Privacy Policy — QuietStaff Ltd
1. Who we are
QuietStaff Ltd ("QuietStaff", "we", "us", "our") is a UK-incorporated AI consulting business.
- Registered office: 66 Paul Street, London, EC2A 4NE, United Kingdom
- Company registration number: 17171308
- ICO registration number: ZC130484
- Data protection contact: privacy@quietstaff.com
QuietStaff has voluntarily designated a Data Protection Officer under UK GDPR Article 37(4), even though designation is not statutorily required for our processing activities. The current DPO is the CEO of QuietStaff Ltd, designated under Director's Resolution dated 29 April 2026, reachable at privacy@quietstaff.com.
This Privacy Policy describes how we collect, use, share, and protect personal data when you visit our website at quietstaff.co.uk, contact us, request information, or engage QuietStaff for AI consulting services. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and the Privacy and Electronic Communications Regulations 2003 (PECR).
2. The personal data we collect
We collect different categories of personal data depending on how you interact with us.
Whether providing personal data is required: You are not statutorily obliged to provide personal data to use our website. Providing personal data when you contact us or request information is voluntary — without it, we cannot respond to your enquiry or onboard you as a Customer. Providing personal data under a signed engagement is a contractual requirement under that engagement — failure to provide such data may prevent us from delivering the Services.
2.1 When you visit our website
Our hosting provider (GitHub Pages, operated by GitHub Inc.) logs standard request data for security, abuse prevention, and basic operational diagnostics:
- IP address (used briefly by the host for abuse prevention; not retained by QuietStaff in our own systems)
- User-agent string (browser type, device type, operating system)
- Referring URL
- Request URL (which page on the site you requested)
We do not currently use website analytics, marketing tools, or any third-party tracking on this site. If we add such tools in the future, we will update this section and obtain consent before setting any non-essential cookies or similar technologies (see §9).
Client-side storage: the site uses your browser's localStorage to remember your dark/light theme preference. See §9 for details.
2.2 When you contact us or request information
- Identifiers: name, email address, phone number (if provided)
- Business context: company name, role, industry, size band
- Communication content: the substance of your enquiry, attachments you send
- Marketing preferences: whether you have consented to receive further communications
2.3 When you engage QuietStaff for services
In addition to the above:
- Commercial information: signed agreements, invoices, payment confirmations
- Project information: stakeholder names, system access credentials you authorise, business process descriptions
- Customer Personal Data that you (as Data Controller) instruct us (as Data Processor) to process on your behalf as part of the Services. This is governed by our Data Processing Agreement.
We do not knowingly collect personal data of children under 16.
3. How we use your personal data and our legal basis
| Purpose | Legal basis (UK GDPR Article 6) |
|---|---|
| Responding to your enquiry or request | Article 6(1)(b) — performance of pre-contractual measures at your request |
| Delivering Services under a signed engagement | Article 6(1)(b) — performance of contract |
| Sending direct marketing about similar services to existing or prospective customers (B2B) | Article 6(1)(f) — legitimate interests, balanced against your interests, with a clear opt-out |
| Complying with legal, accounting, and regulatory obligations | Article 6(1)(c) — legal obligation |
| Maintaining and improving our website and services | Article 6(1)(f) — legitimate interests in operating our business |
| Protecting our legal rights, including in connection with disputes | Article 6(1)(f) — legitimate interests in defence of legal claims |
We do not use personal data for automated decision-making that produces legal or similarly significant effects. We do not process special-category personal data unless you provide it voluntarily and we have obtained your explicit consent.
4. Who we share personal data with
We share personal data only with the following categories of recipients, and only to the extent necessary:
4.1 Sub-processors
When delivering Services under a signed engagement, we use Sub-processors listed at quietstaff.co.uk/sub-processors. Each Sub-processor is bound by a written Data Processing Agreement.
4.2 Operational service providers
To run our business, we share limited personal data with:
- Cloud infrastructure and AI model providers (Amazon Web Services EMEA SARL — UK / EU regions; includes Customer-instructed access to AI foundation models via AWS Bedrock, AWS's managed AI inference service)
- Email and document infrastructure (Google Workspace — EU/global)
- Banking and payment providers (Tide, Wise — for invoicing and payment processing of QuietStaff's own data, not Customer Personal Data)
- Professional advisers (accountants, legal advisers, insurers) — when relevant to a specific matter, on a confidential basis
4.3 Legal disclosures
We may disclose personal data when required by law, court order, or regulator (including the Information Commissioner's Office), or when necessary to protect our legal rights or the rights of others.
5. International transfers
Some of our service providers process personal data outside the UK. Where this involves a Restricted Transfer under UK GDPR, we rely on:
- EU Standard Contractual Clauses + UK International Data Transfer Addendum for transfers to Google (multi-region) under Google's standard DPA
- UK adequacy for transfers within the UK and to EEA countries
Customer-instructed access to AI foundation models (including Anthropic Claude) is delivered via AWS Bedrock within our cloud sub-processor (AWS EMEA SARL, eu-west-2 London) — see our Sub-processor List. Customer Personal Data does not transit to Anthropic's own infrastructure; AI inference is performed by AWS within eu-west-2 using AWS-licensed model weights.
All transfers are subject to safeguards required by UK GDPR Articles 44–49. You may request a copy of the relevant transfer mechanism by emailing privacy@quietstaff.com.
6. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention is required by law.
| Category | Retention period |
|---|---|
| Server request logs | Controlled by GitHub Pages (our host) under GitHub's own policy; QuietStaff does not retain server logs in its own systems |
| Marketing enquiries (no engagement) | Up to 24 months from last contact, then deleted |
| Engaged Customer records (contracts, invoices, project files) | 7 years from end of engagement (UK accounting and tax requirements) |
| Customer Personal Data processed on Customer's behalf | Within 30 days of expiry or termination of the engagement, per the signed Data Processing Agreement (delete or return). Retention beyond that point only where compelled by applicable legal obligation. |
| Email correspondence not associated with a specific engagement | Up to 24 months, then deleted or archived in accordance with internal retention policy |
7. Your rights
Under UK GDPR you have the following rights, free of charge in most cases:
- Right of access (Article 15) — receive a copy of personal data we hold about you
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure (Article 17, "right to be forgotten") — delete personal data in defined circumstances
- Right to restrict processing (Article 18) — limit how we use your data
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format
- Right to object (Article 21) — including the right to object to direct marketing at any time
- Right not to be subject to solely-automated decisions (Article 22) — though we do not currently rely on such decisions
- Right to withdraw consent at any time, where processing is based on consent
To exercise any right, email privacy@quietstaff.com. We respond within one calendar month under UK GDPR Article 12(3) (extendable to three months for complex requests, with notification).
If you are unhappy with how QuietStaff has handled a privacy request or complaint, please first contact us at privacy@quietstaff.com so we can attempt to resolve the matter. We aim to respond to internal complaints within 14 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by phone on 0303 123 1113.
8. Security
We implement appropriate technical and organisational measures (TOMs) to protect personal data against unauthorised access, loss, alteration, or disclosure. These include:
- Multi-factor authentication on administrator accounts
- Full-disk encryption on company devices
- Centrally-managed credential vault with no plaintext sharing
- Access on a least-privilege basis, with quarterly access reviews
- A data minimisation principle — we prefer anonymised, redacted, synthetic, or representative-sample data where practical
Data hosting and regions. Customer Personal Data processed by QuietStaff is hosted in UK/EU regions only (AWS EMEA SARL, eu-west-2 London). Operational data handled via Google Workspace is processed under Google's standard regional commitments — see the Sub-processor List for details. All data hosting providers apply encryption at rest and in transit under their published security standards.
The full QuietStaff Information Security Policy is available on request from privacy@quietstaff.com.
9. Cookies and similar technologies
This website does not use analytics, marketing, or third-party tracking cookies.
What we use today
We use only strictly necessary cookies and similar technologies (specifically: browser localStorage) under PECR Regulation 6(4):
- Theme preference (browser localStorage) — stores your dark/light mode choice so the site renders consistently across visits. No personal data. Not shared with any third party. Can be cleared at any time via your browser settings.
What our host logs
Our hosting provider (GitHub Pages, operated by GitHub Inc.) may log standard request data (IP address, user-agent, request URL) for security, abuse prevention, and operational diagnostics. This is described in §2.1 above and is governed by GitHub's own privacy policy at docs.github.com/en/site-policy/privacy-policies/github-privacy-statement.
GitHub Inc. is a US-based entity. The international transfer mechanism for any personal data inferred from server-side logs is described in §5 (International transfers).
What we don't use
- No analytics cookies (Google Analytics, Plausible, Fathom, etc.)
- No marketing or advertising cookies
- No third-party tracking pixels
- No session-replay tools
- No cross-site tracking
If we add non-essential cookies in the future
If we introduce analytics, marketing, or any non-essential client-side tracking in the future, we will:
- Update this Privacy Policy to disclose the new categories, lawful basis, and retention,
- Implement a consent banner under PECR Regulation 6,
- Not set any non-essential cookie or similar technology before obtaining your prior consent.
10. Direct marketing
We may send marketing communications about our services to existing or prospective business contacts where you have provided your business email address in a business context. You can opt out at any time by clicking "unsubscribe" in any email, or by emailing privacy@quietstaff.com. We rely on the "soft opt-in" under PECR Regulation 22 for existing customers, and on legitimate interests for B2B prospects, in each case with an immediate opt-out.
11. Children
Our services are aimed at businesses, not children. We do not knowingly collect personal data from anyone under 16. If we become aware we hold such data, we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Effective date" at the top reflects the latest material update. Material changes will be notified to existing customers by email and posted on this page for at least 60 days before taking effect.
13. Contact us
For any privacy or data protection question, request, or complaint:
Email: privacy@quietstaff.com
Post: Data Protection Contact, QuietStaff Ltd, 66 Paul Street, London, EC2A 4NE, United Kingdom
ICO: You may also complain to the Information Commissioner's Office at ico.org.uk