Call us anytime0141 474 5919
Privacy Policy – Part 1
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP
privacy@clinicalauditcompass.co.uk
1. Introduction & Purpose
This Privacy Policy explains how Clinical Audit Compass Ltd (“we”, “our”, “the Company”) collects, processes, stores, and protects
personal data in accordance with the UK GDPR, the Data Protection Act 2018, and all applicable regulations.
This Part 1 outlines the foundation of our compliance responsibilities, the categories of data we collect,
and the lawful bases under which we operate.
2. Scope of This Policy
This Policy applies to all users of the Clinical Audit Compass platform, including healthcare professionals, students, educational partners,
and authorised testers. It covers all personal data processed through the mobile app, web platform, AWS hosting infrastructure,
Firebase analytics, and integrated payment processors (Stripe, Apple, Google).
3. Data Controller
Clinical Audit Compass Ltd acts as the Data Controller for all personal data processed through the platform.
We determine the purposes and methods by which personal data is processed and are responsible for ensuring compliance with UK GDPR.
4. Categories of Personal Data We Collect
We collect only the minimum data required to operate the platform effectively. Categories include:
• Account Information: name, email address, profession, workplace/university, user role.
• Usage Information: login activity, device information, app interactions.
• Anonymised Clinical Log Data: clinical encounters, reflective notes, audit-related entries.
• Uploaded Images: only non‑confidential and non‑patient‑identifiable images are permitted.
• Analytics Data: Firebase analytics, crash logs, performance diagnostics.
• Subscription Data: metadata generated from Stripe, Apple, or Google payment systems (no card numbers are stored).
5. How We Obtain Data
Personal data is collected directly from users during registration, through app usage, through anonymised clinical entries,
and through automated analytics systems. We do not purchase third‑party data, nor do we use personal data for unrelated profiling.
6. Lawful Basis for Processing (UK GDPR Article 6)
We process personal data under the following lawful bases:
• Article 6(1)(b) – Contractual necessity: required to operate user accounts and deliver platform features.
• Article 6(1)(f) – Legitimate interests: ensuring platform security, improving service performance, preventing misuse.
• Article 6(1)(a) – Consent: used for optional analytics or marketing communications (where applicable).
No special category patient data is processed. Users are strictly prohibited from entering identifiable patient information.
7. Children’s Data
The platform is not intended for users under 16. We do not knowingly collect or store data relating to minors.
8. Overview of Processing Activities
Personal data is used to authenticate users, enable secure logging of clinical encounters, support reflective practice,
generate CPD documentation, provide crash diagnostics, and ensure the reliability of the Service.
Further details of processing activities will be outlined in Parts 2 and 3 of this Policy.
Privacy Policy – Part 2
9. Data Sharing & Third‑Party Processors
We share personal data only with third‑party service providers essential for the operation of the platform.
All third‑party processors operate under GDPR‑compliant Data Processing Agreements (DPAs). These include:
• AWS (Amazon Web Services): secure cloud hosting and encrypted storage
• Firebase: analytics, crash reporting, and performance monitoring
• Stripe / Apple App Store / Google Play Billing: subscription and payment processing
• Email and authentication providers (where applicable)
No personal data is ever sold, rented, or disclosed for marketing to third parties.
10. International Data Transfers
Some processors may operate outside the UK (e.g., AWS global infrastructure, Firebase services).
When data is transferred internationally, we ensure compliance with:
• UK GDPR Chapter V
• UK Addendum to EU Standard Contractual Clauses (SCCs)
• Adequacy Decisions (where applicable)
We require all processors to implement equivalent levels of security and protection for personal data.
11. Security Measures
We apply technical and organisational measures to safeguard personal data, including:
• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Secure AWS hosting with granular IAM access controls
• Strict prohibition of patient-identifiable data entry
• Multi-factor authentication options (where available)
• Automatic monitoring via Firebase Crashlytics
• Role‑based access and internal staff confidentiality requirements
• Regular vulnerability assessments and penetration testing
No system is completely secure, but we take all reasonable steps to protect user data.
12. Data Minimisation & Storage Limitation
We collect only the data necessary to provide our services and retain it only for as long as required:
• Account data – retained while the user account is active
• Anonymised clinical logs – retained unless deleted by the user
• Analytics data – retained according to Firebase retention cycles
• Backup data – stored securely with automated expiry policies
Users may request deletion or export of their data at any time (details in Part 3).
13. Breach Notification Procedures
If a personal data breach occurs, we will:
• Assess the severity and impact
• Notify affected users where there is a high risk to rights or freedoms
• Report to the Information Commissioner’s Office (ICO) within 72 hours where legally required
• Document all breaches and corrective actions
We expect users to notify us immediately if they believe their account has been compromised.
Privacy Policy – Part 3
14. Data Retention Schedule
Clinical Audit Compass Ltd retains personal data only for as long as necessary to fulfil the purposes outlined in this Policy.
Retention periods include:
• Account Data – retained while the account is active. Deleted 12 months after inactivity unless required sooner.
• Clinical Log Data – retained unless deleted by the User; may be anonymised after account closure.
• Uploaded Images – retained until removed by the User; must never contain patient‑identifiable content.
• Analytics Data – retained according to Firebase retention settings (typically 2–14 months).
• Payment Metadata – retained in accordance with Stripe/Apple/Google policies for financial compliance.
• Backups – retained securely with automated expiry cycles.
A full retention matrix may be published as part of future enterprise documentation.
15. User Rights Under UK GDPR
Users have the following rights regarding their personal data:
• Right of Access – to request copies of personal data held.
• Right to Rectification – to correct inaccurate or incomplete information.
• Right to Erasure – to request deletion of personal data (“right to be forgotten”).
• Right to Restrict Processing – to limit how data is used.
• Right to Data Portability – to request export of personal data in a structured format.
• Right to Object – to certain types of processing based on legitimate interests.
• Right Not to Be Subject to Automated Decision‑Making – the platform does not use automated decision systems.
Requests will be responded to within one month unless extended under Article 12(3) for complex cases.
16. How to Exercise Your Rights
Users may submit data requests by contacting our Data Protection Lead at clinicalauditcompass@gmail.com.
To protect user accounts, we may require identity verification before disclosing or deleting data.
We will inform users of outcomes, actions taken, and reasons for decline where legal exemptions apply.
17. Complaints & Regulatory Contact
If a User believes their data has been mishandled or their rights breached, they may file a complaint directly with:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk
We encourage Users to contact us first so we can attempt to resolve concerns informally and promptly.
18. Policy Updates & Review Cycle
This Privacy Policy may be updated periodically to reflect changes in regulation, technology, or platform functionality.
Material updates will be communicated to Users, and continued use of the platform constitutes acceptance of the revised Policy.
The Policy is reviewed at least annually or sooner if required by law or operational changes.
Contact Information:
For all data protection matters, Users may contact:
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor
48 West George Street
Glasgow
G2 1BP
privacy@clinicalauditcompass.co.uk