Privacy Policy & Data Protection

Everything you need to know about how we treat your data

At Quarterdeck we take privacy and security incredibly seriously and we're delighted that lawmakers are finally catching up to the values and standards we've long held ourselves.

Rest assured that we take curation of your data as seriously as if it were our own.

We support not only the letter of the law of the General Data Protection Regulation and other data protection laws but also their spirit and will ensure all services not only comply with its ordinances but go beyond where we feel more security and privacy is required.

We do everything within our power and intellect to ensure we comply with the law in whichever jurisdictions are appropriate.

This privacy policy is a living document and we will ensure that it is always as up to date as possible and that our policies are continually reviewed to ensure the highest possible standards.

If you have any questions or requests not covered by this privacy policy please contact Kris Northfield, Operations Director, who is the currently appointed Data Protection Officer.

Why is data collected?

We collect data to provide our clients and course participants with the best possible service. We only ever collect and use the minimum amount of data required to delight and exceed expectations.

Like all companies we also have a responsibility to market and sell our services. We collect and process data on companies and people who we reasonably believe would be interested in our services.

Who is collecting data?

Information is collected by Quarterdeck Ltd via any of its employees or agents. An agent is a person or legal entity not directly employed by us but contracted to fulfil part of our operating procedures. Any employee or agent working on our behalf is always fully audited and briefed about data security to ensure they are compliant with the data protection standards we uphold and laws in the jurisdictions in which we operate or which cover citizens with which we interact.

How is data collected?

We live in a complicated world and we can stumble across information about companies and people in a thousand places.

Like all companies in the world we use analytics software to guide the development of our website to ensure it's providing the best possible experience to users and that any errors and bugs are found and fixed as quickly as possible. This is standard operating procedure across the globe, your company's website will almost certainly be collecting similar information. In actual fact most companies will collect significantly more than us as we like to minimise the data we collect.

The data collected by analytics software can include: pages viewed, time spent viewing pages, buttons clicked, links clicked etc.

Data could be collected via any communication channel including (but not limited to): email, phone, website, verbal, photography, hand writing and publicly available information from sources including: your website, social media profiles, third party websites, search engines, newspapers etc.

For a full list of data being collected please refer to the section "What information is collected?"

How will data be used?

Data will be used to fulfil our contractual obligations to provide you with a product or service in a transactional manner. Or to operate our legitimate interest in marketing our services.

As said previously we like to go beyond purely transactional relationships to exceed expectations and provide meaningful experiences. For legal purposes this could be described as "segmenting" or "personalisation".

If you opt-in to our email list, you will occasionally receive training articles and, even more rarely, an email letting you know about an upcoming event we think might interest you.

We occasionally profile data in aggregate to test or validate the design of services or for research purposes.

We don’t keep data around if there is no point, we don’t hoard data for no reason and of course we don’t retain it if there is no lawful basis. We will retain data until we no longer require it in the execution of our duties or it is requested to be deleted by the data subject.

Please contact the appointed Data Protection Officer identified in the summary of this document if you wish to exercise any of your rights under GDPR or any other relevant regulations, for example if you wish to:

They will deal with your request expeditiously.

Who will it be shared with?

We will never share or sell your data to any third parties. Data will only ever be accessible to employees or agents of Quarterdeck Ltd to fulfil our operating procedures.

What information is collected?

Here is a breakdown of the information we might store.

In the Execution of our Training

As part of our standard operating procedures we will retain the data needed to execute the contract we have agreed with a client. This may include: name, name of company, address of company, email, phone number, industry of company, personal development information, feedback you provide about our performance, and photographs of our events which you attend.

Outbound Sales

There are six lawful bases for data processing set out in Article 6 of the UK GDPR: Consent, Contract, Legal obligation, Vital interests, Public task, and Legitimate interests.

No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.


All companies have a legitimate interest in the growth of their business by marketing and selling their products or services. While sending cold email to personal email addresses without consent may not compliant under the GDPR, B2B companies dealing with corporate clients have different rules.

Direct Marketing is recognised as a legitimate interest under Recital 47 of the GDPR and is deemed a legal basis for processing data. This means that the GDPR defers to the existing Data Protection Act in respect of B2B email.

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.


The ICO, which is responsible for upholding GDPR in the UK, say this in its direct marketing guidance:

These rules on consent, the soft opt-in and the right to opt out do not apply to electronic marketing messages sent to ‘corporate subscribers’ which means companies and other corporate bodies eg limited liability partnerships, Scottish partnerships, and government bodies. The only requirement is that the sender must identify itself and provide contact details.


Furthermore, the ICO’s direct marketing checklist reveals that as long as individual employees can opt-out then you can email them, without a confirmed opt-in.

Having considered purpose and necessity we assesses that the balance favours processing as it is reasonable for people publishing a website or social media profile to expect that their business contact details will be processed, and the impact on them will be low.

We of course provide an instant opt-out link for any automated emails and any emails sent by a human you have the ability to reply and request to be opted-out.

If we email you it is because we reasonably assume that you or your company would use our services. This could be for many reasons, among them:

We won't give an exhaustive list here.

If we contact you it may not mean that you are on a database or we are storing your contact details. One of our people may have just emailed you using publicly available data on your website or LinkedIn profile for example.

Please note that if you request to be "Removed from our database" or similar we will delete all your data as required by law. This may have unintended consequences as we cannot retain your preference to be opted-out. This means at some point in the future if someone comes across your details they may well contact you again.

If you ask not to be contacted we will retain your contact information and your preference to ensure you are not contacted in the future. After a reasonable amount of time this data may also be deleted however as we automatically delete data of a certain age in order to comply with the GDPR.

Website Analytics

None of our analytics software records any personal information.

For details review the documentation of our analytics provider, Fathom.

Unrequested Data or Voluntarily Supplied Information

As described in the "Why is it being collected?" & "How is it collected?" sections the information you send us via email is essentially totally open ended and infinite. People are free to send us all kinds of data about themselves which on the surface is innocent but may reveal personal information like. There is literally no limit to this and therefore impossible to scope within this privacy policy.

Our email servers are set to delete all email after one year.

Our employees and agents are trained to deal with sensitive data with the highest possible standards of privacy and security and treat it as though it were their own.

For more technical information about how our email is handled review the policies of our email service providers: Fastmail and Postmark.

Data Processors

Like any sophisticated modern business we make use of internet providers and cloud services to enable us to give our customers the best possible experience. We choose providers who have a strong commitment to privacy and stay away from services whose business practices rely on data harvesting (e.g. Google, Facebook). We complete a full privacy audit of all our Data Processors in order to ensure they live up to and operate under our high standards.

Digital Ocean

We use Digital Ocean for provision of VPS to host our websites and web apps. We use a Digital Ocean data centre located in the United Kingdom.


We use FastMail for hosting our corporate (@quarterdeck.co.uk) email. FastMail is an Australian company.


We use Gandi for some of our other minor domain email addresses.


We use Postmark for automated transactional emails. Postmark is an American company.


We use a Synology NAS as our office file server and Synology C2 as an offsite backup mechanism.

Our data centre is located in Frankfurt and meets the high privacy standards required by EU regulations. The security of data being transmitted and stored on C2 can be ensured with the support of our rigorous encryption technologies.

Website Analytics: Flare, Fathom Analytics

We use Flare and Fathom for website analytics and bug catching. Flare is run in the EU and Fathom is Canadian.

Office Computers/Devices

All our company devices have full-disk encryption using XTS-AES-128 encryption with a 256-bit key and are protected with passphrase, passcodes or biometric measures to prevent unauthorised access.