AI Usage Policy

1. Introduction

October Health integrates Artificial Intelligence (AI) across two interconnected product lines: the October Health employee wellbeing and performance platform, and October People, our Human Capital Management (HCM) / HRIS system. This policy governs how AI is used across both products, setting out our commitments to transparency, privacy, safety, fairness, and regulatory compliance.

October Health is committed to ethical AI that prioritises user trust, data protection, and responsible innovation. This document is intended for clients (employers) and end users (employees) who interact with or are affected by our AI systems.

Important — Non-Clinical Disclaimer

October Health’s AI systems are informational and non-clinical. They do not provide medical advice or diagnosis, and do not create a doctor-patient relationship. Where users interact with AI, this is clearly disclosed. October People’s AI-assisted HR workflows are designed to support, not replace, human HR decision-making. Final employment decisions always rest with authorised human personnel.

2. Scope of This Policy

This policy applies to all AI-powered features across October Health’s product suite, including but not limited to:

Product / System | Description
October Health Platform | Wellbeing, coaching, mental fitness, and organisational insight tools
October People (HRIS/HCM) | HR operations including employee records, leave, compensation, talent management, and analytics
Shared AI Infrastructure | The central AI gateway, PII redaction layer, and third-party model providers used across both products

3. AI in October Health: Wellbeing Platform

3.1 Employee-Facing Solutions

  • AI Coaching Courses: Personalised, self-paced wellbeing and performance programmes, available 24/7 in multiple languages.
  • Journaling Tools: AI-supported guided self-reflection and habit-building features.
  • Luna | AI Chat Support: Real-time personalised wellbeing support, psycho-education, and resource navigation.
  • Human-Hosted Group Sessions (The Forest): Co-hosted by Luna, providing transcription, translation, engagement questions, and session summaries.
  • Ivy | AI Dietitian: Food analysis, macro and exercise tracking, and 1:1 AI dietary guidance.
  • Assessments: AI-assisted feedback after user-completed assessments.

3.2 Organisation-Facing Solutions

  • October Companion: AI assistant for drafting HR documentation (job descriptions, performance improvement plans, internal communications).
  • Luna in the Forest: Live interactive AI support with personalised feedback, user preference memory, and session recaps.
  • Business Intelligence / ThriveMeter: Aggregated, anonymised insights into employee wellbeing, organisational culture, and performance trends. No personally identifiable data is surfaced to employers.

4. AI in October People: HRIS / HCM System

October People is our modern Human Capital Management platform that consolidates HR operations across the full employee lifecycle. AI is embedded throughout the system to automate workflows and support HR decision-making. Because October People processes sensitive employment data, additional governance obligations apply.

4.1 AI-Powered Features in October People (including but not limited to)

Module | AI Application
Core HR & Directory | AI-assisted employee record management, org chart generation, and service request routing.
Leave & Time Management | Automated leave approval workflows, and absence pattern analysis.
Talent Management | AI-assisted job description drafting, candidate screening support, onboarding checklist generation, competency framework suggestions, and succession planning analysis.
Performance & Development | AI-assisted generation of performance improvement plans (PIPs), goal-setting support, and learning recommendations.
Compensation & Benefits | Pay equity analysis, salary benchmarking support, and benefits enrolment guidance.
Analytics & Workforce Planning | Predictive attrition modelling, workforce trend analysis, and custom HR reporting.
Data Import & Migration | AI-assisted data mapping and validation during HRIS data imports.

4.2 Human Oversight in Employment Decisions

Critical Principle: Human in the Loop

AI within October People is a decision-support tool, not a decision-maker. No employment decision, including hiring, dismissal, promotion, performance rating, disciplinary action, or redundancy, is made solely by an AI system. All AI-generated outputs in October People are clearly labelled as AI-assisted drafts or suggestions, and require review, modification, and approval by an authorised human HR professional or manager before any action is taken.

4.3 Integration Between October People and October Health

October People and the October Health wellbeing platform share a common technology infrastructure but maintain strict data segregation to protect employee privacy:

  • Wellbeing data, Luna chat conversations, journaling content, and assessment responses collected via October Health are never accessible to October People HR workflows or employer-facing dashboards.
  • The AI gateway enforces these data segregation rules at the infrastructure level, independent of application-layer configurations.
  • No mental health, wellbeing, or personal support data is used to inform any HR decision, employment record, or People analytics report.

5. Shared AI Infrastructure

5.1 Central AI Gateway

All AI requests across both October Health and October People are routed through a central AI gateway. This system:

  • Removes and masks personally identifiable information (PII) before any data is sent to third-party AI model providers.
  • Applies content moderation and safety guardrails to both inputs and outputs.
  • Selects the appropriate AI model provider based on task type, cost, latency, and availability.
  • Logs requests and responses for audit, safety monitoring, and incident response (subject to data retention policies).
  • Enforces data segregation rules between October People and October Health.

This infrastructure is hosted in October Health’s SOC 2 Type II certified AWS US East environment and complies with October Health’s standard data retention, Right to Be Forgotten (RTBF), and security policies.

5.2 Third-Party AI Model Providers

October Health uses the following AI model providers, none of whom train their models on October Health client or user data:

Provider | Approximate Usage
OpenAI | ~40% of usage
Google | ~35% of usage
Anthropic | ~15% of usage
Perplexity | ~10% of usage

A complete sub-processor register is maintained at october.health/legal/third-party-subcontractors and updated when material changes occur. All providers are assessed against performance benchmarks, bias audits, and security standards. Data processed via these providers is subject to our automated PII redaction system before transmission.

6. Key Principles

6.1 Transparency

  • Users are informed when they are interacting with an AI system, not a human.
  • Clear descriptions explain the purpose, capabilities, and limitations of each AI feature in both October Health and October People.
  • AI-generated outputs in October People are labelled as such to ensure HR professionals treat them as drafts requiring review.

6.2 Fairness and Non-Discrimination

  • AI systems are tested for bias across demographic groups, regions, and cultural contexts.
  • AI used in talent management and recruitment workflows is subject to fairness assessments to prevent discriminatory screening or scoring.
  • Corrective action plans are implemented when bias or unintended discriminatory outcomes are detected.
  • October Health does not use protected characteristics (race, gender, age, disability, religion, national origin) as inputs to AI systems that produce employment-relevant outputs.

6.3 Privacy and Data Minimisation

  • Compliant with GDPR, POPIA, HIPAA (where applicable), CCPA, and applicable local employment law data obligations.
  • Personal data is anonymised, pseudonymised, or minimised wherever possible before AI processing.
  • Explicit user consent is obtained before processing sensitive categories of personal data.
  • Cross-border data transfers use legally valid safeguards (e.g., Standard Contractual Clauses under GDPR).
  • October Health is SOC 2 Type II certified and aligns with WHO AI Ethics Guidelines.

6.4 Accuracy and Accountability

  • AI outputs are validated through testing, internal review, and clinical or professional expert evaluation.
  • A dedicated AI Safety & Compliance team oversees risk management, quality assurance, and regulatory alignment.
  • A structured change-management process governs all AI updates, requiring validation and re-approval before deployment.
  • October Health maintains an AI Model Register and AI Governance Policy aligned with the EU AI Act and ISO/IEC 42001:2023.

7. High-Risk AI — EU AI Act Compliance

October Health has identified the following October People / HCM AI use cases as potentially high-risk under the EU AI Act where they are used to materially support or influence employment, worker-management or access-to-employment decisions. These use cases are subject to enhanced governance controls, including documented risk assessment, human oversight, appropriate logging and auditability, transparency to affected individuals where required, and a process for human review or challenge of AI-informed employment outcomes.

High-Risk Application | Product Location
AI-assisted recruitment and candidate screening | October People Talent module
AI-generated performance improvement plans | October People Performance module
Predictive attrition and workforce analytics | October People Analytics module
AI-assisted compensation and pay equity analysis | October People Compensation module
AI outputs that influence succession planning decisions | October People Talent module

For any AI system used in employment, worker management, recruitment, performance evaluation, promotion, termination, task allocation, monitoring, or other HCM-related decision-making, October Health will assess whether the system is classified as “high risk” under applicable AI laws, including the EU AI Act where relevant.

Where an AI system is classified as high risk, or where its outputs may materially influence employment-related decisions, October Health will maintain appropriate governance controls, including:

  1. A documented AI risk assessment and risk register entry, including the purpose of the system, affected users, potential risks, mitigations, owner, and review cadence.
  2. Human oversight controls to ensure that AI outputs are used only as decision-support and do not produce legal or similarly significant employment effects without meaningful human review.
  3. Logging and auditability of relevant AI inputs, outputs, recommendations, decisions, and human review steps, proportionate to the risk and technical feasibility of the system.
  4. Transparency to affected employees, candidates, or workers where AI is used in a manner that may materially affect employment-relevant processes.
  5. A process for affected individuals to request human review, raise concerns, or challenge an AI-informed employment decision where applicable.

This approach is intended to align with emerging AI governance requirements, including the EU AI Act’s treatment of certain employment and worker-management AI systems as high risk, as well as data protection principles relating to automated decision-making.

8. Data Handling and Security

8.1 Data Classification

October Health processes two distinct categories of sensitive data, each subject to heightened protections:

Data Category | Protections
Wellbeing & Mental Health Data | Collected via Luna, journaling, assessments, and group sessions. Treated as special category data under GDPR and as health information under POPIA and HIPAA. Never shared with employers. Never used in People analytics or employment decisions.
Employment & HR Data | Collected via October People. Includes employee records, compensation, performance, and leave data. Accessible only to authorised HR administrators and managers with role-based access controls. Subject to employment law obligations in each jurisdiction.

8.2 Data Security

  • All sensitive and personal data is encrypted at rest and in transit using industry-standard protocols.
  • Role-based access controls (RBAC) limit data access to authorised personnel only.
  • No personally identifiable employee data is shared with employers via AI-generated insights; only anonymised or aggregated data is surfaced in organisational dashboards.
  • Sensitive data is shared with third parties only where legally required or with explicit consent.
  • October Health may notify relevant authorities in cases of credible threats to life, consistent with applicable law and our Privacy Policy.

8.3 Data Retention and Deletion

  • Personal data is retained only as long as necessary for service delivery or legal compliance obligations.
  • Anonymised or aggregated analytics data may be retained for longer periods to support organisational wellbeing and workforce insights.
  • Users and employees may request deletion of their personal data; requests are completed within applicable regulatory timelines (30 days under GDPR; as required by POPIA).
  • Secure deletion protocols ensure irrecoverable removal from backups and archives.
  • October People HR records are subject to statutory retention requirements under applicable employment law, which may override user deletion requests for specific record types.

9. User Rights

All users of October Health and October People have the following rights, exercisable at any time:

Right | Description
Access | Request a copy of personal data held about you.
Correction | Request correction of inaccurate or incomplete data.
Deletion | Request deletion of personal data (subject to legal retention obligations).
Opt-Out | Opt out of AI-based features where functionally possible.
Human Review | Request human review of any AI decision or output that affects you, including in October People employment workflows.
Explanation | Request a high-level explanation of how an AI output relevant to you was generated.
Withdrawal of Consent | Withdraw consent for data processing at any time.
Data Portability | Receive personal data in a structured, machine-readable format (where applicable under GDPR).
Object | Object to processing of personal data for specific purposes.

These rights are honoured in compliance with GDPR, POPIA, CCPA, and applicable local law. Requests should be directed to dpo@october.health.

10. Escalation Protocols for High-Risk Cases

For users of the October Health wellbeing platform expressing suicidal intent, self-harm intent, or intent to harm others, October Health initiates the following:

  • Immediate crisis guidance: Sensitive, trauma-informed responses providing local emergency numbers and 24/7 crisis hotline referrals.
  • Follow-up communications: Where contact details are available, post-escalation support links and resources are sent to the user.
  • Confidentiality: Crisis interactions are handled confidentially and are not shared with employers.

October People — Escalation

October People does not provide mental health or crisis support. If HR administrators or managers identify employee welfare concerns through People analytics or HR workflows, they should follow their organisation’s internal wellbeing referral process, which may include directing employees to October Health or their company’s Employee Assistance Programme (EAP).

11. AI Limitations and Known Failure Modes

October Health’s AI systems are subject to the following known limitations. Users and HR professionals should exercise independent judgement:

  • Language and dialect: AI may misinterpret input in non-standard dialects, regional idioms, or lower-resource languages.
  • Cultural nuance: AI outputs may not always reflect local cultural norms across October Health’s global markets.
  • Mental health risk detection: AI cannot reliably detect all instances of mental health crisis or distress signals. Luna is not a substitute for clinical assessment.
  • HR document accuracy: AI-generated HR documents (job descriptions, PIPs, offer letters) require review by qualified HR professionals for accuracy, legal compliance, and context-appropriateness.
  • Bias residuals: Despite bias testing, AI systems may produce subtly biased outputs. Fairness monitoring is ongoing.
  • Data quality dependency: AI outputs in October People are only as reliable as the HR data entered. Incomplete or inaccurate records will produce lower-quality AI suggestions.

Users are always informed that AI responses are not a substitute for professional medical, legal, or HR advice.

12. Monitoring and Incident Response

12.1 Post-Deployment Monitoring

  • Automated systems monitor safety patterns, inappropriate outputs, model drift, and anomalies across both October Health and October People.
  • Performance metrics including accuracy, safety, and response quality are reviewed on a regular cycle.
  • Fairness and bias assessments are conducted periodically across user demographics and regions.

12.2 Incident Response

  • A formal AI incident protocol governs detection, reporting, investigation, and mitigation.
  • Users may report AI inaccuracies, unexpected responses, or concerns by emailing help@october.health.
  • Serious incidents trigger immediate escalation to the AI Safety & Compliance team.
  • Material AI incidents are reported to relevant supervisory authorities where legally required.

13. Enterprise Controls for Organisations

Client organisations using October Health and/or October People have the following administrative controls:

13.1 October Health (Wellbeing Platform)

  • Role-based access controls ensure organisational administrators see only anonymised, aggregated wellbeing data.
  • Employers cannot access identifiable user messages, Luna conversations, journaling content, or personal wellbeing data.
  • Organisations may configure: analytics settings, regions and languages, data retention windows, resource links and escalation pathways, and permissions for specific AI features.

13.2 October People (HRIS/HCM)

  • Role-based access controls define five access levels: Super Admin, HR Admin, Manager, Employee, and custom roles. Each role sees only the data necessary for its function.
  • HR administrators and managers with access to individual employee records in October People have no access to that employee’s wellbeing data in October Health.
  • AI-generated outputs within October People (job descriptions, PIPs, compensation analyses) are marked as drafts and require explicit human approval before any action or record update is executed.
  • Audit logs capture all AI-assisted actions, approvals, and modifications within October People for compliance and governance purposes.
  • Organisations may configure which AI features are enabled within October People, consistent with their internal HR policies and jurisdictional legal requirements.

14. Regulatory Compliance and Governance

Framework | October Health Commitment
GDPR (EU/UK) | Full compliance including Art. 22 (automated decision-making), Art. 13/14 (transparency), and data subject rights.
POPIA (South Africa) | Full compliance including accountability for automated processing and data subject rights.
EU AI Act (2024) | High-risk AI classification applied to employment-related AI features; human oversight and conformity requirements met.
ISO/IEC 42001:2023 | AI management system aligned to the international standard for responsible AI governance.
CCPA (California) | Consumer privacy rights honoured for California-based users.
SOC 2 Type II | Infrastructure and security controls independently certified.
WHO AI Ethics Guidelines | AI design principles aligned to WHO guidance on safe and ethical AI in health contexts.

15. Commitment to Innovation and Continuous Improvement

October Health continuously invests in:

  • Ethical AI research and adoption of emerging best practices.
  • User-feedback-driven improvements to AI behaviour and outputs.
  • Safety upgrades and vulnerability mitigation.
  • Bias reduction and fairness testing across all AI systems.
  • Security hardening of the AI gateway and third-party provider integrations.
  • Clinical and professional expert review of AI guardrails for wellbeing features.
  • HR and employment law expert review of AI guardrails for October People.
  • Transparent communication with users, employees, and enterprise clients about AI capabilities and limitations.

Our AI Governance resources, including the AI Model Register, Governance Policy, and Transparency Testing results, are publicly available at october.health/ai.

16. Contact and Reporting

Contact Purpose | Details
AI Governance & Data Protection Officer | dpo@october.health
General Support / Report an Issue | help@october.health
Trust Centre (Security) | trust.october.health
AI Governance Resources | october.health/ai
Sub-processor Register | october.health/legal/third-party-subcontractors

October Health Limited • Registered in England & Wales • october.health

