Back

Privacy Policy

Last updated: May 2025

Who we are

MedAudit ("we", "us", "our") is a platform connecting clinicians and students at St George's University Hospitals NHS Foundation Trust with audit, quality improvement, and research projects. Our website is available at medaudit.co.uk.

For data protection purposes, MedAudit is the data controller. You can contact us at hello@medaudit.co.uk.

What data we collect

When you register and use MedAudit we collect:

  • Account data — your name, email address, and password (stored securely via Supabase Auth)
  • Profile data — role, specialty, year of training, GMC number, organisation, bio, and smartcard access status, where you choose to provide them
  • Activity data — projects you create or apply to, messages you send, bookmarks, and notifications
  • Communications — messages sent through the platform's messaging feature
  • Contact form submissions — your name, email, and message when you use the contact form

Why we collect it and our legal basis

We process your data under the following legal bases (UK GDPR):

  • Contract — to provide the platform services you sign up for
  • Legitimate interests — to facilitate research collaboration between NHS staff and students, improve the platform, and send relevant project notifications
  • Consent — for optional communications such as weekly project digest emails (you can unsubscribe at any time)

How we store your data

Your data is stored securely using Supabase (PostgreSQL database), hosted within the EU/UK. Passwords are hashed and never stored in plain text. All data in transit is encrypted via HTTPS/TLS.

Transactional emails (application notifications, project updates) are sent via Resend, a UK-compliant email delivery service.

Who we share your data with

We do not sell your data. Your profile information (name, role, specialty, bio) is visible to other registered users of the platform to facilitate collaboration. Your email address and GMC number are never displayed publicly.

We share data with the following third-party processors only to the extent necessary to operate the service:

  • Supabase — database and authentication hosting
  • Resend — transactional email delivery
  • Vercel — website hosting

How long we keep your data

We retain your account and profile data for as long as your account is active. If you delete your account, your personal data will be removed within 30 days. Some anonymised activity records may be retained for platform analytics.

Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your personal data
  • Restriction — ask us to limit how we use your data
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests

To exercise any of these rights, email us at hello@medaudit.co.uk. We will respond within 30 days.

Cookies

MedAudit uses only essential cookies required for authentication and session management. We do not use advertising or tracking cookies.

Changes to this policy

We may update this policy from time to time. We will notify registered users of significant changes via email. Continued use of the platform after changes are posted constitutes acceptance.

Contact and complaints

For any privacy-related questions, contact us at hello@medaudit.co.uk.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.