Privacy Notice

How THREEVION handles your information.

This Privacy Notice explains, in plain English, what personal information THREEVION Ltd collects, why we collect it, how we use it, and what rights you have. It is written to be understood by parents, school staff, individual users, and anyone who has a question about how we treat data.

```
Operator THREEVION Ltd
Companies House 16861658
ICO Registration ZC076886
Version v1.0 · May 2026
Part A General website & enquiries For anyone visiting threevion.com or contacting us. Part B MYQER EDU for schools For schools, DSLs, governors, and parents of pupils. Part C MYQER for individuals For individual MYQER users. Part D MYQER Workforce For employers and employees using Workforce.

01Introduction

This Privacy Notice describes how THREEVION Ltd ("THREEVION", "we", "us") handles personal information in connection with our website at threevion.com, the MYQER and MYQER EDU services, and any direct communication you have with us by email or otherwise.

THREEVION Ltd is the operating company. MYQER is our product brand. MYQER EDU is the version of MYQER built specifically for UK schools. We mention this because some of the practical detail in this notice depends on which version of MYQER applies to you.

This notice is structured into four parts, so you can read only what applies to you. Part A covers the general website and enquiries. Part B covers MYQER EDU for schools and is the most detailed section, because it involves the most sensitive data. Parts C and D are short placeholders for MYQER (individual users) and MYQER Workforce, which are described in summary form here and will be expanded as those products go live.

We have tried to write this in plain English. If anything in this notice is unclear, please contact us at hello@myqer.com and we will explain.

02Who we are

THREEVION Ltd is a UK private limited company registered in England and Wales (Companies House number 16861658). We are registered with the Information Commissioner's Office as a data controller (registration ZC076886), which can be verified on the public ICO register.

We act as the data controller for personal information that we collect through this website, through direct enquiries, and through commercial conversations. For MYQER EDU specifically, we may act as a controller, a joint controller, or a processor depending on the data flow involved. Part B of this notice explains exactly which role applies in each case.

You can contact us at any time at hello@myqer.com.

03Your rights

Under UK GDPR and the Data Protection Act 2018, you have rights in relation to your personal information. These apply to all parts of this notice. You have the right to:

  • Be informed about what we do with your information (this notice is part of how we do that).
  • Access the information we hold about you.
  • Rectify information that is inaccurate or incomplete.
  • Erase information where there is no compelling reason for us to keep it.
  • Restrict processing of your information in certain circumstances.
  • Portability, meaning a copy of your information in a structured, commonly used, machine readable format where that applies.
  • Object to certain uses of your information, including direct marketing.
  • Not be subject to automated decision making that has legal or similarly significant effects. MYQER does not make automated decisions about you, but you have this right by law.

To exercise any of these rights, email hello@myqer.com with the words "data protection request" in the subject line. We will respond within one calendar month, as required by UK GDPR Article 12. We may ask you to verify your identity before acting on the request, to protect your information from being released to the wrong person.

If we cannot help, or you are unhappy with our response

You have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection. The ICO can be contacted at ico.org.uk, by phone on 0303 123 1113, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We would always prefer the chance to address your concern first, but you do not need to come to us before contacting the ICO.

Part A · General website and enquiries
For anyone visiting threevion.com or contacting us
This part applies to people who browse our website, fill in a contact form, request a pilot conversation, or otherwise get in touch with THREEVION outside the context of MYQER EDU, MYQER for individuals, or MYQER Workforce.

AWebsite and direct enquiries

What we collect

When you visit threevion.com or contact us directly, we may collect the following:

  • Contact information you provide: name, email address, organisation name, role, phone number where you share it.
  • The content of your enquiry: whatever you write in an email, contact form, or message.
  • Technical information needed to operate the website: IP address, browser type, pages visited, referrer URL, and standard log data. We keep this for operational and security purposes only.

Why we collect it and our lawful basis

  • To respond to your enquiry. Lawful basis: legitimate interests, or steps taken before entering a contract (UK GDPR Article 6(1)(b) or 6(1)(f)).
  • To discuss pilots, demos, proposals, and onboarding. Lawful basis: legitimate interests, or pre contract steps.
  • To keep the website running securely. Lawful basis: legitimate interests in the security and integrity of our infrastructure (Article 6(1)(f)).
  • To comply with legal or regulatory obligations where they apply. Lawful basis: legal obligation (Article 6(1)(c)).

How long we keep it

  • Active commercial conversations: for the duration of the conversation plus 24 months, in case you come back to us. After that we delete or anonymise.
  • Concluded enquiries with no follow up: 12 months after last contact, then delete.
  • Website server logs: 30 days unless retained longer for an active security investigation.
  • Anything you ask us to delete sooner: deleted within 30 days of your request, with backups expiring within 90 days under standard rotation.

Who we share it with

We share information from website enquiries with the service providers we use to operate the site and our email systems. These are listed in the subprocessor section of our Security and Compliance page. We do not sell, rent, or trade your information. We do not use it for unrelated marketing.

Part B · MYQER EDU for schools
For schools, DSLs, governors, and parents of pupils
This is the longest section because MYQER EDU involves the most sensitive data. If you are a school's Data Protection Officer reviewing MYQER, this is the section that answers your questions. Parents of pupils enrolled at a participating school should also read this part.

B1Overview

MYQER EDU is an emergency information access platform for UK schools. Its purpose is to give staff fast, scan based access to a small amount of critical health and emergency contact information about a pupil, in the seconds where it matters.

The information about a pupil is entered by the pupil's parent or legal guardian, not by the school and not by MYQER. The parent creates the profile through a secure invite link. The parent then downloads the resulting QR card and emails it to the school office. The school prints the card and displays it where it best supports the child.

In an emergency, any member of school staff can scan the QR card with the phone in their pocket. The emergency view appears on the device, showing the information the parent has chosen to share. It is read only, surfaces only on scan, and does not persist on the scanning device after the session ends.

What MYQER EDU is not

MYQER EDU is not a medical device, diagnostic tool, or substitute for professional clinical judgement. It is not a replacement for emergency services, first aid training, or staff training. It is not a replacement for a school's MIS, safeguarding platform, medical tracker, or Individual Healthcare Plans. It is a focused information access layer that sits beside the systems a school already uses.

B2What data we hold about a pupil

The information stored against a MYQER EDU profile is the minimum required to support an emergency response. The parent chooses what to enter. Typical fields include:

Field Purpose Required
Given name and chosen identifier So a responder knows whose profile they are looking at. Yes
Date of birth Useful for clinical context if emergency services are called. Optional
Known allergies For the responder to know what to avoid and what to anticipate. Optional
Prescribed emergency medication Adrenaline auto-injectors, asthma inhalers, rescue medication. Optional
Relevant medical conditions What the parent considers important to share in an emergency. Optional
Emergency contacts Up to three contacts with phone numbers, for the responder to call. Yes (at least one)
Free text guidance Short, parent written notes, for example "asthma plan in school office". Optional

What we do not collect

  • NHS numbers, GP details, or clinical records.
  • School performance data, attendance, attainment, or pastoral records.
  • Device identifiers or location data beyond what is needed for the platform to function.
  • Behavioural data, engagement scoring, or any form of pupil surveillance.
  • Special category data beyond what the parent has voluntarily entered for emergency purposes.

B3Our lawful basis

Personal data in MYQER EDU includes special category health data. Two articles of UK GDPR apply:

  • UK GDPR Article 6(1)(a) — consent. The lawful basis for processing personal data in MYQER EDU is the explicit consent given by the parent or legal guardian when they create the profile and download the QR card.
  • UK GDPR Article 9(2)(a) — explicit consent for special category data. Where the profile includes health information (allergies, conditions, medication), the parent is asked to give explicit consent at the point of profile creation. This consent can be withdrawn at any time.

For the operational running of the platform itself, we also rely on legitimate interests under Article 6(1)(f) for purposes such as security monitoring, fraud prevention, and the maintenance of the audit log.

Withdrawing consent

A parent can withdraw consent at any time by emailing hello@myqer.com from the email address associated with the profile, or by following the deletion process inside the profile management area. Withdrawal of consent does not affect the lawfulness of any processing we carried out before withdrawal.

B4Controller and processor roles

The roles in MYQER EDU are deliberately structured so that responsibility sits with the right party. We are transparent about this because it matters for a school's own data protection responsibilities.

Data flow Controller Processor
Pupil profile content (allergies, medication, contacts, etc) Parent or legal guardian, in their own capacity for their child THREEVION Ltd
School level operational data (monthly readiness reports, scan counts, profile counts) THREEVION Ltd jointly with the school THREEVION Ltd
School business data (school's contact details, named DSL, named governor for allergy safety) The school THREEVION Ltd, where THREEVION processes this on the school's behalf
Platform operational data (logs, security events, audit trail) THREEVION Ltd THREEVION Ltd

Each school that goes live with MYQER EDU signs a Data Processing Agreement with THREEVION Ltd, in line with UK GDPR Article 28. This contract sets out our processor obligations to the school in writing, names the subprocessors we use, and covers breach notification.

B5Who we share data with

MYQER EDU shares pupil profile data with a small number of subprocessors that operate the platform. The list is published openly on our Security and Compliance page and is updated when a subprocessor is added or removed. Schools using MYQER EDU are notified in advance of any change.

We do not sell, rent, or trade personal information. We do not share it for marketing or analytics purposes outside what is needed to operate the platform. We do not pass it to advertising networks, behavioural profiling services, or AI training datasets.

We will share information where:

  • The parent or legal guardian has asked us to.
  • The school requires it as part of its own safeguarding response (typically a copy of the profile data the parent has already shared with the school via the QR card).
  • Emergency services require it during an active emergency, in line with the safeguarding response.
  • We are required to share it by law, regulation, or a valid order from a UK authority.

B6Hosting and security

MYQER EDU runs on cloud infrastructure that holds independently audited certifications. The detailed posture is described on our Security and Compliance page, which schools' DPOs are welcome to review and link to in their own procurement files.

In summary:

  • Hosting providers: Render (application) and Supabase (database, authentication). Both hold ISO/IEC 27001:2022 and SOC 2 Type 2 certifications.
  • Data region: European Union. Data resides within EU data centres.
  • Encryption: TLS 1.2 or higher in transit, AES-256 at rest.
  • Access: parents and adults access their profile area through email based magic link authentication. Schools do not have logins. Internal administrative access is restricted to named THREEVION personnel and logged in an append only audit trail.
  • Honest statement: THREEVION Ltd itself is not currently ISO 27001 certified. Independent certification is on our roadmap. What is verifiable today is that the infrastructure MYQER runs on holds those certifications.

B7Retention and deletion

  • While the profile is active: data is retained for as long as the parent maintains the profile.
  • On request to delete: profile data is deleted within 30 days of a verified deletion request from the parent. Backups expire within 90 days under standard rotation.
  • On profile inactivity: if a profile has not been accessed by its owner for 24 months, MYQER will contact the registered email address before any retention action is taken.
  • School level operational data (monthly readiness reports, anonymised scan counts): retained for the duration of the school's contract plus 12 months for audit purposes, then deleted.
  • Audit logs: retained for 24 months for security and integrity purposes, then deleted.

B8Children's data

MYQER EDU profiles describe children, but children do not interact with the platform. The parent or legal guardian creates and controls the profile in the child's interest. The child does not sign up, does not have a login, does not receive marketing, and is not the data controller of their own profile while a minor.

We follow the ICO's Age Appropriate Design Code as guidance where it applies, even though MYQER EDU is not a service used directly by children. This includes minimising data collection, defaulting to high privacy settings, and avoiding the use of dark patterns to encourage parents to share more data than necessary.

When a child turns 18, or when the parent decides to transfer profile ownership at an earlier date, the profile can be moved to the data subject themselves and the original parent's consent role ends.

A note to parents

You are in charge of your child's MYQER EDU profile. You decide what to put in it. You can change it at any time. You can delete it at any time. The school does not edit it. MYQER does not edit it. If you have any concern at all, email hello@myqer.com and we will explain or act.

B9International transfers

MYQER EDU data is stored in the European Union. The UK Government recognises the EU as having adequate data protection standards, so transfers from the UK to our EU data centres take place under the UK GDPR adequacy framework and do not require additional safeguards.

Some of our subprocessors are global companies and may, in limited operational circumstances, route traffic through non EU data centres (for example, Cloudflare's global edge network). Where this happens, the transfer is covered by appropriate safeguards including Standard Contractual Clauses or the equivalent.

Part C · MYQER for individuals
For individual adult users of MYQER
MYQER for individuals is the consumer version of the product. The detailed Privacy Notice for this version is in active development alongside the product. This part is a short placeholder until the consumer service is live.

CMYQER for individuals

This section will be expanded when MYQER for individuals is live.

MYQER for individuals will use the same minimum data, parent or self controlled, privacy first design principles described in Part B. The lawful basis will be the data subject's own explicit consent under UK GDPR Article 6(1)(a) and Article 9(2)(a) for health information. The hosting, security, retention, and rights commitments described elsewhere in this notice will apply equally. A dedicated Privacy Notice section will be published here when the service is generally available. In the meantime, please contact hello@myqer.com with any questions.

Part D · MYQER Workforce
For employers and employees using MYQER Workforce
MYQER Workforce is an emergency information access service for employers. The detailed Privacy Notice for Workforce is in active development. This part is a short placeholder until the service is live.

DMYQER Workforce

This section will be expanded when MYQER Workforce is live.

MYQER Workforce will operate on the same principles described elsewhere in this notice: minimum data, employee controlled profiles, privacy first design, no behavioural tracking, no AI decision making. Employers using Workforce will sign a Data Processing Agreement with THREEVION Ltd in line with UK GDPR Article 28. A dedicated section will be published here when the service is generally available. In the meantime, please contact hello@myqer.com with any questions.

04Cookies and analytics

The threevion.com website uses a minimal set of cookies and similar technologies. We do not use behavioural advertising cookies, cross site tracking, or third party advertising networks.

Essential cookies

These are necessary for the website to function: session handling, security, and remembering your acceptance of cookies. They do not require consent under UK law.

Analytics

We may use a privacy respecting analytics provider to understand site performance and usage patterns in aggregate. Any analytics we use will respect your "do not track" browser setting and will not include third party tracking or fingerprinting.

You can control cookies through your browser settings. If you disable essential cookies, some site functions may not work properly.

05Changes to this notice

We may update this Privacy Notice from time to time. The most likely reasons are: a change to one of our subprocessors, a change to the services we offer, a change to applicable law, or an improvement in how we describe what we do.

When we update the notice, we will change the version number and date in the header. For material changes that affect parents or schools, we will also notify the affected schools and parents directly by email.

06Complaints

If you have a concern about how we handle your personal information, we would always prefer the chance to address it directly. Email hello@myqer.com with the words "privacy complaint" in the subject line and we will respond within five working days.

You also have the right at any time to complain to the Information Commissioner's Office, which is the UK supervisory authority for data protection. You do not need to come to us first.

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Contact

For any privacy related question, request, or concern, please contact us. We commit to responding to data protection requests within one calendar month and to general enquiries within five working days.

All privacy and data enquiries
hello@myqer.com
Operator
THREEVION Ltd
Registered in England and Wales
Company No. 16861658
ICO Reg. ZC076886
Supervisory authority
Information Commissioner's Office
ico.org.uk
0303 123 1113
This document
Version 1.0, May 2026
Reviewed: at least annually, and after any material change.
threevion.com/privacy.html
```