Privacy Policy
How ROTIX Ltd collects, uses, and protects your personal information.
1. Who We Are
ROTIX Ltd ("ROTIX.IO", "we", "us", "our") operates the website at rotix.io and the compliance management platform at compliance.rotix.io. We are a company registered in England and Wales. ROTIX Ltd is the data controller for all personal data processed under this policy.
Our services are UK-based but may be accessed by users outside the UK where lawful. We process personal data under UK GDPR as the controller and use contractual safeguards for international transfers as described below. If you are outside the UK, you may also have local privacy rights; contact us at compliance@rotix.io and we will handle requests consistently with applicable law and this policy.
If you have any questions about this policy or wish to exercise your rights, please contact us at compliance@rotix.io, write to ROTIX Ltd, 178a Chester Road, Northwich, England, CW8 4AL, or reach us via our LinkedIn page.
2. What Data We Collect
2.1 Data you provide directly
- Identity data: your full name and job title or role where provided.
- Contact data: your email address and company name.
- Assessment data: your responses to the ISO readiness questionnaire, including any additional context or notes you supply alongside individual answers.
- QMS kit intake data: your company profile, industry, products and services, core processes, customer types, sites, employee band, outsourced activities, and known problem areas submitted via the ISO 9001 QMS Starter Kit intake form. This information is used to generate your bespoke documentation and is processed by an AI model as described in Section 4.
- Account credentials: email address and hashed password for registered platform users. We never store plaintext passwords.
- Communications: any messages or information you send us through our contact channels.
2.2 Data collected automatically
- Usage data: pages visited, features used, time spent, and navigation paths within the platform.
- Technical data: IP address, browser type and version, device type, operating system, and time zone.
- Session data: authentication tokens stored in memory or short-lived server-side sessions. We do not use persistent tracking cookies for advertising or profiling purposes.
3. How and Why We Use Your Data
| Purpose | Data used | Legal basis (UK GDPR) |
|---|---|---|
| Deliver the free readiness assessment and email you your results and consultant report | Name, email, company, assessment responses | Performance of a contract / steps prior to contract (Art. 6(1)(b)) |
| Generate bespoke ISO 9001 QMS kit documents from your intake answers using AI, subject to consultant review before release | QMS kit intake data (company profile, industry, processes, products, customers, locations, problem areas) | Performance of a contract (Art. 6(1)(b)) |
| Connect you with a ROTIX.IO consultant following your assessment | Name, email, company, assessment responses | Legitimate interests — providing the service you requested (Art. 6(1)(f)) |
| Provide and administer the compliance management platform | Account credentials, usage data, engagement data | Performance of a contract (Art. 6(1)(b)) |
| Send transactional and service communications (reports, notifications, account updates) | Email, name | Performance of a contract (Art. 6(1)(b)) |
| Improve the platform, fix bugs, and develop new features | Usage data, technical data | Legitimate interests — improving our service (Art. 6(1)(f)) |
| Comply with legal obligations | As required | Legal obligation (Art. 6(1)(c)) |
| Protect the security and integrity of our systems | Technical data, usage data | Legitimate interests — security (Art. 6(1)(f)) |
We do not use your data for automated decision-making that produces legal or similarly significant effects without human review.
4. AI Processing
4.1 What is processed by AI
We use large language models (LLMs) in two parts of our service:
- Readiness assessment reports: your assessment responses (company name, sector, questionnaire answers) may be processed by an LLM to generate your readiness score, gap analysis, and consultant guide.
- QMS kit document generation: your QMS kit intake data (company name, industry, products and services, core processes, customer types, locations, employee band, outsourced activities, and known problem areas) is sent to an LLM to draft your bespoke ISO 9001 documents.
In both cases, the AI does not make final decisions about your organisation — all outputs are reviewed by a ROTIX.IO consultant before they are released to you.
4.2 Our AI sub-processor: Anthropic
Our current AI provider is Anthropic, PBC (headquartered in San Francisco, USA), whose Claude model family powers document generation and assessment analysis. We have entered into a Data Processing Agreement (DPA) with Anthropic under which:
- Anthropic processes your data only on our instructions and solely to return the API response.
- Your data is not used to train Anthropic's models. API usage is explicitly excluded from Anthropic's model training pipeline.
- Anthropic retains API inputs and outputs for a limited period (currently up to 30 days) for safety monitoring purposes only, after which they are deleted. We have additionally applied to Anthropic for Zero Data Retention (ZDR); once enabled, no prompt or response content is stored on Anthropic's infrastructure beyond the duration of the API call.
- Anthropic holds a SOC 2 Type II attestation and operates appropriate technical and organisational security measures.
4.3 International transfer
Because Anthropic is a US-based company, the AI processing described above involves a transfer of personal data to the United States. For UK-originating data, this transfer is protected by a UK International Data Transfer Agreement (IDTA) or equivalent contractual safeguards. For users outside the UK, equivalent Standard Contractual Clauses (SCCs), data processing terms, or other appropriate safeguards may apply depending on the jurisdiction and service context.
5. Who We Share Your Data With
We do not sell your personal data. We may share it with the following categories of recipient:
- ROTIX.IO consultants: your name, company, score, and assessment responses are shared with the ROTIX.IO consultant assigned to review your results.
- Email delivery providers: to send you your assessment report and any follow-up communications.
- Cloud infrastructure providers: hosting, database, and storage services operating under data processing agreements.
- AI sub-processors: Anthropic, PBC (USA) — processes assessment and QMS kit intake data to generate AI-assisted documents and reports, under a Data Processing Agreement. Anthropic does not use this data for model training. See Section 4 for full details.
- Legal and regulatory authorities: where we are required to disclose data by law, court order, or regulatory requirement.
All sub-processors are required to process data only on our instructions and in accordance with UK GDPR obligations.
6. International Transfers
Where personal data is transferred outside the UK or European Economic Area, we ensure an appropriate safeguard is in place — such as the UK International Data Transfer Agreement (IDTA), UK adequacy regulations, or Standard Contractual Clauses (SCCs) — before any transfer takes place.
7. Data Retention
| Data category | Retention period |
|---|---|
| Free assessment submissions (name, email, company, responses, reports) | 3 years from submission, or until you request deletion |
| QMS kit intake data and generated documents | Duration of engagement plus 5 years (standard business records), or until you request deletion. AI sub-processor (Anthropic) retains API inputs/outputs for up to 30 days for safety monitoring only, then deletes them. |
| Platform account data | Duration of active account plus 2 years after closure |
| Engagement and compliance workspace data | Duration of engagement plus 5 years (standard business records period) |
| Technical and usage logs | 90 days rolling |
| Legal obligation data | As required by applicable law |
At the end of the applicable retention period, data is securely deleted or irreversibly anonymised.
8. Cookies and Tracking
The public website (rotix.io) uses only technically necessary session mechanisms to operate core functionality. We do not place advertising or analytics cookies, and do not use browser fingerprinting, without your explicit consent. The compliance platform uses short-lived authentication tokens to maintain your session; these expire on logout or after a period of inactivity.
If we introduce optional analytics or functionality cookies in future, we will update this policy and present an appropriate consent mechanism before those cookies are set.
9. Your Rights Under UK GDPR
As a data subject, you have the following rights. To exercise any of them, please contact us at compliance@rotix.io, write to ROTIX Ltd, 178a Chester Road, Northwich, England, CW8 4AL, or reach us via our LinkedIn page.
- Right of access: obtain a copy of the personal data we hold about you.
- Right to rectification: correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): request deletion of your data where there is no overriding legitimate purpose to retain it.
- Right to restriction of processing: ask us to limit how we use your data in certain circumstances.
- Right to data portability: receive your data in a structured, machine-readable format where processing is based on consent or contract.
- Right to object: object to processing based on legitimate interests, including direct follow-up communications.
- Rights related to automated decision-making: not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
We will respond to verified requests within one calendar month. We may need to verify your identity before fulfilling a request.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include encrypted data transmission (TLS), hashed password storage, access controls, network segmentation, and regular backups. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security but we take our obligations seriously and respond promptly to any confirmed incidents.
11. Third-Party Links
Our website may contain links to external sites, including LinkedIn and other platforms. This policy does not apply to those sites. We encourage you to read the privacy policies of any third-party services you visit.
12. Changes to This Policy
We may update this policy from time to time. The effective date at the top of this page will be updated accordingly. Where changes are material, we will notify registered users by email or in-platform notification before the changes take effect. Continued use of our services after the effective date constitutes acceptance of the revised policy.
13. Contact
For any privacy-related queries, to exercise your rights, or to raise a concern, please reach us at compliance@rotix.io, by post at ROTIX Ltd, 178a Chester Road, Northwich, England, CW8 4AL, or via our LinkedIn company page. We aim to respond within 5 business days.