Privacy Policy
1. Who we are
The platform is operated by Virtuopo Ltd, 111 Summers Road, Liverpool, L3 4BL, company number 12842179 ("CID", "we", "us"). For privacy questions, contact cid@example.org.
2. Our role (controller vs processor)
When a consultancy or firm (a "provider") runs a diagnostic through the platform, the provider is the data controller for the respondents' data and CID is a data processor, acting only on the provider's documented instructions (see our Data Processing Agreement). For our own website visitors and admin account holders, CID is the controller.
3. What we process
- Respondents: name, email, role/team, self-assessment scores, and free-text reflections — processed on behalf of the provider to deliver the diagnostic and readouts.
- Admin account holders: name, email, and a hashed password.
- Website: essential cookies only (sign-in/session). We do not use analytics or advertising cookies. See our Cookie Policy.
4. Lawful basis
For respondent data, the lawful basis is set by the provider (as controller) in its own privacy notice — typically legitimate interests (development of its people) or consent. For admin accounts and running the platform, our basis is performance of a contract and our legitimate interests in operating the service securely.
5. How data is used
To capture responses, generate each respondent's confidential personal readout, and produce aggregated, pattern-level reporting for the provider/firm. Individual scores and words are never shown to a respondent's firm in identifiable form (unless a provider has explicitly configured, and disclosed to respondents, an individually-visible engagement).
6. Sharing & sub-processors
We share data only with the sub-processors needed to run the service (hosting, transactional email). See the sub-processor list. We do not sell data.
7. International transfers
We host in the UK/EU. Where a sub-processor is outside the UK/EU (e.g. our email provider), the transfer is covered by appropriate safeguards such as the UK/EU Standard Contractual Clauses or an adequacy decision.
8. Retention
Respondent data is retained for 12 months or as instructed by the provider, then deleted. Admin account data is kept while the account is active.
9. Security
Data is encrypted in transit and at rest, isolated per provider at the database level, and access is restricted and logged. See our Terms for the full service commitments.
10. Your rights
You have rights of access, rectification, erasure, restriction, portability and objection. If you are a respondent, please raise these with the provider that invited you (the controller); we will assist them. For our own data (e.g. admin accounts), contact cid@example.org. You may also complain to the UK Information Commissioner's Office (ico.org.uk).
11. Changes
We may update this policy; the "last updated" date shows the current version.