Privacy Policy & GDPR Compliance

1. Introduction & GDPR Commitment

NHSCareHub ("we", "us", "our") is committed to protecting your privacy in full compliance with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, disclose, and safeguard your information.

2. Information We Collect

We collect the following categories of personal data:

• Identity Data: Name, email, phone, date of birth, NHS number, professional registration
• Professional Data: Job title, department, qualifications, certifications, CV
• Document Data: Uploaded CVs, credentials, compliance assessments
• Device Data: IP address, browser type, device identifiers
• Usage Data: Pages visited, time spent, interactions with services
• Consent Data: Marketing preferences, GDPR consent records

3. Legal Basis for Processing (Article 6 GDPR)

We process your personal data under the following legal bases:

• Consent: When you explicitly opt-in to communications or services
• Contract: To perform services you have requested (job applications, document downloads)
• Legal Obligation: To comply with healthcare regulations and legislation
• Legitimate Interests: To improve services, prevent fraud, ensure security

4. Your GDPR Rights

Under GDPR, you have the following rights:

• Right of Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Correct inaccurate personal data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing (Article 18): Limit how we use your data
• Right to Data Portability (Article 20): Receive your data in a structured format
• Right to Object (Article 21): Object to certain types of processing
• Right to Withdraw Consent: Withdraw consent at any time without penalty

5. Data Sharing & International Transfers

We do not sell your personal data. We may share your information with:

• Healthcare employers when you apply for positions
• Service providers assisting in platform operations
• Government bodies when required by law
• Law enforcement with proper legal authority

All data processing occurs within the UK/EEA. Any international transfers comply with GDPR Chapter 5 safeguards.

6. Data Security & Protection

We implement industry-standard security measures including:

• End-to-end encryption for all data in transit (TLS 1.3)
• AES-256 encryption for data at rest
• Regular security audits and penetration testing
• Access controls and authentication mechanisms
• Regular backup and disaster recovery procedures

7. Data Retention

We retain personal data for as long as necessary to provide services and comply with legal obligations. Typically:

• Active account data: Retained while account is active
• Historical data: Retained for 6 years for audit purposes
• Consent records: Retained for 3 years after withdrawal
• You can request deletion subject to legal requirements

8. Cookies & Tracking

We use cookies to enhance your experience. Essential cookies cannot be disabled. You can manage cookie preferences through your browser settings. All cookies are GDPR compliant and require consent.

9. Data Breach Notification

In the event of a personal data breach that poses a risk, we will notify affected individuals within 72 hours as required by GDPR Article 33, along with information about remediation steps.

10. Data Protection Officer & Contact

11. Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have violated your GDPR rights. Contact: ico.org.uk