Privacy Policy

This Policy applies to all personal data processed through QS Project websites, platform services, and related applications. QS Project acts as data controller within the meaning of Article 4(7) GDPR in respect of account registration data, billing information, and service usage data. Where a customer organisation determines the purposes and means of processing project data submitted to the platform, QS Project acts as data processor within the meaning of Article 4(8) GDPR and processes such data solely in accordance with the customer's documented instructions and any applicable Data Processing Agreement.

The data controller for the purposes of this Policy is QS Project, a company registered in Ireland with its registered office at Standhouse Road, Newbridge, Co. Kildare, W12 DT21, Ireland. For all enquiries relating to data protection, the exercise of data subject rights, or complaints concerning the processing of personal data, please contact our Data Protection Officer at privacy@qs-project.com.

We process the following categories of personal data:

• Identity and contact details (name, email address, telephone number, postal address)
• Account credentials and authentication records (encrypted passwords, multi-factor authentication events)
• Licence and billing records (subscription tier, payment references, invoicing details)
• Project and contractor records submitted by authorised users
• Technical and device data (IP address, browser type, operating system, access timestamps)
• Service usage and interaction data (pages visited, features used, session duration)
• Support communications (tickets, correspondence, call records where applicable)

We process personal data on one or more of the following lawful bases pursuant to Article 6(1) GDPR:

• (a) Performance of a contract — processing necessary for the performance of a contract to which the data subject is party, or to take steps at the data subject's request prior to entering into a contract (Article 6(1)(b)).
• (b) Legal obligation — processing necessary for compliance with a legal obligation to which the controller is subject, including obligations under Irish tax, employment, and company law (Article 6(1)(c)).
• (c) Legitimate interests — processing necessary for the purposes of the legitimate interests pursued by QS Project, including service security, fraud prevention, and platform reliability, provided such interests are not overridden by the fundamental rights and freedoms of the data subject (Article 6(1)(f)).
• (d) Consent — where no other lawful basis applies, processing is carried out on the basis of the data subject's freely given, specific, informed, and unambiguous consent (Article 6(1)(a)). Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal.

Personal data is processed for the following specified, explicit, and legitimate purposes:

• Provision, operation, and maintenance of platform services
• User account creation, authentication, and access management
• Licence administration and subscription management
• Payment processing, invoicing, and financial record-keeping
• Detection and prevention of fraud, abuse, and unauthorised access
• Customer support and service-related communications
• Service diagnostics, performance monitoring, and improvement
• Compliance with applicable legal, regulatory, and taxation obligations
• Enforcement of contractual rights and dispute resolution

Personal data may be disclosed to the following categories of recipients:

• Vetted sub-processors providing hosting, infrastructure, identity verification, payment processing, and communication services, each bound by written data processing agreements in compliance with Article 28 GDPR
• Professional advisers (legal, audit, accounting) under obligations of confidentiality
• Regulatory authorities and law enforcement bodies where disclosure is required by law or by order of a court of competent jurisdiction
• Successor entities in the event of a merger, acquisition, or reorganisation, subject to equivalent data protection obligations

A current list of sub-processors is available upon request to privacy@qs-project.com.

Where personal data is transferred to a country outside the European Economic Area ("EEA") that has not been the subject of an adequacy decision by the European Commission under Article 45 GDPR, we ensure that appropriate safeguards are in place in accordance with Article 46 GDPR. Such safeguards include, as applicable, Standard Contractual Clauses adopted by the European Commission, supplemented by a transfer impact assessment and any additional technical or organisational measures required to ensure an essentially equivalent level of protection for the personal data transferred.

Personal data shall be retained only for so long as is necessary to fulfil the purposes for which it was collected, in accordance with the principle of storage limitation under Article 5(1)(e) GDPR. Specific retention periods are determined by reference to the nature of the data, the purposes of processing, and applicable statutory retention obligations, including those arising under the Taxes Consolidation Act 1997 (as amended) and the Companies Act 2014. Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.

Under Chapter III of the GDPR, as given further effect by Part 3 of the Data Protection Act 2018, you have the following rights in relation to your personal data:

• Right of access (Article 15) — to obtain confirmation of processing and a copy of your personal data
• Right to rectification (Article 16) — to have inaccurate personal data corrected without undue delay
• Right to erasure (Article 17) — to request deletion of personal data where specified grounds apply
• Right to restriction of processing (Article 18) — to request limitation of processing in defined circumstances
• Right to data portability (Article 20) — to receive personal data in a structured, commonly used, and machine-readable format
• Right to object (Article 21) — to object to processing based on legitimate interests or direct marketing
• Right not to be subject to automated decision-making (Article 22) — including profiling producing legal or similarly significant effects

The exercise of these rights is subject to the conditions, limitations, and exemptions set out in the GDPR and the Data Protection Act 2018.

To exercise any of the rights set out above, please submit a written request to privacy@qs-project.com. We may require verification of your identity before acting on a request, in accordance with Article 12(6) GDPR. We shall respond to valid requests without undue delay and in any event within one month of receipt, unless the complexity or volume of requests justifies an extension of up to two further months, in which case you will be informed accordingly.

We use strictly necessary cookies required for the operation of our platform and limited analytics cookies to monitor service performance. All non-essential cookies require your prior informed consent in accordance with Regulation 5 of the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336/2011). You may manage your cookie preferences at any time through the in-app cookie preferences control or your browser settings. For full details, please refer to our Cookie Policy.

In accordance with Article 32 GDPR, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

• Role-based access controls and principle of least privilege
• Encryption of personal data in transit using TLS
• Continuous monitoring, logging, and anomaly detection
• Documented incident response and breach management procedures
• Regular security assessments and vulnerability management

Whilst no system can guarantee absolute security, we maintain and periodically review these measures to ensure they remain proportionate to the nature and sensitivity of the personal data processed.

Our services are intended for professional and business use and are not directed at children. We do not knowingly collect or process personal data from children under the age of 16 (being the age of digital consent applicable in Ireland under Section 31 of the Data Protection Act 2018). If we become aware that personal data has been collected from a child without appropriate parental or guardian consent, we shall take prompt steps to delete such data.

We reserve the right to update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. Where a change is material, we shall notify affected data subjects through service channels or by other appropriate means. The "Last updated" date at the head of this Policy indicates when the most recent revision took effect. We encourage you to review this Policy periodically.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR. In Ireland, the competent supervisory authority is the Data Protection Commission (An Coimisiún um Chosaint Sonraí), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland (www.dataprotection.ie).

This Policy is governed by and construed in accordance with the laws of Ireland. The processing of personal data described herein is designed to comply with:

• Regulation (EU) 2016/679 (General Data Protection Regulation)
• Data Protection Act 2018 (as amended)
• European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (S.I. No. 336/2011)
• Any other applicable Irish and European Union data protection and privacy legislation

QS Project does not, in the ordinary course of service operation, engage in automated decision-making, including profiling, which produces legal effects concerning data subjects or similarly significantly affects them within the meaning of Article 22 GDPR. Should this position change, we shall inform data subjects in advance of the logic involved, the significance, and the envisaged consequences of such processing, and shall implement suitable safeguards including the right to obtain human intervention, to express a point of view, and to contest the decision.

We maintain documented incident response procedures for the detection, assessment, and management of personal data breaches. In the event of a breach likely to result in a risk to the rights and freedoms of natural persons, we shall notify the Data Protection Commission without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with Article 33 GDPR. Where a breach is likely to result in a high risk to the rights and freedoms of the affected data subjects, we shall communicate the breach to those individuals without undue delay in accordance with Article 34 GDPR.

Certain features of the Service incorporate artificial intelligence ("AI") capabilities, including AI-assisted content generation within document editors. When you use these features, the following data processing occurs:

• User-submitted prompts and, where necessary for context, relevant document content are transmitted to third-party AI service providers for the sole purpose of generating the requested output
• QS Project engages AI service providers under written data processing agreements that impose obligations of confidentiality, security, and data protection in accordance with Article 28 GDPR
• Prompts and generated outputs are not used by QS Project or its AI service providers to train or improve AI models, unless you have provided explicit, informed consent for such use
• AI interaction data is retained only for so long as is necessary for service delivery, quality assurance, and the investigation of misuse, and is thereafter deleted in accordance with our data retention policies

AI-assisted features do not involve automated decision-making that produces legal or similarly significant effects on data subjects within the meaning of Article 22 GDPR. The AI-generated output is presented to the user for review, editing, and approval before any use. You remain solely responsible for reviewing, verifying, and approving any AI-generated content before incorporating it into documents or communications.