Privacy Policy
Effective Date: 24 September 2025
Last Updated: 24 September 2025
Version: 1.0
This Privacy Policy explains how CG-360 ("we", "us", or "our") collects, uses, and protects personal data when you use our website, platform and related services (the "Service"). CG-360 is an AI-powered care home compliance platform designed to help care providers maintain regulatory compliance and manage operational documentation. We are committed to protecting your privacy and handling personal data transparently and securely in accordance with applicable data protection laws, including the UK GDPR and Data Protection Act 2018. Please read this policy carefully.
1. Data We Collect
We collect data necessary to provide the Service. Types of personal data we may collect include:
- Account and contact details: name, email, phone, job title, and professional qualifications.
- Organisation details: business name, address, CQC registration number, payment and billing information.
- Staff and resident data: staff records, training information, care plans, and compliance documentation you upload (you remain the data controller for this information).
- Usage data: login times, feature usage, device information, IP address, and analytics from your use of the Service.
- Communication data: emails, support tickets, and feedback you send to us.
- AI interaction data: queries submitted to our AI assistant and responses generated.
We do not intentionally collect or store sensitive health data such as full resident health records as part of our standard Service. If you choose to upload sensitive information, you must ensure you have the appropriate lawful basis and consents to do so. You remain the data controller for any personal data you upload to the platform.
2. AI Data Processing
CG-360 uses artificial intelligence to provide compliance assistance and document analysis. Our AI processing includes:
- Document analysis and categorization of uploaded compliance documents.
- Automated compliance checking against CQC standards and regulatory requirements.
- Intelligent search and retrieval of relevant policies and procedures.
- Generation of compliance reports and audit evidence packs.
- Natural language queries about compliance requirements and best practices.
We use Google AI (Gemini) and OpenAI services for AI processing. Data processed by AI services is used solely for providing the Service and is not used to train general AI models without your consent. You can opt out of AI processing by contacting us.
3. How We Use Personal Data
We process personal data for the following primary purposes:
- To provide, operate and maintain the Service and related features, including AI-powered compliance assistance.
- To manage accounts, billing and subscriptions, including payment processing.
- To provide customer support and respond to enquiries about compliance and platform usage.
- To improve the Service, perform analytics, and detect abuse or fraud.
- To comply with legal obligations and protect our legal rights.
- To send service-related communications, including security alerts and compliance reminders.
- To analyse usage patterns and improve our AI models for better compliance assistance.
4. Legal Basis for Processing
Under applicable UK data protection law, we rely on one or more of the following legal bases to process personal data:
- Performance of a contract: processing necessary to provide the Service and fulfil our contract with you.
- Legal compliance: processing necessary to comply with a legal obligation, including CQC regulatory requirements.
- Legitimate interests: where processing is necessary for our legitimate interests and does not override your rights (e.g., fraud detection, service improvement, security monitoring).
- Consent: where we ask for and rely on your consent for specific processing activities (e.g., marketing communications, AI processing).
5. Data Sharing & Third Parties
We may share personal data with the following categories of recipients:
- Service providers: Google Cloud Platform (hosting, Firebase services), Google AI (Gemini), OpenAI, Mailgun (email delivery), and Stripe (payment processing).
- Professional advisors: lawyers, auditors, and consultants where required to obtain legal advice or perform audits.
- Authorities: regulatory bodies such as the CQC, or law enforcement where required by law or to protect rights and safety.
We do not sell personal data to third parties. We require our processors to provide an appropriate level of protection and only to use personal data in accordance with our instructions. Our subprocessors include:
- Google Cloud Platform (EU region)
- Google AI (processed in accordance with their privacy policies)
- OpenAI (processed in accordance with their privacy policies)
- Mailgun (EU region)
- Stripe (PCI DSS compliant)
6. International Transfers
Personal data may be processed or stored outside the UK/EU. When we transfer data internationally we use appropriate safeguards:
- Google Cloud Platform: Data is stored in EU regions with EU-standard contractual clauses.
- Google AI and OpenAI: Data processing occurs in accordance with their respective privacy policies and data protection agreements.
- All transfers are made in compliance with UK GDPR requirements for international data transfers.
Contact us for more details about specific transfers and applicable safeguards.
7. Data Retention
We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes and enforce our agreements. Our retention periods are:
- Account data: Retained for the duration of your account plus 7 years for legal compliance.
- Usage logs: Retained for 2 years for security and analytics purposes.
- Payment data: Retained for 7 years for tax and accounting purposes.
- AI interaction data: Retained for 1 year for service improvement, unless you opt out.
- Uploaded documents: Retained according to your account settings and legal requirements.
You can request deletion of your data at any time, subject to legal retention requirements.
8. Cookies and Tracking
We use cookies and similar tracking technologies to operate the Service and provide analytics. We use Google Analytics (GA4) to understand how people use the Service; you can opt out by disabling analytics cookies or using your browser's tracking prevention features.
- Essential cookies: Required for platform functionality, authentication, and security.
- Analytics cookies: Help us understand how you use the Service to improve performance.
- AI functionality cookies: Enable AI-powered features and compliance assistance.
- Third-party cookies: Used by Google Analytics, Firebase, and AI service providers.
You can manage cookie preferences via your browser settings or our cookie consent banner. Some features may not function properly without certain cookies.
9. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Access controls, multi-factor authentication, and role-based permissions.
- Regular security assessments, penetration testing, and vulnerability scanning.
- Secure backup and disaster recovery procedures.
- Employee training on data protection and security practices.
No system is perfect — if we become aware of a personal data breach we will notify affected parties and regulators as required by law within 72 hours.
10. Automated Decision Making
We use automated processing to provide compliance assistance and document analysis. This includes:
- Automated compliance checking against regulatory standards.
- AI-powered document categorization and analysis.
- Risk scoring for compliance gaps and issues.
You have the right to obtain human intervention, express your point of view, and contest automated decisions. Contact us if you wish to exercise these rights.
11. Your Rights
Subject to local law, individuals may have rights including:
- Right to access: Request a copy of personal data we hold about you.
- Right to rectification: Request correction of inaccurate data.
- Right to erasure: Request deletion of your data in certain circumstances.
- Right to restrict processing: Request limitation of how we process your data.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision making: Obtain human intervention and contest automated decisions.
To exercise your rights, contact us at support@cg360.co.uk. We will respond to requests within 30 days and may require verification of your identity.
12. Children
Our Service is not directed to children under 13. We do not knowingly collect personal data from children under 13. If you believe we have collected personal data from a child, please contact us immediately.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the effective date. Where required by law we will provide additional notice of material changes via email or platform notification.
14. Contact Us
If you have questions or requests regarding this Privacy Policy or our data practices, please contact:
Data Protection Officer: Jamie Mason Wright
Email: support@cg360.co.uk
Address: [Company Address to be inserted]
Phone: [Contact number to be inserted]
We will respond to privacy-related enquiries within 30 days.
