Version: 1.1 — May 2026 | Effective date: 1 June 2026 | Last updated: 11 May 2026
1. Who we are
1.1 QS Guidance Notes is operated by Chiao-Lin Chen, trading as "QS Guidance Notes" ("we", "us", "our"). We are the data controller responsible for your personal data under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
1.2 We are a sole-trader publisher. We do not have a UK establishment and operate primarily from Taiwan. Where UK GDPR requires a UK representative, one will be appointed before launch and named here.
1.3 Contact for data protection matters: hello@qsguidancenotes.com.
1.4 Firm/team plans. For firm/team subscriptions, our account record relates to the firm subscriber (the contracting organisation), not to each individual member of staff who uses the shared login. The firm subscriber is responsible for making its staff aware of this Privacy Policy and of any personal data we may incidentally collect through their use of the Service (for example, IP address, login events, support correspondence). Where staff use a personal email address to contact us about a firm account, we treat them as a data subject for that correspondence.
2. Scope of this policy
This policy explains what personal data we collect about you, how we use it, who we share it with, how long we keep it, and your rights under UK GDPR. It applies to all visitors to qsguidancenotes.com, all account holders, and all subscribers.
3. Personal data we collect
We collect only the data we need to operate the Service. Specifically:
3.1 Data you give us directly
| Data | When we collect it | Why |
|---|---|---|
| Name, email address, password (hashed) | On signup | To create and secure your account |
| Organisation name (optional) | On signup | To tailor your dashboard and plan |
| Billing name, billing address, country | At checkout | For tax and payment compliance |
| Support correspondence | When you email us | To answer your enquiry |
3.2 Data collected automatically
| Data | How we collect it | Why |
|---|---|---|
| IP address, device/browser type, pages viewed, timestamps | Server + access logs | To run and secure the Site |
| Subscription status, login events, content accessed | Through Outseta (our auth provider) | To manage your subscription and detect misuse |
| Analytics data (aggregated, privacy-friendly) | Through Plausible Analytics | To understand how the Site is used |
3.3 Data we never collect
- Full payment card details (handled entirely by our payment processor — we only see a transaction ID, last four digits, and status)
- Special-category data (health, biometric, etc.)
- Data about anyone under 18
4. Why we use your data and our lawful bases
Under UK GDPR, we must have a lawful basis for processing your data. We rely on the following:
| Purpose | Lawful basis |
|---|---|
| Creating and operating your account; providing the Service | Performance of a contract with you |
| Processing payments and renewals | Performance of a contract + legal obligation (tax record-keeping) |
| Sending essential service emails (welcome, renewal reminders, billing, security notices, Terms changes) | Performance of a contract + legitimate interests (keeping you informed about your subscription) |
| Sending optional marketing emails (new GNs, tips, offers) | Consent — you opt in and may unsubscribe at any time |
| Security, fraud prevention, enforcing our Terms (including monitoring unusual access patterns) | Legitimate interests (protecting our business and lawful content) |
| Analytics and Site improvement | Legitimate interests — we use privacy-friendly analytics that do not build individual user profiles |
| Responding to your support enquiries | Legitimate interests + (where applicable) performance of a contract |
| Complying with law (tax, accounting, regulator requests) | Legal obligation |
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Marketing
5.1 We will only send you marketing emails if you have opted in. You can unsubscribe from any marketing email using the link at the bottom of that email, or by emailing hello@qsguidancenotes.com.
5.2 Unsubscribing from marketing does not stop us sending you essential service emails (billing, renewals, Terms changes, security notices) for as long as you are a subscriber.
6. Who we share your data with
We do not sell your personal data. We share it only with the processors and parties listed below, and only as needed to run the Service.
6.1 Our processors
| Processor | Purpose | Location |
|---|---|---|
| Outseta (Outseta, Inc.) | Authentication, subscription management, member dashboard, email | United States |
| Lemon Squeezy / Paddle | Payment processing and merchant-of-record services | United States / United Kingdom |
| Netlify (Netlify, Inc.) | Website hosting and content delivery | United States (with global CDN edges) |
| Porkbun (Porkbun LLC) | Domain registration and email forwarding | United States |
| Plausible Analytics (Plausible Insights OÜ) | Privacy-friendly site analytics — aggregate only, no cookies, no personal data | European Union (Estonia / Germany) |
| [Email marketing — to be confirmed at launch] | Optional marketing emails (if and when offered) | TBC |
| Anthropic / AI providers | No personal subscriber data is sent to AI services. Public content only. | — |
Each processor is bound by a data processing agreement and only processes your data on our documented instructions.
6.2 Professional advisers, authorities, and successors
We may share your data with:
- our accountants, lawyers, and other professional advisers where necessary and under confidentiality;
- tax authorities and regulators (HMRC, ICO, or equivalents) where we are legally required to;
- a buyer or successor if we ever sell or restructure the business, subject to the same confidentiality and protections set out here.
6.3 Public information
We never publish your account details. If you post a review or testimonial, we will only use your name or attribution with your explicit permission.
7. Cookies and similar technologies
7.1 We use a small number of cookies and similar technologies, grouped as:
- Strictly necessary (for login, checkout, and security) — always on, no consent required;
- Analytics — only loaded with your consent, unless they qualify as strictly necessary under PECR;
- Preferences — to remember small UI choices (e.g. dismissing a banner).
7.2 A cookie consent banner is shown to first-time visitors. You can change your cookie preferences at any time from the cookie settings link in the site footer.
7.3 No third-party advertising cookies. We do not run ads and do not allow ad-tech companies to track you on our Site.
8. International transfers
8.1 Several of our processors are based in the United States. Where your personal data is transferred outside the UK, we rely on one or more of the following safeguards:
(a) the UK Addendum to the EU Standard Contractual Clauses (UK IDTA);
(b) UK adequacy regulations (e.g. the UK Extension to the EU-US Data Privacy Framework, where the receiving organisation is certified);
(c) your explicit consent where no other safeguard is available, after being told of the risks.
8.2 You may request a copy of the safeguards that apply to any specific transfer by emailing hello@qsguidancenotes.com.
9. How long we keep your data
We keep your personal data only as long as we need to for the purpose we collected it:
| Data | Retention |
|---|---|
| Account data | For as long as your account is active, plus 12 months after closure |
| Billing and transaction records | 6 years after the tax year in which the transaction was processed (UK tax requirement) |
| Support correspondence | 2 years after the matter is closed |
| Server and security logs | 90 days (longer if needed for an active security investigation) |
| Marketing consent records | As long as your consent is current, plus 2 years as evidence of consent |
| Analytics data | Aggregated / anonymised after 14 months |
After the relevant retention period, we will securely delete or anonymise your data.
10. Security
10.1 We use reasonable technical and organisational measures to protect your data, including TLS encryption in transit, hashed password storage (via our auth provider), access controls, and logging.
10.2 No system is perfectly secure. If we ever learn of a personal data breach affecting you, we will notify you and, where required, the ICO within 72 hours of becoming aware.
10.3 You are responsible for keeping your login credentials confidential. Please contact us immediately if you suspect your account has been compromised.
11. Your rights
Under UK GDPR you have the following rights, which you can exercise free of charge:
| Right | What it means |
|---|---|
| Access | Get a copy of the personal data we hold about you |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure ("right to be forgotten") | Ask us to delete your data where there is no good reason to keep it |
| Restriction | Ask us to pause processing while a concern is investigated |
| Portability | Get your data in a structured, machine-readable format |
| Objection | Object to processing based on legitimate interests, including direct marketing |
| Withdraw consent | Withdraw any consent you gave us, at any time |
| Complain to the ICO | Lodge a complaint with the UK Information Commissioner's Office |
To exercise any of these rights, email hello@qsguidancenotes.com. We will respond within one month and may need to verify your identity first.
If you are unhappy with how we handle your data, you can contact the ICO at ico.org.uk or 0303 123 1113. We would, however, appreciate the chance to address your concerns first.
12. Children
The Service is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
13. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be notified to account holders by email and a prominent Site notice at least 14 days before they take effect. The "Last updated" date at the top of this policy always reflects the most recent version.
14. Contact
Questions or requests about your personal data? Email hello@qsguidancenotes.com.
QS Guidance Notes is operated by Chiao-Lin Chen, a sole trader.