Your privacy matters.
HealthPass helps employers and agencies manage worker compliance.
When you use HealthPass, your employer or agency is usually the data controller, and we act as their data processor — meaning we only handle your information on their instructions.
The Controller may select the region in which its data is hosted (e.g., Australia, United Kingdom). HealthPass will process data only in the selected region unless otherwise instructed by the Controller.
To exercise your data rights (such as accessing, correcting, deleting, or moving your information), please contact your employer or agency, who is the Data Controller for your data. If you contact us directly, we’ll ask you to direct your request to the relevant organisation (your employer or agency), and we’ll support them in responding to your query.
This policy is always available on our website and can be updated to reflect changes we have made through our governance and review process. It is important that you regularly check our policy to make sure you are up to date with any changes.
This summary is just the highlights — the full details are below.
Privacy Notice
Last updated: 11 Jun 2026
HealthPass is a service provided by Flows2Forms Ltd (“we”, “us”, “our”). We are committed to protecting your privacy and handling personal information responsibly, transparently, and in line with applicable laws, including the UK GDPR, EU GDPR, and the Australian Privacy Act 1988 (Cth).
This policy explains what information we collect, how we use it, who we share it with, and the rights available to you.
-
When we act as a Data Processor:
For most information processed through the HealthPass platform — including candidate credentials, compliance documents, onboarding information, and employment‑related data — your employer, recruitment agency, or labour‑hire provider is the Data Controller.
We act as their Data Processor, meaning we only process your information:
on their documented instructions
for the purposes they determine
under a Data Processing Agreement (DPA)
When we act as a Data Controller:
We act as a Data Controller for:
information collected through our website
analytics and cookies
support enquiries
HealthPass user accounts (administrators, agency staff)
our own business records and compliance obligations
-
Information processed as a Data Processor (candidate data)
This may include:
identity information (name, date of birth, contact details)
right‑to‑work documents
licences, certifications, and credentials
visa and work eligibility information
employment history and references
onboarding forms and declarations
compliance status and audit logs
documents uploaded by you or your employer/agency
Information processed as a Data Controller
This may include:
website usage data (IP address, browser type, device information)
cookie and analytics data
account login details for agency/employer staff
support requests and correspondence
marketing preferences (if you opt in)
We do not knowingly collect children’s data. If you believe a child’s information has been submitted, contact us immediately.
-
As a Data Processor (on behalf of controllers)
We process candidate data to:
verify credentials and compliance
support onboarding workflows
generate compliance summaries and reports
notify agencies/employers of expiring documents
maintain audit trails and security logs
provide technical support
operate and improve the HealthPass platform
As a Data Controller
We use controller‑level data to:
operate and secure our website
provide customer support
manage user accounts
analyse service performance
comply with legal obligations
send service‑related communications
We do not sell personal information.
-
Where we act as a Data Controller, we rely on:
Contract – to provide access to HealthPass for agency/employer staff
Legitimate Interests – to secure our systems, prevent fraud, and improve the platform
Legal Obligation – to maintain business records and comply with law enforcement
Consent – for marketing (where applicable)
Where we act as a Data Processor, the Data Controller determines the legal basis.
-
We may share information with:
your employer or recruitment agency (as the Data Controller)
trusted service providers such as hosting, email, analytics, and identity verification partners
legal or regulatory authorities when required
professional advisers (e.g., auditors)
All third‑party processors are bound by strict contractual obligations, including confidentiality, security, and GDPR‑compliant processing terms.
-
Personal data is stored and processed in the region selected by the Data Controller (for example, Australia or the United Kingdom). HealthPass does not transfer personal data outside the selected region as part of its service.
If the Data Controller accesses the service from another country, this constitutes an international transfer determined and governed solely by the Controller, who is responsible for ensuring appropriate safeguards are in place.
-
We use industry‑standard security measures, including:
encryption in transit and at rest
strict access controls
audit logging
secure development practices
regular penetration testing
data minimisation and retention controls
-
As a Data Processor
We retain candidate data only for the duration of the contract with the Data Controller. When the contract ends, we delete the data from our active systems as soon as reasonably possible.
We maintain immutable system backups for up to 3 months. These backups cannot be altered or selectively deleted, but any restored data would be deleted again in line with the Controller’s instructions.
As a Data Controller
We retain:
website analytics: typically 90-120 days
support correspondence: up to 7 years
account records: for the duration of the contract + 7 years
cookies: according to their expiry settings
-
Under GDPR, you have the right to:
access your personal data
correct inaccurate information
request deletion
request restriction of processing
object to processing (including legitimate interests)
request data portability
withdraw consent (where applicable)
lodge a complaint with a supervisory authority
How to exercise your rights
If you contact us with a rights request and we are acting as a Data Processor, we will let you know that your request must be directed to the Data Controller. We may not be able to identify the Controller on your behalf.
Where required, we will support the Data Controller in responding to your request.
-
We use essential cookies to operate the site and optional analytics cookies (only with consent). You can manage your preferences through our cookie banner or browser settings.
A full cookie list is available in our Cookie Policy.
-
Flows2Forms Ltd
Email: 23 LR, 23 Lisburn Road, Hillsborough, BT26 6AA
Address: privacy@healthpass.io
For UK/EU data subjects, you may also contact the ICO or your local supervisory authority.
-
We may update this policy from time to time. The “Last updated” date at the top will reflect the most recent version.