Privacy Policy

Last updated: 14 May 2026

360 Compliance Ltd (“we”, “us”, “our”) is committed to protecting your personal data. This policy explains what data we collect, why we collect it, how we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Data Controller: 360 Compliance Ltd

Contact: info@360compliance.co.uk

Phone: +44 7999 367999

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is available on request.

2. Data we collect

2.1 Client organisation users (portal accounts)

  • Name, email address, phone number
  • Job title and employment position
  • IP address and browser information (for security and audit logging)
  • Session data (automatically deleted after 8 hours)

2.2 Staff compliance records (special category data)

On behalf of client organisations, we process the following categories of data about their staff members:

  • DBS certificates — certificate number, type, issue and expiry dates (criminal records data under Article 10 UK GDPR)
  • Right to Work documents — passport scans, visa documents, biometric residence permits (biometric data under Article 9 UK GDPR)
  • Immunisation records — vaccine history, dates, certificates (health data under Article 9 UK GDPR)
  • Proof of Address — utility bills, bank statements, council tax letters
  • CVs and employment references — employment history, referee contact details
  • Staff appraisals — performance records, development actions, e-signatures

2.3 Public survey respondents

When you complete a public survey created by one of our client organisations, we collect your survey responses and, for spam prevention purposes, your IP address and browser information. We do not collect your name or email address.

2.4 Website visitors

We do not use tracking cookies or analytics tools on our website. We do not collect personal data from visitors who do not contact us or create an account.

3. Legal basis for processing

Contract (Article 6(1)(b))

Managing portal accounts, delivering our compliance services, processing staff HR records on behalf of client organisations.

Legal obligation (Article 6(1)(c))

Maintaining audit logs for CQC Regulation 17 compliance (7-year retention), processing DBS and Right to Work data under safeguarding and immigration legislation.

Legitimate interests (Article 6(1)(f))

Security monitoring, fraud prevention, IP address collection on public surveys to prevent spam.

For special category data (health, biometric, criminal records), we rely on Article 9(2)(b) — processing necessary for employment law obligations — and Article 9(2)(g) — substantial public interest (safeguarding).

4. Who we share data with

We do not sell personal data. We share data only with the following processors, each bound by a Data Processing Agreement:

Processor             Purpose                            Location
Neon (PostgreSQL)     Database hosting                   UK (London)
Cloudflare R2         File storage (documents, images)   EU (jurisdiction-locked)
Vercel                Application hosting                UK (London)
Resend                Transactional email delivery       EU

All processors are located in the UK or EU. No personal data is transferred to countries outside the UK/EU.

5. How long we keep your data

Data                             Retention period
Audit logs                       7 years (CQC Regulation 17)
Policy acknowledgements          7 years (CQC Regulation 17)
DBS certificate metadata         Duration of employment
Right to Work documents          2 years after employment ends
Immunisation records             Duration of employment
Staff appraisals                 6 years
CVs and employment references    Duration of employment
Session data                     8 hours (automatic deletion)
Invitation records               30 days after acceptance or revocation
Public survey responses          2 years

6. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data, subject to legal retention obligations (see Section 5)
  • Restriction — limit how we process your data
  • Portability — receive your data in a machine-readable format
  • Object — object to processing based on legitimate interests

To exercise any of these rights, contact us at info@360compliance.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.

7. Security

We implement appropriate technical and organisational measures to protect personal data, including encrypted sessions (AES-256-GCM), role-based access controls, tenant isolation, presigned URLs for sensitive file access, and comprehensive audit logging. All sensitive documents are stored in a private encrypted bucket and never exposed directly.

8. Changes to this policy

We may update this policy from time to time. We will notify registered users of material changes by email. The “last updated” date at the top of this page reflects the most recent revision.