Plain-English summary
- We host all customer data inside the United Kingdom.
- We never sell personal data, and we never use NHS patient data for marketing.
- Inside the platform, every meaningful action is audit-logged — that's by design for CQC inspections.
- You (the practice) are the data controller for clinical / patient data. cqcplatform is your processor.
The full policy below sets out our obligations to you in detail. If you have any questions, write to dpo@cqcplatform.uk.
Who we are
cqcplatform is operated by cqcplatform Ltd, a company registered in England and Wales. Our registered office is in London, United Kingdom. We are registered with the Information Commissioner's Office (ICO).
For data your practice uploads into the platform (policies, incidents, training records, complaints, employee records), your practice is the data controller and cqcplatform Ltd acts as your data processor under a written Data Processing Agreement. We do not access this data except as needed to deliver and support the service.
What we collect
We collect three categories of data:
- Account data — name, email, role at the practice, hashed password, login timestamps.
- Tenant data — policies, SOPs, training certificates, incident and complaint records, signatures, audit log entries. This data is owned by your practice; we are the processor.
- Diagnostic data — anonymised performance metrics, error reports and feature usage counters used to improve reliability.
We do not ingest patient clinical records. The platform is for practice compliance evidence, not patient-level care delivery.
How we use it
- To provide the cqcplatform service to your practice.
- To send transactional emails (sign requests, password resets, renewal notifications). These are sent from your connected mailbox where you've enabled the integration.
- To investigate and fix faults — strictly within the audit trail, and only where reasonably necessary.
- To comply with our legal obligations (for example, retaining audit data the CQC may require).
Lawful basis
Under UK GDPR Article 6, we rely on the following lawful bases:
- Contract — for providing the service to the practice.
- Legitimate interest — for security, fraud-prevention, and product analytics that don't identify individuals.
- Legal obligation — for retention of audit data required by regulators.
Retention
Tenant data is retained for the lifetime of your subscription, plus a 90-day post-cancellation grace period during which you can export everything. After 90 days, all tenant data is permanently deleted unless we are otherwise legally required to retain it (for example, audit logs that may be required by the CQC).
Account data is retained for as long as you have an active account, plus 24 months after closure for fraud-prevention purposes.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Request erasure of your personal data (subject to lawful retention).
- Object to or restrict processing.
- Receive your data in a portable format.
- Lodge a complaint with the ICO (ico.org.uk).
To exercise these rights, write to dpo@cqcplatform.uk. We will respond within one calendar month.
Security
Encryption in transit (TLS 1.2+) and at rest. Role-based access controls inside the platform. UK-hosted infrastructure on Google Cloud. Regular vulnerability scans. The platform is aligned with the NHS Data Security & Protection Toolkit (DSPT).
Suspected security issues can be reported in confidence to security@cqcplatform.uk.
International transfers
All customer data is stored within the United Kingdom. Where a sub-processor operates outside the UK (Stripe, US-headquartered), transfers are governed by the UK International Data Transfer Agreement or equivalent adequacy mechanisms.
Changes to this policy
We may update this policy from time to time. Substantive changes will be communicated to your practice administrator at least 30 days in advance.
Contact us
Questions about this policy or about how we look after your data? Contact us or email dpo@cqcplatform.uk.