Privacy Policy

    Last updated:

    About This Policy

    1. This Privacy Policy explains how QDEX AI Ltd (“QDEX”, “we”, “us”) collects, uses and shares personal data when you visit qdexai.com or interact with us, and how we handle certain personal data in the Service. It also explains your privacy rights and how the law protects you.
    2. The Site and Service are not intended for children under 18 years old.

    Who We Are

    1. For website and account administration data, QDEX AI Ltd acts as the Controller. Company number 15829147. Registered office: 6–12 Tabard Street, London, SE1 4JU.
    2. For privacy queries or data-rights requests, email legal@qdexai.com.
    3. No Data Protection Officer is appointed.

    Scope and Roles

    1. This policy covers the public website (qdexai.com and subdomains), marketing communications, support interactions, and account administration for the Service.
    2. If you are a Customer using the Service: for borrower and case data you upload (“Active Case Data”), QDEX acts as Processor and the DPA governs roles, purposes, transfers, sub-processors and deletion. For your firm’s account, billing and administrative data, QDEX acts as Controller.
    3. If there is any conflict between this policy and the DPA regarding data protection for Active Case Data, the DPA prevails.
    4. For a list of sub-processors processing data on behalf of Customers, see /legal/subprocessors.

    Personal Data We Collect

    1. Data you provide: enquiries, wait-lists, support requests and meetings, including names, business contact details, role, firm, message content and any attachments.
    2. Account and billing: names, business contact details, login and seat assignment data, plan and billing information, payment confirmations (processed by our payment processor).
    3. Automatically collected data: device and browser data, IP address, general location, site/app activity logs, error and performance telemetry, cookie identifiers and similar technologies (see Cookies Policy).
    4. From your organisation: where your employer or principal sets up your seat, we receive your business contact details and role.
    5. From service providers: analytics, communications, support and hosting providers may supply derived metrics and diagnostic data.
    6. We use different methods to collect data from and about you including your interactions with us; automated technologies or interactions; third parties or publicly available sources.

    Legal basis

    1. The law requires us to have a legal basis for collecting and using your personal data. We rely on one or more of the following legal bases:
    2. Performance of a contract with you: Where we need to perform the contract we are about to enter into or have entered into with you.
    3. Legitimate interests: We may use your personal data where it is necessary to conduct our business and pursue our legitimate interests, for example, to prevent fraud and enable us to give you the best and most secure customer experience. We make sure we consider and balance any potential impact on you and your rights (both positive and negative) before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
    4. Legal obligation: We may use your personal data where it is necessary for compliance with a legal obligation that we are subject to. We will identify the relevant legal obligation when we rely on this legal basis.
    5. Consent: We rely on consent only where we have obtained your active agreement to use your personal data for a specified purpose, for example if you subscribe to an email newsletter.

    How We Use Personal Data

    1. Provide and operate the Site and Service: to set up accounts, provide access, maintain security, fix issues and deliver support. Legal basis: performance of a contract or legitimate interests in operating our services.
    2. Communicate with you: to respond to enquiries and provide updates. Legal basis: performance of a contract or legitimate interests in responding to business contacts.
    3. Improve and secure the Service by analysing usage and telemetry, monitoring performance and security, and developing features. Legal basis: legitimate interests in improving and securing the Service.
    4. Session Recording: We use PostHog to record your interactions with the Service, including clicks, scrolls, and navigation. Input fields are automatically masked. We link session recordings to your email address so our support and product teams can investigate issues and improve the Service. These recordings do not capture the borrower’s personal data.
    5. Marketing: to send product news and invitations where you have consented, and to measure campaign performance. Legal basis: consent (you can withdraw at any time via unsubscribe links or by contacting us).
    6. Legal and compliance: to keep records, prevent fraud and comply with legal obligations. Legal basis: legal obligation and legitimate interests in protecting our rights.

    Cookies

    1. We use cookies and similar technologies for essential functions, analytics and, where you consent, for marketing measurement. See the Cookies Policy at /legal/cookies for details of types, purposes and retention, and to manage preferences via our consent banner.

    Sharing Your Personal Data

    1. Service providers: hosting, security, analytics, communications, payment processing and customer support providers.
    2. Professional advisers and auditors: accountants, lawyers and auditors under confidentiality obligations.
    3. Corporate transactions: in connection with a merger, acquisition, reorganisation or sale of assets, subject to appropriate protections.
    4. Legal and compliance: regulators, law enforcement or courts where required by law or to protect our rights or those of others.
    5. Customers: where your employer or principal is our Customer, certain account and usage information may be visible to that Customer’s administrators.

    International Transfers

    1. Your personal data may be processed outside the UK by our service providers. Where transfers occur, we rely on an adequacy decision or on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, with supplementary measures where appropriate.

    Retention

    1. We will only retain your personal data for as long as reasonably necessary to fulfil the purpose we collected it for, including for the purpose os satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
    2. Website enquiries and support tickets: kept for up to 24 months after closure unless needed longer for a dispute or legal obligation.
    3. Marketing contacts: kept until you withdraw consent or your email bounces, plus a short period to maintain suppression lists.
    4. Account and billing records: kept for the life of the contract and then for up to six years to meet tax and record-keeping requirements.
    5. Telemetry and logs: high-level metrics retained up to 12 months with shorter raw log retention where feasible for performance and security analysis.
    6. Active Case Data: retention and deletion are governed by the DPA and your instructions as Controller.

    Security

    1. We apply appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, network security monitoring, and staff training. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.

    Your Rights

    1. You have rights under data-protection law, including:

    a)         Request access to your personal data (commonly known as a ‘subject access request’) to receive a copy of the personal data we hold about you;

    b)         Request correction of any incomplete or inaccurate personal data we hold about you

    c)         Request erasure of your personal data where there is no good reason for us continuing to process it, or where you have exercised your right to object (see below);

    d)         Request restriction of processing of your personal data in certain circumstances, for example if you contest its accuracy;

    e)         Object to processing of your personal data where we are relying on legitimate interests; and there is something about your particular situation which makes you want to object, or where we are processing your personal data for direct marketing purposes;

    f)          Request transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format (data portability); and

    g)         Withdraw consent at any time where we are relying on consent to process your personal data, without affecting the lawfulness of processing before consent is withdrawn.

    1. Exercise rights by emailing legal@qdexai.com. We may need to verify your identity and aim to respond within one month.
    2. If you are unhappy with our response, you can complain to the UK Information Commissioner’s Office (ico.org.uk). We would appreciate the chance to resolve your concerns first.

    Automated Decision-Making

    1. We do not make decisions about you that have legal or similarly significant effects solely on the basis of automated processing. Service outputs are assistive tools for professionals and are not decisions about website visitors or account holders.
    2. For borrower and case decisions made by our Customers, please contact the relevant brokerage; QDEX acts as Processor for such data under the DPA.

    Third-Party Sites

    1. The Site may contain links to third-party websites. QDEX is not responsible for the privacy practices or content of third parties. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

    Changes to This Policy

    1. We may update this policy from time to time. The latest version is posted at /legal/privacy. If we make material changes, we will give notice by email or in-product message where appropriate.

    Contact Us

    1. Email legal@qdexai.com or write to QDEX AI Ltd, 6–12 Tabard Street, London, SE1 4JU.

    Version History

    Version: 4.0

    Effective date: 06 February 2026

    Document owner: COO

    Last review: 05 February 2026

    Next review: 31 July 2026

    Previous versions available on request to legal@qdexai.com