ShadowQS Privacy Policy (UK)

Last updated: 30 January 2026

1) Who we are

ShadowQS (“we”, “us”) is provided by [LEGAL ENTITY NAME] (company number [●]) of [REGISTERED ADDRESS].

Contact: [privacy@shadowqs.com]

2) What this policy covers

This policy explains how we collect and use personal data when you:

  • visit our website
  • use the ShadowQS platform; and/or
  • contact us or book a demo.

3) The data we collect

We may collect and process:

  • Account data: name, work email, role, company, authentication details.
  • Usage data: log data, IP address, device/browser information, feature usage.
  • Customer content: emails, attachments, and related metadata (e.g. sender, recipients, subject, timestamps) from connected sources, plus any tags or notes added by users.
  • Communications: messages you send us, support tickets, and meeting notes.
  • Cookies and analytics data: where enabled (see Cookies).

4) How we use your data

We use personal data to:

  • provide, operate, and improve ShadowQS;
  • surface commercial events and generate notifications, summaries, and exports requested by users;
  • authenticate users and administer accounts;
  • secure the service and prevent misuse;
  • provide support and service communications;
  • carry out permitted B2B marketing;
  • comply with legal obligations.

5) Lawful bases

Under UK GDPR, we rely on one or more of:

  • Contract – to deliver the service you use;
  • Legitimate interests – service improvement, security, and B2B communications;
  • Consent – where required (e.g. non-essential cookies);
  • Legal obligation – where applicable.

6) Customer content and data roles

For most customer content, your organisation is the Data Controller and ShadowQS acts as a Data Processor, processing content only on your documented instructions via the platform.

7) Sharing and sub-processors

We may share data with trusted service providers (e.g. hosting, infrastructure, analytics, security) acting as sub-processors.

A current sub-processor list is available at [URL] or on request.

8) International transfers

Where data is transferred outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or approved contractual addenda.

9) Security

We apply technical and organisational measures appropriate to the risk, including access controls, encryption in transit, logging, and least-privilege access.

10) Retention

  • Account and usage data is retained for as long as an account is active and as required for security and compliance.
  • Customer content is retained according to your organisation’s configuration or until deletion/export is requested, subject to legal requirements.

Default retention: [e.g. 12 or 24 months].

11) Your rights

Individuals may have rights to access, rectify, erase, restrict, object, and request portability of their data. Where ShadowQS acts as a processor, we assist the controller with these requests.

12) Cookies

We use necessary cookies and, where enabled, analytics or marketing cookies. Consent is requested where required by law.

13) Marketing

We may send B2B marketing communications where permitted. You can opt out at any time.

14) Contact and complaints

Contact us at [privacy@shadowqs.com]

You may also complain to the UK Information Commissioner’s Office (ICO).