Back to ClarityQ

Privacy Notice

Last updated: May 2026 · ClarityQ Ltd · Company No. 17072041 · Document Ref: CQ-PN-001

1. Who We Are

ClarityQ Ltd is a clinical analytics platform registered in England and Wales (Company No. 17072041), with its registered address at 71-75 Shelton Street, London, WC2H 9JQ. ODS Code: O3E4P.

For data protection enquiries, contact: info@clarityq.co.uk

2. Data Controller and Data Processor Roles

ClarityQ Ltd is the Data Processor. The GP practice or NHS organisation that commissions ClarityQ is the Data Controller.

As Data Processor, ClarityQ:

  • Processes personal data only on documented instructions from the Data Controller
  • Ensures all staff with access to personal data are bound by confidentiality obligations
  • Implements appropriate technical and organisational security measures
  • Does not engage sub-processors without prior authorisation from the Data Controller
  • Assists the Data Controller in responding to data subject access requests (DSARs)
  • Deletes or returns all personal data at the end of the processing agreement
  • Makes available all information necessary to demonstrate compliance

The Data Controller (GP practice) determines the purposes and means of processing personal data, ensures a lawful basis exists under UK GDPR, and is responsible for providing fair processing information to data subjects (patients).

3. Lawful Basis for Processing

ClarityQ processes data under the following lawful bases:

  • Article 6(1)(b) — Performance of a contract (service delivery to subscribing practices)
  • Article 6(1)(f) — Legitimate interests (platform security, audit logging, fraud prevention)
  • Article 9(2)(h) — Health data processing for the provision of health care (where applicable)

The Data Controller (GP practice) relies on their own lawful basis for collecting and sharing data with ClarityQ, typically under Article 6(1)(e) — Public task, or Article 9(2)(h) — Health care provision.

4. What Data We Process

Clinical analytics data (pseudonymised): Aggregated, population-level health indicators extracted from EMIS Web or SystmOne. No direct patient identifiers are processed.

User account data: Name, email address, role, organisation, login timestamps, and audit trail of platform actions.

Clinical Scribe transcriptions: Voice-to-text output only. Audio is processed ephemerally and never stored. Only the transcribed text is retained for the clinician to review and copy.

Triage Co-pilot input: Symptom descriptions entered by clinicians. Automated PII detection strips any patient-identifiable information (NHS numbers, names, postcodes, dates of birth, email addresses, phone numbers) before processing.

5. PII Prevention Controls

ClarityQ implements automated PII detection and stripping on all free-text input fields. The following identifiers are automatically detected and blocked:

  • NHS numbers (10-digit format)
  • UK postcodes
  • Dates of birth
  • Email addresses
  • UK phone numbers
  • Patient names (via pattern matching)

This operates at both the client-side (immediate user feedback) and server-side (API-level blocking) to ensure defence in depth.

6. Data Sharing and Sub-Processors

ClarityQ shares data only with the following sub-processors, all under Data Processing Agreements:

  • Amazon Web Services (AWS) — Cloud infrastructure, eu-west-2 (London). ISO 27001, Cyber Essentials Plus certified.
  • Netlify — Frontend hosting and CDN delivery.
  • Stripe — Payment processing (PCI DSS Level 1 compliant).

All data is processed and stored within the UK (AWS eu-west-2, London region). No international data transfers take place for NHS patient data.

ClarityQ will not share personal data with any third party for marketing purposes.

7. Data Retention

ClarityQ retains data for 7 years in accordance with the NHS Records Management Code of Practice 2021. This applies consistently across:

  • Audit logs and access records
  • Processing activity records
  • System and security logs
  • Incident and breach records
  • Governance review records
  • Clinical safety documentation

Clinical Scribe audio: Never stored. Processed ephemerally and discarded immediately after transcription.

On subscription termination: User data is retained for 30 days to allow export, then securely deleted. Audit logs are retained for the full 7-year period as required by NHS records management.

8. Data Security

ClarityQ implements comprehensive security measures:

  • Encryption: AES-256 at rest (AWS KMS), TLS 1.2+ in transit
  • Authentication: Multi-factor authentication (MFA) mandatory for all users
  • Access control: Role-based access control (RBAC) with admin-only restrictions on sensitive pages
  • Monitoring: AWS GuardDuty, Security Hub, CloudTrail, CloudWatch alarms
  • Content Security Policy: CSP headers enforced via Netlify edge functions
  • Certifications: Cyber Essentials certified, DSPT aligned, DCB0129 compliant

9. Your Rights Under UK GDPR

As a data subject, you have the following rights:

  • Right of access (Article 15) — Request a copy of your personal data
  • Right to rectification (Article 16) — Request correction of inaccurate data
  • Right to erasure (Article 17) — Request deletion of your data (subject to retention obligations)
  • Right to restrict processing (Article 18) — Request limitation of processing
  • Right to data portability (Article 20) — Receive your data in a structured format
  • Right to object (Article 21) — Object to processing based on legitimate interests

For patient data, rights requests should be directed to the Data Controller (your GP practice), as ClarityQ processes this data on their behalf.

For platform user data, contact info@clarityq.co.uk. We will respond within 30 days.

10. Complaints

If you are dissatisfied with how your data is handled, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage you to contact us first at info@clarityq.co.uk so we can try to resolve any concerns directly.

Contact

For privacy or data protection queries:
ClarityQ Ltd
71-75 Shelton Street, London, WC2H 9JQ
Email: info@clarityq.co.uk
Company No. 17072041 · ODS Code: O3E4P

© 2026 ClarityQ Ltd. All rights reserved.