Data Protection Policy

Last revision date: 20 May 2024

Introduction

This Data Protection Policy explains what information we collect, how we use it, who we share it with, and your rights under data protection laws, including the UK GDPR.

Moralbox is a training management and compliance platform used by organisations and individuals to manage and track training activity. We take data protection seriously and are committed to being transparent and fair with how we use your personal information.

We never sell personal data and only share it when required to provide our service or comply with the law. Sensitive data, such as National Insurance numbers and user passwords, is encrypted.

Key Definitions 

User – A person with a Moralbox account.

Individual User – A User managing their own Workpass Profile.

Organisation: A business or charity using Moralbox.

Organisation User: A User acting on behalf of an Organisation.

Individual: A directly employed person or sub-contractor whose training is managed by the Organisation.

Workpass Profile: The personal data and associated records of an individual for compliance and safety monitoring.

Training Record Sharing: An optional feature enabling Individuals or Organisations to securely share selected training information (name, photo, and training records) via a QR code and secure PIN with authorised recipients.

Consent: Permission given by an Individual to manage or access their data.

Subject Access Request (SAR): A request to access, rectify, delete, or port your personal data.

Third Party: Any entity or person not employed by your Organisation or by Moralbox.

What Data We Process and Why

Workpass Profile

Purpose:
To help individuals and Organisations manage and track compliance and safety.

What we process:

  • Name (mandatory)
  • Date of birth (optional)
  • Address (optional)
  • National Insurance number (optional)
  • Training records (e.g., certificates, expiry dates) (optional)
  • Access and change history (optional)
  • Consent history and affiliated Organisations (optional)
  • Other personal information (optional)

Note: Only first and last names are mandatory. All other information is optional and stored at the discretion of the Organisation.

Who can access it:
The Organisation has access to all Workpass Profiles or restricted access depending upon user access controls. The Individual user has access to their own Workpass Profile if they have been set up with a user account.

Training Record Sharing (optional)

Purpose:
To allow individuals to prove training records associated with their Workpass Profile at the point of source with authorised recipients.

What information is shared:

  • Name (mandatory)
  • Photo (mandatory)
  • Training records (certificates, expiry dates) (optional)
  • QR Code and secure PIN for controlled access

How it works:
Organisation Users may optionally generate a digital or printed card containing a secure QR code for Individual Workpass Profiles. When scanned by an authorised recipient (e.g., site managers, compliance officers), the recipient must enter a secure PIN to access the Individual’s training records. Use of the Workpass feature is entirely optional and controlled by the Individual or their Organisation.

Who can access it:
Only people explicitly authorised by the Individual or Organisation, via scanning the QR code and entering the secure PIN.

Individuals or Organisations explicitly consent to sharing data through the Training Record Sharing feature at the point of generating the digital or printed QR code. Individuals have full control and visibility over what information is shared and can revoke sharing at any time through their Workpass Profile settings.

Third-party responsibility:
The authorised recipient (e.g., site manager, compliance officer) acts as an independent data controller. The third party is responsible for processing the data according to their own privacy policies and applicable data protection laws. Moralbox is not responsible for third-party use or handling of shared data once accessed.

Organisation Data 

Purpose: To operate Organisation accounts and structure users.

What we process:

  • Organisation name (mandatory)
  • Registration numbers, user accounts (optional)
  • Group structures (optional)

Who can access it:

  • Organisation Users and Administrators.

User Data

Purpose: For login, support, activity tracking, and platform security.

What we process:

  • Name, email address, login history
  • IP address, browser type, screen resolution, device type
  • Actions taken within the platform (audit logs)

 Who can access it:

  • Organisation Admins for their Organisation’s users
  • Moralbox employees for technical support and system improvements

Payment Data

Purpose: To process payments and provide billing clarity.

What we process:

  • Last 4 digits of card number, expiry date, cardholder name, card type
  • We do not store full card details

Who can access it:

  • Stripe.com processes all payments securely. Moralbox staff have limited access for support purposes only.

Cookies

Purpose: To manage sessions, remember logins, and reduce fraud.

Legal Grounds for Processing

We process your data based on:

  • Consent – When you give permission (e.g. sharing your Workpass Profile)
  • Contract – When processing is necessary to provide our services
  • Legal Obligation – When required by law
  • Legitimate Interests – For platform security, fraud prevention, and service improvement

Your Data Protection Rights

You have the right to:

  • Access your personal data
  • Correct or update incorrect data
  • Request deletion of your data
  • Request a copy of your data in a portable format
  • Object to certain types of processing

 

These rights can be exercised via your account settings or by contacting us. We may request ID and will respond within 30 days.

Data Retention

  • Workpass Profiles – Up to 10 years after last activity unless deletion is requested
  • User Accounts – Deleted after 12 months of inactivity
  • System Logs – Retained for 12 months for audit and security
  • Payment Summaries – Retained for 7 years for financial reporting and compliance

 Subprocessors (UK-based)

All data processing activities undertaken by Moralbox are performed exclusively within the United Kingdom. We do not transfer or process personal data through subprocessors located outside the UK, ensuring all data remains within UK jurisdiction at all times.

Children’s Data

Moralbox is not designed for use by individuals under 16. If a minor’s data is entered (e.g. by an employer), the Organisation is responsible for ensuring the correct consents are in place.

Automated Decision-Making

We do not make decisions using automated processes that produce legal or similarly significant effects.

Policy Changes

We will notify users of significant policy changes at next login and highlight what has changed.

Data Processing Addendum (DPA)

A DPA is available upon request and supplements this policy as part of our Terms and Conditions.

Contact Us

If you have questions or want to exercise your rights, contact us:

Email: [email protected]

Post: Evolve Business Centre, Cygnet Way, Houghton le Spring DH4 5QY

Company Number: 08642375 (England & Wales)

We are committed to protecting your privacy and handling your data responsibly. Feedback is always welcome.