Privacy Policy
Last updated: May 2025
Who we are
MedAudit ("we", "us", "our") is a platform connecting clinicians and students at St George's University Hospitals NHS Foundation Trust with audit, quality improvement, and research projects. Our website is available at medaudit.co.uk.
For data protection purposes, MedAudit is the data controller. You can contact us at hello@medaudit.co.uk.
What data we collect
When you register and use MedAudit we collect:
- Account data — your name, email address, and password (stored securely via Supabase Auth)
- Profile data — role, specialty, year of training, GMC number, organisation, bio, and smartcard access status, where you choose to provide them
- Activity data — projects you create or apply to, messages you send, bookmarks, and notifications
- Communications — messages sent through the platform's messaging feature
- Contact form submissions — your name, email, and message when you use the contact form
Why we collect it and our legal basis
We process your data under the following legal bases (UK GDPR):
- Contract — to provide the platform services you sign up for
- Legitimate interests — to facilitate research collaboration between NHS staff and students, improve the platform, and send relevant project notifications
- Consent — for optional communications such as weekly project digest emails (you can unsubscribe at any time)
How we store your data
Your data is stored securely using Supabase (PostgreSQL database), hosted within the EU/UK. Passwords are hashed and never stored in plain text. All data in transit is encrypted via HTTPS/TLS.
Transactional emails (application notifications, project updates) are sent via Resend, a UK-compliant email delivery service.
Who we share your data with
We do not sell your data. Your profile information (name, role, specialty, bio) is visible to other registered users of the platform to facilitate collaboration. Your email address and GMC number are never displayed publicly.
We share data with the following third-party processors only to the extent necessary to operate the service:
- Supabase — database and authentication hosting
- Resend — transactional email delivery
- Vercel — website hosting
How long we keep your data
We retain your account and profile data for as long as your account is active. If you delete your account, your personal data will be removed within 30 days. Some anonymised activity records may be retained for platform analytics.
Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your personal data
- Restriction — ask us to limit how we use your data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email us at hello@medaudit.co.uk. We will respond within 30 days.
Cookies
MedAudit uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.
Changes to this policy
We may update this policy from time to time. We will notify registered users of significant changes via email. Continued use of the platform after changes are posted constitutes acceptance.
Contact and complaints
For any privacy-related questions, contact us at hello@medaudit.co.uk.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.