Privacy Policy — Yoshe TriQ™
Yoshe TriQ™ · Learning Management System

Privacy Policy

How we collect, use, share and protect personal data across the Yoshe TriQ platform.

Yoshe Clinical Operations Ltd (UK) Yoshe Clinical Operations LLC (US) Yoshe Clinical Operations Private Limited (India)
Version 1.0 Effective 10 July 2026 Last reviewed 10 July 2025

1. Who we are

This Privacy Policy explains how Yoshe Clinical Operations collects, uses, shares and protects personal data through the Yoshe TriQ™ Learning Management System (the "LMS" or the "Platform"), accessible at yosheclinical.com and yoshe.co.uk.

For users and customers in the United Kingdom and the European Economic Area, the controller (or, where we process on a customer's behalf, the processor) is Yoshe Clinical Operations Ltd, a company registered in England and Wales (company number 07792526, registered office Spaces, The Porter Building, 1 Brunel Way, Slough, England, SL1 1FQ). For users in the United States, services are provided by Yoshe Clinical Operations LLC (447 Broadway, 2nd Floor, #2158, New York, New York 10013, USA). In India, services are provided by Yoshe Clinical Operations Private Limited (c/o Workenstein Collaborativespaces Pvt Ltd, Cyber Crown, Sec-II, HUDA Techno Enclave, Madhapur, Hyderabad, Telangana 500081, India). In this Policy, "Yoshe", "we", "us" and "our" refer to the relevant entity above.

Our Data Protection Officer can be reached at: The DPO, Yoshe Clinical Operations Ltd, The Porter Building, 1 Brunel Way, Slough, England, SL1 1FQ, or by email at [email protected].

Whatever your location, you can contact us about any data-protection matter — including reaching our EU representative or our India Grievance Officer (see section 5) — at [email protected]. Requests are routed internally to the right person.

2. Controller and processor roles

The LMS is a multi-tenant platform used by a range of customer organisations, including Yoshe's own internal teams, NHS organisations, UK universities and councils, and pharmaceutical and biotechnology companies (each a "Sponsor Organisation"). Our role under data protection law depends on the context:

  • When a Sponsor Organisation uses the LMS to train and certify its own people, that organisation is the controller of the learner personal data it uploads or generates, and Yoshe acts as its processor, handling that data only on its documented instructions under a written Data Processing Agreement (Article 28 UK GDPR).
  • When Yoshe operates the Platform itself — managing accounts, securing the service, maintaining audit trails, providing support, and improving the product — Yoshe acts as a controller for those limited purposes.

This Policy is written to serve two audiences. Section 3 addresses individual learners and other named users. Section 4 addresses Sponsor Organisations. Where a conflict arises between this Policy and a signed Data Processing Agreement with a Sponsor Organisation, the Data Processing Agreement prevails for processing carried out on that organisation's behalf.

3. Privacy information for learners and users

This section is for the individuals who hold an account and use the LMS — learners (site staff), site coordinators, sponsor administrators, operations staff and auditors. If your account was created by your employer or a Sponsor Organisation, that organisation decides what training you must complete and is the controller of your training record; you should also read their own privacy notice.

3.1 Personal data we process about you

We have designed the LMS around the principle of data minimisation. We do not collect special-category (sensitive) data through the LMS, and we do not process payment card data through the Platform. The categories of personal data we process are:

CategoryExamplesSource
Identity & accountFull name; account email address; role (learner, coordinator, sponsor admin, operations, auditor)You, your employer, or a Sponsor Organisation
Professional contextJob title; department; assigned site (name, ID, location); sponsor and protocol assignmentYour employer / Sponsor Organisation
Learning & complianceCourse enrolments, module and slide progress, time-on-task, assessment attempts and answers, pass/fail outcomes, certificates and expiry datesGenerated as you use the LMS
Authentication & securityPassword (stored only as a secure hash), multi-factor authentication settings, login history, failed-login and lockout events, electronic-signature recordsGenerated at sign-in / signing
Technical & deviceIP address, browser type and user-agent, device and session information, and cookie identifiersCollected automatically
Consent & preferencesYour cookie choices and your acknowledgement of this Policy and the TermsYou
Support & communicationsHelp-desk tickets you raise, their content and any attachments, and our repliesYou

3.2 Why we process it and our lawful bases

Where Yoshe is a controller, we rely on the following lawful bases under Article 6 UK GDPR:

PurposeLawful basis
Creating and administering your account and delivering trainingPerformance of a contract, or our legitimate interests in operating the Platform for our customers
Recording training completion, generating certificates and maintaining the regulated audit trailLegal obligation and legitimate interests (evidencing GxP / clinical-trial training to regulators such as the MHRA, FDA and EMA)
Securing the Platform, authentication, fraud/abuse prevention, logging and monitoringLegal obligation (Article 32 security) and legitimate interests
Providing help-desk supportPerformance of a contract and legitimate interests
Setting non-essential (analytics/marketing) cookiesConsent (PECR 2003 and Article 6(1)(a))
Improving the Platform using aggregated or ticket-derived insightsLegitimate interests (we do not use sensitive data for this)

Where our basis is legitimate interests, we have balanced those interests against your rights and can provide our assessment on request. Where a Sponsor Organisation is the controller, the lawful basis for processing your training data is set by that organisation.

3.3 The person and account model

The LMS lets one individual hold several accounts — for example, if you work with more than one Sponsor Organisation — and switch between them, similar to switching between email accounts. To support this while minimising data, your core identity details (name and login email) are stored once against a single "person" record, and each sponsor account is kept logically separated so that one Sponsor Organisation cannot see your activity under another.

3.4 Who we share your data with

We do not sell your personal data. We share it only as necessary:

  • Your Sponsor Organisation and its authorised administrators and site coordinators, who can see the training records for their own people.
  • Auditors and regulators — during a time-boxed, read-only, IP-restricted audit, an internal, sponsor-commissioned or regulatory auditor (e.g. MHRA, FDA, EMA) may view training records and audit logs within the agreed scope. Their access automatically expires at the end of the audit window.
  • Our sub-processors — vetted service providers who host and support the Platform (for example, our cloud hosting provider), each bound by an Article 28 contract. A current list of sub-processors is available on request.
  • Authorities and advisers — where we are legally required to disclose, or to establish, exercise or defend legal claims.

3.5 International transfers

Personal data is hosted in the United Kingdom or the European Economic Area by default. Data residency can be configured per Sponsor Organisation (UK, EU or US). Where data is transferred outside the UK or EEA, we rely on an adequacy decision or appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum, or the European Commission's Standard Contractual Clauses (SCCs), and we document the transfer and any transfer risk assessment in our records. Transfers involving our India entity are made consistently with the Digital Personal Data Protection Act 2023 and the DPDP Rules 2025. See section 5 for region-specific detail.

3.6 How long we keep it

Because training certificates held in the LMS are used to evidence regulated (GxP) training, the LMS is treated as a regulated electronic-records system under 21 CFR Part 11 and EU GMP Annex 11. We therefore apply retention periods driven by regulatory requirements rather than convenience:

  • Training records, certificates, assessment attempts, electronic signatures and audit-trail entries are retained for a minimum of five (5) years, and longer where a regulatory submission, predicate rule or Sponsor Organisation instruction requires an extended period.
  • Learner accounts are retained while active and for a defined inactivity period thereafter, subject to the minimum retention applying to any regulated records linked to the account.
  • Session records, CSV onboarding files and support tickets are kept for shorter, defined periods and then deleted or purged automatically.

Regulated records are not casually deleted. Where retention is required, records are pseudonymised rather than erased, and any deletion of a regulated record is performed only by an authorised system administrator following documented authorisation.

3.7 Your rights

Subject to the regulatory retention rules above, you have the right to be informed; to access a copy of your data; to rectification; to erasure; to restrict or object to processing; and to data portability. You also have the right to withdraw consent (for example, to non-essential cookies) at any time, as easily as you gave it.

  • Access and portability: we provide a machine-readable (JSON/CSV) and human-readable (PDF) export of the personal data we hold about you, spanning all of your accounts, within one calendar month.
  • Erasure: we will honour valid erasure requests for non-regulated data. Where data forms part of a regulated training record or audit trail, we may be unable to erase it and will instead rely on the exemption in Article 17(3)(b) UK GDPR, documenting our lawful basis and pseudonymising where possible. If your account is controlled by a Sponsor Organisation, we will forward your request to them.

To exercise any right, contact us using the details in section 1. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113, though we would welcome the chance to resolve your concern first.

3.8 Cookies and similar technologies

We use strictly necessary cookies to run the Platform and keep it secure; these do not require consent. We set analytics or other non-essential cookies only after you have given consent through our cookie banner, where "Reject all" is as prominent as "Accept all". Your choice is recorded with a timestamp, and you can change it at any time. Further detail is set out in our separate Cookie Notice.

3.9 Security

We protect personal data with encryption in transit (TLS 1.2+) and at rest (AES-256), strong hashed passwords, mandatory multi-factor authentication for administrators, role-based access control, tenant separation, comprehensive logging, and an immutable audit trail. We maintain a personal-data breach process and will notify the competent supervisory authority (for example, the ICO in the UK, the relevant EU supervisory authority, or the Data Protection Board of India) and affected individuals where legally required, generally within 72 hours of becoming aware of a reportable breach.

3.10 Automated decision-making and children

The LMS applies automated rules such as locking an enrolment after repeated assessment failures or issuing expiry reminders; these do not produce legal or similarly significant effects without human involvement, and a coordinator can review a lockout. The LMS is intended for use by professional adults in a workplace context and is not directed at children.

4. Privacy information for Sponsor Organisations

This section is for our customers — the NHS bodies, universities, councils, pharmaceutical and biotech organisations and others who license the LMS to train their own people.

4.1 Your role and ours

For the learner and training data you and your users place in the LMS, you are the controller and Yoshe is your processor. We process that data only on your documented instructions, under a written Data Processing Agreement that forms part of your contract with us and which sets out the subject-matter, duration, nature and purpose of processing, the types of data and categories of data subject, and our respective obligations.

4.2 Our commitments as your processor

  • We process personal data only on your documented instructions, including on international transfers.
  • We ensure personnel authorised to process the data are bound by confidentiality.
  • We implement the technical and organisational security measures required by Article 32 (summarised in section 3.9).
  • We engage sub-processors only under Article 28 terms and will inform you of intended changes so you may object.
  • We assist you, taking into account the nature of processing, with data-subject requests and with your obligations on security, breach notification and data protection impact assessments.
  • On termination we return or delete personal data as you choose, subject to any regulatory retention obligation, and can issue a certificate of destruction on offboarding.

4.3 Accountability records

We maintain a Record of Processing Activities (Article 30), a documented data-flow and storage map, a current sub-processor list, and evidence of our security certifications and testing (including our path to Cyber Essentials Plus and alignment with the NHS Data Security and Protection Toolkit). These are available to you under the audit provisions of your Data Processing Agreement.

5. Regional privacy information

The Yoshe TriQ platform is offered across several jurisdictions. The core protections above apply to everyone. This section sets out the additional rights and information that apply depending on where you are, and should be read together with sections 1 to 4.

UK United Kingdom

Processing of UK personal data is governed by the UK GDPR, the Data Protection Act 2018 and the Data (Use and Access) Act 2025, regulated by the Information Commissioner's Office (ICO). You have the rights set out in section 3.7. If you are not satisfied with how we handle your personal data, you can complain to the ICO at ico.org.uk, by calling 0303 123 1113, or by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would welcome the chance to address your concern first.

EU European Union / EEA

Where we offer the platform to, or monitor the behaviour of, individuals in the European Economic Area, our processing is governed by the EU General Data Protection Regulation (Regulation (EU) 2016/679). Because Yoshe is established outside the EU, and to the extent Article 3(2) EU GDPR applies to our processing, we have appointed (or will appoint) a representative in the Union under Article 27. You may contact our EU representative on any issue relating to our processing of your personal data by writing to [email protected], and we will route your request to them.

Your rights under the EU GDPR mirror those in section 3.7 (access, rectification, erasure, restriction, objection, portability, and withdrawal of consent). In addition:

  • Lawful bases are those set out in Article 6 EU GDPR, as described in section 3.2.
  • International transfers out of the EEA are made under an adequacy decision or appropriate safeguards, principally the European Commission's Standard Contractual Clauses (SCCs), together with a transfer risk assessment where required.
  • Complaints. You have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. Because we are not established in the EU, more than one national supervisory authority may be competent. A list of authorities is published by the European Data Protection Board (edpb.europa.eu).

US United States

In the United States, services are provided by Yoshe Clinical Operations LLC. There is no single federal privacy law; instead, applicable obligations depend on the customer, sector and state. Where our processing falls within scope of a US state privacy law (for example, in states that grant rights to access, correct, delete or obtain a copy of personal data, and to opt out of certain processing), we honour the rights that law provides. Because the platform does not process payment-card data or special-category health data, and is used in a professional training context, several state-law thresholds may not apply. To exercise any right, contact us using the details in section 1.

India India

In India, services are provided by Yoshe Clinical Operations Private Limited, and processing of digital personal data is governed by the Digital Personal Data Protection Act, 2023 (DPDP Act) together with the Digital Personal Data Protection Rules, 2025. Under this framework Yoshe acts as a Data Fiduciary (or, where it processes on a Sponsor Organisation's instructions, as a Data Processor), and you are a Data Principal. The DPDP Rules are being brought into force in phases, with full compliance required by 13 May 2027; we are aligning our practices ahead of that date.

In line with the DPDP Act and Rules:

  • Notice and consent. Where we rely on your consent, we provide a clear, itemised notice in plain language describing the personal data collected, the purpose of processing, how you may exercise your rights, and how to complain to the Data Protection Board of India. Consent is free, specific, informed, unconditional and given by clear affirmative action, and you may withdraw it at any time as easily as you gave it.
  • Your rights as a Data Principal: the right to access a summary of your personal data and processing; the right to correction and erasure; the right to grievance redressal; and the right to nominate another person to exercise your rights in the event of death or incapacity.
  • Grievance Officer. You can raise any concern with our Grievance Officer at [email protected] (Yoshe Clinical Operations Private Limited, c/o Workenstein Collaborativespaces Pvt Ltd, Cyber Crown, Sec-II, HUDA Techno Enclave, Madhapur, Hyderabad, Telangana 500081). We aim to resolve grievances within the timeframe required by the DPDP Rules (currently 90 days).
  • Children's data. The DPDP Act requires verifiable parental consent before processing a child's personal data and prohibits tracking, behavioural monitoring or targeted advertising directed at children. The platform is intended for professional adults and is not directed at children; we do not knowingly process children's data through it.
  • Data breaches. We will notify the Data Protection Board of India and affected Data Principals of a personal data breach in the manner and within the timeframes required by the DPDP Rules.
  • Complaints. After contacting our Grievance Officer, you may escalate a complaint to the Data Protection Board of India.

6. Changes to this Policy

We review this Policy at least every 12 months and will update it as our processing or the law changes (including under the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025). Material changes will be notified to account holders and Sponsor Organisations, and the "last reviewed" date above will be updated. This is Version 1.0. Effective date: 10 July 2026; last reviewed: 10 July 2025.