At NQC, we're committed to protecting and respecting your privacy.
This Policy explains when and why we collect personal information about people who use our website whether on their own account or as employees, agents or otherwise acting on behalf of another organization (hereafter referred to as 'your organization'), how we use it, the conditions under which we may disclose it to others and how we keep it secure. It also explains your rights in relation to your personal data and how to contact us or a relevant regulator in the event you have a complaint.
We may change this Policy from time to time so please check this page occasionally to ensure that you're happy with any changes.
Any questions regarding this Policy and our privacy practices should be sent by email to privacy@nqc.com or by writing to NQC I Ltd, Paragon Mill, Jersey St, Ancoats, Manchester M4 6JA. Alternatively, you can telephone +44 (0) 161 413 7983.
Who are we?
We're NQC I Ltd, we support our clients to manage risk and compliance in global supply chains via our online platforms.
NQC I Ltd is a registered company (no. 09395308). The registered address is 5 Brooklands Place, Brooklands Road, Sale, Cheshire, M33 3SD.
SUPPLIERASSURANCE.com is provided by NQC I Ltd ('we', 'our' or 'us').
We are typically the controller of personal data obtained via our website, meaning we are the organization legally responsible for deciding how and for what purposes it is used and for providing our Privacy Policy to you. However, in certain circumstances, where you or your organization has been referred to our website, or you or your organization has been asked to use our services because they or you are a supplier of a particular customer and that customer has engaged us in a role as its data processor, that customer will be the relevant data controller and it, as the data controller, is obliged to provide you with its own privacy policy or notice. Where this is the case, the terms of that privacy policy or notice take priority over and replace this policy.
How do we collect information from you?
We obtain information about you when you use our website and submit information about you or your organization and its practices, for example, when you register on our platform and complete one of our online assessments as requested by one of your organization's customers. We may also collect your personal information over the telephone when you speak to one of our Support Representatives.
What type of personal data is collected from you?
The general categories of personal data that we may process are provided in detail below. In addition, we may also obtain your personal data from other sources and not directly from you, and this is explained in more detail in this section.
The personal information we collect might include your name, business address, business email address, IP address, and information regarding what pages you access and when.
Further details are as follows:
- We may process your basic contact details ("contact details"). The contact details may include your name, business email address, business address and business telephone number. The source of the contact details will either be you, someone in your organization or one of your customers.
- We may process data about your use of our website and services ("usage data"). The usage data may include your IP address, geographical location, browser type and version, operating system, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system.
- We may process information contained in any inquiry you submit to us regarding our services ("inquiry data").
- We may process information contained in or relating to any communication that you send to us ("correspondence data"). The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms or the live chat services.
- We may process information relating to your interaction with our website ("automated technologies or interactions") As you interact with our website, we will automatically learn about your browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our Cookies page for further details of individual cookies, and to toggle individual cookies on or off.
As part of the completion process of our online assessments, if you are asked to share the personal information of others, you must ensure you or your organization has obtained their permission to add their details into our assessments. Where you have shared such data, we may contact the concerned persons to confirm such permission was granted. Their details may be shared with other users of our website, which may include transfer of data outside the EEA and the UK, as explained below.
If you or your organization purchase an online assessment from us, your card information is not held by us, it is collected by our third party payment processors, who specialize in the secure online capture and processing of credit/debit card transactions, as explained below.
We collect and use this personal data for the purposes described in the section "How is your personal data used?" below.
How is your personal data used?
Under data protection law, we can only use your personal data if we have a proper reason, e.g.:
- where you have given consent.
- to comply with our legal and regulatory obligations.
| What we use your personal data for | Our reasons |
|---|---|
|
To create and manage your or your organization's account with us (Contact Details) |
The contact details data may be processed for the purposes of operating our website, providing our services and communicating with you or your organization. The legal basis for this processing is our legitimate interests, namely providing our services to our customers. Also, depending on the circumstances your consent was gathered during the account registration process (which can be revoked or updated at any time within your User Details on the website). |
|
To respond to 'Contact Us' inquiries relating to our products and services submitted via our website (Inquiry Data) |
The inquiry data may be processed for the purposes of offering, marketing and selling relevant services to you or your organization. The legal basis for this processing is consent. |
|
Providing our services |
The correspondence data may be processed for the purposes of communicating with you or your organization and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and communications with users to ensure we deal with any queries they may have raised with us, or to inform them of the services they are using. |
|
To transfer your personal data outside of the EEA and the UK |
Where you or your organization confirms, via our platform, that you/it wishes to share such personal data with another entity they may process the same outside of the EEA and UK. The legal basis for such processing may, depending on the circumstances, be as follows:
|
|
To enforce legal rights or defend or undertake legal proceedings |
Depending on the circumstances:
|
|
Customise our website and its content to your particular preferences based on a record of your selected preferences or on your use of our website |
Depending on the circumstances:
|
|
Retaining and evaluating information on your recent visits to our website and how you move around different sections of our website for analytics purposes. This helps us to understand how people use our website so that we can make it more intuitive or to check our website is working as intended |
Depending on the circumstances:
|
|
Communications with you or your organization not related to marketing, including changes to our terms or policies, or changes to our products or services or other important notices |
Depending on the circumstances:
|
|
Protecting the security of systems and data |
To comply with our legal and regulatory obligations We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations. In those cases, our reasons are for our legitimate interests or those of a third party, e.g. to protect systems and data and to prevent and detect criminal activity that could be damaging for you/your organization and/or us. |
|
Disclosures and other activities necessary to comply with legal and regulatory obligations that apply to our business, e.g. to record and demonstrate evidence of your consent where relevant |
To comply with our legal and regulatory obligations |
|
Marketing our services to existing and former website users |
For our legitimate interests or those of a third party, i.e. to promote our business to existing and former website users. See "How do we use your personal data for marketing purposes?" below for further information. |
See "Who has access to your personal data?" below for further information on the steps we will take to protect your personal data where we need to share it with others.
How do we use your personal data for marketing purposes?
We may use your personal data to send you updates (by email) about our services, including exclusive offers, promotions or new services. If we are providing services to your organization rather than to you personally, these will usually be directed towards your organization rather than directed towards you in your personal capacity.
We have a legitimate interest in using your personal data for marketing purposes (see above "How is your personal data used?"). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this separately and clearly.
You have the right to opt out of receiving marketing communications at any time by:
- contacting us at privacy@nqc.com, or,
- updating your email preferences on our website via your user account.
You have a choice about whether or not you wish to receive information from us. You will be asked to opt-in to these notifications when you register on our website. If you do not want to receive direct marketing communications from us then you can select your email notification choices within your user account.
Where the current Privacy and Electronic Communications Regulations (PECR) (or similar rule replacing them), so provide, we will not contact you for marketing purposes by email, phone or text message unless you have given your prior consent. However, please note that the PECR does not apply to corporate email addresses. You can change your marketing preferences at any time by updating your email notification choices within your user account. If you need help to do this, you can contact one of our Support Representatives by email at support@nqc.com or by telephone on +44 (0) 161 413 7983.
We may ask you to confirm or update your marketing preferences if you ask us to provide further products or services in the future, or if there are changes in the law, regulation, or the structure of our business.
We will always treat your personal data with the utmost respect and never sell or share it with other organizations for marketing purposes.
For more information on your right to object at any time to your personal data being used for marketing purposes, see "What are your rights in relation to the personal data we hold?" below.
Who has access to your personal data?
We will not sell or rent your personal data to third parties.
We will not share your personal data with third parties for marketing purposes.
Other Organizations registered on our website: Our websites are designed to be collaborative and to enable organizations and their nominated users to share completed online assessments with other organizations. Your personal details (name, business email address etc.) will typically be linked to a completed assessment and therefore we may pass your information to other organizations as part of this sharing process. We share this information for the purposes of fulfilling our contractual obligations. We will only share the contents of a completed assessment where you or someone within your organization has given us permission to do so. This permission is known as "sharing" on our website and can be managed through the Sharing functions within your online account.
Third Party Service Providers working on our behalf: We may pass your information to our third party service providers for the purposes of completing tasks and providing services to you on our behalf (for example to process a payment for an online assessment, to validate a specific assessment response). However, when we use third party service providers, we disclose only the personal information that is necessary for them to deliver their service to us. We have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.
When you are using our secure online payment pages, your payment is processed by a third party payment processor, who specializes in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
We may transfer your personal information to a third party:
- As part of a sale of some or all of our business and assets to any third party or;
- As part of any business restructuring or reorganization, or;
- If we're under a duty to disclose or share your personal data in order to comply with any legal obligation or;
- To enforce or apply our terms of use or to protect the rights, property or safety of our customers.
However, we will take steps with the aim of ensuring that your privacy rights continue to be protected.
If you would like more information about who we share our data with and why, please contact us (see "How can I contact NQC if I have any questions?" below).
How long will your personal data be kept?
We will not keep your personal data for longer than we need it, for the purpose for which it is used.
Unless otherwise agreed with you as part of our specific contractual obligations with you, we will delete or anonymize any personal data we hold about you within 3 years of your account becoming inactive (where inactivity means no account logins for a consecutive 12-month period).
What are your rights in relation to the personal data we hold?
You generally have the following rights, which you can usually exercise free of charge:
|
Access to a copy of your personal data |
The right to be provided with a copy of your personal data. You have the right to ask for a copy of the information NQC holds about you. You can access this information yourself via your online account. To do this, visit your Dashboard, click your profile icon on the top right of the web page and under Options select "Export Personal Data". |
|
Correction (also known as rectification) |
The right to require us to correct any mistakes in your personal data. You can access your online account at any time to view the personal data and change the information we hold about you (business telephone number, business address etc.). As we use your business email address as the primary way to identify and communicate with you, if you specifically need to amend your email address, you can telephone +44 (0) 161 413 7983 or email support@nqc.com. |
|
Erasure (also known as the right to be forgotten) |
The right to require us to delete your personal data in certain situations (usually where we require your consent to process). |
|
Restriction of use |
The right to require us to restrict use of your personal data in certain circumstances, e.g. if you contest the accuracy of the data. |
|
Data portability |
The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party (in certain situations). Our website enables you to export data in a structured, commonly used and machine-readable format and we also have a number of APIs that can be used by another data controller/processor to transfer data between systems. |
|
To object to use |
The right to object:
|
|
Not to be subject to decisions without human involvement |
The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affecting you. We do not make any such decisions based on data collected by our website. |
For further information on each of these rights, including the circumstances in which they do and do not apply, please contact us (see "How can I contact NQC if I have any questions?" below). You may also find it helpful to refer to the guidance from the UK's Information Commissioner on your rights under the UK GDPR or your appropriate local EEA supervisory authority where relevant.
If you would like to exercise any of those rights, please complete a Contact Us form—available on our website or please email or write to us—see the "How can I contact NQC if I have any questions?" section below to find our contact details. When contacting us please:
- provide enough information to identify and any additional identity information we may reasonably request from you, and,
- let us know which right(s) you want to exercise and the information to which your request relates.
What security precautions do we have in place to protect against the loss, misuse or alteration of your information?
When you give us personal information, we take steps to ensure that it's treated securely. We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Any sensitive information is encrypted and protected with up to 256-bit encryption over TLS V1.2. Where we have given (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We are ISO 27001 certified and have a comprehensive Information Security Management System in place within the organization. This ensures we have robust organizational processes and procedures in place to manage our operations. We have also implemented a number of technical security measures to protect your data including Two-Factor Authentication (where required) and data encryption (both in motion and at rest). We undertake regular penetration tests of our websites to simulate potential attacks on our servers to evaluate the security of the system. We also regularly test our business continuity plans and our ability to quickly restore our website and its content, if required.
How does the website use 'cookies'?
Like many other websites, our website uses cookies. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.
Please see our Cookies policy page for further details of individual cookies, and to toggle individual cookies on or off.
Do we have links to other websites?
Our website may contain links to other websites run by other organizations. This Privacy Policy applies only to our website and platform, so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other websites even if you access them using links from our website.
In addition, if you link to our website from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party website and recommend that you check the policy of that third party website.
Will we transfer your personal data between the EEA and the UK?
We will transfer your personal data to our hosting service providers located outside the UK in mainland Europe.
As we are based in the UK, we will also transfer your personal data from the EEA to the UK.
Will we transfer your information outside of Europe?
As part of the services offered to you through this website, the information which you provide to us may be transferred to countries outside the European Economic Area ("EEA") and the UK (together "Europe").
By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA or if your organization has authorized or requested your contact data to be made available to a supplier or customer based outside of Europe.
Also, if you or your organization accesses our services from outside Europe, your information may be transferred outside the EEA in order to provide these services.
If we transfer your information outside of Europe in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy.
The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
Under data protection laws, we can only transfer your personal data to a country outside the UK/EEA where:
- in the case of transfers subject to UK data protection law, the UK government has decided the particular country ensures an adequate level of protection of personal data (known as an 'adequacy regulation') further to Article 45 of the UK GDPR or the recipient has signed up to legally-approved standard data protection clauses recognized or issued further to Article 46(2) of the UK GDPR.
- in the case of transfers subject to EEA data protection laws, the European Commission has decided that the particular country ensures an adequate level of protection of personal data (known as an 'adequacy decision') further to Article 45 of the EU GDPR or the recipient has signed up to legally-approved standard data protection clauses recognized or issued further to Article 46(2) of the EU GDPR.
- you have given us explicit consent to such transfer of your data; or
- a specific exception applies under relevant data protection law.
Any changes to the types of destinations to which we send personal data or in the transfer mechanisms we use to transfer personal data internationally will be notified to you in accordance with the section on "How will NQC review this Policy?" below.
How will NQC review this Policy?
We keep this Policy under regular review. This Policy was last updated in May 2023.
We reserve the right to change or update this Policy from time to time. If material changes are made, we will place a prominent notice on our Website for at least 30 days prior to the change taking effect, or communicate with you directly by email or through Notifications within your online account, and will update the last revised date at the bottom of this Policy.
How can I contact NQC if I have any questions?
If you have any questions or concerns regarding the use or disclosure of your personal information through the website, about this Privacy Policy or the information we hold about you, to exercise a right under data protection law or to make a complaint, you can contact NQC by email, call or write to us at NQC Ltd, Paragon Mill, Jersey St, Ancoats, Manchester M4 6JA or email privacy@nqc.com, telephone +44 (0) 161 413 7983.
How can I lodge a complaint about your data handling?
We hope that we can resolve any query or concern you raise about our use of your information. If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The supervisory authority in the UK is the Information Commissioner who may be contacted in case of any concerns.
