Privacy Policy

This is the privacy statement for QlessQ Limited (Q<Q or We). Q<Q Limited is a private company (company number 12645734) with its registered office at 1 Pargate Chase, Norden, Rochdale.

For the purpose of the Data Protection Act 2018 and the General Data Protection Regulation 16/679 the data controller is Q<Q Limited.

Q<Q is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data We collect from you, or that you provide to us, directly or indirectly will be processed by us. Please read the following carefully to understand our views and practices regarding personal data and how We treat it.

The Data Protection Officer can be contact at the registered office address or privacy@qlessq.co.uk.

In this statement We have used certain terms which are set out in the EU’s General Data Protection Regulation (GDPR or the Regulation):


Terminology

 Q<Q App refers to the software platform built by Q<Q and made accessible to Clients (as defined below) who have subscribed to use our platform on a free, paid or trial basis, for the purposes of managing their venue level staff and end user customers for the benefit of improving their customer experience and general operations.

Q<Q Website refers to our corporate website used to explain and promote the Q<Q software solution (App available via App Store and Google play) to potential Clients and Reseller Partners (together Clients) and any of their customers or staff who may be interested in learning more about the Q<Q solution and services.


What we do

Q<Q is an App solution provider offering customer experience management solutions that help our Clients including Clients in the retail, health care, public sector, telco, financial services, hospitality, leisure and entertainment sectors, to improve their customer experience, serve more customers and increase their conversion and saving costs.

Our Client’s use the App solution so that their customers can make use of our system to access services provided by our Client. For example, a retailer may allow their customers to pre-book and Fast Track Appointment slot or record “Track and Trace” information for clients visiting their locations.


Our status under GDPR

Depending on the nature of the interaction, We act as a processor in that We are acting upon instructions from our Clients when We provide our services to them; and when We control the purposes and means of the processing of personal data, such as processing our employee’s personal data, We are a controller, as defined under GDPR.

WHAT LAWFUL REASONS DO WE USE TO PROCESS PERSONAL DATA?

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Consent)
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Contract Performance)
  • processing is necessary for compliance with a legal obligation which We are subject to (Legal Obligations)
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child (Legitimate Interest).

Consent

Where We process personal data as a result of data subject consent, We ensure that consent is freely given, specific and informed, and established by a clear affirmative act. Where consent is withdrawn, We have set out (below) how this may be undertaken by the data subject.

Contract Performance

Where We enter into a contract with third parties, processing of personal data may, as a matter of course, be necessary in order to execute such contract or take pre-contract preparation steps.

Legal Obligations

Where We have legal obligations which apply to Q<Q, processing of personal data may be required by law.

Legitimate Interest

Our legal basis for processing personal data in this context is that it is necessary for the performance of a contract between a customer and Client.


Sensitive personal data

Where Q<Q processes sensitive personal data on behalf of a Client, Q<Q does so on the basis that the Client has established a lawful exception to the prohibition on processing sensitive personal data under Article 9 of the Regulation; and where Q<Q is processing sensitive personal data of employees, it does so pursuant to its employment relationship with its personnel and so uses the exception set out in paragraph 2(b) of Article 9 of the Regulation.


Q<Q’s use of personal data

How Q<Q collects and uses personal data differs based on the Site used and the type of user’s details input.


Corporate Subscriber Data

How personal data is collected: data subjects interested in learning more about the Q<Q business, services or software products directly through Q<Q, have the opportunity to enter their details into our website at www.qlessq.co.uk or any landing pages hosted at pages www.qlessq.co.uk  via a “Contact” form; or they may email or call us directly using contact details provided on our website or elsewhere. This will likely be for the purposes of requesting that We contact them, downloading useful information, starting a trial, playing with a demo or requesting support from our support team.

From time-to-time, We may also meet business-relevant connections at events or research individuals using standard online open-source social media platforms. Where these individuals are approached (or approach us) in their capacity as employees of their organisation, the interaction will be regarded as a business to business exchange.

Type of personal data collected: Corporate subscriber data might include a data subject’s name, telephone number, home address, email address, company of work and IP address from the device being used, online identifiers and location data. We will not knowingly collect sensitive personal data. Where a data subject visits our website, We may collect and process information about their website usage (e.g. browsing history and information about your navigation through our website) using “cookies” and other similar technologies. During communications, We may process information about the interactions undertaken with us.

Who controls the data: Corporate subscriber data is controlled by Q<Q

Who processes the data: Corporate subscriber data is processed by our website, email, CRM and marketing platform providers. We have contracted with a number of parties (the precise number varies according to business need) who process personal data on our behalf. This is undertaken in a manner that is consistent with the Regulation and the ePrivacy Directive (the Directive).

Where data is stored; how data is used: Data collected on corporate subscribers may be stored within our CRM platform and used for the purposes of sending news and information about our services and solutions. All messages will provide the recipient with the opportunity to opt-out.

Data will also be used to improve our online services, including format and content, to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes, as part of our efforts to keep our site safe and secure, to measure or understand the effectiveness of any advertising We serve to you and others, and to deliver relevant advertising.


Corporate Payment Data

How data is collected: Business professionals interested in using Q<Q software within their business provide their business’ payment card details or direct debit account details to our portal, under contract or over the phone to Q<Q personnel in order to set-up automatic payments to Q<Q.

Type of Data Collected: Corporate payment card data includes a person’s name, billing address, bank account sort code, bank account number, payment card long number, payment card issue date, payment card expiry date and three-digit security number. During communications, We may process information about the interactions a data subject has with us.

Who controls the data: Corporate payment card data is controlled by Q<Q.

Who processes the data: Corporate payment card data is processed by Q<Q and our third-party payment gateways.

How data is used: Corporate payment data is used to debit our Client’s account on a regular basis for the ongoing use of our software and to enable Clients to easily pay for one-off purchases including professional services, SMS messages and hardware loan or purchase.


Customer Personal Data

How data is collected: Customers of Clients can provide personal details for the purposes of accessing services provided by our Clients through booking an appointment or registering for Track and Trace purposes. Upon providing their details the customer will receive transaction updates on their required service or do capture feedback after their visit. Data is collected by the customer providing their details to an employee of our Client’s organisation or through a self-service interface accessed online via a website, or through an app installed on the customer’s personal mobile device.

Type of data collected: Data collected via the Q<Q App from consumers may include name, telephone number, home address, email address and IP address from the device being used, online identifiers and location data. The Q<Q Online Track and Trace may collect and process information about data subject’s website using “cookies” and other similar technologies. During communications, our Client may process information about the interactions you have with us.

Who controls the data: Customer personal data is controlled by our Client who is using the Q<Q App Site to manager their customer and employees.  {Not sure we want to say this as Q<Q wants to be able to advertise to customer and hence own the data}

Who processes the data: Q<Q processes the Customer personal data on behalf of our Clients. Customer personal data and sensitive personal data is passed to as few sub-processors as necessary to enable our software to perform its necessary functions, this includes only our server data base provider and Amazon Web Services and SMS aggregator providers. Client Derived Data is created to detach the customer’s transaction information from their Personal Data so that this can be processed by separate platforms for analytics purposes.

How data is used: Customer personal data is used at the discretion of our Client (acting as the Data Controller), to whom the customer has provided their Customer Personal Data. It is generally used for the purposes of managing customers requiring service within a fast track  appointment/track and trace registration and the client may send the Customer automated or manual transaction updates by app alert or email, to inform them of their allocated service time. Some Clients may also choose to send survey questionnaires or additional information whilst others will enable their customers to opt-in to their marketing data base. 

The Client collecting the Customer Personal Data will have their own privacy policy and terms of use, which will define how their business uses Customer Personal Data. If you are reading this Privacy Policy as a customer of one of our Clients, we recommend that you look at the Terms of Use and Privacy Policy of our Client to whom you are or have provided data.

How long data is stored: Customer personal data is stored within Q<Q for the timeframe defined by our Client (it may be removed immediately or deleted after a timeframe requested by the client). The timeframe held for will be to a maximum of that defined within the Client’s privacy policy, which should be available on their website or through direct communication. Customer sensitive personal data can be stored separately for a shorter period if required by our Client. Customer derived data, which is transaction data that is detached from the Customer personal data is stored indefinitely solely for commercial analysis.


Customer Payment Card Data

How data is collected: Client’s using the Q<Q software may, at their discretion, require that customers pay to make an appointment, register for Track and Trace purposes. Customers will be required to enter their payment card data or to login through a third-party payment platform in order buy tokens to complete their booking.

Type of data collected: Customer payment card data might include a customer’s name, billing address, payment card long number, payment card issue date, payment card expiry date, three-digit security number.

Who controls the data: Customer payment card data is controlled by Q<Q via third party secure payment providers

How data is used: Customer payment card data is used in order to debit the customer’s account for the fees specified when they purchase tokens to book their fast track appointment with.


Venue Level Employee Personal Data

How data is collected: Venue level employees of our Clients are required to input their personal data in order to gain access the Q<Q App and in order to make use of the Q<Q App  and Software service within a business location owned by the Client, such data will be considered “Venue Level Employee Personal Data”,

Type of data collected: Venue level employee personal data collected in the Q<Q App might include a person’s name, mobile number, email address. We will not collect “special categories” of data on employees (sensitive data).

Who controls the data: Personal data of venue level employees is controlled by the applicable Client who is the employer of the employee using the Q<Q App to manage their customers and employees.

Who processes the data: Q<Q processes the venue level employee personal data on behalf of our clients for the purposes of enabling clients to use our services. Data is also processed within third-party platforms used to help us provide premium services to the users of our platform; and these platforms help us provide support services to customers, marketing platforms and platforms s analyse how us We can analyse how users are using the platform and, from time-to-time, send service information updates.

How data is used: Venue level employee data is used at the discretion of the applicable Client where the employee works, and Client privacy policies and terms of use should be reviewed for further information.

How long data is stored: Venue level employee personal data is stored within Q<Q for the timeframe defined by our Client (it may be removed immediately or deleted after a timeframe requested by the client). The timeframe held for will be to a maximum of that defined within the Client’s employment contracts or related privacy policy.


Head Office Level Employee Personal Data

How data is collected: Head office level employees of our Clients are required to input their personal data in order to gain access to our the Q<Q App and www.qlessq.co.uk back office in order to receive email reports about their businesses use of the Q<Q App data will be considered “Head Office Level Employee Personal Data”

Type of data Collected: Personal data input by head office level employees in the Q<Q App might include a person’s name, mobile number, email address. We will not collect sensitive personal data.

Who controls the data: Personal data of head office level employees is controlled by our Client who is using the Q<Q App Site to manage their customers and employees.

Who processes the data: Q<Q processes the head office level employee personal data on behalf of our clients for the purposes of enabling clients to use our services. Data is also processed within third party platforms used to help us provide premium service to the users of our platform. These help us provide support ticketing services to customers and platforms which help us to analyse how users are using the platform and, from time-to-time, send service information updates.

How data is used by the controller: Head office level employee data is used at the discretion of our Clients and their privacy policies and terms of use should be reviewed for further information.

How data is used by the processor: Head office employee data is also treated as Corporate Subscriber Data and so is imported into our CRM and mailing list tools in order to send the head office level employee useful information about new Q<Q releases, features, training information and other recent news, helping head office level employees to learn how to get the most out of the Q<Q platform (they will at all times have the option to unsubscribe from this news).

How long data is stored: Venue level employee personal data is stored within Q<Q for the timeframe defined by our Client (it may be removed immediately or deleted after a timeframe requested by the client). The timeframe held for will be to a maximum of that defined within the Client’s employment contracts or privacy policy.


Job Candidate Data

How data is collected: Candidates interested in applying for a role at Q<Q may provide their personal details by email or through our job application platform to express their interest in a role.

Type of data collected: Personal data input by job candidates may include: name, email, phone number, home address, place of work, education and work history alongside their skills. We will not collect sensitive personal data.

Who controls the data: Job candidate data is controlled by Q<Q.

Who processes the data: Job candidate data is processed by our software providers and consultants involved in helping us to recruit candidates and manage employees.

How data is used by the controller: Job candidate data is used by the controller to manage and communicate with candidates in relation to the role they have applied for at Q<Q.

How data is used by the processor: Job candidate data is used by our processors to enables us to accept and manage applications and to support decision making processes.

How long data is stored: Job candidate data is stored for as long as necessary. It is then archived or deleted pursuant to or data retention framework.


Sub-processors

A list of the types of types of sub-processors we use for the different categories of data described above can be found on our website at: www.qlessq.co.uk/sub-processors/


General terms

Sharing information

We may share information with third parties so that they can assist us in providing our services; selected third parties could include:

  • Clients, suppliers and sub-contractors for the performance of any contract We enter into with them. For example, so that our platform can work effectively, We may engage with contractors to carry out part of our services.
  • Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but We will provide them with aggregate information about our users for example, We may inform them that a high level of our audience from our website are from the South-East, based on location data.
  • Analytics and search engine providers that assist us in the improvement and optimisation of our site.

We will disclose your personal information to third parties:

  • If Q<Q or substantially all of its assets are acquired by a third party, in which case personal data held by it about its Clients will be one of the transferred assets.
  • If We are under a duty to disclose or share personal data to comply with any legal obligation, or in order to enforce or apply our terms and other agreements; or to protect the rights, property, or safety of Q<Q, our Clients, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Transferring out of the EEA

Storing: We use cloud providers to store our personal data. Personal data may be transferred to and stored at a destination outside of the European Economic Area (EEA).

Processing: We may use third parties to help us deliver our services and they may be based outside the EEA. Where data is transferred outside the EEA, We adhere to compliance mechanisms that are identified by the European Commission, for example, the use of EU model contract clauses or conformity to US Privacy Shield.

Where we are the processor: in general, personal data is stored in the locations required by our Clients. Periodically, our Clients may agree specific terms as to where customer data, venue employee data and head office employee data is stored by us. At all times, We act in accordance with the Regulation. 


Data retention periods

Q<Q has a data retention policy which sets out how long it will store personal data, which is consistent with Article 5 of the Regulation. Q<Q only keeps personal data for as long as is necessary. For example, Q<Q is required to retain certain information in accordance with the general law, where information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices. Personal data may be held in addition to these periods depending on Q<Q business needs, which are balanced against the requirements of the Regulation and the rights of the individual.

Where we are the controller

We will retain personal data for as long as necessary. As described above, in some cases, We will have a legal or statutory obligation to retain information for a set period, such as the limitation period.

Where we are the processor

Data is stored as instructed by our Clients in accordance with their approach to retention of personal data provided that this is within the Regulation. We recommend you view their Terms of Use and Privacy Policy for more information.


Security measures

We have implemented security measures that are designed to help protect the personal data We collect or receive in connection with our services from unauthorised access or disclosure. For example, We use encryption techniques to ensure the security of data; We also use password protection. However, no transmission or storage of data can be guaranteed to be completely secure and We therefore cannot ensure or warrant the security of any information We collect and store. 


Contact you

The personal data We process is subject to rigorous measures and procedures to minimise the risk of unauthorised access or disclosure. We will get in touch with the supervisory authority (which in Q<Q case is the Information Commissioner on the United Kingdom) and with affected data subjects where this is required under the Regulation.


Changes to this privacy statement

If We change this privacy statement, We will let you know about the changes by publishing the updated version on our website.


Your rights

  • Identity and the contact details of the person or organisation that has determined how and why to process your data. In some cases, this will be a representative in the EU.
  • Contact details of the data protection officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Q<Q or a third party, information about those interests.
  • The categories of personal data collected, stored and processed.
  • Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If We intend to transfer the personal data to a third country or international organisation, information about how We ensure this is done securely. The EU has approved sending personal data to some countries because they meet a minimum standard of data protection. In other cases, We will ensure there are specific measures in place to secure information.
  • How long the data will be stored.
  • Details of data subject’s rights to correct, erase, restrict or object to such processing.
  • Information about the data subject’s right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether We are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it wasn’t collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

What forms of ID will I need to provide in order to access this?

Q<Q accepts the following forms of ID when information on your personal data is requested: passport, driving licence, birth certificate, utility bill from the previous 3 months.


Contact details

Q<Q Limited

Contact Name: Data Protection Officer
Address: 1 Pargate Chase, Norden, Rochdale OL115DZ
Email: privacy@qlessq.co.uk