Data Protection and Data Flows

Created: 19 Mar 2026

Last updated: 19 Mar 2026

This page provides a high-level overview of how Apperley Holdings Ltd. trading as TrackQUAL ("TrackQUAL", "we", "us" or "our") approaches data protection, data flows, data residency, international transfers, and the roles of controller and processor within the TrackQUAL service.

This page is intended as a practical trust and transparency summary. It should be read alongside our Privacy Policy, Data Processing Addendum, Subprocessors page, and relevant customer contract documents.

1. Scope of This Page

This section explains what this page is intended to cover.

TrackQUAL is a software platform used by customers to manage operational, quality, compliance, and related workflow information. Depending on the context, TrackQUAL may process personal data on behalf of customers, or may process personal data for its own business purposes.

This page explains, at a high level:

  • our UK data residency position;
  • when TrackQUAL acts as a processor and when it acts as a controller;
  • the high-level flow of customer and service data through the platform;
  • the role of key subprocessors and service providers;
  • our approach to cross-border transfers; and
  • how this page relates to our DPA and related documents.

2. UK Data Residency Position

This section explains our general hosting and residency position.

TrackQUAL's primary service and core customer data environment are intended to be hosted using UK-based Microsoft Azure services. Our aim is to keep core application and customer data within the United Kingdom wherever reasonably practicable for the operation of the platform.

This UK-focused approach applies principally to the core platform environment, including application hosting, primary database services, and related storage used to operate the TrackQUAL service.

However, some supporting service providers and operational functions may involve processing outside the UK, depending on the service used, the provider's infrastructure model, the customer's own configuration choices, or the nature of the relevant support, billing, communication, analytics, or anti-abuse services.

For that reason, this page should not be read as a statement that no personal data ever leaves the UK. Instead, it reflects our general position that TrackQUAL is designed and operated with a UK hosting focus for core service data, while recognising that some limited processing or transfers may occur in other locations where necessary to provide, secure, support, or improve the service.

3. Controller and Processor Split

This section explains the main legal roles TrackQUAL performs.

TrackQUAL does not act in a single role for all personal data. Our role depends on the nature of the data and the purpose for which it is processed.

In general:

  • TrackQUAL acts as a processor where we process customer content and related personal data on behalf of a customer in order to provide the TrackQUAL platform and related services.
  • TrackQUAL acts as an independent controller where we process personal data for our own legitimate business purposes, such as account administration, billing, service security, fraud prevention, support management, legal compliance, and business operations.

Examples of data that customers may control include personal data that customers or their authorised users upload, enter, import, or manage within the TrackQUAL platform as part of their own operational use of the service.

Examples of data that TrackQUAL may control directly include:

  • customer account and contact details;
  • subscription, invoicing, and billing records;
  • support correspondence and operational communications;
  • authentication, access, and security-related records;
  • service administration and audit-related information; and
  • website interaction data processed under our Privacy Policy and cookie settings where applicable.

Where TrackQUAL acts as a processor, the applicable processing terms are addressed through our customer contracts and our Data Processing Addendum.

4. High-Level Data Flow

This section explains, in simple terms, how data typically moves through the service.

At a high level, the flow of data within TrackQUAL typically works as follows:

  1. Customer users access the TrackQUAL service and submit, view, update, or manage information through the application.
  2. That information is processed by the TrackQUAL application environment hosted on Microsoft Azure.
  3. Core application data is stored within the platform's managed database and storage services used to operate the service.
  4. Certain operational events, system records, and service activity data may be logged or monitored for security, support, reliability, and incident response purposes.
  5. Where needed for service communications, TrackQUAL may use email or notification providers to send operational or account-related messages.
  6. Where customers purchase or manage subscriptions, billing-related information is processed through Stripe and related billing workflows.
  7. Where specific product functionality requires it, specialist service providers may support defined features, such as language translation or anti-abuse controls.

In most cases, customer content remains within the core TrackQUAL service environment and is only shared with supporting providers where needed to operate, secure, support, or maintain the service.

5. Key Subprocessors and Service Providers

This section summarises the main categories of supporting providers.

TrackQUAL uses a limited set of third-party providers to support platform delivery, communications, billing, security, and related operations. Key providers may include:

  • Microsoft Azure, for core hosting, application infrastructure, database, storage, and related cloud services;
  • Stripe, for payment processing, subscription billing, and related financial transaction handling;
  • Microsoft Azure Communication Services Email and/or Twilio SendGrid, for service-related email delivery and operational communications;
  • Google reCAPTCHA, for anti-abuse and bot protection on relevant public-facing forms or interactions; and
  • Microsoft Azure Translation Services, where used to support relevant translation functionality.

Some additional providers may be used in connection with the public website, analytics, consent management, or other supporting business operations. A fuller and more current description of relevant providers is set out separately on our Subprocessors page.

Not every provider processes the same types of data, and not every provider is involved in every customer workflow. Provider involvement depends on the feature used and the operational context.

6. Cross-Border Transfer Position

This section explains how we approach international transfers.

Because TrackQUAL uses third-party providers and supporting services, some personal data may be accessed from, processed in, or transferred to countries outside the United Kingdom.

Where such transfers occur, TrackQUAL seeks to ensure that they are supported by an appropriate lawful transfer mechanism and suitable safeguards, taking into account the nature of the data, the countries involved, and the provider relationship.

Depending on the circumstances, those safeguards may include:

  • transfers to jurisdictions that benefit from a recognised adequacy framework;
  • contractual safeguards such as standard contractual clauses or the UK addendum where appropriate;
  • provider commitments relating to security, confidentiality, and restricted processing; and
  • vendor due diligence and contractual controls proportionate to the relevant service.

Where TrackQUAL acts as a processor, our DPA addresses the framework for subprocessing and international transfers in more detail.

7. Data Protection Measures

This section summarises the broader protection approach around the service.

TrackQUAL approaches data protection through a combination of contractual controls, technical measures, operational processes, and access restrictions appropriate to the nature of the service.

These measures include, at a high level:

  • role-based access controls and tenant-aware application design;
  • authentication and account security controls, including support for two-factor authentication capability where enabled;
  • encryption in transit and use of managed infrastructure security controls;
  • logging and monitoring to support service security and operational response;
  • backup and recovery practices for key service components; and
  • review and improvement of controls over time as the platform evolves.

Further detail is provided separately in our Security Overview and related trust documentation.

8. Relationship to the DPA

This section explains how this page links to the contractual processor terms.

This page is a summary document and does not replace the contractual terms that apply when TrackQUAL processes personal data on behalf of customers.

Where TrackQUAL acts as a processor, the detailed processor obligations are addressed in our Data Processing Addendum, including matters such as:

  • the subject matter and duration of processing;
  • the nature and purpose of processing;
  • the categories of personal data and data subjects involved;
  • confidentiality and security obligations;
  • subprocessor controls;
  • international transfer provisions; and
  • deletion or return of data at the end of services, where applicable.

If there is any inconsistency between this overview page and an executed customer contract or DPA, the relevant contract or DPA will take precedence.

9. Customer Responsibilities

This section clarifies that customers also have a role in compliance.

Customers remain responsible for their own use of the TrackQUAL platform, including determining what information they upload, the lawful basis on which they use personal data, how they configure internal access, and whether their own notices, policies, or retention practices meet their legal obligations.

Customers should ensure that they do not use the service in a way that is unlawful or inconsistent with their own compliance obligations.

10. Further Information

This section explains where to look for related documents.

This page should be read together with the following documents where relevant:

  • Privacy Policy;
  • Cookie Policy;
  • Data Processing Addendum;
  • Subprocessors;
  • Security Overview; and
  • Availability, Backup and Incident Response.

11. Contact

If you require additional information about TrackQUAL's data protection approach, processing roles, subprocessors, or international transfer position, please contact us.

Apperley Holdings Ltd. trading as TrackQUAL
Company number: 15798690
Burcombe Road, Chalford, GL6 8BH
Email: info@trackqual.com
Telephone: 01453 374453

Copyright © 2026 Apperley Holdings Ltd. (no. 15798690) t/a TrackQUAL - All rights reserved.