ShadowQS Privacy Policy (UK)
Last updated: 30 January 2026
1) Who we are
ShadowQS (“we”, “us”) is provided by [LEGAL ENTITY NAME] (company number [●]) of [REGISTERED ADDRESS].
Contact: [privacy@shadowqs.com]
2) What this policy covers
This policy explains how we collect and use personal data when you:
- visit our website
- use the ShadowQS platform; and/or
- contact us or book a demo.
3) The data we collect
We may collect and process:
- Account data: name, work email, role, company, authentication details.
- Usage data: log data, IP address, device/browser information, feature usage.
- Customer content: emails, attachments, and related metadata (e.g. sender, recipients, subject, timestamps) from connected sources, plus any tags or notes added by users.
- Communications: messages you send us, support tickets, and meeting notes.
- Cookies and analytics data: where enabled (see Cookies).
4) How we use your data
We use personal data to:
- provide, operate, and improve ShadowQS;
- surface commercial events and generate notifications, summaries, and exports requested by users;
- authenticate users and administer accounts;
- secure the service and prevent misuse;
- provide support and service communications;
- carry out permitted B2B marketing;
- comply with legal obligations.
5) Lawful bases
Under UK GDPR, we rely on one or more of:
- Contract – to deliver the service you use;
- Legitimate interests – service improvement, security, and B2B communications;
- Consent – where required (e.g. non-essential cookies);
- Legal obligation – where applicable.
6) Customer content and data roles
For most customer content, your organisation is the Data Controller and ShadowQS acts as a Data Processor, processing content only on your documented instructions via the platform.
7) Sharing and sub-processors
We may share data with trusted service providers (e.g. hosting, infrastructure, analytics, security) acting as sub-processors.
A current sub-processor list is available at [URL] or on request.
8) International transfers
Where data is transferred outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or approved contractual addenda.
9) Security
We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit, logging, and least-privilege access.
10) Retention
- Account and usage data is retained for as long as an account is active and as required for security and compliance.
- Customer content is retained according to your organisation’s configuration or until deletion/export is requested, subject to legal requirements.
Default retention: [e.g. 12 or 24 months].
11) Your rights
Individuals may have rights to access, rectify, erase, restrict, object, and request portability of their data. Where ShadowQS acts as a processor, we assist the controller with these requests.
12) Cookies
We use necessary cookies and, where enabled, analytics or marketing cookies. Consent is requested where required by law.
13) Marketing
We may send B2B marketing communications where permitted. You can opt out at any time.
14) Contact and complaints
Contact us at [privacy@shadowqs.com]
You may also complain to the UK Information Commissioner’s Office (ICO).