Privacy Notice | ClarityQ

01

Who we are

ClarityQ Ltd ("ClarityQ", "we", "us", "our") is a UK-registered software company providing automated clinical analytics dashboards to NHS GP practices. Our platform integrates with EMIS Web and SystmOne to help practices monitor population health, QOF performance and clinical outcomes.

ClarityQ Ltd is registered in England and Wales. Our registered address is: 71-75 Shelton Street, London, Greater London, WC2H 9JQ.

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is ZC104169.

Our Data Protection Lead is Rakhee Cholera, Founder & Director. Contact: [email protected].

02

What this notice covers

ClarityQ processes personal data in two distinct capacities:

As a Data Controller We determine how and why personal data is processed when it relates to GP practice staff and contacts, prospective customers, employees, contractors, and website visitors.

As a Data Processor When processing NHS patient clinical data on behalf of GP practices, the GP practice is the data controller and ClarityQ acts as their data processor under a signed Data Processing Agreement. If you are an NHS patient, please direct data rights requests to your GP practice directly.

This notice applies to visitors to clarityq.co.uk, GP practice staff using the ClarityQ platform, prospective customers, and anyone who contacts us by email or phone.

03

Data we collect and process

As a data controller we collect the following categories of personal data:

Category	Examples	Source
GP practice contact data	Practice manager name, job title, work email, work phone, ODS code	Provided by the practice during contracting
Platform user data	Username, email address, login timestamps, dashboard usage logs	Created when we provision a practice account
Support communications	Name, email, description of support query (no patient data)	Submitted via email or support contact
Prospect / commercial data	Name, job title, organisation, work email, work phone	Provided directly or through NHS networks
Website visitor data	IP address, pages visited, browser type (via cookies — see Section 11)	Automatically collected on website visit
Employee / contractor data	Name, address, NI number, bank details, employment records	Provided during employment or engagement

We do not collect special category personal data (health information, ethnicity, religious beliefs) about GP practice staff, website visitors, or prospective customers. NHS patient health data is processed only as a data processor — see Section 4.

04

NHS patient data

If you are an NHS patient ClarityQ processes pseudonymised patient clinical data on behalf of your GP practice. Your GP practice is the data controller. To exercise your data rights or query your health record, please contact your GP practice directly.

When GP practices use the ClarityQ platform, pseudonymised patient clinical data is extracted from EMIS Web or SystmOne and transmitted to ClarityQ's secure cloud infrastructure for analytics processing.

What patient data we process

Coded diagnoses (SNOMED CT / Read codes)
Prescribed medications
QOF performance indicators
Age band, sex, and IMD deprivation decile

What patient data we do NOT process

NHS numbers · Patient names · Dates of birth · Home addresses · Free-text clinical notes

Pseudonymisation is applied at source within the GP clinical system before any data is transmitted to ClarityQ. Dashboard outputs apply statistical disclosure controls — any metric based on fewer than 5 patients is suppressed to prevent re-identification.

Patient data is processed under Article 9(2)(h) UK GDPR (healthcare purposes) and Schedule 1, Part 1, paragraph 2 DPA 2018 (health or social care purposes), under a signed Data Processing Agreement with each GP practice.

05

Lawful basis for processing

We process personal data only where we have a valid lawful basis under UK GDPR Article 6, and for special category data an additional condition under Article 9.

Processing activity	Lawful basis	Article
GP practice customer management	Performance of contract with the GP practice	Art. 6(1)(b)
NHS patient data analytics	Contract performance (as processor) + healthcare purposes (Art. 9)	Art. 6(1)(b) + 9(2)(h)
Prospect / pre-sales outreach	Legitimate interests — B2B marketing to NHS professionals	Art. 6(1)(f)
Security logging and audit	Legal obligation (DSPT, UK GDPR accountability) and legitimate interests	Art. 6(1)(c)+(f)
Employee / HR / payroll	Contract of employment and legal obligation (HMRC, statutory employment law)	Art. 6(1)(b)+(c)

Where we rely on legitimate interests for prospect outreach, you have the right to object at any time — see Section 10. Marketing objections are honoured immediately.

06

How we use your data

GP practice customers

Setting up and managing your ClarityQ platform account
Providing technical support and responding to queries
Sending service notifications, updates, and renewal information
Processing payments and managing the contractual relationship
Complying with legal and regulatory obligations (DSPT, UK GDPR)

Prospective customers

Responding to enquiries and providing product demonstrations
Sending commercial proposals and follow-up communications

Website visitors

Operating and improving the ClarityQ website
Analysing website usage where analytics cookies are accepted
Responding to contact form submissions

We do not use personal data for automated decision-making or profiling that has a legal or significant effect on individuals. We do not sell personal data to third parties.

07

Sharing and sub-processors

We do not sell personal data. We share it only with the following third parties and only to the extent necessary:

Organisation	Role	Data shared	Safeguards
Amazon Web Services (AWS)	Cloud infrastructure (IaaS)	NHS patient data (pseudonymised), platform logs	AWS DPA; ISO 27001; UK data centre eu-west-2 London; Cyber Essentials Plus
Google LLC — Google Workspace	Email and document management	Customer contact data, business email	Google Workspace DPA; ISO 27001/27017/27018; SOC 2
Microsoft Corporation — M365	Productivity and document storage	Customer contact data, business documents	Microsoft DPA; ISO 27001; Cyber Essentials Plus
HMRC / pension providers	Statutory obligations	Employee payroll data (as legally required)	Statutory legal basis; minimum necessary data only

We will notify GP practice customers at least 30 days before adding or replacing any sub-processor that handles NHS patient data, in accordance with our Data Processing Agreements. We may also disclose personal data to law enforcement or the ICO where legally required.

08

International transfers

ClarityQ's primary cloud infrastructure processes all NHS patient data within the United Kingdom (AWS eu-west-2, London region). We do not transfer NHS patient data outside the UK.

Our source code is hosted on GitHub (USA). We maintain a strict policy that no personal data or NHS patient data is ever stored in code repositories. Where any international transfer does occur (e.g. certain Google Workspace or Microsoft 365 processing), appropriate safeguards are in place including standard contractual clauses or UK adequacy decisions.

09

Retention periods

We retain personal data only as long as necessary for the purpose for which it was collected:

Data category	Retention period	Basis
NHS patient data (pseudonymised)	Contract duration + 12 months, then securely deleted	DPA obligations; data minimisation
GP practice customer data	Contract duration + 6 years	Limitation Act 1980
Support communications	3 years from resolution	Legitimate interests
Prospect / commercial data	12 months from last contact (immediately on objection)	Legitimate interests
Security audit logs	12 months active, 24 months archived	Legal obligation (DSPT)
Employee / HR records	Employment + 6 years	HMRC; statutory employment law

When personal data is no longer required it is securely deleted or anonymised. For NHS patient data we provide written confirmation of deletion to the GP practice on request.

10

Your rights

Under UK GDPR you have the following rights in relation to personal data ClarityQ holds about you as a data controller. These apply to GP practice staff, employees, prospective customers and website visitors.

NHS patients Your rights in respect of your health record should be directed to your GP practice, not ClarityQ.

📋

Right of Access

Request a copy of personal data we hold about you (Subject Access Request).

✏️

Right to Rectification

Ask us to correct inaccurate or incomplete personal data.

🗑️

Right to Erasure

Request deletion where there is no legal basis to retain your data.

⏸️

Right to Restriction

Ask us to pause processing while accuracy is disputed or a challenge resolved.

📤

Right to Portability

Receive personal data you provided in a structured, machine-readable format.

🚫

Right to Object

Object to processing based on legitimate interests. Marketing objections honoured immediately.

To exercise any right, contact [email protected]. We will acknowledge within 3 working days and respond within one calendar month. No charge applies.

If you are unsatisfied with our response you may complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint · 0303 123 1113.

11

Cookies

Our website may use cookies — small text files stored on your device — to operate the site and understand how visitors use it.

Essential cookies

Necessary for the website to function (session management, security). No consent required.

Analytics cookies

With your consent, we may use analytics cookies (such as Google Analytics) to understand visitor navigation. These collect anonymised data only.

Managing cookies

You can control cookies through your browser settings. To opt out of Google Analytics across all websites, visit tools.google.com/dlpage/gaoptout.

12

Security

Our technical and organisational security measures include:

AES-256 encryption of NHS patient data at rest; TLS 1.2+ in transit
Multi-factor authentication (MFA) enforced on all accounts and cloud services
Pseudonymisation of NHS patient data at source — no direct patient identifiers processed
Statistical disclosure controls (small cell suppression <5 patients) on all dashboard outputs
Role-based access control — each GP practice can only access its own data
Monthly security log review and automated anomaly alerting (AWS CloudTrail / CloudWatch)
Annual NHS DSPT self-assessment submission
Cyber Essentials certification (in progress)
DCB0129 Clinical Safety Officer oversight and hazard log maintained
Annual Business Continuity Plan testing and backup restoration verification

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

13

Changes to this notice

We review this notice at least annually and whenever our data processing activities change materially. When we make significant changes we will update the "Last reviewed" date and, where appropriate, notify GP practice customers by email.

March 2026 Version 1.0 — Initial publication. Covers all processing activities in ClarityQ RoPA v1.0. ICO registration ZC104169 confirmed.

14

Contact us

For questions about this notice, to exercise your data rights, or to raise a data protection concern:

ClarityQ Ltd — Data Protection Lead

NameRakhee Cholera, Founder & Director

Email[email protected]

Address71-75 Shelton Street, London, Greater London, WC2H 9JQ

ICO RegZC104169

ICOico.org.uk · 0303 123 1113

We aim to acknowledge all queries within 3 working days and to respond in full within one calendar month. If you are not satisfied with our response, you have the right to complain to the ICO.