Qudo Privacy Notice
Protecting your privacy | January 2023 | V1.1
Who are we
Questionardo Ltd. is a company registered in England and Wales (number 12823944). Our registered address is 3rd Floor, 5-11 Worship Street, London, United Kingdom, EC2A 2BH.
References in this Privacy Notice to ‘Qudo’, ‘we’, ‘us’ or ‘our’ mean ‘Questionardo’.
Information about Qudo and our services can be found on our website: www.qudo.ai
Qudo is a ‘data controller’ for the purposes of the Data Protection Act 2018 (‘DPA 2018’) and the UK General Data Protection Regulation (‘UK GDPR’): we are registered with the Information Commissioner’s Office (ICO), registration number ZB252851.
Our Data Protection Officer (DPO) can be contacted via: email@example.com
This Privacy Notice contains important information about who we are and how and why we collect, store, use and share personal information. It tells you about your data subject rights and how to contact us and/or the UK Regulator if you have a complaint.
We are committed to respecting and protecting your privacy. This Privacy Notice will answer any questions about our processing activities. If not, please contact us using any of the methods shown below in the section entitled “How Do I contact you?”.
What types of information do we collect from you
In this Privacy Notice, the term “personal information” means data relating to you that allows us to identify you directly or in combination with other information we may hold.
Special Categories of Personal Data
The UK GDPR defines special categories of personal data as information about a person’s race and ethnicity, religious or philosophical beliefs, trade union memberships, political opinions, genetic data, biometric and health data, and information concerning a natural person’s sex life or sexual orientation.
Criminal Offence data
Criminal offence data is information relating to criminal convictions and allegations of criminal activity. This includes information disclosed by the Disclosure and Barring Service (DBS) under the Government’s employment vetting scheme.
Lawful bases for processing your personal information
The lawful bases for processing personal information are set out in Article 6 of the GDPR. At least one of these must apply whenever we process personal information:
- Consent: we collect and process your personal information with your consent. This may include when you agree to receive an email about how we can support you or how you would like to receive information about us or our services.
- Contract performance: the processing is necessary for the performance of a contract you have with us, or for the purposes of entering into a contract with us.
- Compliance with legal obligation: the processing is necessary to comply with the law for tax, social security, employment purposes etc. This will include sharing with law enforcement agencies details of people involved in fraud or other criminal activity.
- Protection of vital interests: the processing is vital to an individual’s vital interests.
- Public interest: the processing is necessary to perform a task that is in the public interest or for an official function, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal information that overrides those legitimate interests.
Conditions to process special category personal data
We rely on the following conditions (as appropriate) under Article 9 of the UK GDPR to process special categories of personal data:
- Explicit consent
- Employment, social security, and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research, and statistics (with a basis in law)
We collect the least amount of special category data possible for our processing purposes.
The processing of special category data is covered by our policies and procedures and all processing activities involving the processing of special category personal data are listed in our ‘Record of Processing Activity’.
Further legal controls are applied to the processing of criminal offence data. Such data is processed under the substantial public interest conditions listed in Schedule 1, DPA 2018.
The data processing principles
The law requires us to
- process your data in a lawful, fair and transparent way;
- only collect your data for explicit and specified purposes;
- only collect data that is relevant, and limited to the purpose(s) we have told you about;
- ensure your data is accurate and, where necessary, kept up to date;
- keep your data only for as long as necessary for the purpose(s) we have told you about;
- implement appropriate security measures to protect your data.
Personal information we collect
If you choose to participate in one of our surveys, we may collect personal information about your opinions, behaviours, needs, and priorities through the use of anonymous surveys. This information may include demographic information, such as your age, gender, and location, as well as information about your media and aesthetic preferences.
We may also collect information about your device, including its IP address, in order to prevent duplicate responses and ensure that we have a diverse range of respondents from designated countries or regions.
We may also collect personal information from you if you apply for a job with us or use one of our products. This information may include but is not limited to your name, address, telephone number, email address, and date of birth.
How we use the information about you
We use your personal information for the following purposes:
We use your personal information to send you surveys and request feedback. These messages will not include any fundraising requests or direct marketing, and they do not require prior consent when sent by email.
Your responses are collected under the provisions of the UK Data Protection Act 2018, UK GDPR and the Market Research Society’s Code of Conduct, Fair Data Principles and used for statistical and analytical purposes.
It is in our legitimate interest to send these messages as doing so is helping us to render and or improve our services and make them more relevant to our customers. You can opt-out of receiving survey requests if you do not wish to participate.
Your responses will not identify you as an individual, and when you complete the survey, your responses are aggregated to provide anonymous insights.
Providing the Services
Qudo uses your personal information to operate and provide services to our clients. However, we also process your personal information in reliance on our legitimate interests to manage and improve our operations, systems, and services, and to provide you with the content, products, or services you access via our website (e.g., to download content).
Improving and Developing the Services
Qudo uses your personal information to understand and analyse trends to identify future opportunities for developing, promoting, and improving the services we offer to our clients. We do this in our legitimate interests, i.e. to develop and improve their products and services. Alternatively, we process your personal information with your consent, freely given when you complete the survey we send you.
Qudo analyses the personal information we collect from you in a non-identifiable form, to develop new features, capabilities, or products, improve user experiences, assess capability requirements, and identify customer opportunities. We also may send push notifications to your device. You have choices in regard to the communications you receive from us.
Qudo uses the personal information we collect to communicate with you. We do this under the lawful basis of legitimate interests. For instance, to respond to your inquiries by sending e-mails to an e-mail address you provided for customer service or technical-support purposes; to troubleshoot and diagnose technical problems to help us provide, improve, and secure our products, services, and training; and to investigate security incidents.
Securing the Services
Qudo processes your personal information in reliance on our legitimate interest to maintain the safety, integrity and security of our services, including detecting, preventing, or otherwise addressing fraud, verifying accounts and activity, investigating suspicious activity, and enforcing our terms and policies, and protecting our rights and the rights of others.
Qudo uses your personal information to send you promotional communications about Qudo, including product recommendations and other non-transactional communications (e.g. marketing newsletters or push notifications) according to your marketing preferences. Such communications may include information about our products, which are sent for our legitimate interest purposes and yours, or under the lawful basis of consent if you have previously consented to receive direct marketing communications. You can elect to stop receiving direct marketing emails from Qudo by contacting us using any of the methods shown in the ‘How do I contact you?’ section (see below).
Qudo uses your personal information to send you relevant advertisements, provide personalised information about our services, and provide other personalised content based on your activities and interests to the extent that doing so is in our legitimate interest, i.e. to advertise our services, or where necessary, to the extent that you have provided your prior consent. For these purposes, we may link or combine information about you with other personal information we get from third parties to help understand your needs and provide you with a better and more personalised service or content.
Qudo may use your personal information for other legitimate business purposes in reliance on our legitimate interests, such updating, expanding, and analysing our records, identifying new customers, data analysis, to protect, investigate, and deter against fraudulent, unauthorised, or illegal activity, developing new products, enhancing, improving or modifying our services, identifying usage trends, determining the effectiveness of our promotional campaigns, free trials and operating and expanding our business activities.
When you visit our website, we may collect your IP Address, page visited, web browser, any search criteria entered, previous web page visited and other technical information.This information is used solely for web server monitoring and to deliver the best visitor experience.
If, at any time, you do not wish to receive further information about us or our services, contact us by using any of the methods shown below in the section entitled ‘How do I contact you?’.
Sometimes, we need to inform you about certain changes or events that are taking place. For instance, when planned maintenance will be carried out on our website. We do so by using service messages, sent by email, that do not require your prior consent. These messages ensure we comply with our legal obligations and support you by providing excellent ongoing customer service. Service messages do not include any marketing material.
Links To Other Websites
Our website may also contain links to other third-party websites of interest. This Privacy Notice does not cover these websites, and we encourage you to refer to the privacy notices on the third-party website to find out what they do with your personal information.
Sharing Your Personal Data
Your personal information will not be sold to or shared with third-party organisations or published or made available on publicly accessible platforms. However, your responses will be aggregated with other participants’ responses to create summative insights and visualisation that might be published or shared with third-party organisations.
We may disclose your personal information to third parties if we are under a duty to disclose or share your personal information to comply with any legal obligation, enforce or apply any agreements, or protect the rights, property, or safety of the organisation or other individuals. Such disclosures include, but are not limited to, exchanging information with other companies and organisations under statutory regulations for safeguarding purposes.
Qudo may disclose your personal information when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws, to the extent that the processing or disclosure of personal information is done to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
How long will we retain your personal Data
The length of time we retain your personal information in a live environment depends on the type of information collected, the reason it was collected and how it is to be used. Typically, the retention period for personal information collected in relation to a research project is a year from the date the research project ended. If for technical reasons, we are unable to delete your personal information from our systems, we will put in place appropriate measures to prevent any further use of your personal information.
We maintain a retention schedule to help manage our storage limitation responsibilities. However, we may keep your personal information for longer to establish, exercise, or defend our legal rights and yours. Where such a need exists, your personal information will be securely archived with restricted access, and other appropriate safeguards will be applied.
Alternatively, we may completely anonymise your personal information (so that you can no longer be identified) for research and analysis purposes. We may retain this information indefinitely without further notice to you.
For further information about applicable retention periods, please contact us using any of the methods shown below in the ‘How do I contact you?’ section.
The services we offer are not directed at children under the age of 18, and we do not knowingly collect, maintain, or use personal information from children under 18 years of age.
If you learn that your child has provided us with personal information without your consent, you may alert us using any of the methods shown below in the ‘How do I contact you?’.
If we learn that we have unwittingly collected personal information from a child under 18, then we will promptly take steps to delete such information.
Security of your personal information
We take the privacy and security of your personal information very seriously, and accordingly, we have implemented appropriate technical and organisational measures to protect your personal information against unauthorised or unlawful processing and accidental loss, destruction, or damage.
The measures we’ve applied include having clear internal policies and procedures in place and maintaining the physical security of our premises and IT security technologies to prevent unauthorised access, damage, and loss of your personal information. Additionally, we have implemented appropriate security procedures, including access controls, to ensure confidentiality. We limit access to your personal information to only those who genuinely need to know.
It should be noted that the transmission of information via the Internet is not completely secure, and whilst we will do our very best to protect your personal information, we cannot guarantee the security of any personal information transmitted to our website; any such transmission is carried out at your own risk. We do have procedures to deal with any suspected data security breach, and we will notify you and the UK regulator of any actual security breach once the breach is confirmed, and if we are legally required to do so.
Locations of Processing
The personal information we collect from you is processed on our servers located in the UK. We will ensure that your personal information is provided with adequate protection if it becomes necessary to transfer your personal information to a country without a finding of adequacy by the European Commission (EC) or the UK regulator.
Transfers of personal information outside of the European Economic Area (EEA) to a country that has not been granted a finding of adequacy either by the EC or the UK regulator, will be carried out using ‘appropriate safeguards’, i.e. Binding Corporate Rules (BCR), Standard Contract Clauses (SCC) (also known as Model Contract Clauses) supported by the UK Addendum, or an International Data Transfer Agreement (IDTA) supported by a Transfer Risk Assessment (TRA) (as required under UK law). Alternatively, we may rely on approved Codes of Conduct (once published by the UK regulator), or we will seek your consent (where appropriate), on a case-by-case basis.
What are my data subject rights
We support your data subject rights in relation to the processing of your information under the DPA 2018 and the UK GDPR, including your:
- right to be informed (chiefly via this Privacy Notice)
- right of access
- right to rectification
- right to erasure
- right to restrict processing
- right to data portability
- right to object
- rights related to automated decision-making including profiling
You can exercise any of these rights, including your right to request a copy of any information we hold about you (otherwise referred to as a Subject Access Request), by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.
We will usually respond within one month of receiving your request.
To protect the confidentiality of your information and in our interests, we may sometimes ask you to verify your identity before proceeding with any request to access your information.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to request such information.
Updating my information
You may choose to correct, update, or delete your personal information by contacting us at any time using any of the methods shown below in the ‘How do I contact you?’ section.
If you have opted-in to receive communications from us, your preferences will remain in effect until you tell us that you want to opt out of receiving any further communications.
You can change your mind at any time by contacting us using any of the methods shown below in the ‘How do I contact you?’ section.
Withdrawing my consent
Where we process your information based on your consent, you may withdraw your consent at any time. You can do this by contacting us using the methods shown below in the ‘How do I contact you?’ section.
Making a complaint to us
We hope you’ll never need to do so, but if you do want to complain about our use of your personal information, or our facilitation of your data subject rights requests, you can contact us using any of the methods shown below in the ‘How do I contact you?’ section.
Our DPO will investigate your complaint and provide a prompt and appropriate response.
How do I contact you
You may contact us using any of the following methods:
By post: Data Protection Officer, 3rd Floor. 5-11 Worship Street, London, EC2A 2BH
By email: firstname.lastname@example.org
Making a complaint to the Information Commissioner
You can complain to the Information Commissioner at any time. For instance, if you are unhappy with how we are processing your information or we have failed to facilitate your data subject rights.
The Information Commissioner can be contacted as follows:
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By phone: 0844 496 4636 (local rate)
Further information on how to complain to the ICO can be found here: ICO Make a Complaint
Changes to this Privacy Notice
We continuously review the content of our Privacy Notice to ensure it accurately reflects what we do with your information, or we may change this Privacy Notice to reflect changes in the law. We recommend that you check this page regularly to keep up to date.
This Privacy Notice was last updated in January 2023.