- Version
- 2.0
- Status
- Live
- Effective Date
- 13 July 2026
- Review Date
- 13 July 2027
- Policy Owner
- Compliance and Accreditation Lead
- Approved By
- Chief Executive Officer
1. Purpose and Scope
This Data Protection Policy establishes Qualitect Ltd's commitment to protecting in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018. The policy applies to all personal data processing activities conducted through the Qualitect platform and by Qualitect Ltd. Qualitect Limited is registered with the Information Commissioner's Office under registration reference ZC182035.
2. Data Protection Principles
2.1 Lawfulness, Fairness and Transparency
Qualitect processes personal data lawfully, fairly and transparently with clear legal bases for all processing activities.
2.2 Purpose Limitation
Personal data is collected for specified, explicit and legitimate purposes.
2.3 Data Minimisation
Only adequate, relevant and necessary personal data is collected and processed.
2.4 Accuracy
Personal data is kept accurate and up to date.
2.5 Storage Limitation
data is retained for seven years minimum to support Platform Users' compliance with the documentation requirements of the relevant and regulatory frameworks and to meet Qualitect's own legal and contractual obligations.
2.6 Integrity and Confidentiality
Personal data is processed securely using AES-256 encryption at rest and 1.3 in transit.
2.7 Accountability
Our accountability framework is designed to align with the requirements of ISO 27001. Qualitect is working towards formal accreditation against ISO standards relevant to its operations. References to ISO alignment describe the framework adopted and do not indicate current certification.
3. Lawful Bases for Processing
3.1 Contract Performance
Delivering services, user authentication, generation, where applicable management and service delivery communications.
3.2 Legitimate Interests
Platform security monitoring, service improvement, fraud prevention and business analytics.
3.3 Legal Obligations
Maintaining audit trail data to support Platform Users' compliance with documentation requirements, responding to lawful requests from regulatory or law enforcement authorities and financial record-keeping obligations.
3.4 Consent
Optional marketing communications and cookies.
4. Categories of Personal Data Processed
4.1 User Registration Data
Names, email addresses, job titles, organisation details, professional credentials.
4.2 Assessment and Qualification Data
Qualification content, compliance checks and audit findings, where applicable assessment submissions and reports.
4.3 Evidence Files
Training records, witness statements, where applicable assessment evidence and portfolio submissions.
4.4 Audit Trail Data
User actions, timestamps, IP addresses and system interactions.
4.5 AI Generation Logs
Prompts, model responses, and generation parameters for service delivery and improvement.
4.6 Learning Services Data
Where customer organisations use learning services provided by Qualitect, enrolment, progress and achievement records are processed on the organisation's behalf under the .
5. Data Protection by Design
The platform implements privacy by design through database , and role-based access controls.
6. Data Protection Impact Assessments
Qualitect conducts DPIAs for processing activities likely to result in high risk including new AI processing features and novel data processing activities.
7. Data Processor Relationships
7.1 Cloud Hosting
Amazon Web Services UK regions under comprehensive data processing agreements.
7.2 AI Model Providers
Relationships are governed by data processing agreements that limit data use, provide that data is retained only for a limited period for abuse monitoring and is then deleted except where retention is required by law, and prohibit model training on submitted data.
7.3 Third-Party Integrations
Email delivery is provided by Postmark as our processor under a data processing agreement, handling account and service email only. Qualitect does not currently use a third-party payment processor or analytics service that processes personal data. This section is updated before any such provider is introduced.
8. International Data Transfers
Transfers to countries without UK adequacy decisions rely on an approved UK transfer mechanism, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. AI model providers are subject to additional safeguards including encryption, data minimisation and time-limited retention with deletion.
9. Data Breach Procedures
Continuous monitoring detects potential personal data breaches. Initial response activates within one hour of detection. Breaches likely to result in high risk trigger notification to the ICO within 72 hours.
10. Data Subject Rights
Under UK , data subjects have rights of access, rectification, erasure, restriction, portability and the right to object. All requests are acknowledged within 48 hours.
11. Related Policies
Privacy Policy, Information Security Policy, AI Use and Transparency Policy, Data Processing Agreement.
12. Contact Information
Data protection contact: dataprotection@qualitect.co.uk
General: hello@qualitect.co.uk
Complaints: complaints@qualitect.co.uk
Registered office: Qualitect Limited, 32 Willoughby Road, London, N8 0JG
Trading address: 8a Stafford Street, London, W1S 4RU
Website: qualitect.co.uk