This Privacy Policy explains how Training Intelligence (TIQ) Ltd collects, uses, stores, and protects your personal data when you use the Prentice platform or visit tiqplus.com. We are committed to transparency and to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
The data controller is Training Intelligence (TIQ) Ltd, a private limited company registered in England and Wales.
- Company name: Training Intelligence (TIQ) Ltd
- Company number: 15284245
- Registered address: 43-45 Devizes Road, Swindon, Wiltshire, SN1 4BG
- Email: privacy@tiqplus.com
Where Prentice is deployed by a training provider or employer organisation, that organisation may act as a separate data controller for learner data within their instance. This policy covers TIQ's activities as data controller and, where applicable, as data processor acting on behalf of those organisations.
2. Data we collect
2.1 Account and identity data
When you create an account or are invited to the platform, we collect: name, email address, job title, organisation name, and account credentials (hashed password or SSO token).
2.2 Platform usage data
As you use Prentice, we collect data generated by your use of the platform, including:
- Learner records: progress, evidence submissions, OTJ hours logs, assessment results, KSB mapping data, voice journal recordings and transcripts
- Tutor records: marking activity, review notes, feedback, cohort management actions
- Employer records: dashboard views, compliance reports accessed
- Admin records: programme configurations, user management actions, system settings
2.3 Technical and device data
We automatically collect: IP address, browser type and version, operating system, device identifiers, page views, session duration, referring URLs, and error logs.
2.4 Communications data
If you contact us directly (by email or in-app messaging), we retain the content of those communications.
2.5 Demo request data
If you submit a demo request via our website, we collect: name, work email, organisation name, primary training type, and approximate learner numbers.
3. How we use your data
| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the Prentice platform and its features | Account data, platform usage data | Contract performance |
| Generating AI-powered insights (evidence tagging, review prep, early warning) | Learner records, programme data | Contract performance / Legitimate interests |
| Sending transactional communications (account alerts, review reminders) | Email, notification preferences | Contract performance |
| Responding to support and sales enquiries | Communications data | Legitimate interests |
| Improving the platform (analytics, bug fixing) | Technical and usage data | Legitimate interests |
| Compliance and audit trail maintenance | All platform activity logs | Legal obligation / Contract performance |
| Marketing communications (product updates, webinars) | Email, name | Consent / Legitimate interests (B2B) |
| Fraud prevention and security | Technical data, account data | Legitimate interests / Legal obligation |
4. Legal basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the platform services under our subscription agreement.
- Legitimate interests (Art. 6(1)(f)): Improving our product, preventing fraud, B2B marketing where we have a pre-existing relationship. We have conducted legitimate interest assessments (LIAs) for these activities.
- Legal obligation (Art. 6(1)(c)): Where we are required to retain records for regulatory, tax, or legal compliance purposes.
- Consent (Art. 6(1)(a)): For optional marketing communications to individual contacts. You may withdraw consent at any time.
Where we process special category data (e.g. health information that may be referenced in voice journals or accessibility adjustments), we rely on explicit consent (Art. 9(2)(a)) or employment/social security obligations (Art. 9(2)(b)) as applicable.
5. Sharing your data
We do not sell personal data. We share data only in the following circumstances:
5.1 Within the platform
Learner data is visible to their assigned tutor, their employer (where an employer portal is enabled), and the training provider's admin team. This visibility is controlled by the training provider configuration and is a core part of the service.
5.2 Sub-processors
We use third-party sub-processors to deliver our service. Key sub-processors include:
- Amazon Web Services (AWS) — Cloud infrastructure and data storage (EU/UK regions)
- OpenAI / Anthropic — AI model APIs used for evidence tagging, content generation, and review preparation. Data sent to AI APIs is processed under DPA agreements and is not used to train foundation models.
- Formspree / email service provider — Demo request form processing
- Analytics provider — Anonymised usage analytics
All sub-processors are bound by data processing agreements (DPAs) that meet UK GDPR requirements. A full list of sub-processors is available on request.
5.3 Legal requirements
We may disclose data where required by law, court order, or regulatory authority (e.g. Ofsted, ICO).
5.4 Business transfers
If TIQ Ltd is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users in advance.
6. Data retention
We retain personal data for as long as necessary to fulfil the purposes described in this policy, subject to the following guidelines:
- Active accounts: Retained for the duration of the contract plus 12 months to allow for potential reactivation.
- Learner records: Retained for 7 years after programme completion to satisfy Ofsted, ESFA, and apprenticeship funding audit requirements, unless the training provider requests earlier deletion and this is permissible under applicable regulations.
- Compliance training records: Retained for the period specified by the relevant regulation (typically 3–7 years).
- Demo enquiries: Retained for 24 months from enquiry date, then deleted unless a commercial relationship has been established.
- Technical logs: Retained for 90 days for security and debugging purposes.
- Audit trail logs: Retained for 7 years as an immutable record.
7. Security
We implement the following security measures to protect your data:
- 256-bit AES encryption at rest; TLS 1.2+ encryption in transit
- Role-based access controls with principle of least privilege
- Multi-factor authentication (MFA) support
- SOC 2 Type II certified infrastructure
- ISO 27001 certified information security management
- Cyber Essentials Plus accreditation
- Regular penetration testing and vulnerability assessments
- Immutable audit logs for all data access and modification events
- UK data residency option available for organisations requiring data to remain in the UK
In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with UK GDPR Articles 33 and 34.
8. Your rights under UK GDPR
Under UK GDPR, you have the following rights. To exercise any of these rights, contact us at privacy@tiqplus.com:
- Right of access (Art. 15): Request a copy of the personal data we hold about you (Subject Access Request).
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): Request deletion of your data where we no longer have a lawful basis to hold it. Note that some data may be required to be retained for regulatory purposes.
- Right to restriction (Art. 18): Request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
- Rights related to automated decision-making (Art. 22): You have the right not to be subject to solely automated decisions that produce significant effects. Our AI features inform human tutors and administrators; final decisions are made by people.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will respond to all requests within one calendar month. Where requests are complex or numerous, we may extend this by a further two months with notice.
9. Cookies
We use the following categories of cookies:
| Category | Purpose | Consent required |
|---|---|---|
| Strictly necessary | Session management, authentication, security | No |
| Functional | User preferences (language, display settings) | No |
| Analytics | Anonymised usage statistics to improve the platform | Yes |
| Marketing | Understanding which content led you to us (marketing site only) | Yes |
You can manage cookie preferences through our consent banner when you first visit tiqplus.com, or by adjusting your browser settings. Disabling strictly necessary cookies will affect your ability to use the platform.
10. International data transfers
We primarily store and process data in the UK and EU on AWS infrastructure. In cases where data may be transferred outside the UK/EEA (for example, when using certain AI model APIs), we ensure that appropriate safeguards are in place under UK GDPR Chapter V, including:
- Adequacy decisions by the UK Secretary of State
- UK International Data Transfer Agreements (IDTAs)
- Standard Contractual Clauses (SCCs) with UK addendums
11. Children's data
Prentice is designed for use by adults aged 16 and over. Where learners under 18 use the platform as part of an apprenticeship programme, they do so under the oversight of their training provider and employer. Training providers deploying Prentice for learners under 18 are responsible for obtaining appropriate parental consent and complying with applicable requirements for processing minors' data.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and by a prominent notice on the platform at least 14 days before the change takes effect. The "last updated" date at the top of this page reflects the most recent revision. We recommend reviewing this policy periodically.
13. Contact and complaints
For any questions about this policy or to exercise your data subject rights, contact us:
- Email: privacy@tiqplus.com
- Post: Training Intelligence (TIQ) Ltd, 43-45 Devizes Road, Swindon, Wiltshire, SN1 4BG
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF