Privacy Policy | TrackQUAL

This Privacy Policy explains how Apperley Holdings Ltd. trading as TrackQUAL ("TrackQUAL", "we", "us" or "our") collects, uses, shares, and protects personal data when you use our website, documentation, public forms, customer portals, and the TrackQUAL platform.

This Privacy Policy should be read together with our Terms and Conditions, Cookie Policy, Data Processing Addendum, and Subprocessors page where applicable.

1. Who we are

This section identifies the organisation responsible for this Privacy Policy.

For the purposes of applicable data protection law, the data controller for the processing described in this Privacy Policy is:

Apperley Holdings Ltd. trading as TrackQUAL
Company number: 15798690
Burcombe Road, Chalford, GL6 8BH
Email: info@trackqual.com
Telephone: 01453 374453

2. Scope of this Privacy Policy

This section explains when this policy applies and when it does not.

This Privacy Policy applies where TrackQUAL acts as a controller of personal data, including when we:

operate our public website and documentation pages;
manage waitlist, signup, account administration, support, security, and billing processes;
manage customer and user accounts for access to the TrackQUAL platform;
operate public analytics and cookie consent tools; and
process personal data for our own legal, operational, security, and business administration purposes.

In many cases, TrackQUAL also processes personal data on behalf of its customers when delivering the TrackQUAL platform. In those cases, TrackQUAL generally acts as a processor and the relevant customer is the controller. That processing is governed primarily by the customer's instructions, our agreement with that customer, and our Data Processing Addendum rather than this Privacy Policy alone.

3. Categories of personal data we collect

This section explains the types of personal data we may collect or receive.

Depending on how you interact with TrackQUAL, we may collect or receive the following categories of personal data:

3.1 Identity and contact data

name;
email address;
telephone number;
job title or role;
company, customer, or tenant information; and
postal or business contact details where provided.

3.2 Account and authentication data

login credentials and password-related records;
email verification status;
two-factor authentication status and challenge-related information;
user role, permissions, and tenant/customer access context; and
session identifiers and security-related account metadata.

3.3 Billing and commercial data

billing contact information;
subscription status, plan, and add-on selections;
invoice and transaction metadata;
payment-related records made available through our billing provider; and
account and service configuration linked to billing status.

3.4 Customer platform and operational data

customer, tenant, and user records stored in the platform;
returns, inspections, repairs, approvals, and workflow activity records;
notes, comments, messages, and related operational records;
attachments, uploaded files, images, and branding assets; and
audit logs and activity history associated with use of the service.

3.5 Technical and usage data

IP address and browser information;
device and operating system information;
log data, diagnostic data, and security event data;
locale, route, and request metadata; and
public website and documentation usage information where analytics is enabled.

3.6 Public form and anti-abuse data

waitlist and signup form submissions;
captcha tokens and anti-bot verification signals; and
limited fraud prevention and abuse detection metadata.

4. How we collect personal data

This section explains where the personal data comes from.

We collect personal data in the following ways:

directly from you when you contact us, sign up, join a waitlist, create an account, request support, or otherwise submit information to us;
from your employer, organisation, or the TrackQUAL customer that provides you with access to the platform;
automatically through your use of our website, documentation pages, login flows, and platform;
from cookies and similar technologies, subject to applicable consent choices;
from our payment, hosting, email, analytics, and security providers; and
from other authorised users or administrators within a customer account who create, manage, or update user records.

5. How we use personal data

This section explains the main purposes for which we use personal data.

We use personal data for the following purposes:

to provide, operate, maintain, and secure the TrackQUAL platform and related services;
to create and manage accounts, user access, tenant access, and customer portal access;
to authenticate users and support login, password reset, email verification, and two-factor authentication;
to process customer workflows such as returns, inspections, approvals, repairs, and related communications;
to send transactional emails and service notifications;
to manage subscriptions, invoicing, billing, and commercial administration;
to respond to support requests, product enquiries, and waitlist submissions;
to monitor usage, troubleshoot issues, and improve service reliability and performance;
to protect the security, integrity, and resilience of our systems and services;
to detect, prevent, and investigate fraud, abuse, and other misuse;
to comply with legal and regulatory obligations; and
to analyse use of our public website and brochure pages where analytics is enabled and permitted.

6. Lawful bases for processing

This section explains the legal bases we rely on under UK GDPR / EU GDPR where applicable.

Where applicable under data protection law, we rely on one or more of the following lawful bases:

Performance of a contract: where processing is necessary to provide the TrackQUAL services, manage access, or fulfil our obligations under an agreement.
Legitimate interests: where processing is necessary for our legitimate interests, such as operating and improving the platform, securing our systems, preventing abuse, managing support, administering our business, and understanding public-site usage.
Consent: where we rely on consent, including for certain analytics or cookie-related activities on public pages.
Legal obligation: where processing is necessary to comply with applicable law, regulation, court order, or lawful request from an authority.

Where we rely on legitimate interests, we do so only where those interests are not overridden by your rights and interests.

7. When TrackQUAL acts as processor

This section explains the controller/processor split for customer platform data.

Where TrackQUAL processes personal data within the platform on behalf of a customer, such as customer-submitted operational records, workflow data, user records, attachments, and related business content, TrackQUAL generally acts as a processor and the relevant customer acts as the controller.

In those cases:

the customer determines the purposes for which that personal data is processed;
TrackQUAL processes that data on the customer's instructions;
our Data Processing Addendum applies where relevant; and
if you are using TrackQUAL through a customer organisation, you may need to contact that organisation directly to exercise certain privacy rights relating to that data.

8. Cookies and similar technologies

This section explains our use of cookies and related technologies at a high level.

TrackQUAL uses cookies and similar technologies for purposes including:

maintaining secure sessions and authenticated access;
storing language and locale preferences;
supporting tenant context and security flows;
recording public-page cookie consent choices; and
enabling public-page analytics where the relevant consent has been given.

Examples of cookies and similar values identified in the current codebase include:

trackqual_session for signed-in session handling;
trackqual_active_tenant for tenant context where relevant;
trackqual_2fa_challenge for temporary two-factor authentication challenge handling;
NEXT_LOCALE and app_locale for locale and language routing; and
tq_cookie_consent_v1 for brochure-page analytics consent preferences.

For more detail, please see our Cookie Policy.

9. Public analytics and tags

This section explains our current public analytics setup.

TrackQUAL currently uses Google Tag Manager on public-facing layouts where the relevant public navigation or public header components are used and where a GTM ID has been configured.

Based on the current codebase, GTM is used on brochure-style public pages, legal pages, documentation/public resources layouts, and certain public authentication-related pages, rather than being globally mounted across every authenticated area of the platform.

GTM currently contains a Google tag and a Metricool tag. Additional tags may be added from time to time.

Analytics-related processing on public pages is intended to be governed by our cookie consent controls, with analytics storage denied by default unless the visitor accepts analytics cookies.

This section explains when we share personal data with others.

We may share personal data with:

our hosting, infrastructure, database, storage, and email service providers;
our billing and payment provider;
analytics, anti-bot, and security service providers where relevant;
professional advisers such as lawyers, accountants, auditors, and insurers where necessary;
courts, regulators, law enforcement, or other public authorities where required by law or to protect our rights and interests; and

Where TrackQUAL uses subprocessors to process customer personal data on behalf of customers, those subprocessors are described on our Subprocessors page.

11. Third party service providers

This section summarises key third party providers identified in the current service stack.

Based on the current codebase and operating model, TrackQUAL may use providers such as:

Microsoft Azure for hosting, application infrastructure, database, blob storage, and email-related services;
Stripe for billing, subscriptions, invoicing, and related payment administration;
Google services for GTM, public analytics-related tags, and reCAPTCHA where enabled;
Metricool where enabled through GTM or public-page analytics configuration; and

These providers may process personal data in accordance with their own terms and privacy documentation where applicable - please see the subprocessors section for more information.

12. International transfers

This section explains that personal data may be processed outside the UK or EEA.

Some of our service providers may process personal data outside the UK or European Economic Area. Where we make or permit such transfers, we take steps designed to ensure that appropriate safeguards are in place as required by applicable data protection law.

Those safeguards may include adequacy decisions, Standard Contractual Clauses, the UK International Data Transfer Agreement, the UK Addendum, or other recognised transfer mechanisms.

Please see the subprocessors section for more information.

13. Data retention

This section explains how long we keep personal data.

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including for service delivery, support, security, legal compliance, dispute resolution, enforcement of our agreements, and legitimate business record-keeping.

Retention periods vary depending on the nature of the data and the reason we hold it. For example:

account and service records may be retained for the duration of the relationship and a reasonable period afterwards;
billing and financial records may be retained for longer where required for tax, accounting, or compliance reasons;
security logs and authentication records may be retained for a limited period consistent with security and audit needs; and
backup copies may persist for a limited period in line with our backup and recovery practices.

14. Security

This section explains how we protect personal data.

We use technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or unauthorised access.

These measures may include:

role-based access controls;
authentication and session controls;
logging and monitoring;
transport and storage protections where appropriate;
secure development and operational controls; and
vendor and infrastructure safeguards provided by our service providers.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

15. Your rights

This section explains the privacy rights available under applicable law.

Depending on your location and the circumstances of the processing, you may have rights to:

access personal data we hold about you;
request correction of inaccurate or incomplete personal data;
request deletion of personal data;
request restriction of processing;
object to certain processing;
request portability of certain personal data; and
withdraw consent where processing is based on consent.

If TrackQUAL processes your personal data as a processor on behalf of one of our customers, you may need to contact that customer directly first so they can assess and respond to your request as controller.

To exercise rights relating to personal data for which TrackQUAL is the controller, please contact info@trackqual.com.

16. Complaints

This section explains your right to complain to a regulator.

If you have concerns about how we handle personal data, we would appreciate the opportunity to address them first. You may contact us using the details in this Privacy Policy.

If you are in the UK, you also have the right to lodge a complaint with the Information Commissioner's Office (ICO). If you are in the EEA, you may have the right to complain to your local supervisory authority.

17. Children's privacy

This section explains that our services are not intended for children.

TrackQUAL is not intended for children, and we do not knowingly collect personal data from children for our own purposes through the website or services. If you believe that a child has provided personal data to us inappropriately, please contact us.

18. Changes to this Privacy Policy

This section explains that the policy may change over time.

We may update this Privacy Policy from time to time to reflect changes to our services, legal obligations, operational practices, or data processing activities. When we do, we will publish the updated version and revise the date at the top of this page.

19. Contact us

If you have any questions about this Privacy Policy or how we handle personal data, please contact: