Spell QMSPro
Back to home

Legal

Privacy Policy

Effective May 1, 2026

Spell Solutions (“we”, “us”) operates the Spell QMS Pro service (the “Service”). This policy explains what information we collect when you use the Service, how we use it, and the choices you have. We treat your data like a regulated record — minimal collection, strong access controls, no surprises.

1. Information we collect

Account information. Name, email, organisation, role, password hash, and any profile details you provide when creating an account or being invited to a tenant.

Customer content. Records you create within the Service — quality objectives, risks, audits, findings, CAPAs, change requests, management reviews, controlled documents, and any files you attach. We treat customer content as confidential and access it only to operate, support, or secure the Service.

Usage and diagnostic data. Server logs, IP address, browser type, device identifiers, request timestamps, error traces, and feature interaction events. We use this to keep the Service reliable and to detect abuse.

Communications. Messages you send us through forms, email, or support channels.

2. How we use information

We use the information described above to:

  • provide, maintain, and improve the Service;
  • authenticate users and enforce access controls;
  • respond to support requests and account inquiries;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with legal obligations and enforce our agreements; and
  • send transactional and (only with consent) product-update communications.

3. Legal bases (for users in the EEA / UK)

We process personal data on the bases of (a) performance of a contract with you or your organisation, (b) our legitimate interests in operating and securing the Service, (c) your consent where required, and (d) compliance with legal obligations.

4. Sharing

We do not sell personal data. We share information only with: (i) sub-processors that help us operate the Service (cloud hosting, email delivery, error monitoring), each under a written data-processing agreement and bound to confidentiality; (ii) your organisation’s tenant administrators; and (iii) authorities when legally required.

A current list of sub-processors is available on request to legal@spell.solutions.

5. Data location and transfers

Customer content is stored in AWS US East (N. Virginia). Where transfers of personal data out of the EEA, UK, or other jurisdictions occur, we rely on Standard Contractual Clauses and additional safeguards consistent with applicable law.

6. Retention

We retain customer content for the lifetime of your subscription plus a reasonable wind-down period, then delete or anonymise it. Logs and diagnostic data are typically retained for 30 days. You may request earlier deletion of personal data subject to legal-hold and legitimate-business exceptions.

7. Your rights

Depending on where you reside, you may have rights to access, correct, delete, export, or restrict processing of your personal data, and to lodge a complaint with a supervisory authority. To exercise these rights, contact privacy@spell.solutions. We respond within 30 days.

8. Security

See our Trust & Security page for details. In short: TLS in transit, AES-256 at rest, role-based access, audit logging, MFA on operator access, and 24/7 monitoring.

9. Children

The Service is intended for business users aged 18+. We do not knowingly collect data from children.

10. Changes to this policy

We may update this policy from time to time. Material changes will be posted here with an updated effective date and, where appropriate, notified by email or in-app banner.

11. Contact

Spell Solutions, 1000 Main Street, Suite 2300, Houston, TX 77002, USA. Email privacy@spell.solutions.