PRIVACY POLICY
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP
privacy@clinicalauditcompass.co.uk
ICO Registration: ZC067899
Effective date: April 2026
1. Introduction and Purpose
This Privacy Policy explains how Clinical Audit Compass Ltd (“we”, “our”, “the Company”) collects, processes, stores, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
We are committed to handling your data transparently, lawfully, and securely. This Policy describes what personal data we hold, how we use it, who we share it with, how long we keep it, and the rights you have in relation to that data.
2. Scope of This Policy
This Policy applies to all users of the Clinical Audit Compass platform, including healthcare professionals, students in regulated programmes, educational partners, and authorised testers. It covers all personal data processed through the mobile app, web platform, dedicated UK server hosting infrastructure, Firebase analytics, and integrated payment processors (Stripe, Apple, Google).
3. Data Controller
Clinical Audit Compass Ltd is the Data Controller for all personal data processed through the platform. We determine the purposes and methods by which personal data is processed and are responsible for ensuring compliance with UK GDPR.
The Data Protection Lead can be contacted at privacy@clinicalauditcompass.co.uk for all data protection matters, including access, correction, deletion, and complaints.
4. Categories of Personal Data We Collect
We collect only the minimum data required to operate the platform effectively. The categories are:
• Account information: name, email address, profession, workplace or university, and user role.
• Usage information: login activity, device type and operating system, and basic in-app interaction data.
• Clinical log data: anonymised clinical encounter entries, reflective notes, audit entries, and CPD records submitted by the User. This data must not contain patient-identifiable information.
• Uploaded images: only non-confidential, non-patient-identifiable images are permitted (for example, photographs of CPD certificates).
• Analytics and diagnostic data: Firebase Analytics and Firebase Crashlytics data, including anonymised performance metrics and crash logs.
• Subscription metadata: confirmation of a successful purchase from Stripe, Apple, or Google, including plan type and renewal status. No card numbers or full payment details are stored by Clinical Audit Compass Ltd.
What we do not collect
• Patient-identifiable data — this is strictly prohibited by platform design and by these Terms.
• Card numbers or full payment details — payment is handled entirely by Stripe, Apple, or Google.
• Precise location data — we do not track User location.
• Data used for advertising or behavioural profiling — we do not run advertising, and do not share data with ad networks.
5. Special Category Data
We do not knowingly process special category health data within the meaning of Article 9 UK GDPR. Clinical log entries are anonymised and must not contain patient-identifiable information. Information about the User themselves (such as their profession or workplace) is treated as standard personal data, not special category data.
If a User inadvertently submits patient-identifiable or special category data, they must notify us immediately at privacy@clinicalauditcompass.co.uk so that the content can be removed.
6. How We Obtain Data
Personal data is collected directly from Users during registration, through normal app usage, from clinical entries made by the User, and through automated analytics systems (Firebase). We do not purchase third-party data, and we do not use personal data for unrelated profiling.
7. Lawful Basis for Processing
We process personal data under the following lawful bases (UK GDPR Article 6):
• Contractual necessity (Article 6(1)(b)) — to create and maintain User accounts, deliver core platform features (clinical logging, CPD, reflective practice, audit cycles, portfolio export), and process subscription payments.
• Legitimate interests (Article 6(1)(f)) — to maintain platform security, prevent misuse, monitor performance and stability, and improve the Service. These interests are balanced against User rights and expectations and do not override them.
• Consent (Article 6(1)(a)) — for any optional analytics or marketing communications where consent is specifically requested. Users may withdraw consent at any time without affecting other aspects of the Service.
• Legal obligation (Article 6(1)(c)) — where required to comply with UK law, including tax, accounting, and regulatory obligations (for example, retention of financial records by payment processors).
Where Users submit data about themselves that could be regarded as special category data, processing is based on Article 9(2)(a) explicit consent by virtue of voluntary account creation and data entry. Users are not required to submit such data to use the Service.
8. Minimum Age
The platform is intended for registered healthcare professionals and students in regulated programmes aged 18 or over. It is not intended for users under 18. We do not knowingly collect or store data relating to minors. If we become aware that data relating to a minor has been collected, we will take prompt steps to delete it.
9. Data Sharing and Third-Party Processors
We share personal data only with third-party service providers essential for the operation of the platform. All processors operate under GDPR-compliant Data Processing Agreements (DPAs).
9.1 Hosting and Development
Dotsquares Ltd (UK-based) acts as our primary data processor, providing application development and managing our dedicated UK-based server (London). Dotsquares has signed a Data Processing Agreement with Clinical Audit Compass Ltd.
9.2 Analytics and Diagnostics
Google LLC via Firebase (specifically Firebase Analytics and Firebase Crashlytics) provides aggregated usage data, crash reporting, and performance diagnostics. Firebase is operated as an authorised sub-processor of Dotsquares Ltd. Firebase data is used solely to maintain platform stability and identify issues; it is not used for advertising, cross-platform tracking, or profile building.
9.3 Payment Processing
Subscription payments are processed by:
• Apple Inc. for iOS In-App Purchases
• Google LLC for Google Play Billing (Android)
• Stripe Payments UK Ltd for web-based subscriptions
These providers act as independent data controllers for payment data. No card numbers or full payment details are stored by Clinical Audit Compass Ltd.
Subscription and Billing:
Clinical Audit Compass offers auto-renewable subscriptions that provide full access to premium features.
Subscription durations:
Monthly
Annual
Pricing:
Pricing is displayed in-app at the time of purchase and may vary by region, currency, taxes, and platform (Apple App Store or Google Play Store).
Payment processing:
Apple App Store: Payment is processed by Apple through your Apple ID account.
Google Play Store: Payment is processed by Google through your Google Play account.
We do not store full payment card details.
Auto-renewal:
Subscriptions renew automatically unless canceled before the renewal deadline shown by your platform provider.
Renewal charge timing:
Apple App Store: Your account is charged for renewal within 24 hours before the end of the current billing period.
Google Play Store: Your account is charged on or shortly before the renewal date for the next billing period.
Manage or cancel subscription:
Apple App Store: Manage/cancel in Apple ID Account Settings > Subscriptions.
Google Play Store: Manage/cancel in Google Play > Payments & subscriptions > Subscriptions.
Free trial (if offered):
If a free trial is provided, any unused portion of the trial is forfeited when you purchase a subscription, where permitted by applicable law.
Refunds:
Apple App Store purchases are refunded in accordance with Apple’s refund policies.
Google Play Store purchases are refunded in accordance with Google Play’s refund policies.
Terms of Use (EULA): https://www.apple.com/legal/internet-services/itunes/dev/stdeula/
9.4 Authentication and Email
Authentication and email delivery providers may process limited account data as required to deliver account verification and transactional communications. All such providers are bound by GDPR-compliant agreements.
No personal data is sold, rented, or disclosed to third parties for marketing purposes.
10. International Data Transfers
User data is primarily stored on a dedicated UK-based server. However, certain sub-processors (including Firebase, operated by Google LLC) may process data outside the UK.
Where personal data is transferred internationally, we rely on one or more of the following safeguards:
• UK adequacy decisions, where a recipient country has been formally recognised as providing adequate data protection.
• The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs).
• Additional technical and organisational measures, such as encryption in transit and at rest.
We require all processors to implement equivalent levels of security and protection for personal data.
11. Security Measures
We apply technical and organisational measures to safeguard personal data, including:
• Encryption in transit (TLS 1.2 or higher) and at rest (AES-256).
• Secure UK-based dedicated server hosting with role-based access controls.
• Strict prohibition of patient-identifiable data entry, enforced through platform design (structured dropdowns).
• Multi-factor authentication for administrative access.
• Firebase Crashlytics for real-time stability monitoring.
• Internal staff confidentiality obligations and role-based access controls.
• Cyber Essentials certification (April 2026), demonstrating baseline technical controls.
• Clinical Safety Case Report and Hazard Log maintained in accordance with DCB0129.
• Independent penetration testing planned as part of full DTAC compliance.
No system is completely secure, but we take all reasonable steps to protect User data.
12. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes set out in this Policy, or as required by law. The main retention periods are:
• Account data: retained while the User account is active. Automatically deleted or anonymised twelve (12) months after prolonged inactivity, unless the User has requested earlier deletion.
• Clinical log data and reflections: retained while the User account is active, or until the User deletes the entry. On account closure, data is deleted or anonymised in line with the User’s preference.
• Uploaded images: retained until removed by the User or on account closure.
• Analytics and diagnostic data: retained in accordance with Firebase retention settings (typically two (2) to fourteen (14) months).
• Payment metadata: retained by the relevant payment processor in accordance with their own financial compliance policies. Where we hold confirmation records for our accounting obligations, these are retained for six (6) years as required by HMRC.
• Backups: stored securely with automated expiry cycles; typically purged within thirty (30) to ninety (90) days.
A full retention matrix is maintained internally and may be shared on request for institutional or enterprise users.
13. Breach Notification
If a personal data breach occurs, we will:
• Assess the severity, scope, and likely impact.
• Notify affected Users directly where there is a high risk to their rights or freedoms.
• Report to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where legally required.
• Document the breach and any corrective actions taken in our internal Incident Response Plan.
Users must notify us immediately at privacy@clinicalauditcompass.co.uk if they believe their account has been compromised.
14. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
• Right of Access — to request copies of personal data we hold about you.
• Right to Rectification — to correct inaccurate or incomplete information.
• Right to Erasure (“right to be forgotten”) — to request deletion of personal data, subject to legal exemptions.
• Right to Restrict Processing — to limit how your data is used.
• Right to Data Portability — to request an export of your data in a structured, commonly used format.
• Right to Object — to processing based on legitimate interests or for direct marketing purposes.
• Right Not to Be Subject to Automated Decision-Making — the platform does not make automated decisions with legal or similarly significant effects on Users.
• Right to Withdraw Consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of earlier processing.
Requests will be responded to within one calendar month of receipt. Complex cases may be extended by up to two further months under Article 12(3), in which case we will explain the reason for the extension.
15. Account Deletion
Users may request deletion of their account and associated personal data at any time. To request account deletion:
Email privacy@clinicalauditcompass.co.uk with the subject line “Account Deletion Request”, including the email address associated with your account.
We will acknowledge the request within three (3) working days and complete the deletion within fourteen (14) calendar days, unless we are required by law to retain certain information (for example, financial records under HMRC requirements). Where data must be retained for legal reasons, we will explain what is retained and for how long.
Users may also export their personal data before deletion by including “Data Export Request” in the same email.
Categories of data deleted include account information, clinical log entries, reflections, CPD entries, uploaded images, and associated metadata. Categories retained for legal compliance (where applicable) include limited financial metadata held by payment processors under their own policies, and accounting records retained by Clinical Audit Compass Ltd for six (6) years in accordance with HMRC requirements.
16. How to Exercise Your Rights
To exercise any of the rights in Section 14 or request account deletion under Section 15, contact privacy@clinicalauditcompass.co.uk. To protect User accounts, we may require identity verification before disclosing or deleting data. We will inform Users of outcomes, actions taken, and reasons for refusal where legal exemptions apply.
17. Complaints and Regulatory Contact
If you believe your data has been mishandled or your rights have not been upheld, you may file a complaint directly with the Information Commissioner’s Office:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk
We encourage Users to contact us first at privacy@clinicalauditcompass.co.uk so we can attempt to resolve concerns informally and promptly.
18. Policy Updates and Review Cycle
This Privacy Policy may be updated periodically to reflect changes in regulation, technology, or platform functionality. Material updates will be communicated to Users by email or in-app notification, and continued use of the platform constitutes acceptance of the revised Policy. The Policy is reviewed at least annually or sooner where required by law or operational change.
19. Contact Information
Clinical Audit Compass Ltd (SC871235)
Clyde Offices, 2nd Floor, 48 West George Street, Glasgow, G2 1BP
privacy@clinicalauditcompass.co.uk
ICO Registration: ZC067899