Privacy Policy
Version 2026-06-02.v4 · Effective immediately · Last reviewed by the Qlinniq Data Protection Officer.
1. Who we are
Qlinniq is a mental-health intake and care-coordination platform (the “platform”, “we”, “us”) used to deliver mental-health services to patients in the United Kingdom and the United States. This policy describes what information we collect from you, why we collect it, who has access to it, how long we keep it, and the rights you have over it.
We act as the data controller for UK and EU/EEA patients, and as a HIPAA covered entity / business associate for US patients whose protected health information (PHI) we process. Our Data Protection Officer (DPO) and privacy contact is reachable at dpo@qlinniq.com and via the DPO page.
2. Information we collect
- Identity details (ITS ID, name, gender, date of birth, contact details, country, language preference).
- Clinical inputs you provide on the intake forms (presenting concerns, symptom severity, safety screening, PHQ-9 / GAD-7 responses, current medications, attachments you upload).
- Operational records from your care episodes (visits, sessions, follow-up tasks, notification delivery status).
- Audit logs of every action taken on your record by you, our administrators, and our clinicians.
- For minors (under 18 years), the identity of the consenting parent or legal guardian.
The intake form, PHQ-9 / GAD-7, and any clinical content you provide are special category data under GDPR Art. 9 (data concerning health, including mental health) and, for US patients, protected health information (PHI) under HIPAA.
3. Why we process your data (purposes & legal basis)
The table below maps each purpose to its lawful basis under GDPR Art. 6 and, where the data is special category, its additional basis under Art. 9. For US patients, the same processing is carried out for treatment, payment, and health care operations as permitted by the HIPAA Privacy Rule. Full detail per processing activity is recorded in our Records of Processing Activities.
| Purpose | Art. 6 basis | Art. 9 basis |
|---|---|---|
| Identity verification + account creation | (b) Contract | n/a |
| Intake screening (PHQ-9, GAD-7, presenting concerns) | (a) Explicit consent | (a) Explicit consent; (h) provision of healthcare |
| Clinical care delivery (visits, sessions, notes) | (b) Contract + (c) Legal obligation (applicable healthcare law) | (h) provision of healthcare |
| Appointment reminders & transactional notifications | (b) Contract | (h) where care-related |
| Optional outreach (research, programmes, surveys) | (a) Consent — opt-in | n/a (no special category) |
| Audit logging + security monitoring | (c) Legal obligation + (f) Legitimate interest | (h) where the data being audited is health data |
| Error monitoring (Sentry) | (f) Legitimate interest — system reliability | n/a (PII scrubbed before send) |
4. Who has access to your data
Inside the clinic, access is role-gated and least-privilege. Only the providers assigned to your care, the triage team, and a small number of administrators can read your record. Every read is logged. For US PHI we apply the HIPAA minimum-necessary standard.
Outside the clinic, we share the minimum data necessary with a small set of sub-processors (business associates) that help us deliver the service (notification delivery, error monitoring, hosting). The full list, with region and transfer safeguards, is published at /legal/subprocessors. We do not sell, rent, or share your data with advertisers, and we do not use PHI for marketing without your authorization.
5. Where your data is stored & international transfers
Patient data is hosted in-region: data for US patients is stored in AWS us-east-1 (United States) and data for UK and EU/EEA patients is stored in AWS eu-west-2 (London). Patient records do not leave their region for primary storage. Amazon Web Services acts as a hosting sub-processor under a HIPAA Business Associate Agreement (BAA) for US PHI and under GDPR-compliant data processing terms for UK/EU data.
To deliver SMS messages and transactional emails we use US-based processors. The table below names each one, the data category they receive, and the transfer safeguard that applies when UK/EU personal data is sent to them.
| Processor | Purpose | Data sent | Region | Transfer safeguard |
|---|---|---|---|---|
| Twilio | SMS reminders & OTPs | Phone number, message text | United States | UK IDTA / EU 2021 SCCs Module 2 + TIA; HIPAA BAA |
| Resend | Transactional email | Email address, message content | United States | UK IDTA / EU 2021 SCCs Module 2 + TIA |
| Sentry | Error monitoring | Anonymised error payloads only — PII scrubbed before transmission | United States | UK IDTA / EU 2021 SCCs Module 2 + contractual scrubbing |
US patients. Your PHI stays within the United States and is processed by us and our business associates under signed BAAs in accordance with the HIPAA Privacy and Security Rules.
UK & EU/EEA residents. Where your personal data is transferred to a processor outside the UK/EEA, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses, together with a transfer impact assessment. You may obtain a copy of the clauses applicable to any transfer by writing to our DPO at dpo@qlinniq.com.
6. How long we keep your data
Retention periods are set out in the separate Data Retention & Deletion Policy. When you withdraw your account, we anonymise identifying information within 30 days; clinical records are kept for the statutory medical-records retention period applicable to your region (for example, US HIPAA-related requirements and UK medical-records retention guidance) and then hard-deleted.
7. Your rights
You have the following rights regarding personal data we hold about you. Most are self-service from your profile page; for anything that cannot be self-served, write to our DPO.
- Access (GDPR Art. 15 / HIPAA right of access). Download a complete copy of every record we hold about you from your profile (“Export my data”).
- Rectification / amendment (GDPR Art. 16 / HIPAA right to amend). Submit a correction request from your profile; an administrator will review.
- Erasure (GDPR Art. 17 — “right to be forgotten”). Withdraw your account. Identifiers are anonymised within 30 days. Clinical records may be retained per applicable medical-records rules; once the retention window elapses they are hard-deleted.
- Restriction (GDPR Art. 18 / HIPAA request for restriction). Ask us to pause or restrict processing of your data.
- Portability (GDPR Art. 20). Receive your data in a structured, machine-readable format — JSON export and an HL7 FHIR R4 Patient Bundle are both available from your profile.
- Object (GDPR Art. 21). Object to processing based on legitimate interest. Marketing objections are honoured immediately.
- Withdraw consent (GDPR Art. 7(3)). Where processing is based on consent, you can withdraw at any time without affecting prior lawful processing.
- Accounting of disclosures (HIPAA). US patients may request an accounting of certain disclosures of their PHI.
- Lodge a complaint. In the UK, the Information Commissioner’s Office (ICO); in the EU/EEA, your local supervisory authority; in the US, the U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR).
8. Automated decision-making
Qlinniq suggests appropriate providers to the triage team based on your intake profile (age category, preference, language, modality). The final assignment is always made by a human administrator. This is not automated individual decision-making under GDPR Art. 22.
9. Children
For patients under 18 years of age, a parent or legal guardian must provide consent and be present at the time of the appointment. The guardian’s acknowledgement is recorded with the patient record. Where the patient is 12–18, we may also seek the patient’s assent in addition to the guardian’s consent.
10. Security
- HTTPS/TLS for all browser traffic.
- Role-based access control with least-privilege defaults; every clinical-data read is audited.
- Multi-factor authentication enforced for administrative and clinical roles.
- Encryption at rest on the database; password reset tokens stored as SHA-256 hashes.
- Audit logs scrubbed of IP / user-agent at 6 years and pruned at 7 years.
- Sentry PII scrubbing on the server before any error event leaves the host.
- HIPAA Security Rule administrative, physical, and technical safeguards for US PHI.
11. Breach response
In the event of a personal-data breach affecting UK/EU data subjects, we notify the lead supervisory authority (in the UK, the ICO) within 72 hours of becoming aware where required (GDPR Art. 33), and affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34). For US patients, we comply with the HIPAA Breach Notification Rule: affected individuals are notified without unreasonable delay and no later than 60 days, HHS is notified, and the media is notified for breaches affecting more than 500 residents of a state or jurisdiction.
12. Cookies & tracking
See the separate Cookies & Tracking page for the full list of cookies, their purposes, and how to change your preferences.
13. Is providing your data mandatory?
Providing identity and intake information is a contractual requirement; without it we cannot provide care. Providing optional outreach consent is, by definition, optional, and declining has no effect on the care you receive.
14. Changes to this policy
Material changes bump the version above and trigger a re-consent prompt at next login. Minor clarifications are versioned but do not re-prompt.
15. Contact
For any privacy concern, write to the DPO at dpo@qlinniq.com or via the contact card at /legal/dpo. For general support write to privacy@qlinniq.com.