Privacy & Cookie Policy
Effective date: 6 May 2026 · Last reviewed: 6 May 2026 · Version 1.0
1. Introduction
QMC4 Group Limited (“QMC4”, “we”, “us”, or “our”) is committed to protecting the privacy of visitors to our website at qmc4.com (the “Site”) and the personal data of individuals we engage with in the course of our business.
This Privacy & Cookie Policy (the “Policy”) explains how we collect, use, store, share, and protect personal data, your rights under data protection law, and how we use cookies and similar technologies on the Site. It applies to anyone who visits the Site, submits an enquiry, subscribes to our communications, or otherwise interacts with us online.
This Policy is issued in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
2. Who we are (Data Controller)
For the purposes of UK data protection law, the data controller is:
QMC4 Group Limited
Registered office: Ohana, Hougues Magues Lane, St Sampson, Guernsey GY2 4WA
Company number: 77766
Email: privacy@qmc4.com
3. Personal data we collect
We collect personal data in three ways: information you provide directly to us, information collected automatically when you use the Site, and information we receive from third parties.
3.1 Information you provide to us
- Identity and contact details: name, job title, employer, email address, telephone number, and postal address (e.g. when you complete a contact, demo, or download form, or when you correspond with us).
- Enquiry content: the message, files, or attachments you send us, and any context you choose to provide about your business or requirements.
- Marketing preferences: your choices about receiving marketing communications and the channels through which you wish to be contacted.
- Live chat content: messages you send via the chat widget on the Site, and any contact details you choose to share within a chat conversation.
3.2 Information collected automatically
- Technical data: IP address, browser type and version, operating system, device type, and screen resolution.
- Usage data: pages visited, time spent on pages, links clicked, referring URL, search terms used to find the Site, and other interaction data.
- Location data: approximate geographic location derived from your IP address (typically at city / region level).
- Cookie and identifier data: information stored in or read from cookies and similar technologies (see Section 9).
3.3 Information from third parties
- Business intelligence and enrichment: where you submit a corporate email address, we and our processors (notably HubSpot’s Breeze Intelligence) may match this to publicly available business information about you and your employer (e.g. company name, sector, size, role).
- Referrals and partners: information shared with us by mutual contacts, partners, or introducers, where you have authorised that disclosure.
4. How we use your personal data and our lawful bases
Under UK GDPR we must have a lawful basis for processing your personal data. The table below summarises the main purposes for which we process your data and the lawful basis we rely on for each.
| Purpose | Lawful basis |
|---|---|
| Responding to enquiries and providing information you have requested | Performance of a contract or steps taken at your request prior to entering into a contract (UK GDPR Art. 6(1)(b)); or our legitimate interest (UK GDPR Art. 6(1)(f)) in responding to business enquiries. |
| Operating, securing, and improving the Site | Our legitimate interest (UK GDPR Art. 6(1)(f)) in maintaining a functioning, secure, and effective online presence and protecting the Site against fraud, abuse, and security threats. |
| Sending marketing communications and newsletters | Your consent (UK GDPR Art. 6(1)(a) and PECR reg. 22), or our legitimate interest (UK GDPR Art. 6(1)(f)) under the “soft opt-in” rule where you are an existing or prospective business customer, you have not objected, and we are marketing similar services. You can withdraw consent or object at any time by using the unsubscribe link in any marketing email or by contacting us. |
| Analytics and measurement | Your consent (UK GDPR Art. 6(1)(a) and PECR reg. 6) given via the cookie consent banner. Analytics cookies are not set unless you accept them. |
| Compliance with our legal and regulatory obligations | Compliance with our legal obligations (UK GDPR Art. 6(1)(c)), e.g. tax, accounting, fraud prevention, and responding to lawful regulatory or law-enforcement requests. |
| Establishment, exercise, or defence of legal claims | Our legitimate interest (UK GDPR Art. 6(1)(f)) in protecting our business from legal claims and pursuing remedies where appropriate. |
5. Sharing your personal data
We do not sell your personal data. We share personal data only with the categories of recipients described below, and only to the extent necessary for the purposes set out in this Policy.
5.1 Service providers (data processors)
We use third-party service providers to help us operate the Site and our business. These providers act as our data processors and process personal data on our instructions and under written agreements that include UK GDPR-compliant data processing terms.
| Service / Processor | Purpose | Country / Safeguard |
|---|---|---|
| HubSpot, Inc. | CRM, marketing automation, website analytics, forms, live chat, email marketing. | United States. Transfers safeguarded by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, supplemented by HubSpot’s organisational and technical measures. See HubSpot’s Data Processing Agreement and Sub-Processor list. |
| Cloudflare, Inc. | Content delivery network, DDoS protection, and bot management used by HubSpot to serve the Site. | United States. Transfers safeguarded by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. |
| [TBC: Hosting provider, if other than HubSpot CMS] | Website hosting and content delivery. | [TBC: Country and transfer safeguard] |
| [TBC: Email provider, e.g. Google Workspace / Microsoft 365] | Receipt and storage of emails sent via the Site contact forms. | [TBC: Country and transfer safeguard] |
5.2 Group companies and partners
Where appropriate, we may share your personal data with members of our corporate group for the purposes of providing services, internal administration, and where you have specifically engaged us in the context of a joint product or initiative.
5.3 Professional advisers
We may share personal data with our legal, accounting, audit, insurance, and other professional advisers as required for the proper administration of our business.
5.4 Authorities
We may disclose personal data to regulators, courts, law-enforcement, or other authorities where we are required or permitted to do so by law.
5.5 Business transfers
If QMC4 is involved in a merger, acquisition, restructuring, or sale of assets, personal data may be transferred to a successor or acquirer subject to the same protections as set out in this Policy.
6. International transfers of personal data
Some of our service providers are located outside the United Kingdom, principally in the United States. Where we transfer personal data outside the UK we ensure that appropriate safeguards are in place as required by UK GDPR Chapter V, including:
- transfers to countries the UK government has determined to provide an adequate level of protection (“adequacy regulations”); or
- transfers under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (“IDTA”) or the UK Addendum to the EU SCCs, supplemented by additional technical and organisational measures where appropriate.
You can request a copy of the safeguards we use for a specific transfer by contacting us using the details in Section 14.
7. How long we keep your personal data
We keep personal data only for as long as is necessary for the purposes for which it was collected, including any legal, accounting, or reporting requirements. The retention periods we apply include the following:
- Website enquiry and prospect data: up to 12 months from the last meaningful interaction, after which records are deleted or anonymised.
- Customer records and contractual correspondence: for the duration of the engagement and for 5 years thereafter, in line with statutory limitation periods and accounting requirements.
- Marketing data: until you withdraw consent or object, plus a short period to record the withdrawal request.
- Live chat transcripts: for up to 12 months unless required for a longer period to support an active enquiry or legal claim.
- Cookie data: as set out in the duration column of the cookie table in Section 9.
8. Security of your personal data
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, including:
- encryption of data in transit (HTTPS/TLS) and at rest where supported by our service providers;
- access controls, multi-factor authentication, and the principle of least privilege for staff and processors;
- network and endpoint security monitoring through our internal security operations function (QMC4-Cyber);
- documented information-security policies, regular security awareness training, and supplier due diligence.
No method of transmission over the internet or electronic storage is 100% secure. Where you have a username and password (e.g. for any client portal) you are responsible for keeping these confidential.
9. Cookies and similar technologies
9.1 What cookies are
Cookies are small text files that are placed on your device when you visit a website. They allow the website to recognise your device, remember your preferences, and collect information about how you use the site. Similar technologies include web beacons, tracking pixels, and browser local/session storage; references to “cookies” in this Policy include those technologies.
First-party cookies are set by the domain you are visiting (qmc4.com). Third-party cookies are set by domains other than the one you are visiting (for example, our service providers).
9.2 How we use cookies
We use cookies for the following purposes:
- Strictly necessary: to enable core functionality of the Site, including security, network management, accessibility, and recording your cookie preferences. These cookies are exempt from the consent requirement under PECR.
- Analytics / performance: to understand how visitors use the Site, identify popular content, and improve the user experience.
- Functionality: to recognise returning visitors and support optional features such as live chat history.
- Marketing / advertising (if enabled): to measure marketing effectiveness and deliver relevant communications. We do not currently set advertising cookies; this Policy will be updated if that changes.
9.3 Your consent
When you first visit the Site, our consent banner asks you to choose which categories of non-essential cookies you accept. We will only set non-essential cookies (analytics, functionality, marketing) where you have given consent. You can change or withdraw your consent at any time by clicking the “Manage cookies” link in the footer of the Site.
9.4 Detailed list of cookies we use
The tables below list the cookies that may be set when you visit the Site, based on the standard HubSpot tracking code, the HubSpot live chat (chatflows) tool, and HubSpot’s CDN provider (Cloudflare). The actual cookies set on your device depend on your interactions with the Site and the choices you make in the consent banner. Cookies marked as “Session” expire when you close your browser.
Strictly necessary cookies (no consent required under PECR)
| Cookie name | Provider / Party | Purpose | Duration |
|---|---|---|---|
| __cfruid | Cloudflare (3rd-party) | Set by HubSpot’s CDN provider to support rate-limiting policies and protect site availability. | Session |
| __cfuvid | Cloudflare (3rd-party) | Set by HubSpot’s CDN provider to support rate-limiting policies. | Session |
| __cf_bm | Cloudflare (3rd-party) | Used by HubSpot’s CDN provider for bot management and protection against automated abuse. | 30 minutes |
| __hs_opt_out | QMC4 / HubSpot (1st-party) | Records when a visitor has opted out of cookies so the consent banner does not display again. | 6 months |
| __hs_do_not_track | QMC4 / HubSpot (1st-party) | Set when a visitor disables tracking, preventing the HubSpot tracking code from sending information. | 6 months |
| __hs_initial_opt_in | QMC4 / HubSpot (1st-party) | Prevents the consent banner from displaying repeatedly to visitors using strict browser settings. | 7 days |
| __hs_cookie_cat_pref | QMC4 / HubSpot (1st-party) | Records the cookie categories the visitor has consented to via the consent banner. | 6 months |
| __hs_gpc_banner_dismiss | QMC4 / HubSpot (1st-party) | Records that the Global Privacy Control banner has been dismissed. | 180 days |
| __hs_notify_banner_dismiss | QMC4 / HubSpot (1st-party) | Records that the cookie notification banner has been dismissed. | 180 days |
| hs_ab_test | QMC4 / HubSpot (1st-party) | Ensures visitors consistently see the same variation of an A/B test page. | Session |
| hs-messages-is-open | QMC4 / HubSpot (1st-party) | Records whether the live chat widget is open so its state persists across pages. | 30 minutes |
| hs-messages-hide-welcome-message | QMC4 / HubSpot (1st-party) | Prevents the chat welcome message from re-appearing for one day after dismissal. | 1 day |
Analytics cookies (consent required)
| Cookie name | Provider / Party | Purpose | Duration |
|---|---|---|---|
| __hstc | QMC4 / HubSpot (1st-party) | The main HubSpot analytics cookie. Records the domain, visitor’s unique identifier (hubspotutk), first-visit timestamp, last-visit timestamp, current-visit timestamp, and session number. | 6 months |
| hubspotutk | QMC4 / HubSpot (1st-party) | Identifies a unique visitor. Passed to HubSpot on form submission and used to deduplicate contact records. | 6 months |
| __hssc | QMC4 / HubSpot (1st-party) | Tracks active sessions. Records the domain, page-view count for the session, and session start timestamp. Used to determine when the session timestamps in __hstc should be updated. | 30 minutes |
| __hssrc | QMC4 / HubSpot (1st-party) | Set whenever HubSpot changes the session cookie, to determine whether the visitor has restarted their browser. | Session |
Functionality cookies (consent required, except where noted)
| Cookie name | Provider / Party | Purpose | Duration |
|---|---|---|---|
| messagesUtk | QMC4 / HubSpot (1st-party) | Recognises visitors who use the live chat tool, allowing chat history to load on return visits in the same browser. Treated as strictly necessary where the ‘Consent to collect chat cookies’ setting is enabled. | 6 months |
Note on additional tools: If we add Google Analytics, LinkedIn Insight Tag, Meta Pixel, Microsoft Clarity, or any other tracking or advertising technology to the Site, this Policy and the cookie table will be updated and you will be re-prompted for consent where required.
9.5 How to manage or disable cookies
In addition to using our consent banner, you can manage cookies through your web browser. Most browsers allow you to view, delete, and block cookies. Instructions for the major browsers are available at:
- Google Chrome: support.google.com/chrome/answer/95647
- Mozilla Firefox: support.mozilla.org/kb/enhanced-tracking-protection-firefox-desktop
- Apple Safari: support.apple.com/guide/safari/manage-cookies-sfri11471
- Microsoft Edge: support.microsoft.com/microsoft-edge/delete-cookies-in-microsoft-edge
Please note that blocking strictly necessary cookies may affect your ability to use parts of the Site.
9.6 Global Privacy Control (GPC)
We honour the Global Privacy Control signal where supported by your browser. When a GPC signal is detected, we treat it as a request to opt out of non-essential cookies for that browser session.
10. Your rights
Subject to applicable conditions and exemptions, you have the following rights under UK GDPR in respect of personal data we hold about you:
- Right of access: to obtain confirmation that we process your data and a copy of that data.
- Right to rectification: to have inaccurate data corrected and incomplete data completed.
- Right to erasure (“right to be forgotten”): to have your data deleted in certain circumstances.
- Right to restriction: to restrict our processing in certain circumstances.
- Right to data portability: to receive certain data you have provided to us in a structured, commonly used, machine-readable format.
- Right to object: to object to processing based on our legitimate interests, and to direct marketing at any time.
- Rights relating to automated decision-making: we do not currently make decisions based solely on automated processing that produce legal or similarly significant effects on you.
- Right to withdraw consent: where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, please contact us using the details in Section 14. We will respond within one calendar month, although this period may be extended by up to two further months for complex requests. We may need to verify your identity before responding.
11. Children’s privacy
The Site and our services are intended for business use and are not directed at children. We do not knowingly collect personal data from children under the age of 16. If you believe we may have collected personal data from a child, please contact us and we will take steps to delete that data.
12. Third-party websites
The Site may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. We encourage you to read the privacy policy of every website you visit.
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. The “Effective date” and “Last reviewed” fields at the top of this Policy indicate when it was most recently updated. We encourage you to review this Policy periodically. Where the changes are material, we will provide a more prominent notice (for example, by email or via a banner on the Site).
14. How to contact us
If you have any questions about this Policy, wish to exercise your rights, or have a privacy-related concern, please contact us:
Email: privacy@qmc4.com
Post: QMC4 Group Limited, Ohana, Hougues Magues Lane, St Sampson, Guernsey GY2 4WA
Telephone: +44 (0)1481 240400