Clinical Disclaimer: ClinBridge Health does not process, store or access any patient data, resident records, or identifiable clinical information. No patient or resident data is ever transmitted to or stored by ClinBridge Health.
1. Who We Are
ClinBridge Health Ltd ("ClinBridge", "we", "us", "our") operates the ClinBridge Med-Guide platform at clinbridge-medguide.co.uk and the marketing website at clinbridgehealth.co.uk.
ClinBridge Health Ltd is the Data Controller for personal data processed in connection with the platform, as defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
2.1 Account and Registration Data
- Full name
- Email address
- Job role or professional designation (e.g. Senior HCA, Registered Nurse, Care Manager)
- Organisation name (care home or employer)
- Subscription tier, account creation date and last login timestamp
2.2 Payment and Billing Data
Payment transactions are processed exclusively by Lemon Squeezy. ClinBridge Health does not store card numbers, bank details or any financial payment credentials. We retain only a transaction reference ID and subscription status for account management purposes.
2.3 Platform Usage Data
- Pages and medication entries accessed within the platform
- Search queries entered into the medication search function
- Device type, browser type and operating system (technical metadata only)
- Session timestamps and duration
- IP address (security and fraud prevention only — not retained beyond 30 days)
2.4 Device Fingerprint
A non-identifiable device fingerprint is collected to support session security and prevent unauthorised account sharing. This cannot identify you personally outside the ClinBridge platform.
2.5 What We Do Not Collect
ClinBridge Health does not collect, process or store patient or resident names, NHS numbers, care records, medical histories, care plans, medication administration records (MAR sheets), or any data relating to individuals in your care.
3. How We Use Your Data
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Creating and managing your account | Name, email, job role, organisation | Contract performance |
| Providing platform access | Account data, subscription status, device fingerprint | Contract performance |
| Processing subscriptions and trials | Email, transaction reference, subscription dates | Contract performance |
| Transactional communications (password reset, renewal notices) | Email address | Contract performance |
| Platform security and fraud prevention | IP address, device fingerprint, session data | Legitimate interests |
| Platform improvement (anonymised, aggregated data only) | Anonymised usage and search data | Legitimate interests |
| Responding to support queries | Communications data, account data | Legitimate interests / Legal obligation |
| Product update notifications (opt-in only) | Email address, job role | Consent |
| Legal and regulatory compliance | Account data, transaction records | Legal obligation |
4. Lawful Basis for Processing
Under UK GDPR Article 6, we rely on: contract performance (Article 6(1)(b)) for service delivery; legitimate interests (Article 6(1)(f)) for security and platform improvement; consent (Article 6(1)(a)) for optional marketing communications, which may be withdrawn at any time; and legal obligation (Article 6(1)(c)) for statutory record-keeping.
5. Data Sharing and Third Parties
We do not sell your personal data. We do not share data with third parties for marketing purposes. Our sub-processors are:
- Supabase Inc. — Database and authentication infrastructure (EEA-hosted, SOC 2 Type II certified)
- Cloudflare Inc. — Content delivery and platform hosting
- Lemon Squeezy / Stripe — Payment processing (independent data controller for payment data)
- Email delivery provider — Transactional emails only
We may disclose data where required by law, court order, or regulatory authority. International transfers are subject to appropriate UK GDPR-compliant safeguards including Standard Contractual Clauses.
6. Data Retention
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (active users) | Duration of subscription + 12 months | Service provision and dispute resolution |
| Account data (deleted/lapsed accounts) | 6 years from last transaction | HMRC financial record-keeping obligations |
| Transaction reference IDs | 6 years | UK tax and accounting obligations |
| IP addresses | 30 days | Security monitoring only |
| Session and usage logs | 90 days (anonymised after 30 days) | Security and platform improvement |
| Support communications | 3 years from resolution | Complaint and dispute records |
7. Security
Our security measures include TLS/SSL encryption for all data in transit, encrypted database storage (Supabase), Row-Level Security (RLS) policies, secure password hashing (bcrypt), device fingerprint-based session validation, and internal access controls. Report suspected security incidents to security@clinbridgehealth.co.uk. In the event of a notifiable breach, we will inform the ICO within 72 hours and affected individuals without undue delay.
8. Your Rights Under UK GDPR
- Right of access (Article 15): Request a copy of personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to erasure (Article 17): Request deletion, subject to legal retention obligations
- Right to restriction of processing (Article 18): Request limitation on how we use your data
- Right to data portability (Article 20): Request a machine-readable copy of data you have provided
- Right to object (Article 21): Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent for marketing communications at any time
To exercise any right, contact privacy@clinbridgehealth.co.uk. We will respond within one calendar month. No charge applies unless requests are manifestly unfounded or excessive.
9. Cookies and Tracking
We use only essential cookies necessary for platform operation. We do not use advertising cookies, tracking pixels, or third-party analytics cookies that identify you personally.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| sb-auth-token | Essential | Authentication session management (Supabase) | Session / 7 days |
| sb-refresh-token | Essential | Session refresh for authenticated users | 30 days |
| cf_clearance | Essential | Cloudflare security verification | Session |
10. GDPR Notice — Data Controller Information
Data Controller: ClinBridge Health Ltd
Framework: UK GDPR and Data Protection Act 2018
ICO Registration: Pending registration with the Information Commissioner's Office
Contact: privacy@clinbridgehealth.co.uk
ClinBridge Health is a clinical reference tool for staff training and education. It is not a medical device under UK MDR 2002 (as amended) and does not generate, process or store clinical decisions or patient-specific recommendations.
AI Clinical Assistant — Data Handling
The AI Clinical Assistant (Tier 3) processes the text of queries entered by users to generate clinical reference responses. Users must not enter patient names, NHS numbers, resident identifiers, or any personally identifiable information. Queries are not retained in identifiable form beyond the active session.
11. Children
ClinBridge Health is intended for adult healthcare professionals in registered care settings only. We do not knowingly collect personal data from individuals under 18. Contact us immediately if you believe a minor has registered an account.
12. Changes to This Policy
We will notify registered users by email of material changes and display a prominent notice on the platform. The "Last updated" date at the top reflects the most recent revision. Continued use following notice of changes constitutes acceptance.
13. Contact Us & Complaints
Data Protection Contact
Email: privacy@clinbridgehealth.co.uk
General enquiries: hello@clinbridgehealth.co.uk
Security incidents: security@clinbridgehealth.co.uk
Complaints to the ICO
If dissatisfied with our handling of your data, you may complain to the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We encourage you to contact us first to resolve any concern.