Contents

  1. Who We Are
  2. What Personal Data We Collect
  3. How We Collect Your Data
  4. How We Use Your Data
  5. Legal Basis for Processing
  6. Who We Share Your Data With
  7. How Long We Keep Your Data
  8. Your Rights Under UK GDPR
  9. Cookies
  10. Data Security
  11. International Data Transfers
  12. Children's Privacy
  13. Changes to This Policy
  14. Contact & Complaints

Last updated

18 May 2025

UK GDPR Compliant

Privacy Policy

This policy explains how Quiet Medical Ltd ("Quiet", "we", "us", "our") collects, uses, and protects your personal data when you use our platform at quietmedical.co.uk. We are committed to handling your data lawfully, transparently, and securely.

Section 1

Who We Are

Quiet Medical Ltd is the data controller for personal data collected through this platform. We operate quietmedical.co.uk — a compliance and matching platform for NHS locum doctors and recruitment agencies in the UK.

We were formerly known as WhatTheBleep Ltd. Our registered address is: 37-40 Church Gate, Loughborough, LE11 1UE, England.

For data protection enquiries, contact us at: privacy@quietmedical.co.uk

Section 2

What Personal Data We Collect

For Doctors

  • Identity data: full name, GMC number, date of birth
  • Contact data: email address, phone number
  • Professional data: specialty, grade, years of UK experience, location preferences
  • Compliance documents: certificates, DBS checks, occupational health records, appraisal records (stored in your Digital Compliance Vault)
  • Document expiry dates and notification preferences
  • Subscription and billing data (payment handled by Stripe — we do not store card details)
  • Platform usage data: login times, features used, notifications read

For Agencies

  • Agency name, registration details, contact information
  • Recruiter names and email addresses
  • Matching preferences: specialties, grades, locations
  • Subscription and billing data
  • Platform usage data

For All Users

  • Authentication data (email address and a hashed password; we do not store the password itself)
  • Technical data: IP address, browser type, device type, session tokens
  • Communication data: messages sent via the platform's chat feature
  • Cookie and analytics data (see Section 9)

Section 3

How We Collect Your Data

  • Directly from you — when you register, complete your profile, upload documents, or contact us
  • Automatically — when you use the platform (login events, page views, feature interactions)
  • From third parties — Stripe (payment status), authentication providers (if you use SSO)

Section 4

How We Use Your Data

  • To provide and maintain your account and the platform's core features
  • To match doctors with suitable agencies (anonymised matching for Base tier; named matching for Pro/Advanced)
  • To send document expiry reminders and compliance notifications
  • To process subscription payments via Stripe
  • To improve the platform through aggregated, anonymised usage analytics
  • To respond to support requests and enquiries
  • To comply with our legal obligations (including anti-money laundering and fraud prevention)
  • To enforce our Terms & Conditions

We do not sell your personal data to third parties. We do not use your data for automated decision-making that produces legal or similarly significant effects.

Section 6

Who We Share Your Data With

  • Agencies — your professional profile is shared with matched agencies according to your tier settings. Base tier doctors are shown anonymised (blurred). Pro/Advanced doctors are visible by name.
  • Stripe — payment processing. Stripe is PCI DSS compliant. We share only what is necessary to process your subscription.
  • Supabase — our database and authentication infrastructure provider. Data is stored in the EU.
  • Vercel — our hosting provider. Processes request data in accordance with their DPA.
  • Legal authorities — if required by law, court order, or to protect the rights and safety of users.

We never share your compliance documents with agencies without your explicit action (e.g. clicking "Share Document").

Section 7

How Long We Keep Your Data

  • Account data — retained while your account is active and for 2 years after account closure
  • Compliance documents — retained while you hold an account; deleted within 30 days of account closure (unless you download them first)
  • Payment records — retained for 7 years as required by HMRC
  • Platform logs — retained for 90 days for security monitoring
  • Chat messages — retained for 12 months after the conversation ends

You may request early deletion of your data at any time (see Section 8).

Section 8

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — request a copy of the data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data ("right to be forgotten")
  • Right to restrict processing — ask us to pause processing of your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on consent, withdraw at any time

To exercise any of these rights, email us at privacy@quietmedical.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk or call 0303 123 1113.

Section 9

Cookies

We use the following cookies:

  • Strictly necessary cookies — session authentication tokens required for the platform to function. These cannot be disabled.
  • Analytics cookies — anonymised usage data to help us improve the platform. You can opt out via your browser settings.

We do not use advertising or tracking cookies. We do not share cookie data with third-party advertisers.

Section 10

Data Security

We take data security seriously and apply the following measures:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access to production data is restricted to authorised personnel only
  • Passwords are never stored in plain text — we use bcrypt hashing via Supabase Auth
  • API keys and service credentials are stored as environment variables, never in source code
  • Regular security reviews and dependency updates

In the event of a personal data breach that poses a risk to your rights, we will notify the ICO within 72 hours and affected users without undue delay.

Section 11

International Data Transfers

Our primary database (Supabase) stores data within the EU. Some service providers (e.g. Vercel, Stripe) may process data in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO.

Section 12

Children's Privacy

Our platform is intended for medical professionals and is not directed at anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@quietmedical.co.uk.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of any material changes by email or via an in-app notification at least 14 days before the change takes effect. The "Last updated" date at the top of this page will always reflect the current version.

Continued use of the platform after the effective date constitutes acceptance of the updated policy.

Section 14

Contact & Complaints

For any data protection queries, subject access requests, or complaints:

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint