Privacy Policy

1. Introduction

We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we use it, how long we keep it, and how you can exercise your rights when using qepacko.co.uk and related services (the "Service").

Controller: NEEDRATE LIMITED (Company No. 15638427), Academy House, 11 Dunraven Place, Bridgend, Mid Glamorgan, United Kingdom, CF31 1JF ("Qepacko", "we", "us", "our").

Contact: info@qepacko.co.uk

Scope & age: This Policy applies to all users of the Service (including business customers and their authorised staff). The Service is intended for individuals aged 18 and over.

By using the Service, you acknowledge that your personal data will be processed in accordance with this Privacy Policy and applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.

2. Personal data we collect

We collect only the data we need to operate, secure and improve the Service.

2.1 Data you provide directly

• Account & identity: name (or display name), company name, role, email address, telephone number, preferred language.
• Document inputs: PDF files and other documents you upload for conversion (for example, PDFs to be converted to Word or Excel), file names, filenames in archives, and any text, tables, images or other content those files contain.
• Conversion preferences: selected output format (e.g. Word, Excel), language or layout options, and other settings you choose for a given task.
• Access grants (optional): where available, limited access tokens or keys for third-party tools or platforms that you choose to connect (for example storage or collaboration platforms) for import, export or diagnostics; you can revoke access at any time.
• Billing: billing name and address, VAT details (if applicable), and other information needed for invoicing.
• Wallet & Tokens: top-up amounts, chosen currency, usage records and history of Token consumption.
• Support & communications: messages and attachments you send to us (including support tickets, feedback forms, surveys or emails).
• Special-category data: We do not intentionally seek special-category data (such as health information, political views, religious beliefs or biometric data). If you voluntarily include such data in any document, free-text field or communication, we will process it only as necessary to provide the requested Service and only on the basis of your explicit consent (see section 3.2). Please avoid including special-category data where it is not strictly necessary.

2.2 Data collected automatically

• Technical data: IP address, device and browser type, operating system, timezone, language, user agent, and session identifiers.
• Security telemetry: login attempts, authentication events, rate-limiting and anomaly logs, abuse/fraud signals and similar security-related information.
• Usage & diagnostics: page views, clicks, navigation paths, feature usage (for example, which conversion tools you use), Token top-ups and deductions, task run identifiers, error traces and performance metrics.

2.3 Data from third parties

Where necessary to provide and secure the Service, we may receive limited personal data from:

• Payment processors: transaction references, status codes, partial card data (e.g. last 4 digits, card type) and fraud-prevention signals. We do not receive or store full card numbers or CVV codes.
• Connected platforms: where you authorise integrations, we may receive limited metrics or configuration data from those platforms to enable the Service (for example, to import or export documents or to troubleshoot connectivity issues).
• Fraud-prevention and verification providers: risk scores, checks and alerts.
• Professional advisers and insurers: information necessary for legal, tax, compliance or insurance purposes.

2.4 User-Generated Content (UGC)

User-Generated Content (for example, uploaded PDFs, Word/Excel files, compressed archives, descriptions or notes) may contain personal data about you or third parties. You are responsible for ensuring that you have an appropriate lawful basis, notices and permissions to include any third-party personal data in your UGC.

3. Why we process your data & legal bases (UK GDPR)

We process personal data under the UK GDPR and the Data Protection Act 2018 on the following legal bases:

3.1 Performance of a contract

To enter into and perform our contract with you, we process personal data to:

• create, maintain and secure your Account;
• provide the Service, including converting your documents and making Outputs available for download;
• operate Wallets and Tokens, process payments and issue invoices/receipts;
• communicate with you about your use of the Service, Orders and support requests.

3.2 Consent (including marketing & special-category data)

We may rely on your consent to:

• process any special-category data that you voluntarily provide in UGC or communications;
• send marketing emails and newsletters where you opt in;
• use your feedback, testimonials or content for marketing or product-improvement purposes where you explicitly agree.

You may withdraw your consent at any time via the settings (where available) or by contacting us (see section 12). Withdrawal does not affect the lawfulness of processing prior to withdrawal.

3.3 Legitimate interests

We may process personal data where necessary for our legitimate interests, provided that your interests and fundamental rights do not override those interests. This includes:

• keeping the Service secure (fraud detection, abuse prevention, logging, rate-limiting and incident response);
• measuring and improving performance, usability and user experience (using aggregated or pseudonymised analytics where feasible);
• sending essential, non-marketing communications (for example, service, security or policy updates);
• B2B outreach to existing or potential business customers about products or services related to the Service, subject to your right to object at any time (see section 8).

3.4 Legal obligation

We may process personal data where necessary to comply with legal obligations, including:

• tax, accounting and corporate record-keeping;
• responding to lawful requests from public authorities, courts or regulators;
• fulfilling our obligations under applicable consumer protection and data protection laws.

4. Automated processing, profiling and AI

The Service uses automated processing and algorithms to handle your inputs (for example, converting PDF files into Word or Excel, optimising processing flows, or aggregating data for usage statistics).

Limited profiling may be used to tailor aspects of the Service (for example, detecting unusual usage patterns for fraud-prevention, applying usage limits, or suggesting relevant features).

We do not make decisions with legal or similarly significant effects solely based on automated decision-making. You may request human review of any decision that you believe has been taken solely by automated means by contacting us.

5. Sharing and international transfers

We share personal data only as necessary to operate, secure and improve the Service or to comply with legal obligations. This may include:

• Payment processing: providers that process Visa and Mastercard payments and related anti-fraud measures.
• Hosting & IT: secure cloud infrastructure, content delivery networks, storage/backups, monitoring and error-tracking services.
• Product & support tooling: analytics platforms (aggregated or pseudonymised where feasible), helpdesk ticketing, email or SMS delivery, customer feedback and A/B testing tools.
• Professional advisers & insurers: legal, accounting, compliance and insurance providers.
• Corporate transactions: if we are involved in a merger, acquisition, financing, or sale of all or part of our business, personal data may be transferred as part of that transaction, subject to appropriate safeguards.

Some of our service providers are located outside the UK/EEA. Where personal data is transferred internationally, we implement appropriate safeguards such as:

• UK adequacy regulations (where the destination country has been recognised as providing an adequate level of protection);
• the UK or EU Standard Contractual Clauses (SCCs); and
• additional technical and organisational measures where appropriate.

We do not sell your personal data.

6. Cookies and similar technologies

We use cookies and similar technologies (including localStorage and sessionStorage) to:

• run essential functions of the Service (for example, login sessions, security and preferences);
• remember your settings (such as language or currency);
• measure performance and reliability;
• where you consent, enable analytics and, if applicable, marketing or attribution.

Essential cookies are necessary for core functionality and security and cannot be disabled through our consent tools. For more details on the types of cookies we use and how you can manage your preferences, please see our Cookies Policy (linked in the footer of the website).

7. Retention

We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law. In particular:

• Wallet, Tokens & transactions: at least 24 months and up to 6 years where needed for disputes, tax, accounting or enterprise records.
• Account & profile data: for as long as your Account is active and for a reasonable period after closure (typically up to 24 months), unless a longer period is required for legal, security or business continuity reasons.
• Logs & security telemetry: typically 6–24 months, depending on the purpose and risk level.
• Document inputs & Outputs: for as long as necessary to provide the Service (for example, to allow you to re-download a recent conversion), subject to storage limits and your deletion choices. We may shorten these periods for security or capacity reasons.

Where feasible, we minimise, pseudonymise or anonymise data as early as possible and then securely delete or irreversibly anonymise it once it is no longer needed.

8. Your rights

Subject to certain legal conditions and limitations, you have the following rights regarding your personal data:

• Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy.
• Right to rectification – to request correction of inaccurate or incomplete personal data.
• Right to erasure ("right to be forgotten") – to request deletion of your personal data where there is no longer a legal basis for us to retain it.
• Right to restriction of processing – to request that we restrict processing in certain circumstances.
• Right to data portability – to receive certain personal data in a structured, commonly used and machine-readable format and to transmit it to another controller where technically feasible.
• Right to object – to object, on grounds relating to your particular situation, to processing based on our legitimate interests, and to object at any time to processing for direct marketing.
• Right to withdraw consent – where processing is based on your consent, you have the right to withdraw that consent at any time (for example, for marketing communications or special-category data).

How to exercise your rights:
You can exercise your rights by emailing info@qepacko.co.uk from your Account email address. We may need to request additional information to verify your identity.

We aim to respond within one month of receiving your request. This period may be extended by up to two further months for complex or numerous requests, in which case we will inform you of the extension and reasons.

9. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse or alteration. These measures include, where appropriate:

• access controls, role-based permissions and multi-factor authentication for administrative interfaces;
• encryption in transit (HTTPS/TLS) and, where appropriate, at rest;
• network segregation, firewalls and regular backups;
• logging, monitoring and incident-response procedures;
• vendor due diligence and contractual obligations for processors.

No system can be guaranteed to be 100% secure, but we continuously improve our controls and will promptly investigate and, where required, notify you and relevant authorities of any personal data breach.

10. Children's data

The Service is intended for users aged 18+. We do not knowingly collect personal data from children. If you believe that a child has provided personal data to us, please contact info@qepacko.co.uk so that we can investigate and, where appropriate, delete the data and close any related Account.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, applicable law or our data protection practices.

Material changes will be notified by email (where appropriate) and/or via a prominent notice within the Service. Updated versions will be effective from the date indicated at the top of this Policy and will apply prospectively.

12. Contact & complaints