Skip to content
All governance documents

Data and Security

Data Protection Policy

Version
2.0
Status
Live
Effective Date
13 July 2026
Review Date
13 July 2027
Policy Owner
Compliance and Accreditation Lead
Approved By
Chief Executive Officer

1. Purpose and Scope

This Data Protection Policy establishes Qualitect Ltd's commitment to protecting in accordance with the UK General Data Protection Regulation and the Data Protection Act 2018. The policy applies to all personal data processing activities conducted through the Qualitect platform and by Qualitect Ltd. Qualitect Limited is registered with the Information Commissioner's Office under registration reference ZC182035.

2. Data Protection Principles

2.1 Lawfulness, Fairness and Transparency

Qualitect processes personal data lawfully, fairly and transparently with clear legal bases for all processing activities.

2.2 Purpose Limitation

Personal data is collected for specified, explicit and legitimate purposes.

2.3 Data Minimisation

Only adequate, relevant and necessary personal data is collected and processed.

2.4 Accuracy

Personal data is kept accurate and up to date.

2.5 Storage Limitation

data is retained for seven years minimum to support Platform Users' compliance with the documentation requirements of the relevant and regulatory frameworks and to meet Qualitect's own legal and contractual obligations.

2.6 Integrity and Confidentiality

Personal data is processed securely using AES-256 encryption at rest and 1.3 in transit.

2.7 Accountability

Our accountability framework is designed to align with the requirements of ISO 27001. Qualitect is working towards formal accreditation against ISO standards relevant to its operations. References to ISO alignment describe the framework adopted and do not indicate current certification.

3. Lawful Bases for Processing

3.1 Contract Performance

Delivering services, user authentication, generation, where applicable management and service delivery communications.

3.2 Legitimate Interests

Platform security monitoring, service improvement, fraud prevention and business analytics.

Maintaining audit trail data to support Platform Users' compliance with documentation requirements, responding to lawful requests from regulatory or law enforcement authorities and financial record-keeping obligations.

Optional marketing communications and cookies.

4. Categories of Personal Data Processed

4.1 User Registration Data

Names, email addresses, job titles, organisation details, professional credentials.

4.2 Assessment and Qualification Data

Qualification content, compliance checks and audit findings, where applicable assessment submissions and reports.

4.3 Evidence Files

Training records, witness statements, where applicable assessment evidence and portfolio submissions.

4.4 Audit Trail Data

User actions, timestamps, IP addresses and system interactions.

4.5 AI Generation Logs

Prompts, model responses, and generation parameters for service delivery and improvement.

4.6 Learning Services Data

Where customer organisations use learning services provided by Qualitect, enrolment, progress and achievement records are processed on the organisation's behalf under the .

5. Data Protection by Design

The platform implements privacy by design through database , and role-based access controls.

6. Data Protection Impact Assessments

Qualitect conducts DPIAs for processing activities likely to result in high risk including new AI processing features and novel data processing activities.

7. Data Processor Relationships

7.1 Cloud Hosting

Amazon Web Services UK regions under comprehensive data processing agreements.

7.2 AI Model Providers

Relationships are governed by data processing agreements that limit data use, provide that data is retained only for a limited period for abuse monitoring and is then deleted except where retention is required by law, and prohibit model training on submitted data.

7.3 Third-Party Integrations

Email delivery is provided by Postmark as our processor under a data processing agreement, handling account and service email only. Qualitect does not currently use a third-party payment processor or analytics service that processes personal data. This section is updated before any such provider is introduced.

8. International Data Transfers

Transfers to countries without UK adequacy decisions rely on an approved UK transfer mechanism, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. AI model providers are subject to additional safeguards including encryption, data minimisation and time-limited retention with deletion.

9. Data Breach Procedures

Continuous monitoring detects potential personal data breaches. Initial response activates within one hour of detection. Breaches likely to result in high risk trigger notification to the ICO within 72 hours.

10. Data Subject Rights

Under UK , data subjects have rights of access, rectification, erasure, restriction, portability and the right to object. All requests are acknowledged within 48 hours.

Privacy Policy, Information Security Policy, AI Use and Transparency Policy, Data Processing Agreement.

12. Contact Information

Data protection contact: dataprotection@qualitect.co.uk
General: hello@qualitect.co.uk
Complaints: complaints@qualitect.co.uk
Registered office: Qualitect Limited, 32 Willoughby Road, London, N8 0JG
Trading address: 8a Stafford Street, London, W1S 4RU
Website: qualitect.co.uk