global (EU-accessible) |
All processors are bound by Data Processing Agreements (DPAs) and comply with applicable data protection laws. International transfers use Standard Contractual Clauses (EU SCCs) or equivalent mechanisms.
We use AI (large language model API) to generate personalised wellness coaching suggestions. This is not used for automated decision-making that produces legal or similarly significant effects. AI suggestions are informational only.
Burnout risk scores are calculated by a deterministic algorithm based on the Job Demands-Resources model. No decisions about employment, salary, or performance are made based on these scores.
Depending on your jurisdiction, you have the following rights:
Access
Request a copy of your personal data
Rectification
Correct inaccurate personal data
Erasure
Request deletion of your personal data
Portability
Receive your data in a machine-readable format
Objection
Object to processing based on legitimate interests
Restriction
Request restriction of processing in certain circumstances
To exercise any right, email privacy@restemb.com. We will respond within 30 days (or 72 hours for urgent erasure requests where legally required). You also have the right to lodge a complaint with your supervisory authority:
We implement industry-standard security measures including AES-256-GCM encryption for sensitive data at rest, TLS 1.2+ in transit, row-level database security policies, rate limiting, CSRF protection, and regular security audits.
In the event of a data breach affecting your personal data, we will notify you and relevant supervisory authorities within 72 hours as required by GDPR.
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us at privacy@restemb.com and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated by email or prominent notice within the Service at least 14 days before they take effect. The current version is always available at restemb.com/privacy.
For privacy questions or to exercise your rights: