1. Who we are
Audiology CQC Limited ("we", "us", "our") is a CQC registration consultancy for audiology and registered nursing professionals. We operate a secure online portal at audiologycqc.co.uk that helps clients prepare and manage their Care Quality Commission applications.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Audiology CQC Limited is the data controller for the personal data processed through our website and portal.
2. What data we collect
We collect and process the following categories of personal data, all of which are necessary to support your CQC registration application:
Client business information
- Business name, trading name, and company number
- Business address, email, telephone, and website
- Legal entity type and registration details
Registered Manager personal information
- Full name, date of birth, and home address
- Professional registration details (HCPC, NMC, or other bodies)
- DBS certificate number and issue date
- Employment history, qualifications, and GP details
- Referee contact information
- Fit and Proper Person declaration details
Staff information
- Staff names, roles, and professional registration details
- DBS and mandatory training records
- CQC regulated activity assignments
Documents
- Policies, certificates, insurance documents, and other files uploaded to the portal
- AI-generated documents such as Statements of Purpose and CQC policies
Website enquiry data
- Name, email, telephone, and profession submitted via our contact form
3. Why we process your data
We process your personal data for the following purposes, all of which are necessary for the performance of our contract with you or for our legitimate interests in operating a consultancy service:
- CQC application preparation — populating official CQC registration forms, generating Statements of Purpose, and compiling application bundles
- Ongoing compliance management — tracking policy reviews, document expiry, staff training, equipment calibration, and clinical audit schedules
- Communication — sending notifications about upcoming deadlines, expiring documents, and application progress
- Service improvement — understanding how the portal is used to improve our consultancy service
We do not use your data for marketing purposes, sell it to third parties, or share it with anyone outside of the CQC application process.
4. How we protect your data
We take the security of your data extremely seriously. Your CQC application contains sensitive personal and business information, and we employ multiple layers of protection:
Our commitment: Every technical decision in the design of our portal has been made with data security as a primary consideration. We use the same level of security infrastructure trusted by healthcare organisations and financial institutions.
Infrastructure security
Encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2+ (HTTPS). We enforce HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.
Encryption at rest
All database records and uploaded files are encrypted at rest using AES-256 encryption. Your data is protected even in the unlikely event of a physical storage breach.
EU-based hosting
All data is stored in AWS eu-west-2 (London) data centres. Your data never leaves the UK/EU, ensuring full compliance with UK GDPR data residency requirements.
Private document storage
All uploaded documents are stored in a private storage bucket. Files are never publicly accessible — each download requires a time-limited, cryptographically signed URL generated on demand.
Access control
Row-Level Security (RLS)
Every database table is protected by Row-Level Security policies enforced at the database engine level. Clients can only access their own data — this is not application logic that can be bypassed, but a fundamental database constraint.
Role-based access
The portal separates consultant and client access. Clients see only their own records. Consultants see only their assigned clients. There is no global admin access to client data.
Secure authentication
User authentication uses industry-standard JWT (JSON Web Token) sessions with secure password hashing (bcrypt). All authentication is handled by our database provider's battle-tested auth infrastructure.
Invite-only registration
Client accounts are created by invitation only. There is no public self-registration. Each invitation is sent via a secure, time-limited email link.
Application security
Security headers
Our site enforces Content-Security-Policy, X-Frame-Options (DENY), X-Content-Type-Options, and Referrer-Policy headers to prevent cross-site scripting, clickjacking, and data leakage.
No tracking or analytics
We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts. We do not serve advertisements. Your browsing activity within the portal is not monitored or shared.
Minimal permissions
The portal requests no browser permissions — no camera, microphone, geolocation, or payment API access. Our Permissions-Policy header explicitly blocks all of these.
AI processing safeguards
When generating documents (Statements of Purpose, policies), your data is sent to Anthropic's Claude API via our own secure server-side proxy. Data is used solely for generating your document and is not retained by the AI provider for training or any other purpose.
5. Third-party processors
We use the following third-party services to operate the portal. Each processes data only as necessary to provide their service and under strict contractual obligations:
- Supabase (EU region) — database hosting, authentication, and file storage. Data stored in AWS eu-west-2 (London).
- Netlify — website hosting and form submissions. Static files only; no client data is stored on Netlify servers.
- Anthropic — AI document generation (Statement of Purpose, CQC policies). Data is sent via server-side API calls only when you explicitly request document generation. Data sent to Anthropic via the API is not used for model training. Anthropic may retain API logs briefly for trust and safety purposes, in accordance with their data usage policy.
We do not share your personal data with any other third parties.
6. Your rights under UK GDPR
Under UK data protection law, you have the following rights:
- Right of access (Article 15) — request a copy of all personal data we hold about you
- Right to rectification (Article 16) — request correction of inaccurate or incomplete data
- Right to erasure (Article 17) — request deletion of your personal data and account
- Right to data portability (Article 20) — request your data in a portable, machine-readable format
- Right to restrict processing (Article 18) — request that we limit how we use your data
- Right to object (Article 21) — object to our processing of your data
Built-in GDPR tools: Our portal includes self-service tools for exercising your rights. From your account settings you can export all your data (Article 20 — delivered as a ZIP containing HTML and JSON files) or permanently delete your account and all associated data (Article 17 — cascading deletion that removes all records, documents, and activity logs).
To exercise any of these rights, or if you prefer to make a request in writing, contact us at info@audiologycqc.co.uk. We will respond within 30 days.
7. Data retention
We retain your data for as long as your account is active and your consultancy engagement is ongoing. Specifically:
- Active accounts — data is retained for the duration of the client relationship and for 12 months after the engagement ends, to support any follow-up queries or CQC inspections
- Closed accounts — when you request account deletion, all data is permanently removed from our systems within 30 days, including all database records, uploaded documents, activity logs, and generated files
- Contact form enquiries — retained for up to 12 months to respond to your enquiry and for business records, then deleted
8. Cookies
Our portal does not set any cookies. Authentication tokens are stored in your browser's local storage, not as cookies. We do not use any analytics, advertising, or preference cookies. No cookie consent banner is required as we do not use cookies.
9. Children's data
Our portal is designed for use by healthcare professionals and business operators. We do not knowingly collect personal data from individuals under the age of 18. Where client applications involve paediatric services, the data collected relates to the provider's regulatory compliance, not to individual children.
10. Changes to this policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements. We will notify active portal users of any material changes via the portal's notification system. The "last updated" date at the top of this page indicates when the policy was most recently revised.
11. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would appreciate the opportunity to address your concerns directly before you contact the ICO. Please reach out to us first.
12. Contact us