OPRaaS Privacy Policy (UK)

Last updated: 8 October 2025

This Privacy Policy explains how OPRaaS Limited (“OPRaaS”, “we”, “us”, “our”) collects and uses personal data when you visit opraas.co.uk, attend our LSCA training, or use our self-certification and evidence-review services.

Who we are (Controller). OPRaaS Limited, Suite 10, Harefield House, Alderley Road, Wilmslow, Cheshire, SK9 1RA. Contact: privacy@opraas.co.uk

  1. Scope

This policy covers:

  • Website visitors, account holders and trainees, and
  • Customers using LSCA self-certification and (optional) evidence-review services.

Our services are for business users; they are not intended for under-16s.

  2. Roles: Controller vs Processor

We act as controller for website analytics, accounts, training and marketing.
Where a customer uploads documents for LSCA verification/evidence review (e.g., payslips, CIS evidence, onboarding files) and instructs us to review them, we act as the customer’s processor and process such personal data only on documented instructions under a Data Processing Addendum (DPA) (security, confidentiality, sub-processors, deletion/return).

  3. Categories of personal data we collect

  • Account & profile: name, work email, employer, role, preferences.
  • Training/LMS: enrolments, progress, assessment scores, certificates.
  • Communications: support tickets, feedback, call/meeting metadata.
  • Verification uploads (customer-provided): documents needed to support self-certification/evidence checks (which may include worker/supplier identifiers).
  • Payments: transaction metadata (handled by our payment providers; we do not store full card data).
  • Device & usage: log data, IP, pages, referring URLs, cookie identifiers.
  • Marketing: newsletter preferences, campaign interactions.

  4. How we use data and lawful bases

| Purpose | Examples | Lawful basis |
| --- | --- | --- |
| Provide services & accounts | Training access, certificates, self-cert forms | Contract |
| Verification/evidence review | Review of uploaded artefacts per your instructions | Contract (processor role when applicable) |
| Billing & tax | Invoicing, refunds, tax records | Contract; Legal obligation |
| Support & service improvement | Troubleshooting, product analytics using aggregated/essential data | Legitimate interests |
| Security & fraud prevention | Access controls, MFA, abuse detection | Legitimate interests |
| Marketing communications | Product updates, newsletters | Consent / soft opt-in (PECR) |
| Cookies/analytics/ads | GA4/LinkedIn etc. (non-essential) | Consent (via CMP) |

  5. Sharing and recipients

We use trusted providers for hosting, storage/backup, conferencing, analytics, marketing and payments (e.g., AWS/Ionos, Google/GA4, Zoom, Zapier, PayPal, LinkedIn Ads). We ensure appropriate contracts and safeguards are in place. We disclose data where required by law or to protect rights, safety or security.

  6. International transfers

Where personal data is transferred outside the UK, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, plus transfer risk assessments and technical/organisational measures. For EEA data (if applicable), we rely on EU adequacy or SCCs.

  7. Retention

We keep data only as long as necessary for the purposes set out above or to meet legal/accounting requirements. Typical periods:

  • Account/LMS: 24 months after last activity.
  • Verification uploads: 3–6 years (depending on legal/audit needs), then securely deleted or returned per contract.
  • Payments/finance: 6 years.
  • Support tickets: 24 months.
  • Marketing lists: until you unsubscribe (we refresh/suppress routinely).
    See also our customer DPA for processor-role deletion/return.

  8. Security

We use industry-standard security: TLS in transit; encryption at rest for stored documents; role-based access with MFA; audit logging; least-privilege administration; supplier due-diligence and contractual safeguards; and secure deletion on retention expiry. We maintain incident-response procedures.

  9. Cookies & similar technologies

We use essential cookies for the site to function. Non-essential analytics/advertising cookies run only with your consent via our cookie banner/CMP. See our Cookie Policy for details.

  10. Marketing

We may send B2B emails about similar products to existing customers under the soft opt-in; every message includes an unsubscribe option. For new subscribers or where required, we rely on consent.

  11. Your rights (UK GDPR)

You can request access, rectification, erasure, restriction, objection (including to direct marketing), and data portability. Where we rely on consent, you may withdraw it at any time.
Contact us at privacy@opraas.co.uk. You can also complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.

  12. Automated decision-making

We do not make decisions based solely on automated processing (including profiling) that have legal or similarly significant effects.

  13. Children

Our services are intended for business users. We do not knowingly collect data relating to under-16s.

  14. Changes to this policy

We may update this policy to reflect legal or technical changes. We will post the new version with a new “Last updated” date and, where appropriate, notify you via the service or by email.