COOKIE POLICY
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP
privacy@clinicalauditcompass.co.uk
ICO Registration: ZC067899
Effective date: April 2026


1. Introduction
This Policy explains how Clinical Audit Compass Ltd uses cookies on our website and how the Clinical Audit Compass mobile app uses device identifiers. It is maintained in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
This Policy should be read alongside our Privacy Policy, which describes how we process personal data more broadly.
2. Scope
This Policy applies to:
Our website — clinicalauditcompass.co.uk and any related subdomains (including the admin portal).
Our mobile applications — the Clinical Audit Compass apps for iOS and Android.
Part A — Website Cookies


3. What Are Cookies?
Cookies are small data files placed on your device when you visit a website. They are used to maintain session state, remember preferences, and support website functionality. Cookies may be set directly by Clinical Audit Compass (“first-party cookies”) or by authorised service providers (“third-party cookies”).


4. Cookies We Use on Our Website
Our website uses only strictly necessary (essential) cookies. We do not use analytics, advertising, tracking, or profiling cookies on our website. As a result, no cookie consent banner is required under PECR, because strictly necessary cookies are exempt from the consent requirement.
The essential cookies we use are:
Session cookies — used to maintain a secure session when a User is logged in (for example, to the admin portal). These are deleted when the browser session ends.
Authentication cookies — used to remember that a User is logged in during a single browsing session.
Security cookies — used to detect malicious activity and prevent unauthorised access (for example, CSRF protection tokens).
These cookies are necessary for the website to function. Disabling them may prevent secure login or affect site functionality.


5. What We Do Not Use on Our Website
We confirm that our website does NOT use:
• Analytics cookies (Google Analytics or similar).
• Advertising cookies or tracking pixels.
• Social media tracking cookies.
• Cross-site behavioural profiling.
If this changes in the future — for example, if we introduce website analytics — we will implement a compliant cookie consent banner and update this Policy before deployment.


6. Managing Website Cookies
Users can manage or delete cookies through their browser settings. Note that blocking essential cookies may prevent secure login or limit website functionality. Guidance is available from browser providers:
• Chrome: https://support.google.com/chrome/answer/95647
• Safari: https://support.apple.com/guide/safari/manage-cookies
• Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge
Part B — Mobile App Device Identifiers


7. How the Mobile App Differs
Mobile apps do not use cookies in the traditional browser sense. Instead, they rely on device identifiers provided by the operating system (iOS or Android) and by integrated software development kits (SDKs) such as Firebase. This section describes what identifiers the Clinical Audit Compass mobile app uses and why.


8. Identifiers Used by the Mobile App
Firebase Installation ID — a unique anonymous identifier generated by Firebase when the app is first installed. Used for crash reporting, platform stability monitoring, and aggregated analytics.
Crashlytics Installation UUID — an anonymous identifier linked to a specific app installation, used to group crash reports from the same device so we can diagnose and fix stability issues.
Authentication tokens — short-lived secure tokens used to maintain a User’s logged-in state. Stored locally on the device.
Device and operating system metadata — such as OS version, device model, and app version. Used to diagnose platform-specific issues and ensure compatibility.
These identifiers are used solely for operation, security, stability, and improvement of the Service. They are not used for advertising, behavioural profiling, or cross-app tracking.


9. What the Mobile App Does Not Do
We confirm that the Clinical Audit Compass mobile app does NOT:
• Use the iOS IDFA (Identifier for Advertisers) or Android Advertising ID.
• Share data with advertising networks.
• Track User activity across other apps or websites.
• Build behavioural profiles of Users.
• Access precise location data.


10. Firebase SDK and Google LLC
The app includes the Firebase SDK, operated by Google LLC, covering Firebase Analytics and Firebase Crashlytics. Firebase acts as an authorised sub-processor of our primary development partner, Dotsquares Ltd, under a GDPR-compliant Data Processing Agreement. Firebase data is used only for aggregated analytics, crash diagnostics, and platform stability monitoring; it is not used for advertising or profile building.
International data transfers relating to Firebase are governed by UK adequacy decisions, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as set out in Section 10 of our Privacy Policy.


11. Managing Mobile App Identifiers
Users can manage mobile identifiers through their device settings:
iOS — Settings → Privacy & Security → Tracking, and Settings → Privacy & Security → Analytics & Improvements.
Android — Settings → Google → Ads, and Settings → Privacy.
Essential identifiers such as authentication tokens cannot be disabled without preventing the app from functioning. Disabling Firebase identifiers (where the operating system allows it) may reduce our ability to diagnose crashes or improve stability but will not otherwise affect app functionality.


12. Legal Basis
12.1 Website Essential Cookies
Strictly necessary cookies are exempt from consent requirements under Regulation 6(4) of PECR. We use them on the legal basis of legitimate interests (UK GDPR Article 6(1)(f)) and contractual necessity (UK GDPR Article 6(1)(b)) — they are required to deliver a secure, functional website.
12.2 Mobile App Identifiers
Mobile app identifiers used for core functionality (authentication tokens, device metadata for compatibility) are processed on the basis of contractual necessity (UK GDPR Article 6(1)(b)).
Firebase identifiers used for analytics and crash reporting are processed on the basis of legitimate interests (UK GDPR Article 6(1)(f)) — maintaining platform security and stability. Users may disable Firebase identifiers at the operating system level as described in Section 11.


13. Retention
Website session and authentication cookies — deleted when the browser session ends.
Security cookies — expire automatically (typically within 24 hours).
Firebase identifiers — retained in accordance with Firebase retention settings (typically two (2) to fourteen (14) months).
Authentication tokens on mobile — short-lived, refreshed or discarded according to secure token lifecycle practices.


14. Changes to This Policy
We may update this Policy periodically to reflect changes in technology, regulation, or platform functionality. Material changes (such as introducing analytics or advertising identifiers) will be communicated through the platform or by email, and where required by PECR, we will introduce a compliant consent mechanism before deployment.


15. Contact Information
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP
privacy@clinicalauditcompass.co.uk
ICO Registration: ZC067899