Skip to main content
When your clients invite you into their organisation, they place their most sensitive people data in your hands. Wenite is built around that responsibility. Every architectural and policy decision we make starts from the assumption that client trust is non-negotiable — and GDPR compliance is the baseline, not the ceiling.

Data ownership — your data stays yours

Your client data belongs to you, full stop. Whatever you collect, upload, or create inside Wenite lives within your account and is never shared with other consultants, third parties, or Wenite itself for any commercial purpose. When you build a dossier, run a scan, or record an observation, that content is yours to control, export, and delete. Wenite does not mine your client data, sell it, or use it to train models. You are the custodian of the information your clients trust you with, and we keep it that way.

EU processing — no data leaves Europe

All data you store and process through Wenite is handled exclusively within the European Union. There are no transfers to third countries, no sub-processors outside the EU, and no content delivery or analytics pipelines that route your client data beyond EU borders. This means your Belgian, Dutch, or broader European clients can rely on the same legal framework you operate under.

What Wenite processes

To deliver the platform, Wenite processes a small, well-defined set of data categories on your behalf:
  • Your consultant profile — your name, email address, practice details, and billing information
  • Client organisation information — the names, sectors, and project metadata you enter when setting up a client dossier
  • Employee survey responses — the answers collected through scans you run within a client project; these are stored in anonymised or pseudonymised form by default and are never linked to individually identifiable employees unless you explicitly configure otherwise
  • Usage and system data — standard application logs used to maintain reliability and security; this data does not include the content of your client dossiers

Your responsibilities as a data controller

Because you decide what data to collect, from whom, and for what purpose, you are the data controller under GDPR. Wenite acts as your data processor — we follow your instructions and provide the infrastructure that makes your work possible. In practice this means:
  • You are responsible for having a lawful basis to collect employee data from your clients’ organisations
  • You determine how long data is retained and when it should be deleted
  • You are the point of contact for any data subject rights requests from employees who participated in your scans
  • You decide what information to share with your clients through Wenite’s client portal
Wenite supports you in meeting these obligations by giving you full control over your dossiers, straightforward data deletion tools, and clear audit trails of what data exists in your account.

Employee anonymity

Scans run through Wenite are designed with employee anonymity as the default. Individual employees are not identified to you as a consultant — you receive aggregated, pattern-level insights rather than individually attributed responses. This protects employees from feeling surveilled and increases the honesty and quality of the data you collect. If your methodology or a specific client engagement requires a different configuration, you can adjust this within the platform — but the default always errs on the side of protecting the individual.
If you have specific compliance questions, need a Data Processing Agreement (DPA), or want to discuss how Wenite fits into your own GDPR obligations, reach out directly at contact@wenite.io. We’re happy to work through the specifics with you.
Wenite is actively pursuing ISO 27001 certification to back up our GDPR commitments with independently audited security controls. See ISO 27001 certification status for the current timeline and what it means for your practice.