Privacy Policy

Last updated: June 2026

1. Introduction

Atherio Ltd (“Atherio”, “we”, “us”, or “our”) provides an AI-powered leadership coaching platform that integrates with workplace tools to help managers improve. We are committed to protecting your personal data and respecting your privacy rights.

This Privacy Policy explains how we collect, use, share, and protect personal data when you visit getatherio.com (the “Site”), when your organisation uses the Atherio platform (the “Service”), and when you interact with us. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Because Atherio is typically purchased by an employer for its managers, this policy distinguishes between data we process as a controller (e.g. website visitors, prospects, and account administrators) and data we process as a processor on behalf of a customer organisation (e.g. coaching and behavioural data about that organisation’s managers). Where we act as a processor, the customer organisation is the controller and its own privacy notice governs how your data is used.

2. Who we are (data controller)

For the purposes covered by this policy where we act as controller:

  • Controller: Atherio Ltd
  • Company number: 16434061 (registered in England & Wales)
  • Registered office: C/O RPGCC, 40 Gracechurch Street, London, England, EC3V 0BT
  • ICO registration number: ZC064276
  • Data protection lead: Ben Stocken, CEO
  • Privacy contact: privacy@atheriohq.com

3. The personal data we collect

Website visitors and prospects. Name, work email, company, job role, message content when you submit a form or book a demo; newsletter subscription details; and technical data such as IP address, browser type, device information, and usage data collected via cookies and similar technologies.

Account administrators and platform users. Account credentials and profile details, authentication identifiers, and settings.

Coaching and behavioural data (processed on behalf of customers). To deliver coaching and measure behaviour change, the Service integrates, with the customer’s authorisation, with tools such as Microsoft 365 and Slack (and, where enabled, HRIS and CRM systems). Depending on the customer’s configuration, this may include metadata and content signals relating to workplace communication and collaboration, engagement metrics, HR attributes, performance-related indicators, and the interactions a manager has with the Atherio coach (e.g. questions asked and nudges acted on). We process this data only on the documented instructions of the customer organisation and only to provide and improve the Service as permitted by our agreement with that customer.

Communications. Records of your correspondence with us (support, sales, email).

We do not seek to collect special category data. Where any sensitive information could be inferred from workplace data, we apply additional safeguards and minimisation, and rely on the customer’s lawful basis as controller.

4. What we do not do

To be clear about the limits of our processing:

  • We do not sell your personal data, or share it for third-party marketing.
  • We do not use your data to train general-purpose AI models, and we contractually prohibit our AI sub-processor from doing so.
  • We do not make automated decisions that produce legal or similarly significant effects about an individual without human involvement.
  • We do not collect more workplace data than the customer configures, and the customer can narrow the scope of integrations at any time.
  • We do not knowingly collect data from anyone under 16.

5. How we use personal data and our lawful bases

Responding to enquiries and demo requests

Legitimate interests / steps prior to a contract

Providing and operating the Service

Performance of a contract; processor instructions

Sending the weekly newsletter and marketing

Consent (withdrawable at any time)

Improving and securing our Site and Service

Legitimate interests

Aggregated, de-identified analytics and benchmarking

Legitimate interests; data aggregated/anonymised

Complying with legal obligations

Legal obligation

Where we rely on legitimate interests, we have balanced those interests against your rights and concluded our processing is proportionate. You can object at any time (see Section 10).

6. AI and automated processing

Atherio uses artificial intelligence (the Microsoft Azure OpenAI Service) to generate coaching guidance, nudges, and insights. We design the Service to be privacy-first: we apply data minimisation, and our agreement with our AI provider prohibits the use of customer data to train its general models. Atherio does not make decisions that produce legal or similarly significant effects about an individual without human involvement. Coaching outputs are guidance for the manager, who remains responsible for their own decisions.

7. Sharing your data

  • Service providers (sub-processors) who host our infrastructure, provide AI processing, and support communications. The current list is in our Trust Centre. All are bound by data protection terms.
  • Your organisation, where we process data on its behalf as a processor.
  • Professional advisers, auditors, and authorities where required by law.
  • A successor entity in a merger, acquisition, or reorganisation, subject to this policy.

We do not sell personal data.

8. International transfers

Our core platform and coaching data are hosted in the United Kingdom on Microsoft Azure. Some sub-processors operate infrastructure outside the UK; where personal data is transferred outside the UK, we rely on appropriate safeguards such as UK adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses. Details are in our Trust Centre.

9. Data retention

We keep personal data only as long as necessary for the purposes set out in this policy, including legal, accounting, or reporting requirements. Coaching and platform data processed on behalf of a customer is retained in line with our agreement with that customer and deleted or returned on termination. Marketing data is kept until you unsubscribe.

10. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, or object to processing of your personal data, the right to data portability, and the right to withdraw consent. Where we process your data on behalf of your employer, please direct requests to your employer; we will assist them as required.

To exercise your rights with us as controller, contact privacy@atheriohq.com. You also have the right to complain to the Information Commissioner’s Office (ico.org.uk), though we’d appreciate the chance to resolve concerns first.

11. Cookies

Our Site uses cookies and similar technologies for essential functionality and, with your consent, for marketing and CRM (via HubSpot). You can accept or reject non-essential cookies using our cookie banner, and manage preferences via your browser settings at any time.

12. Security

We implement technical and organisational measures to protect personal data, including encryption in transit and at rest, role-based access controls, multi-factor authentication, monitoring, and a documented incident response process. See our Trust Centre for detail. No system is perfectly secure, but we work continuously to protect your data.

13. Children

Atherio is a workplace product not directed at children, and we do not knowingly collect data from anyone under 16.

14. Changes to this policy

We may update this policy from time to time. We will post the updated version here and revise the “Last updated” date. Material changes will be communicated where appropriate.

15. Contact

Questions about this policy or your data: privacy@atheriohq.com, or write to Atherio Ltd, C/O RPGCC, 40 Gracechurch Street, London, England, EC3V 0BT.