1. Who we are
RegisterCQC ("we", "us", "our") operates the website registercqc.co.uk and the RegisterCQC platform. We are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller contact: dpo@registercqc.co.uk
2. What data we collect
We collect the following categories of personal data:
- Account data: full name, email address, password (stored as a one-way hash), account type, and plan.
- Organisation data: organisation name, service type, address, and postcode that you provide when setting up a registration journey.
- Registration progress data: checklist responses, notes, tracker updates, and documents status you record within the platform.
- Payment data: transaction reference, plan purchased, and amount. Full card details are handled by Stripe and never stored on our servers.
- Usage data: pages visited, session data, and error logs for platform reliability.
- Communications: emails you send to us for support or queries.
3. Legal basis for processing
- Contract performance (Article 6(1)(b)): processing necessary to provide the service you have signed up for.
- Legitimate interests (Article 6(1)(f)): platform security, fraud prevention, and service improvement.
- Legal obligation (Article 6(1)(c)): financial record-keeping obligations.
- Consent (Article 6(1)(a)): marketing emails, where you have opted in.
4. How we use your data
- To provide, maintain, and improve the RegisterCQC platform
- To process payments and maintain billing records
- To send transactional emails (password reset, invite links, payment confirmations)
- To send milestone notifications about your registration progress
- To respond to support requests
- To detect and prevent fraud and abuse
- To comply with legal obligations
5. Who we share data with
We share data only with the following third-party processors, all operating under appropriate data processing agreements:
- Stripe Inc — payment processing (Stripe Privacy Policy: stripe.com/gb/privacy)
- Anthropic PBC — AI policy generation feature (data not used for model training per our API agreement)
- Hostinger — server hosting (EU-based or UK adequacy decision covered)
We do not sell personal data to third parties. We do not share data with advertisers.
6. Data retention
- Account and registration data: retained for the duration of your account plus 2 years after account closure, to allow reinstatement and comply with financial obligations.
- Payment records: retained for 7 years for VAT and accounting purposes.
- Session data: expires after 7 days of inactivity.
- Support emails: retained for 2 years.
7. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any right, email dpo@registercqc.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
8. Cookies
We use a single session cookie (strictly necessary) to keep you signed in. We do not use advertising, analytics, or third-party tracking cookies. See our Cookie Policy for full details.
9. Security
We implement appropriate technical and organisational measures including: bcrypt password hashing, HTTPS/TLS encryption, rate limiting on authentication endpoints, and HTTP security headers. No method of transmission is 100% secure; we notify you without undue delay if a breach affects your data.
10. Changes to this policy
We may update this policy. Material changes will be notified by email to registered users. Continued use after the effective date constitutes acceptance.
11. Contact
Data protection enquiries: dpo@registercqc.co.uk
General enquiries: hello@registercqc.co.uk