The short version: we collect only what we need, store it securely, never sell it, and give you full control over it. This document explains everything in detail as required by UK law.
Jiffy Compliance is a workforce compliance platform run by Loxbrook Associates Limited. We also trade as Marble Training.
| Detail | Information |
|---|---|
| Registered company name | Loxbrook Associates Limited |
| Company number | 04924146 |
| Registered office | 182 Worcester Road, Bromsgrove, B61 7AZ |
| Trading as | Jiffy Compliance · Marble Training |
| ICO Registration Number | [To be inserted] |
| Contact email | [email protected] |
For UK GDPR and Data Protection Act 2018 purposes, Loxbrook Associates Limited is the data controller for personal data collected through the Jiffy Compliance website, marketing activities, and standalone eLearning purchases.
For personal data that business customers upload about their workers, we act as a data processor — following your instructions under our Data Processing Agreement.
We don't knowingly collect special category data (health, biometric, religious, political or genetic data) through our website or contact forms. If your workforce records or accident reports contain occupational health information, we process that information strictly as your data processor under the Data Processing Agreement — you're responsible for ensuring you have a lawful basis for processing it.
| Purpose | Data used |
|---|---|
| Responding to contact form enquiries and gap analysis bookings | Name, email, company, role, message |
| Creating and managing your platform account | Name, email, company, role, password (hashed) |
| Processing standalone eLearning purchases and giving you course access | Name, email, payment data (Stripe), course progress and completion |
| Managing business eLearning accounts and tracking team completions | Account holder details, team member names and emails, completion records |
| Issuing and storing course certificates | Name, completion data, course details |
| Delivering the Jiffy Compliance platform and its features | Account data, workforce data you upload |
| Sending you transactional emails — account alerts, expiry notifications, order confirmations | Name, email |
| Improving the platform through analytics | Usage data, technical data (anonymised where possible) |
| Complying with legal obligations | Any data required by law |
| Protecting against fraud and misuse | Technical data, payment data, usage data |
We don't use your data for automated decision-making that has a legal or similarly significant effect on you without a human reviewing it first. We don't sell, rent or trade your personal data to third parties for marketing purposes.
Under UK GDPR, we rely on the following legal bases depending on what we're using your data for:
| Processing activity | Legal basis |
|---|---|
| Responding to contact enquiries | Legitimate interests (Article 6(1)(f)) — responding to business communications |
| Platform account creation and delivery | Performance of a contract (Article 6(1)(b)) |
| Standalone eLearning purchase and course delivery | Performance of a contract (Article 6(1)(b)) |
| Issuing certificates and managing learner accounts | Performance of a contract (Article 6(1)(b)) |
| Transactional communications | Performance of a contract (Article 6(1)(b)) |
| Analytics and platform improvement | Legitimate interests (Article 6(1)(f)) — only where analytics cookies are accepted |
| Legal compliance | Legal obligation (Article 6(1)(c)) |
| Fraud prevention and security | Legitimate interests (Article 6(1)(f)) |
Where we rely on legitimate interests, we've assessed that those interests don't override your rights and freedoms. You can object to processing on legitimate interests grounds at any time — see Section 9.
These are essential for the website and platform to work — session management, security tokens and load balancing. They don't require your consent under PECR or UK GDPR.
With your consent, we use Google Analytics (Google LLC) to understand how visitors use our website. Google Analytics collects information about your use of the site in anonymised form. IP addresses are anonymised. You can opt in or withdraw consent at any time using our cookie preference tool.
Google LLC is a US company. Where data is transferred outside the UK, we have appropriate safeguards in place (UK-US Data Bridge / Standard Contractual Clauses). See Google's privacy policy.
Our website loads fonts from Google Fonts. Google may collect your IP address when serving these fonts. This is a technical necessity for rendering the site. See the Google Fonts privacy FAQ.
You can manage cookie preferences at any time using the cookie banner or by contacting us. You can also control cookies through your browser settings.
We don't sell your data. We only share it where it's necessary to provide the service or where the law requires it.
| Recipient | Why | Location |
|---|---|---|
| Lovable Technologies Inc. | Platform infrastructure, hosting, database and application services. They act as our data processor under a signed Data Processing Agreement. | EU region (EU data hosting selected) |
| Stripe, Inc. | Payment processing for standalone eLearning purchases, LMS subscriptions and other paid add-ons. Stripe processes your payment card details directly — we don't store your card information. Stripe's privacy policy is at stripe.com/gb/privacy. | USA (UK-US Data Bridge / SCCs) |
| Google LLC (Google Analytics) | Website analytics — only where you've consented to analytics cookies. | USA (UK-US Data Bridge / SCCs) |
| Legal and regulatory authorities | Where required by law, court order or regulatory request. | UK |
Lovable's sub-processors include Supabase (database hosting) and others listed at trust.lovable.dev. All are bound by contractual data protection obligations.
We never share your personal data or your workers' data with partner companies (see Terms of Service, Section 8) without your explicit consent.
We've selected EU-region data hosting through Lovable. Your platform data is stored within the EU/EEA by default.
Some transfers outside the UK do happen — for example to Google for analytics and to Stripe for payment processing. In each case we make sure the right safeguards are in place:
You can request a copy of the transfer mechanisms we rely on by emailing [email protected].
| Data type | How long we keep it |
|---|---|
| Contact form submissions and gap analysis enquiries | 12 months from submission, then securely deleted |
| Platform account data (profiles, settings, workforce records) | For as long as your account is active, then deleted within 3 months of account closure |
| Standalone eLearning learner accounts and course completion records | 12 months from purchase date (matching course access period), then deleted — unless you upgrade to a full account |
| Business eLearning account data and team completion records | For as long as the account is active, then deleted within 3 months of closure |
| Payment transaction records | 7 years (HMRC requirement) |
| Analytics data (Google Analytics) | 26 months (Google's default — you can opt out at any time) |
| Legal and compliance records | As required by law — typically 6 years for contractual records under the Limitation Act 1980 |
When retention periods end, data is securely deleted or anonymised. You can ask us to delete your data earlier — see Section 9.
eLearning certificates: we recommend downloading your certificate as soon as you complete a course. If your learner account expires and you haven't saved your certificate, you may lose access to it.
Under UK GDPR and the Data Protection Act 2018, you have the following rights over your personal data:
To exercise any of these rights, email us at [email protected]. We'll respond within one calendar month. We may ask you to verify your identity first.
Right to complain: if you're unhappy with how we've handled your data, you can complain to the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We'd appreciate the chance to put things right first — please email us before contacting the ICO.
Jiffy Compliance is a business platform for organisations and their adult employees and contractors. We don't knowingly collect personal data from anyone under 18. If you think we've collected data from a minor by mistake, please contact us at [email protected] and we'll delete it promptly.
We take the security of your data seriously. The measures we have in place include:
If a personal data breach is likely to affect your rights and freedoms, we'll notify the ICO within 72 hours and contact affected individuals without undue delay.
No system is completely secure. If you have concerns about the security of your account, please contact us straight away at [email protected].
We may update this Privacy Policy from time to time — to reflect changes in how we operate, the technology we use, or what the law requires. When we make material changes, we'll update the date at the top and, where appropriate, let registered users know by email. It's worth checking this page periodically.
For any questions about this Privacy Policy or how we handle your data:
Loxbrook Associates Limited (trading as Jiffy Compliance and Marble Training)
182 Worcester Road, Bromsgrove, B61 7AZ
Email: [email protected]
Website: jiffyaiportal.com