Data Protection & Privacy Policy

Qmulus Ltd

  1. Purpose of the policy
  2. Scope of the policy
  3. Data protection principles
  4. Data subject rights
  5. Personal data collected
  6. Uses of personal data
  7. Disclosures of personal data
  8. Retention & deletion of personal data
  9. Processing of sensitive data and vulnerable users
  10. Processing unseen by the data subject, including tracking
  11. Contact details
  12. Changes to this policy

Purpose of the policy

The purpose of this data privacy policy is to demonstrate the commitment of Qmulus Ltd to upholding the data protection interests, rights and freedoms of customers, employees and any other data subjects whose personal data we process.

Scope of the policy

The scope of this policy extends to our obligations under the General Data Protection Regulation (GDPR) and The Data Protection Act 2018.  It covers all processing carried out by Qmulus Ltd is a data controller. For the avoidance of doubt, it does not cover processing for which Qmulus Ltd is acting as a data processor to another data controller unless stated otherwise.

For customers of Qmulus Ltd, this policy should be read in conjunction with our Terms & Conditions of business.

For users of the Qmulus Ltd website, this document should be read in conjunction with the website Terms of Use document.

Data protection principles

When processing personal data, Qmulus Ltd will uphold the rights and freedoms of data subjects by adhering to the following principles:

Personal data shall be:

Processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”);

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (“purpose limitation”);

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject (“storage limitation”);

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).


Data subject rights

As a data subject of company name GDPR gives you the following rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure (the right to be forgotten)
  5. The right to restriction of processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

You also have the right to lodge a complaint about our processing of your personal data with the Information Commissioner’s Office (ICO).

To exercise your rights as a data subject you should contact Ian Nicoll at  It will be necessary for you to identify yourself and the nature of your request before we can deal with your enquiry.  All requests related to your rights as a data subject are known as Subject Access Requests (SARs) and we will only deal with them in writing by post or by email.  We will not be able to engage in this by telephone.


Personal data collected

Article 4 of the GDPR defines “personal data” as,

“Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

Qmulus Ltd processes personal data about individuals in the following categories:

  1. Customer
  2. Lapsed Customer
  3. Contractor

The personal data processed in each case is specified by a Privacy Notice at the point of data capture in the case of data supplied directly by the data subject (Article 13) or within 28 days of the use of the personal data if supplied indirectly, not by the data subject but by a third party (Article 14).

Items of personal data processed are (per category):

  • Customer:  Identity information (name); contact information (address, telephone number, place of work, email address, transaction history.
  • Lapsed customer:  Name, email address, address, telephone number, transaction history,
  • Contractor:  Name, email address, address, telephone number, transaction history.
  • Data derived from the consumer’s use of the organisations services and websites.
  • Data derived from the consumer’s use of the internet and devices and any payment services.


Uses of personal data

Providing primary services as a power systems engineering consultancy.  Maintaining contact with clients and contractors and exchanging contract information between Qmulus Ltd, clients and 3rd parties involved in each project.

Disclosures of personal data

Qmulus Ltd uses third party service partners (“data processors”) to assist in the processing of personal data.  As the data controller, Qmulus Ltd discloses certain items of personal data to these data processors. Each of these data processors is bound by contract to process personal data only in the way specified by the data controller and to support the data controller in upholding the rights and freedoms of the data subjects.

These data processors are located within the EEA and operate in accordance with the GDPR.

Website Hosting System:  Allstrat Ltd with Heart Internet as a sub processor.

Email Processor 1:   1and1.

Administrative and operational processing:  Microsoft Office 365.

Inbound call and message handling:  KBVO Ltd.

Retention & deletion of personal data

Qmulus Ltd retains personal data only for as long as the purpose of processing demands (limitation principle).  It is then deleted or destroyed in accordance with the company name Data Retention & Disposal Policy. Qmulus Ltd retains all customer and transaction detail for accounting purposes for a period of 6 years following the conclusion of the financial year in which the transaction occurred.  All data is then securely destroyed using shredding for paper records and secure deletion for electronic records.

Processing of sensitive data and vulnerable users

Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited by GDPR.

Qmulus Ltd does not process sensitive data.

Processing unseen by the data subject, including tracking

The website at Qmulus Ltd uses only essential first party cookies and does not process any of your personal data.

Reporting A Data Breach

To raise a report of a data breach involving processing related to Qmulus Ltd please contact or by telephone at 01463 226717

Contact details

Ian Nicoll, Qmulus Ltd, 8 Crown Drive, Inverness

Changes to the DP policy

Changes to this policy will be made and published on the website at

Effective from date:  1/7/2018