Privacy Policy

Effective date: October 2025
Version: 1.0
Reviewed: October 2025

1.0 Who We Are

This Privacy Notice explains how ALM Performance Ltd (“ALM”, “we”, “our”, “us”) handles personal data collected through our Health & Wellbeing Application (“the App”).

Company number: 14291906
Registered office: 4 Stadium Close, Stotfold, Bedfordshire, SG5 4TJ, United Kingdom
ICO registration: ZB562401
Contact: privacy@almperformance.co.uk

ALM acts as a Data Processor on behalf of each participating Police Force (the “Data Controller”).

2.0 Purpose of Processing

The App provides access to employee health and wellbeing content, resources, and interactive features designed to support nutrition, sleep, stress, resilience, and similar topics.

We process limited personal data to:

  • enable user registration and secure access;
  • deliver app content and notifications;
  • integrate with optional third-party wellness platforms (e.g. Apple Fit / Google Fit);
  • support anonymised usage analytics and technical maintenance;
  • manage user deletion requests at the end of employment.

3.0 Personal Data We Process

Category Examples Purpose Legal Basis (UK GDPR Art.)
Identification Name, work email address Account creation & authentication Art 6(1)(b) – contractual necessity
Technical Device ID, IP address, log data Security & performance monitoring Art 6(1)(f) – legitimate interests
Optional Integrations Fitness data from Apple Fit / Google Fit (if enabled) Enhanced wellbeing insights Art 6(1)(a) – consent (Art 9(2)(a) if special category applies)
Analytics (anonymised) App usage patterns and crash data Service improvement & reporting Art 6(1)(f) – legitimate interests

No health or special category data is processed unless an optional future feature is activated by you with explicit consent.

4.0 Lawful Bases for Processing

Processing is carried out under:

  • UK GDPR Art. 6(1)(b) – performance of a contract (to provide the App service);
  • UK GDPR Art. 6(1)(f) – legitimate interest (security, analytics, support);
  • UK GDPR Art. 6(1)(a) / Art. 9(2)(a) – explicit consent (for optional integrations).

Controllers (Police Forces) may also rely on Art. 6(1)(e) (public task) when the App is provided as part of their employee welfare programme.

5.0 Data Retention

Personal data will be retained only for the duration of your employment with the relevant Police Force. Upon notification that employment has ended, your record will be securely deleted from our systems within 30 days, subject to minimal system-backup retention in accordance with DUAA 2025 s. 24 (secure erasure duty).

6.0 Data Storage and Security

All data are stored and processed on Amazon Web Services (AWS) cloud servers located in the UK.

Technical and organisational measures include:

  • AES-256 encryption at rest and in transit;
  • pseudonymisation and restricted access controls;
  • MFA authentication and security auditing;
  • ISO 27001-aligned controls.

7.0 Data Sharing and Third-Party Processors

ALM does not sell or disclose personal data for marketing.

Limited data may be shared with:

Recipient Purpose Location
AWS (UK) Secure hosting & storage United Kingdom
Apple Inc. / Google LLC Optional fitness integration UK / EEA / US
Relevant Police Force Account verification & employment management United Kingdom

Where transfers occur outside the UK/EEA, we use UK International Data Transfer Agreements (IDTA) or Addendum clauses (DUAA 2025 ss. 42–45) to ensure equivalent protection.

8.0 Your Rights

Under UK GDPR, DPA 2018, and DUAA 2025, you have the right to:

  • access your data (Art. 15);
  • rectify inaccuracies (Art. 16);
  • erase data (Art. 17);
  • restrict processing (Art. 18);
  • object to processing (Art. 21);
  • data portability (Art. 20);
  • withdraw consent at any time (Art. 7(3));
  • not be subject to automated decisions (Art. 22).

Requests should be made through your Police Force Data Protection Team (the Controller). ALM will support them in fulfilling your request.

9.0 Children’s Data

The App is not intended for individuals under 16. No data are knowingly collected from minors.

10.0 Cookies and Analytics

Where the App uses cookies or analytics SDKs, we comply with PECR 2003 reg. 6 and DUAA 2025 Part 5 Digital Communications, using consent banners or in-app prompts where required.

11.0 Future Developments

As ALM expands App functionality, further data types may be introduced. This Notice will be updated in line with relevant DUAA provisions. Users will be notified of material changes and prompted to re-consent if required.

12.0 Complaints

If you are unhappy with how your data are processed:

  • Raise your concern with your Police Force DPO;
  • If unresolved, contact the Information Commissioner’s Office (ICO).

ICO website: https://ico.org.uk/make-a-complaint/
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

13.0 Contact Us

For any queries about this Notice or the App’s data processing, please email: privacy@almperformance.co.uk

14.0 Version Control

Version Date Summary of Changes
1.0 October 2025 Initial publication for Police Force deployment

Note on Responsibility

This app is provided by ALM Performance Ltd under contract with your Police Force. While ALM operates the app and ensures its secure functioning, your Police Force is the legal Data Controller for any personal data processed through the app.

Therefore, if you have a complaint, question, or wish to exercise your data rights, please contact your Force’s Data Protection Officer (DPO). ALM will fully support them in addressing your request.