Q2 Advisory – Privacy Policy
Effective March 2026
Purpose & Scope
Contact: info@q2advisory.ie (Data Protection Officer)
Legal Basis for Processing
| Processing activity | GDPR legal basis | How we satisfy it |
|---|---|---|
| Employment & HR administration (payroll, contracts, performance) | Contract (Art 6 (1)(b)) & Legal obligation (Art 6 (1)(c)) | Written employment contracts; statutory payroll requirements. |
| Customer relationship management (CRM, support tickets) | Contract (Art 6 (1)(b)) & Legitimate interest (Art 6 (1)(f)) | Service agreements; LIA documented and retained. |
| Marketing communications (newsletter, offers) | Consent (Art 6 (1)(a)) | Opt‑in checkbox; easy unsubscribe link. |
| Supplier & partner onboarding | Contract (Art 6 (1)(b)) | Supplier agreements. |
| Remote interviews with doctors (audio/video, transcription, AI analysis) | Explicit consent (Art 6 (1)(a)) + Special category consent if health‑related opinions are disclosed (Art 9 (2)(a)) | Separate consent tick‑boxes for recording and AI processing. |
| Business intelligence & analytics (aggregated reports) | Legitimate interest (Art 6 (1)(f)) | Data is anonymised/pseudonymised; LIA performed. |
| Security & fraud prevention | Legitimate interest (Art 6 (1)(f)) | Minimal data, strict access controls. |
| Legal compliance & regulatory reporting | Legal obligation (Art 6 (1)(c)) | Required by Irish law (tax, employment, health‑safety). |
Data Categories Collected
| Category | Typical examples | Reason for collection |
|---|---|---|
| Identity | Name, date of birth, national ID/passport, employee number | Identification, legal compliance. |
| Contact | Email, phone, postal address | Communication, service delivery. |
| Employment | Job title, salary, tax code, bank details, performance reviews | HR & payroll. |
| Customer | Purchase history, billing details, support interactions | Order fulfilment, support, invoicing. |
| Supplier/Partner | Company registration, VAT number, contact person | Contractual relationship, payments. |
| Interview media | Audio/video recordings, transcripts | Research & thematic analysis. |
| Derived analytics | Aggregated trends, anonymised themes, KPI dashboards | Business intelligence, service improvement. |
| Technical metadata | IP address, device type, login timestamps, cookies | Security, troubleshooting, usage analytics. |
| Optional demographics | Age range, gender, nationality (voluntary) | Enriched statistical reporting. |
No data is collected beyond what is necessary for the stated purposes (principle of data minimisation).
How We Process Data
Personal data is gathered through secure, EU‑hosted web forms, corporate‑issued email addresses, telephone calls, or face‑to‑face meetings.
All data in motion is protected with TLS 1.3 (HTTPS for web traffic, WSS for any real‑time signalling).
- Proton Drive (Switzerland, EU‑compliant data‑centre locations)
- Speech‑to‑text – Recordings are uploaded to an EU‑hosted, GDPR‑compliant speech‑recognition service that runs entirely within the European Economic Area.
- Thematic extraction – The resulting transcripts are passed to an EU‑hosted large‑language‑model environment.
All AI vendors are bound by a Data Processing Agreement (DPA) that expressly forbids any retention of the submitted audio/text beyond the immediate transcription request and prohibits the use of the data for model‑training or any secondary purpose.
- Raw recordings are automatically and irreversibly deleted after 30 days.
- Original transcripts are removed after 90 days.
- Consent logs are retained for 3 years to satisfy regulatory record‑keeping.
- Audit logs are kept for 2 years.
All deletions are performed by scripted, auditable jobs and are logged with timestamp, user ID and source IP to provide a verifiable trail.
Data Sharing & Transfers
| Recipient | Purpose | Safeguards |
|---|---|---|
| Employees & internal teams | Operational execution, HR, finance, BI | Role‑based access, MFA, encryption. |
| Authorized third‑party processors (cloud, AI transcription, payroll, CRM) | Service provision | Signed GDPR‑compliant DPAs, EU‑only data centres, SCCs where required. |
| Regulators & public authorities | Legal compliance, audits | Minimum data necessary, lawful request verification. |
| Partners & collaborators (e.g., research institutions) | Joint studies, aggregated insights | Only fully anonymised data; DPA in place. |
| Law enforcement | Criminal investigations (if legally compelled) | Only upon valid court order or statutory demand. |
No personal data is transferred outside the European Economic Area (EEA).
Retention Schedule
| Data type | Retention period | Deletion trigger |
|---|---|---|
| Raw interview recordings | 30 days | After successful transcription confirmation |
| Original AI transcripts | 90 days | After thematic analysis is completed |
| Anonymised thematic data | Indefinite | N/A (no personal identifiers) |
| Employee records (HR) | Until 6 months after termination (plus statutory periods) | End of retention period |
| Customer contracts & invoices | 7 years (tax law) | Expiry of statutory period |
| Supplier contracts | 7 years | Expiry of statutory period |
| Consent logs | 3 years after last interaction | Automatic archival |
| Audit & security logs | 2 years | Routine log rotation |
Security Measures
Transport security
TLS 1.3 for all network traffic.
At‑rest encryption
AES‑256 with customer‑managed keys (KMS) in the EU.
Access control
Role‑based IAM, least‑privilege principle, Multi‑Factor Authentication for privileged accounts.
Monitoring & logging
Centralised SIEM (Elastic Cloud EU) with real‑time alerts on anomalous activity.
Penetration testing
Annual external testing by an Irish‑certified security firm; remediation within 30 days.
Incident response
Documented plan; DPC notified within 72 hours of any breach affecting personal data.
Data minimisation
Recordings trimmed to interview length; unnecessary metadata stripped before storage.
Anonymisation
Direct identifiers removed from transcripts before AI analysis; pseudonymisation used where needed.
Data Subject Rights
You have the following rights under the GDPR. Requests should be sent to info@q2advisory.ie and will be handled within 30 days.
Right to be informed
You receive this policy before any processing.
Right of access
Obtain a copy of the personal data we hold about you.
Right to rectification
Request correction of inaccurate data.
Right to erasure (“right to be forgotten”)
Request deletion of your personal data (except where legal obligations require retention).
Right to restriction of processing
Ask us to limit how we use your data.
Right to data portability
Receive your data in a structured, commonly used format.
Right to object
Object to processing based on legitimate interests or direct marketing; you may also object to automated decision‑making (including AI transcription).
Right to lodge a complaint
With the Irish Data Protection Commission (DPC) at https://www.dataprotection.ie.
Data Protection Impact Assessments (DPIA)
Processing activities that involve audio/video recording, AI transcription, or large‑scale profiling trigger a DPIA under GDPR Art. 35. Q2 Advisory conducts DPIAs for:
- Remote doctor interviews (recording + AI analysis).
- Any new AI‑driven analytics platform.
The DPIA outcome, risk mitigation measures and sign‑off are retained for six years and reviewed whenever the processing changes.
Changes to This Policy
We may amend this Privacy Policy to reflect legislative updates, new services or operational changes. Significant changes will be communicated via email (for existing contacts) and posted on our website with a revised “effective date”.
Contact Details
Data Protection Officer (DPO)
Email: info@q2advisory.ie
For any questions regarding this policy, data handling practices, or to exercise your rights, please contact the DPO using the details above.