GDPR Notice
Your data rights matter. This notice explains how ClinBridge Health Ltd processes personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have a question or wish to exercise a right, email ssekar@outlook.com.
1. Data Controller Identity
ClinBridge Health Ltd
Registered in England and Wales | Data Controller for all Med-Guide platform users
Contact: ssekar@outlook.com
2. What Personal Data We Process
| Category | Data Elements | Lawful Basis | Retention |
|---|---|---|---|
| Account identity | Full name, email address, username, organisation | Contract (Art 6(1)(b)) | Active subscription + 12 months |
| Authentication | Salted SHA-256 password hash (never plain text), session token | Contract (Art 6(1)(b)) | Password hash until account deletion; session tokens until they expire (see section 7) |
| Subscription | Tier level, subscription status, billing reference | Contract (Art 6(1)(b)) | 7 years (legal obligation) |
| Usage and security | Login timestamps, IP address, device fingerprint, audit log | Legitimate interest (Art 6(1)(f)) | 12 months |
| Platform behaviour | Medication search queries (linked to user account) | Legitimate interest (Art 6(1)(f)) | 24 months |
| AI queries (Tier 2/3) | Text of AI assistant questions during session | Contract (Art 6(1)(b)) | Not retained after session ends |
Special category data: We do not process health data about residents or service users. The platform is a medication reference tool. Users must not enter resident personal data into the platform.
3. Lawful Basis Register
| Processing Activity | Lawful Basis | Necessity |
|---|---|---|
| User authentication and session management | Art 6(1)(b) — Contract performance | Cannot provide service without this |
| Subscription management and billing | Art 6(1)(b) — Contract performance | Necessary to operate paid service |
| Sending account and security notifications | Art 6(1)(b) — Contract performance | Necessary for service integrity |
| Audit logging of admin actions | Art 6(1)(f) — Legitimate interest | Security, fraud prevention, compliance |
| Search query analysis for DB improvement | Art 6(1)(f) — Legitimate interest | Product improvement; users benefit from better data |
| Legal compliance and regulatory obligations | Art 6(1)(c) — Legal obligation | Required by UK law |
| Optional marketing communications | Art 6(1)(a) — Consent | Only where user has explicitly opted in |
4. Data Transfers Outside the UK
Some of our processors operate outside the UK:
- Supabase (database) — EU data centres; the transfer relies on the UK adequacy regulations covering the EEA (Article 45); Standard Contractual Clauses are also in place
- Anthropic (AI assistant) — US-based; the transfer relies on a UK-recognised mechanism (the adequacy route applies only to organisations certified under the UK-US Data Bridge; otherwise Article 46 safeguards such as the International Data Transfer Agreement apply); no AI query data is retained after the session ends
- Cloudflare (hosting/CDN) — global CDN; UK data residency for core data; any transfers are covered by Cloudflare's Data Processing Addendum
All international transfers are covered either by UK adequacy regulations (UK GDPR Article 45) or by appropriate safeguards (UK GDPR Article 46).
5. Your Rights Under UK GDPR
🔍 Right of Access (Art 15)
Request a copy of all personal data we hold about you, together with the information listed in Article 15(1) (purposes, recipients, retention periods, source). Response within one month of receipt, free of charge.
✏️ Right to Rectification (Art 16)
Request correction of inaccurate or incomplete personal data without undue delay.
🗑️ Right to Erasure (Art 17)
Request deletion of your data where no legal basis remains. Some data may be retained for legal obligations.
🔒 Right to Restriction (Art 18)
Request that we limit processing of your data in specific circumstances (e.g. disputed accuracy).
🔄 Right to Portability (Art 20)
Receive the personal data you have provided to us, where we process it by automated means under contract or consent, in a structured, commonly used, machine-readable format (JSON or CSV) for transfer elsewhere.
✋ Right to Object (Art 21)
Object to processing based on legitimate interests (see section 3). We will stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms. You may object to direct marketing at any time, and we will stop without exception.
To exercise any right, email ssekar@outlook.com with "Data Subject Request" in the subject line. We will verify your identity before acting on the request and respond within one month of receipt. For complex or numerous requests we may extend this by up to a further two months; if so, we will tell you within the first month and explain why (Art 12(3)).
6. Automated Decision-Making
The AI Clinical Assistant (available to Tier 2 and Tier 3 users) provides informational responses based on the medication database. It does not make automated decisions that produce legal or similarly significant effects on individuals. All clinical decisions remain with the qualified prescriber.
7. How We Protect Your Data
- All communications encrypted via TLS 1.3
- Passwords hashed (SHA-256 + salt) — never stored or transmitted in plain text
- Role-based access control — staff see only data relevant to their tier
- Session expiry after 45 minutes of inactivity
- Account lockout after 5 failed attempts with 30-minute lockout period
- Full audit trail of all authentication events and admin actions
- Data hosted on ISO 27001-certified infrastructure
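The lockout, session-expiry and audit controls listed above can be expressed as a small state machine. The following is an added example (not ClinBridge's own code) showing one way to implement the stated policy: five failed attempts trigger a 30-minute lockout, sessions expire after 45 minutes of inactivity, and every authentication event is appended to an audit trail. Password storage follows the notice's description (salted SHA-256); the comment in `hash_password` notes the stronger alternative a practitioner would normally choose. The `AuthService` class, the `run_demo` function and the sample account are assumptions for illustration, and the clock is passed in explicitly so the lockout and expiry windows can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Policy values taken from section 7 of the notice.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 30 * 60
SESSION_IDLE_SECONDS = 45 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted SHA-256, as the notice describes. A deliberately slow KDF
    (Argon2id, scrypt, bcrypt) resists offline guessing far better and is
    the usual recommendation; the scheme here mirrors the page only."""
    salt = salt or secrets.token_bytes(16)  # per-user random salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    password_record: str
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float


class AuthService:
    """Hypothetical service wiring the controls together (illustration only)."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        self.audit: List[Tuple[float, str, str]] = []  # (time, user, event)

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, hash_password(password))

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        acct = self.accounts.get(username)
        if acct is None:
            self.audit.append((now, username, "login_failed_unknown_user"))
            return None
        if now < acct.locked_until:
            # Rejected before the password is checked: a locked account gives no
            # oracle and repeated attempts do not extend the lockout.
            self.audit.append((now, username, "login_rejected_locked"))
            return None
        if acct.locked_until:  # a previous lockout has now expired
            acct.locked_until = 0.0
            acct.failed_attempts = 0
        if not verify_password(password, acct.password_record):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                self.audit.append((now, username, "account_locked"))
            else:
                self.audit.append((now, username, "login_failed"))
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        self.audit.append((now, username, "login_ok"))
        return token

    def authenticate(self, token: str, now: float) -> Optional[str]:
        """Return the username for a live session, sliding the idle window."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            self.audit.append((now, sess.username, "session_expired"))
            return None
        sess.last_activity = now
        return sess.username


def run_demo() -> dict:
    """Exercise the policy against a constructed account and fixed clock."""
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")  # constructed sample
    t0 = 1_700_000_000.0
    for i in range(MAX_FAILED_ATTEMPTS):  # five wrong guesses lock the account
        svc.login("alice", "wrong-password", t0 + i)
    locked = svc.login("alice", "correct horse battery staple", t0 + 10) is None
    t_unlock = t0 + 10 + LOCKOUT_SECONDS  # lock (set at t0+4) has lapsed by now
    token = svc.login("alice", "correct horse battery staple", t_unlock)
    active = svc.authenticate(token, t_unlock + 44 * 60)  # inside idle window
    expired = svc.authenticate(token, t_unlock + 44 * 60 + 46 * 60)  # past it
    return {"locked": locked, "token": token, "active": active,
            "expired": expired, "events": [e for _, _, e in svc.audit]}
```

The audit list records the rejected-while-locked attempt separately from a genuine password failure, which is the distinction an incident responder wants when reviewing a brute-force pattern; the idle window slides on each authenticated request, so the 45-minute limit is measured from the last activity rather than from login.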
8. Data Breach Procedure
In the event of a personal data breach, ClinBridge Health Ltd will:
- Assess the severity and scope of the breach within 24 hours of discovery
- Notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals' rights and freedoms (UK GDPR Article 33); where notification is later than 72 hours, the reasons for the delay will be given
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (UK GDPR Article 34)
- Document the breach, its effects, and remedial action taken
9. Contact and Complaints
Data Subject Requests and Privacy Queries:
Email: ssekar@outlook.com
Subject line: "Data Subject Request — [Your Name]"
Supervisory Authority:
You have the right to lodge a complaint with the ICO at any time:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk | Tel: 0303 123 1113
10. Updates to This Notice
This GDPR Notice will be reviewed at least annually and whenever there are material changes to our processing activities. The "Last updated" date above indicates the most recent revision. Significant changes will be communicated to registered users by email.