Privacy Policy

Last Updated: 1 April 2025

Controller: CQCLogic Ltd

Contact: legal@cqclogic.com


This Privacy Policy explains how CQCLogic Ltd (“CQCLogic”, “we”, “us”, “our”) collects, uses, stores, and protects personal data when you use our website and platform at www.cqclogic.com (the “Service”). We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By accessing or using our Service, you acknowledge you have read and understood this Privacy Policy.

1.1 Who We Are

CQCLogic Ltd is the data controller responsible for your personal data. We are registered in England and Wales (Company Number: [Company Registration Number]) with our registered address at [Registered Address], England.

For privacy-related queries, contact our Data Protection contact at: legal@cqclogic.com

1.2 What Personal Data We Collect

Information You Provide Directly

  • Account registration data: full name, email address, job title, phone number

  • Organisation details: care service name, CQC registration number, CQC Location ID, service type, number of beds, team size

  • Billing information: payment card details (processed by Stripe; we do not store card numbers), billing address, VAT number

  • Inspection data: uploaded CQC inspection reports, self-reported compliance notes

  • Communications: support enquiries, feedback, and correspondence with our team

Information Collected Automatically

  • Usage data: pages visited, features used, time spent, click patterns

  • Device and technical data: IP address, browser type and version, operating system, screen resolution

  • Cookie data: session identifiers, preference cookies (see Cookie Policy)

  • Log data: error logs, performance data, security event logs

Information from Third Parties

  • CQC API: publicly available rating and registration data linked to your CQC Location ID

  • Stripe: payment confirmation and subscription status (not card details)

  • Google OAuth (if used): name and email for account sign-in

1.3 How We Use Your Personal Data

We process your personal data only where we have a lawful basis to do so under UK GDPR. Our lawful bases are:


  • Contract performance: to provide the Service you have purchased, process payments, generate improvement plans, and manage your subscription

  • Legitimate interests: to improve our platform, monitor for fraud and abuse, send relevant product updates, and analyse usage patterns

  • Legal obligation: to comply with tax laws, data retention requirements, and regulatory demands

  • Consent: to send marketing emails (you may withdraw consent at any time)

1.4 Data Sharing and Third Parties

We do not sell your personal data. We share data only with trusted service providers who process it on our behalf, including:


  • Supabase (database and authentication hosting) – EU/UK data residency

  • Stripe (payment processing) – PCI DSS compliant

  • OpenAI (AI plan generation) – data processed under our API agreement with appropriate data processing terms

  • n8n (workflow automation) – self-hosted or EU-based instance

  • Hostinger (web hosting) – EU data centres

  • Email service provider for transactional and marketing emails


All third-party processors are subject to data processing agreements and are required to process data only for the purposes we specify.

1.5 International Data Transfers

Where data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or an adequacy decision from the UK Information Commissioner. OpenAI processes data in the United States under SCCs.

1.6 Data Retention

  • Account data: retained for the duration of your account plus 7 years after closure for legal compliance

  • Inspection reports and improvement plans: retained for the duration of your subscription plus 3 years

  • Payment records: 7 years in accordance with HMRC requirements

  • Marketing preferences: until you withdraw consent or request deletion

  • Server logs: 90 days rolling retention

1.7 Your Rights Under UK GDPR

You have the following rights regarding your personal data:


  • Right of access: request a copy of the personal data we hold about you

  • Right to rectification: request correction of inaccurate or incomplete data

  • Right to erasure: request deletion of your data where there is no legitimate reason for us to retain it

  • Right to restrict processing: request we limit how we use your data

  • Right to data portability: receive your data in a structured, machine-readable format

  • Right to object: object to processing based on legitimate interests or for direct marketing

  • Rights in relation to automated decision-making: not to be subject to solely automated decisions that significantly affect you


To exercise any of these rights, contact us at legal@cqclogic.com. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

1.8 Children’s Data

Our Service is not directed at individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact us immediately.

1.9 Security

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, role-based access controls, regular security audits, and breach notification procedures. Despite these measures, no system is completely secure, and we cannot guarantee absolute security.

1.10 Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated by email and by displaying a prominent notice on our platform. Continued use of the Service after changes constitutes acceptance of the updated policy.