Legal Document

Privacy Policy

How CQC IQ collects, uses and protects your personal data  ·  Version 1.0  ·  Last Updated: 9 April 2026

Important Notice: This document is a professionally drafted template prepared with the assistance of AI. It must be reviewed, amended and approved by a qualified solicitor admitted in England and Wales before publication or use with customers.

This Privacy Policy explains how Ophthalmic Supplies and Solutions Ltd, trading as CQC IQ ("CQC IQ", "we", "us", "our") collects, uses, stores and protects personal data when you use our platform ("Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

This policy applies to all users of the Service, including registered managers, clinical leads, governance leads, and other healthcare staff who access CQC IQ.

Data Controller: Ophthalmic Supplies and Solutions Ltd (trading as CQC IQ)
ICO Registration: [Pending registration]
Last Updated: 9 April 2026

1. What Personal Data We Collect

1.1 Account and Identity Data

  • Full name
  • Email address
  • Job title and role (e.g. Registered Manager, Clinical Lead)
  • Organisation name and address
  • Password (stored as a one-way cryptographic hash — we cannot access your password)

1.2 Usage and Activity Data

  • Log-in timestamps and IP addresses
  • Pages visited and features used within the Service
  • Checklist item updates and completion status
  • Mock inspector session transcripts and scores
  • Actions created and completed
  • Notifications read and dismissed

1.3 Content You Upload

  • Evidence notes and documents uploaded against checklist items
  • Playbook content and inspection preparation notes
  • Video files uploaded to the Clinic Walkthrough Scan feature (deleted within 1 hour — see Section 4)

1.4 Payment Data

We do not store your payment card details. Payment processing is handled by Stripe, Inc. We receive only a payment reference and subscription status from Stripe. Stripe's privacy policy is available at stripe.com/gb/privacy.

1.5 What We Do NOT Collect

CQC IQ is not designed to process patient data. We do not collect, process or store any patient-identifiable information, clinical records, medical histories or NHS numbers. You must not upload patient data to CQC IQ. Doing so would breach UK GDPR and your own obligations as a data controller.

2. How We Use Your Personal Data

2.1 Lawful Bases

Purpose | Lawful Basis | Details
Providing the Service | Contract | Processing necessary to deliver the platform you have subscribed to
Account management | Contract | Creating and managing your account and subscription
Sending service emails | Contract | Verification, password reset, action reminders, weekly digest
AI feature processing | Contract | Processing your inputs through AI models to return responses
Improving the Service | Legitimate interests | Analysing anonymised usage patterns to improve features
Legal compliance | Legal obligation | Complying with applicable laws and regulatory requirements
Fraud prevention | Legitimate interests | Detecting and preventing misuse of the Service

3. Who We Share Your Data With

3.1 Sub-processors

Sub-processor | Purpose | Location
Anthropic, Inc. | AI processing — mock inspector, scenario scoring, gap analysis, walkthrough scan | USA (UK IDTA/SCCs)
Amazon Web Services | Cloud infrastructure and file storage (S3) | EU (Ireland)
Stripe, Inc. | Payment processing | USA
SendGrid (Twilio) | Transactional email delivery | USA (SCCs)
Railway / Render | Application hosting and database | EU region

3.2 International Transfers

Anthropic processes data in the United States. This transfer is covered by the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) as appropriate. We have assessed the transfer and are satisfied that adequate protections are in place.

3.3 We Do Not Sell Your Data

We do not sell, rent or share your personal data with third parties for their own marketing or commercial purposes.

3.4 Legal Disclosures

We may disclose personal data if required to do so by law, court order or regulatory authority, or if necessary to protect the safety of any person.

4. The Clinic Walkthrough Scan — Special Notice

This feature processes video footage. Read this section carefully before use.

When you use the Clinic Walkthrough Scan feature:

  • You upload a video file which is temporarily stored on our servers (AWS S3)
  • We extract individual frames from the video (one frame every 3 seconds, maximum 80 frames)
  • Each frame is transmitted to the Anthropic Claude API for AI analysis
  • After analysis, ALL extracted frames are deleted from our servers immediately
  • The original video file is deleted within 1 hour of upload
  • Only the text findings from the analysis are stored — no images are retained

Before uploading any video, you must confirm that:

  • The video contains no identifiable patients or individuals who have not consented to filming
  • No confidential patient or clinical information is visible in the footage
  • You are authorised to record the premises shown

5. Data Retention

Data Type | Retention Period
Account data | Duration of Subscription + 30 days after termination
Usage logs | 12 months
Checklist and compliance data | Duration of Subscription + 30 days
Mock session transcripts | 12 months from session date
Payment records | 7 years (required by HMRC)
Walkthrough scan video frames | Deleted immediately after analysis
Walkthrough scan video files | Deleted within 1 hour of upload
Walkthrough scan text findings | 12 months

After applicable retention periods, data is securely deleted or anonymised.

6. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or destruction. These include:

  • Passwords stored as one-way bcrypt hashes (minimum cost factor 12)
  • All data in transit encrypted via TLS 1.2 or higher
  • Data at rest encrypted by our cloud infrastructure providers
  • Access to production systems restricted to authorised personnel only
  • Regular security reviews

No method of internet transmission or electronic storage is 100% secure. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay.

7. Your Rights

Under UK GDPR you have the following rights regarding your personal data:

  • Right of access: Receive a copy of your personal data we hold
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your data in certain circumstances
  • Right to restrict processing: Limit how we use your data in certain circumstances
  • Right to data portability: Receive your data in a machine-readable format
  • Right to object: Object to processing based on legitimate interests

To exercise any of these rights, email us at [email protected]. We will respond within one month. You also have the right to lodge a complaint with the ICO at ico.org.uk.

8. Cookies

CQC IQ uses the following cookies:

Cookie | Purpose | Can be disabled?
Session cookie | An httpOnly, secure cookie containing your encrypted session token. Essential for the Service to function. | No — essential

We do not use advertising, analytics or tracking cookies.

9. Children

The Service is not directed at children under 18 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected].

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or prominent notice in the Service at least 14 days before they take effect. The current version is always available at inspectready.co.uk/privacy.

11. Contact

If you have questions about this Privacy Policy or our data practices, contact our Data Protection contact at:

Address: Ophthalmic Supplies and Solutions Ltd (trading as CQC IQ), England

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113.