Privacy Notice
1. Who we are
NH Maintenance Ltd ("NHM") is the data controller for personal data processed through QuoteLogic. Our registered office is Consort House, Jubilee Road, West Sussex, RH15 9TL, United Kingdom. NHM is registered with the UK Information Commissioner's Office under registration number ZB450271.
Red Eagle Tech Ltd ("Red Eagle Tech") is our data processor. Red Eagle Tech designed, built and hosts QuoteLogic for us under a written services agreement. Red Eagle Tech only processes personal data on our documented instructions. Its registered office is Prospect House, Suite 26, 2 Athenaeum Road, London, N20 9AE, United Kingdom.
For privacy questions, contact NHM at sales@nhmaintenance.com or write to us at the registered office above. For platform security questions, you can also contact Red Eagle Tech at security@redeagle.tech.
2. What QuoteLogic does
QuoteLogic is an internal quoting platform used by NHM staff to prepare, issue and track repair quotes for NHM customers. It synchronises master data and quotes with other NHM systems. It also generates branded PDF quote documents that NHM emails to its customers.
QuoteLogic is intended for NHM staff use only. It is not a service offered to the general public.
3. What personal data we process
About NHM staff who use QuoteLogic
- Identifiers from Red Eagle Identity (the single sign-on service): your unique identifier, name, work email address and (if you upload one) profile picture.
- Role and organisation claims that determine what you are permitted to do in QuoteLogic.
- Account settings and preferences (e.g. light or dark theme).
- Activity records: when you signed in, what records you created, edited, sent or deleted, and (where relevant) the IP address from which a request was made.
About NHM customer contacts
- Business contact information for individuals at customer organisations: name, job title, work email, work phone, and the postal address of customer sites where work is performed.
- Records that link these contacts to other records in the system such as quotes.
About quote recipients
- Email addresses to which QuoteLogic-generated quote documents are sent, along with metadata about each send (date, recipient, the quote document that was attached, and whether the send succeeded or failed).
We do not process special category personal data (such as health, racial or ethnic origin, religious beliefs, biometric data or sexual orientation) through QuoteLogic. If that ever changes, this notice will be updated and affected individuals will be informed before the new processing starts.
4. Why we process it and our lawful bases
| Purpose | Lawful basis under UK GDPR |
|---|---|
| To authenticate NHM staff and grant them access to QuoteLogic. | Contract - Article 6(1)(b). Processing is necessary to provide a system used to perform your duties. |
| To enable NHM staff to create, edit, publish and track quotes. | Legitimate interests - Article 6(1)(f). NHM's legitimate interest in delivering services to its customers through an internal quoting tool. |
| To synchronise master data between QuoteLogic and other NHM systems. | Legitimate interests - Article 6(1)(f). NHM's legitimate interest in maintaining a single, accurate view of the data needed to quote. |
| To generate and email branded PDF quote documents to customers. | Legitimate interests - Article 6(1)(f). NHM's legitimate interest in communicating quotes to customers; the customer's legitimate interest in receiving them. |
| To keep the platform secure, monitor for misuse and incidents, and respond to faults (audit trail, server-side telemetry, error logging). | Legitimate interests - Article 6(1)(f). NHM's and Red Eagle Tech's legitimate interest in keeping the platform available, secure and operating correctly. |
| To comply with our legal and regulatory obligations (e.g. responding to lawful requests from regulators or law enforcement). | Legal obligation - Article 6(1)(c). |
We have completed a Legitimate Interests Assessment (LIA) for each "legitimate interests" purpose listed above and are satisfied that our interests are not overridden by your rights and freedoms. You can ask us for a summary of the LIA at any time using the contact details in section 16.
5. Where personal data comes from
- Directly from you, when you use QuoteLogic (for example, the actions you take that we record in the audit trail, or settings you change in your profile).
- From Red Eagle Identity, the single sign-on service that authenticates you. Your identity, role and organisation claims come from this source when you sign in.
- From NHM's other systems, which provide certain data that QuoteLogic uses.
6. Who we share personal data with
We share personal data with the following recipients. With each, we have a written agreement that requires them to protect the data and only process it for the purposes we have agreed.
- Red Eagle Tech Ltd - as our processor, to build, host, support and maintain QuoteLogic on our behalf.
- Microsoft - as Red Eagle Tech's sub-processor, providing Azure cloud hosting (App Service, SQL Database, Key Vault, Blob Storage, Application Insights, Front Door). Primary hosting region is Azure UK South.
- NHM's other business systems - the third-party software NHM uses as its source of truth for operational master data. Personal data flows in both directions between those systems and QuoteLogic so that customer and quote records stay in sync. You can ask us for further details about a specific recipient using the contact details in section 16.
- Twilio SendGrid - as Red Eagle Tech's sub-processor, to deliver quote emails and platform notifications.
- Quote recipients - the individuals or organisations to whom you send QuoteLogic-generated quote documents. Their email address is needed to deliver the quote.
- Regulators, law enforcement and the courts - where we are required by law, or where we need to share information to protect our rights or the safety of others.
We do not sell personal data, and we do not share it for advertising or marketing purposes.
7. Where personal data is processed
QuoteLogic's primary hosting region is Azure UK South, which is inside the United Kingdom. Day-to-day processing of QuoteLogic data happens in the UK.
Some of our sub-processors may process limited personal data outside the United Kingdom (for example, Microsoft and Twilio SendGrid operate global support and engineering teams). Where personal data is transferred outside the UK, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses as our transfer mechanism, together with the technical and organisational safeguards our sub-processors apply (such as encryption in transit and at rest, access controls, and personnel vetting).
You can request a copy of the safeguards that apply to a specific transfer by contacting us using the details in section 16.
8. How long we keep personal data
We keep personal data for no longer than necessary for the purposes set out in this notice. Our default retention periods are:
| Data category | Retention period |
|---|---|
| NHM staff user accounts and profile data | Until you leave NHM or the account is otherwise disabled; deletion of the account record follows within 30 days. |
| Audit trail of QuoteLogic actions (who did what, when) | 6 years from the date of the action, aligned with the Limitation Act 1980 for contract-related claims. |
| Login telemetry and server-side error / diagnostic logs | 90 days for verbose telemetry; 13 months for security-relevant events. |
| Quote drafts | Retained while the related job is open; deleted when the related job is closed or after 24 months of inactivity, whichever is sooner. |
| Published quotes (final quote records and their PDF artefacts) | 6 years from the date of issue. |
| Master data cached in QuoteLogic from NHM's other systems | Refreshed from the source system; deleted within 30 days of being marked for deletion in the source system, or when no longer needed. |
| Email delivery logs (date, recipient, status of each send) | 13 months. |
We review these retention periods at least once a year and shorten them where we can. Where personal data is no longer needed, it is deleted or anonymised.
9. How we keep personal data secure
We take the security of personal data seriously. Measures we have in place include:
- Encryption of personal data in transit using TLS 1.2 or higher, and at rest using AES-256.
- Single sign-on via Red Eagle Identity, with multi-factor authentication required for all users.
- Role-based access control inside QuoteLogic, so users can only see and edit what their role permits.
- Network-level isolation in Azure (Private Endpoints, VNet integration) so the database and storage layers are not directly reachable from the public internet.
- Continuous monitoring through Microsoft Defender for Cloud and Application Insights, with alerting on anomalous activity.
- An audit trail of who did what, when, inside QuoteLogic (see section 10).
- Coverage by Red Eagle Tech's Vulnerability Disclosure Programme, which lets security researchers responsibly report suspected vulnerabilities. Details at redeagle.tech/vulnerability-disclosure.
No system is perfect. If we suspect a personal data breach that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner's Office within 72 hours and, where required, to affected individuals without undue delay.
10. Workforce monitoring and audit trails
QuoteLogic keeps an audit trail of actions taken inside the platform - who created, edited, published or deleted a record, and when. This is essential to give NHM a reliable history of every quote and to investigate security or integrity incidents.
We also collect server-side telemetry through Microsoft Application Insights, recording technical events such as requests, dependencies, exceptions and performance metrics. This telemetry is used to keep the platform running, diagnose problems and improve reliability. It is not used to score, rank or make decisions about individual employees.
Audit trail and telemetry data are accessible to:
- QuoteLogic administrators inside NHM, for routine operational and compliance checks.
- Authorised Red Eagle Tech engineers, only when needed to investigate a specific incident or fix a fault.
We do not currently use any client-side analytics or session-recording tools (such as Microsoft Clarity, Google Analytics, Hotjar or FullStory). If we decide to introduce a tool of that kind in the future, we will update this notice, conduct a Data Protection Impact Assessment, and put in place a consent control before any non-essential cookies are placed on your device.
11. Cookies
QuoteLogic only uses cookies that are strictly necessary for the platform to work. These cookies do not track you across other sites and do not require your consent under the Privacy and Electronic Communications Regulations (PECR).
| Cookie name | Purpose | Lifetime |
|---|---|---|
| .RedEagle.NhmEstPfm.Auth | Maintains your signed-in session. | Up to 8 hours, refreshed on activity. |
| .AspNetCore.Antiforgery.* | Protects forms against cross-site request forgery attacks. | Session. |
| .AspNetCore.Correlation.*, .AspNetCore.OpenIdConnect.Nonce.* | Used during the sign-in flow with Red Eagle Identity to protect against replay and forgery. | A few minutes during sign-in; cleared immediately afterwards. |
| ARRAffinity / ARRAffinitySameSite | Set by Azure App Service to keep your session pinned to the same backend instance. | Session. |
If we introduce non-essential cookies in the future (for example, analytics or session-replay), we will ask for your consent first through a clear, granular consent control that meets the requirements of UK GDPR and PECR. You will be able to change your choice at any time.
12. Automated decision-making
QuoteLogic does not make decisions about you that are based solely on automated processing (Article 22 UK GDPR). Quote pricing and recommendations are calculated from configurable rules, but every quote is reviewed by an NHM staff member before it is issued.
13. Your rights
Under UK GDPR you have the following rights in relation to your personal data:
- The right to be informed about how your personal data is processed (this notice is part of how we meet that right).
- The right of access - to ask for a copy of the personal data we hold about you.
- The right to rectification of inaccurate or incomplete personal data.
- The right to erasure ("the right to be forgotten") in certain circumstances.
- The right to restrict processing in certain circumstances.
- The right to data portability for data you have provided to us, where processing is based on consent or contract and carried out by automated means.
- The right to object to processing that is based on legitimate interests (including profiling), and an absolute right to object to direct marketing.
- The right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects on you (Article 22).
- The right to lodge a complaint with the Information Commissioner's Office (see section 14).
To exercise any of these rights, contact us using the details in section 16. We will respond within one month. If your request is complex or you make several requests, we may extend that period by up to two further months and will tell you why.
We will need to verify your identity before we can release personal data - this is to protect you.
14. How to make a complaint
If you are concerned about how we are handling your personal data, please come to NHM first. We will try to put things right.
- Email sales@nhmaintenance.com with "QuoteLogic data protection complaint" in the subject line, or write to NH Maintenance Ltd at the registered office in section 1.
- We will acknowledge your complaint within 30 days of receipt, in line with section 164A of the Data Protection Act 2018.
- We will investigate without undue delay, keep you informed of progress, and tell you the outcome.
If you remain unhappy with how we have handled your complaint, you also have the right to complain to the Information Commissioner's Office:
- Online: ico.org.uk/make-a-complaint
- By telephone: 0303 123 1113
- By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom
15. Changes to this notice
We may update this Privacy Notice from time to time - for example, when QuoteLogic changes, when we add new sub-processors, or when the law changes. The "Last updated" date at the top of this notice always shows when the latest version took effect. Where changes are material, we will tell you in good time before they take effect.
16. Contact us
For any question about this Privacy Notice, your rights, or how we use personal data:
- Email NHM: sales@nhmaintenance.com
- Post NHM: NH Maintenance Ltd, Consort House, Jubilee Road, West Sussex, RH15 9TL, United Kingdom
- Email Red Eagle Tech (technical / security only): security@redeagle.tech
17. About Red Eagle Tech
QuoteLogic is powered by Red Eagle Tech. Red Eagle Tech Ltd is the developer of the platform and provides it to NHM under a written services agreement. Red Eagle Tech retains ownership of the underlying software and intellectual property in QuoteLogic; NHM retains ownership of its data and its branding. Red Eagle Tech acts as NHM's data processor and only processes personal data on NHM's documented instructions and in accordance with this notice.
Red Eagle Tech's own corporate privacy notice (which covers Red Eagle Tech's business contacts and customer relationships, not QuoteLogic users) is published at redeagle.tech/privacy.