Privacy Policy

This Privacy Policy explains how we process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Identity of Controller

TAL Marketing Group Limited is the data controller responsible for your personal data.

Registered Address:
TAL Marketing Group Limited t/a qa.ai
Work.Life, Brown Street, Manchester, M2 1DH

Contact Details:
Email: hello@qaai.co.uk
Phone: 0161 706 1710

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.

2. Categories of Data

We collect and process:

Account Information
Name, business details, email address, credentials.

Usage and Technical Data
IP address, browser type, device information, logs, error diagnostics, performance metrics.

Monitoring Data
Synthetic test outputs, necessary test artefacts, configuration files, audit logs, OAuth tokens where integrations are enabled.

Marketing and Analytics Data
Information collected via Google Analytics 4, Google Tag Manager, Mixpanel, Microsoft Clarity, and associated tracking technologies.

3. Lawful Bases

Processing is undertaken pursuant to:

• Performance of contract;
• Legitimate interests (security, fraud prevention, service improvement);
• Consent (marketing and non-essential cookies);
• Compliance with legal obligations.

4. Data Retention

We retain personal data only as long as necessary:

• Account data: duration of account plus six years;
• Billing data: six years;
• Monitoring logs: 90 days;
• Audit logs: subscription duration plus 12 months;
• OAuth tokens: deleted within 30 days of integration removal;
• Backups: up to 60 days.

Backups are retained for disaster recovery purposes only and automatically deleted thereafter.

5. Data Sharing

We may share data with:

• Cloud hosting providers (including UK-based infrastructure);
• Payment processors;
• Analytics providers;
• Integration partners enabled by you (e.g., Slack, webhook recipients).

International transfers are subject to appropriate safeguards, including UK IDTA where applicable.

6. Security Measures

We implement appropriate technical and organisational measures, including:

• Encryption in transit and at rest;
• Role-based access controls;
• Multi-factor authentication;
• Credential hashing;
• Periodic security review and testing.

7. Your Rights

Under data protection law, you have the right to:

• Access: Request a copy of the personal data we hold about you;
• Rectification: Ask us to correct inaccurate or incomplete data;
• Erasure ("Right to be Forgotten"): Request deletion of your data in certain circumstances;
• Restriction: Request that we restrict how we process your data;
• Objection: Object to processing where we rely on legitimate interests (including profiling);
• Withdrawal of Consent: Withdraw consent at any time (e.g. for credit searches or marketing);
• Data Portability: Request transfer of your data to another provider.

To exercise these rights, contact us at hello@qaai.co.uk.

We would appreciate the chance to resolve any concerns before you contact the ICO. However, you also have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

Data Processing Addendum (Annex 1)

1. Scope and Roles

This Addendum forms part of the Terms. Customer acts as Controller. Company acts as Processor.

2. Subject Matter and Duration

Processing relates to provision of synthetic monitoring and operational testing services for the duration of the subscription.

3. Nature and Purpose of Processing

Processing includes hosting, executing, storing, and transmitting monitoring data configured by Customer.

4. Categories of Data Subjects and Data

Data subjects may include end users interacting with monitored journeys. Categories of personal data depend on Customer configuration and may include identifiers entered within synthetic test scripts.

5. Processor Obligations

The Company shall:

• Process personal data only on documented instructions;
• Ensure confidentiality of personnel;
• Implement appropriate security measures;
• Notify Customer without undue delay upon becoming aware of a personal data breach;
• Assist Customer in fulfilling data subject rights;
• Delete or return personal data upon termination, subject to legal retention requirements.

6. Subprocessors

We may share personal data with third-party subprocessors to provide, operate, and maintain the Service. Current subprocessors include:

Infrastructure & Hosting

• DigitalOcean, LLC — cloud hosting, storage, and servers
• Cloudflare, Inc. — DNS, CDN, and security services
• GoDaddy, Inc. — domain registration
• Laravel Holdings Inc. d/b/a Laravel Forge — server provisioning, deployment, and management
• Peaberry Software Inc. d/b/a Customer.io — customer data platform, email delivery

Payment & Billing

• Stripe, Inc. — payment processing and billing

Analytics & Monitoring

• Google, LLC — Google Analytics 4 (website and usage analytics), Google Tag Manager (tag management for analytics and marketing)
• Mixpanel, Inc. — product analytics
• Microsoft Corporation — Clarity (session replay and behaviour analytics)
• Laravel Holdings Inc. d/b/a Laravel Nightwatch — error tracking, performance monitoring, and logging

Integrations

• Slack Technologies, LLC — notifications and integration messages
• Zapier, Inc. — workflow automation
• Webhook recipients — endpoints configured by you

We remain fully responsible for ensuring that all subprocessors comply with equivalent data protection obligations. We may update this list from time to time; any material changes will be communicated in advance via email or notification within the Service.

7. International Transfers

Transfers outside the UK shall be subject to legally recognised safeguards, including UK International Data Transfer Agreements or equivalent mechanisms. Transfers outside the UK will only occur where adequate safeguards exist or with customer consent.