This notice explains what we do with your personal information, why we want to use it, how we protect it, and what rights you have to control our use of your personal data.

We have complete respect for your rights over your personal data and we will only use it where necessary to deliver our services to you or your employer, or to keep you up to date about developments in circular economy and sustainability that we think you’ll find interesting and useful.

The data controller

The data controller is QSA Partners LLP (“QSA”). Our company number is OC386681 and our registration number with the Information Commissioner’s Office is ZA371769.

If you want to contact us about any of the points on this notice, or just generally about how we protect your privacy, please email us at We use this email address for all data protection and data access matters.

The purpose and lawful basis for processing your personal data

We use information for a few different purposes and these each have a different lawful basis. This section describes these in detail and, although it’s technical, we’re required by law to explain this to you.

If work for a company that is a QSA client or project partner, we hold your name and contact details because we have a legitimate interest in delivering consulting services to you. We need your contact details to deliver our services (such as send you update emails when you need to take actions, send you invoices and so on.) We will also contact you after project completion to ask about post-project progress and identify any further requirements you may have for our services.

We will hold your information for six years from the end of our project with you, for legal records.

If you are a supplier or other business associated with QSA’s field of work, we will hold your contact details because we have a legitimate interest in doing business with your company. We will hold this information for three years since we were last in contact with you. It’s possible we picked this information up from public directories (such as LinkedIn and internet searches) or that you passed your details to us with a business card.

If you visit our website, we may record your computer’s IP address so we can tell how each user and repeat visitor is using our site (your IP address is also a piece of your personal data). We have a legitimate interestin tracking user journeys on the site so that we can improve our site. We will hold IP information for a maximum of three years from the time of your last visit to our site or application.

Who receives your personal data?

We use a small range of service providers to do our day-to-day work. These include:

  • An accountant and bookkeeper
  • Email service provider
  • Software and web service providers such as CRMs and bookkeeping applications,
  • Associates and subcontractors

We have arrangements in place with each organisation to protect the personal data under our control. If you’d like more information about our suppliers please contact us at

International transfers of personal data, and their safeguarding measures

We use some cloud-based systems, which means the information is held in information data centres in different locations.

All the cloud-based systems we use reserve the right to hold copies of your personal information outside the European Economic Area (EEA.) Our service providers may transfer your personal information to cloud data centres in the USA. The personal privacy laws and safeguards in the USA aren’t as good, so the European Commission has approved a system called “EU-US Privacy Shield” to help ensure sure the personal information of European citizens is properly protected if held by companies in the USA. QSA uses Privacy Shield for all the companies listed in this section through standard contractual clauses approved by the EC.

Your personal data rights

The personal data we hold about you is yourdata, so you have certain rights over them. You can exercise any or all these rights when you choose, and the easiest way is by dropping us an email at

You have the right to request a copy of all personal data we hold relating to you and we must provide this within 30 days. You also have the right to require us to correct any records that are wrong.

You have the right to require us to erase personal data and we must comply unless we need it for one of the purposes described above (for example, this might include the fact that we need to deliver certain work to your employer.) We also retain the right to keep data that is needed to establish, exercise or defend a legal claim.

Where we process your data based on a “legitimate interest” you still have the right to object to our processing of that data. From that point, we must stop processing your data until we have determined whether your rights override our interests.

Finally, you have the right to have your personal data transferred to another organisation, and we’re obliged to provide it to you in a clear and reasonable format.

Your rights to lodge a complaint with the Regulator

At all times, you have the right to report a concern or lodge a complaint with the Information Commissioner’s Office. Please refer to the ICO at by calling them on 0303 123 1113.

Of course, we hope that we can resolve your issue quickly and fairly – you can contact us at

Our contractual requirements to use your personal data

If you work for a QSA client or partner organisation, it’s a requirement that we collect personal information from you so that we can enter into a contract with your employer.

If you’re an employee (or temporary or associated worker) at a client or partner company, we have a legitimate interest in using your personal data so we can deliver services to your employer or our client. They will require us to do this through our contract with them or with someone that we have a contract with (like a non-governmental organisation). If you ask us to restrict processing of your personal data, we may not be able to deliver our agreed work and this could affect your or your employer’s participation in our projects.

Other purposes for processing personal data

We don’t perform any automated processing or decision making using personal data.

We don’t process your personal data for any other purpose than we’ve described here. We won’t sell your personal data to other companies.

Should we decide that we want to develop a new processing purpose, we will contact you to let you know what we intend to do, the lawful basis we will use, and your rights over our intended new processing. We’ll also publish information about it here.

If you have any questions, concerns or just want some more information about our privacy management, drop us a line at