Privacy Policy

OpesQ Ltd is a company registered in England and Wales. We provide a cloud-based platform that helps businesses manage employee HR data, training records, compliance documents and employment passports.

For the purposes of UK data protection law:

• We are the data controller for personal data we collect directly from website visitors, leads and individual Passport account holders.
• We are the data processor for employee data that businesses upload to or manage through the platform on behalf of their workforce.

Our data protection contact is: hello@opesq.com

We distinguish between three categories of data on the platform. Each has different ownership and handling rules.

• Personal data belongs to the individual it relates to. This includes names, contact details, employment records, training certificates and Passport profiles. The individual always has rights over this data regardless of who uploaded it.
• Company operational data belongs to the business that created it. This includes organisational structures, team configurations, compliance schedules, internal policies and business-specific settings. We process this on behalf of the business under a data processing agreement.
• Platform infrastructure data belongs to OpesQ. This includes system logs, performance metrics, aggregated analytics and platform configuration data. This data does not identify individuals and is used to operate and improve the service.

Passport holders own and control their own Passport data. Sharing a Passport with an employer or prospective employer is always consent-based. Passport holders can:

• Choose which sections of their Passport to share
• Revoke access at any time
• Download a full copy of their Passport data
• Delete their Passport account and all associated data

When a business views a shared Passport, they see only the sections the holder has consented to share. No data is transferred to the business account without explicit holder consent.

We rely on the following lawful bases under UK GDPR:

• Performance of a contract: Processing data of subscribed businesses and their authorised users to deliver the service they have signed up for.
• Legitimate interests: Website analytics and security monitoring, fraud prevention, and service improvement. We have assessed that these interests do not override individual rights.
• Consent: Marketing communications, non-essential cookies and tracking, Passport sharing with third parties, and interactions with our Ada chatbot.

Where we rely on consent, you can withdraw it at any time by contacting us or using the relevant controls in your account settings.

We collect and process the following categories of data:

• Account information: Name, email address, phone number, company name, job title, billing address and payment details for account holders and authorised users.
• Employee records (processed on behalf of employers): Names, contact details, job roles, employment dates, training records, certifications, compliance documents and other HR data uploaded by the subscribing business.
• Passport profiles: Qualifications, work history, training records, certifications and other professional information that Passport holders choose to add.
• Website analytics: Pages visited, time on site, referring source, device type and browser information. Collected via cookies and similar technologies.
• Ada chatbot conversations: Messages exchanged with our AI-powered chatbot, including questions asked and responses provided. These conversations are processed by our AI provider and may be stored to improve service quality.
• Technical data: IP addresses, login timestamps, browser type, operating system and error logs for security and troubleshooting purposes.

We use cookies and similar technologies on our website and platform. These fall into three categories:

• Strictly necessary cookies: Required for the platform to function. These include authentication tokens and session identifiers. You cannot opt out of these.
• Analytics cookies: Help us understand how visitors use our website. We use these to improve user experience. You can opt out via our cookie banner.
• Marketing cookies: Used to deliver relevant advertising and track campaign effectiveness. Only set with your explicit consent.

You can manage your cookie preferences at any time through the cookie settings link in the website footer.

We retain data for the following periods:

• Active account data: Retained for the duration of the subscription or account, plus 30 days after termination to allow for data export.
• Employee records (processor role): Retained as directed by the subscribing business. When a business terminates their subscription, all employee data is deleted 30 days after termination unless the business requests earlier deletion.
• Passport data: Retained until the Passport holder deletes their account or requests deletion.
• Website analytics: Aggregated data retained for up to 26 months. Individual session data deleted after 14 months.
• Ada chatbot conversations: Retained for up to 12 months, then deleted.
• Billing records: Retained for 7 years after the end of the subscription to comply with UK tax and accounting obligations.
• Security logs: Retained for up to 12 months.

We use a limited number of trusted third-party service providers to operate the platform, covering hosting, database infrastructure, email delivery, media storage and AI-powered features. Each sub-processor processes data on our behalf under appropriate contractual safeguards.

A full list of our current sub-processors is available on request by contacting us at hello@opesq.com. We will notify subscribing businesses of any material changes to our sub-processor list in advance.

Our primary database is hosted in a UK/EU data centre region. However, some of our sub-processors are based in the United States.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. For US-based processors, we rely on Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner, along with supplementary technical and organisational measures where necessary.

You can request a copy of the relevant transfer safeguards by contacting us at hello@opesq.com.

Under UK GDPR, you have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data where there is no compelling reason for continued processing.
• Right to data portability: Request your data in a structured, commonly-used, machine-readable format.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@opesq.com. We will respond within one month. If your request is complex, we may extend this by a further two months and will notify you if so.

Note for employees whose data is managed by their employer: If your employer uses OpesQ to manage your HR records, please direct data access requests to your employer in the first instance. As a data processor, we act on the instructions of the subscribing business. We will assist your employer in fulfilling your request.

OpesQ is not designed for or directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

If you are unhappy with how we have handled your personal data, please contact us first at hello@opesq.com so we can try to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

• Website: ico.org.uk
• Telephone: 0303 123 1113

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a notice on the platform. The "Last updated" date at the top of this page shows when the policy was last revised.

If you have any questions about this Privacy Policy or how we handle your data, contact us at:

• Email: hello@opesq.com
• General support: hello@opesq.com
• OpesQ Ltd, registered in England and Wales