Last updated: 25 April 2026
Clinq ("we", "us", "our") provides booking, messaging, and payment software to UK general practitioner (GP) practices. The service is operated from clinq.online.
For patient-related personal data, the GP practice using our software is the data controller under the UK GDPR, and we act as a data processor on their behalf. For data we collect directly from practice staff who use our dashboard (e.g. their login credentials), we are the data controller.
On behalf of the GP practice, we process:
For practice staff who use the dashboard we process: name, email address, hashed password, two-factor authentication secret, IP address and basic device metadata for session security.
Patient data is processed on the lawful basis the GP practice relies on for providing healthcare to that patient — typically "provision of health or social care" under Article 9(2)(h) UK GDPR, with consent for the use of the WhatsApp channel.
Staff data is processed under our legitimate interest in operating the service, and where necessary for contract performance.
Application data is stored on encrypted databases hosted on infrastructure located in the United Kingdom. Patient personal identifiers are encrypted at rest with per-practice keys.
Media files are stored on Cloudflare R2 in UK/EU regions, or on the practice's own R2 bucket if they have configured one.
WhatsApp messages transit through the Meta WhatsApp Cloud API. Payment data is handled by Stripe Inc. and Stripe Payments UK Ltd. Transactional email is sent via Resend. These sub-processors have their own privacy policies which apply to their handling of the data.
Patient messages, bookings, and media are retained for as long as the GP practice instructs us to retain them, in line with their own clinical record retention policy. On request from the practice we will delete or export the data.
Staff account data is retained while the account is active and for up to 90 days after account closure for audit and dispute resolution.
Under UK GDPR you have the rights of access, rectification, erasure, restriction of processing, and portability, and the right to object to processing. For patient data, please direct your request to the GP practice, who as data controller will instruct us. For staff account data, please email privacy@clinq.online.
For the specific procedure to request deletion of your data, see our data deletion instructions.
You can also lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
We take appropriate technical and organisational measures to protect personal data: encryption at rest, TLS in transit, two-factor authentication for staff logins, per-tenant isolation of patient data, and least-privilege access controls.
We use strictly necessary cookies for session management on the staff dashboard and for fraud prevention on the patient booking pages (Google reCAPTCHA v3). We do not use advertising or analytics cookies that require consent.
We will update the "last updated" date above when we make changes. Material changes will also be communicated to practice administrators by email.
Questions about this policy: privacy@clinq.online.