Last updated: 27 December 2025
Data Controller: Topsail Software Limited, 2 Jardine House Barber & Co, Bessborough Road, London, England, HA1 3EX
Contact: info@qualifico.app

1. Scope
This Privacy Policy applies to:
• the Qualifico website (the “Website”), and
• the Qualifico apps and related services (the “App” and together with the Website, the “Services”).

2. What data we collect
A) Website data
Depending on how you use the Website, we may collect:
• Analytics and usage data: pages viewed, approximate location (derived from IP), referrer/source, timestamps, and interaction events (e.g., clicks).
• Device and technical data: browser type, device type, operating system, language, and similar technical signals.
• Form/contact data: information you submit (e.g., email address and message contents).
B) App and account data
Depending on how you use the App, we may collect:
• Account data: email, profile details you provide, region preferences.
• Usage and diagnostics: app interactions, feature usage, diagnostics, crash reports (where enabled).
• Learning data: answers, progress, performance, mock results, and related learning interactions.
• Device data: device type, OS version, and identifiers where applicable.
• Support data: messages you send us and related metadata.
C) Payments and subscription data
If you purchase a subscription or paid features, we may receive:
• Purchase status and entitlement information (e.g., whether you have an active subscription),
• Transaction metadata (e.g., transaction/receipt identifiers and timestamps),
so we can grant access and provide billing support.
Payment details (such as full card numbers) are handled by the relevant app store or payment provider and are not stored by us.

3. How we use your data
We use personal data to:
• provide the Services (accounts, progress tracking, learning features and insights)
• personalise learning and recommendations
• maintain security, prevent fraud/abuse, and troubleshoot issues
• improve performance, reliability, and usability
• communicate service updates and respond to support requests
• administer subscriptions (access control, billing support, refunds/chargebacks where applicable)
• send marketing messages only where you opt in

4. Cookies and similar technologies (Website)
We may use analytics tools to understand Website usage (e.g., which pages are most visited and where visitors come from).
• If we use cookie-free analytics (including Framer’s built-in analytics), consent banners may not be required for analytics alone.
• If we enable cookie-based analytics or marketing tags in the future, we will seek consent where required and provide a way to manage preferences.
You can also control cookies through your browser settings. Some features may not work properly if you disable certain technologies.

5. Lawful bases (UK) — mapped to activities
We rely on the following lawful bases under UK data protection law:
• Contract (to provide what you request):
o creating and managing your account
o providing learning features, saving progress, and delivering requested insights (including AI-assisted features you choose to use)
o providing subscription access and core customer support
• Legitimate interests (balanced against your rights):
o securing the Services, preventing abuse/fraud, and maintaining service integrity
o maintaining and analysing limited logs for reliability and debugging
o improving features, performance, and usability (including aggregated analytics)
• Consent:
o marketing emails (when you opt in)
o optional cookies/trackers where required (particularly if we enable cookie-based analytics/marketing tags)
• Legal obligation:
o where we must retain certain records or respond to lawful requests

6. Marketing
We send marketing emails only if you opt in (for example via a signup form or preference setting). You can unsubscribe at any time using the unsubscribe link in the email (handled by our email delivery provider) or by contacting us.

7. AI features
We use AI features for things like weekly reports, personalised tuition, and learning insights.
To provide these features, we may send pseudonymous identifiers (for example, an internal user ID) and relevant learning interactions to AI service providers. We aim not to send direct identifiers (such as your email address) as part of AI feature requests.
We may also produce aggregated insights (e.g., usage patterns by qualification or region) to improve the Services.
No automated decisions: We do not use AI to make solely automated decisions that produce legal or similarly significant effects for you (for example, decisions about eligibility, access termination, pricing, credit, or legal rights).

8. Sharing your data
We may share personal data with trusted service providers that help us operate the Services (for example: hosting, databases, analytics, monitoring, customer support tooling, and AI feature delivery). These providers act on our instructions and are required to protect your data.
Selling data: We do not currently sell personal data. If this changes, we will update this policy and, where required, provide notice and choice and/or obtain consent.

9. International transfers
Your data may be processed outside the UK (for example, where service providers operate internationally). Where this happens, we use appropriate safeguards designed to protect your data (such as approved contractual safeguards) and assess transfer risks where required.

10. Data retention
We keep personal data only as long as necessary for the purposes described in this policy.
Account deletion: If you request account deletion, we will deactivate your account and aim to delete or anonymise personal data within a reasonable period. Because systems use backups for resilience and security, deletion from backups may take longer.
Current approach (recovery-friendly):
• account deactivation: typically immediate on request
• primary deletion/anonymisation: typically within 30 days
• backup expiry/overwrite: typically within up to 90 days
• we may retain aggregated/de-identified statistics that cannot reasonably identify you
Security logs: We may retain limited logs for a short period to protect the Services, investigate abuse, and maintain reliability.
Transaction/subscription records: We retain limited purchase/subscription records as needed to provide access, support billing enquiries, and handle refunds/chargebacks and related requirements.

11. Your rights (UK)
You may have rights including:
• access to your data
• correction
• deletion
• restriction and objection
• data portability
• withdrawing consent (where consent is the basis)
To exercise your rights, contact us at info@qualifico.app. We may need to verify your identity before fulfilling certain requests.

12. Children
The Services are intended for users aged 13+. You must also meet any applicable minimum age requirements imposed by app stores and payment providers.

13. Security
We use appropriate technical and organisational measures to protect personal data. No system is perfectly secure, but we work to minimise risk.

14. Changes to this policy
We may update this policy from time to time. We will revise the “Last updated” date above, and if changes are material we will take reasonable steps to notify you (for example, via the Services or email).

15. Contact
For privacy questions or requests: info@qualifico.app