Privacy Policy

Last updated: 23 March 2026

1. Introduction

OroMiQ Ltd, a company registered in England and Wales (company number 17083358) with its registered office at Bank Gallery, 13 High Street, Kenilworth, CV8 1LY ("OroMiQ", "we", "us", or "our"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the OroMiQ platform, website, and associated services (the "Service").

OroMiQ Ltd is the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data We Collect

2.1 Account Information

When you create an account or are invited to join, we collect:

  • Full name
  • Email address
  • Password (stored in hashed form)
  • Organisation name and details
  • Role within your organisation

2.2 Billing Information

Payment processing is handled by Stripe. We do not store your full card details. We receive and store a Stripe customer identifier and basic payment metadata (plan type, billing dates, invoice history).

2.3 Usage Data

We collect information about how you interact with the Service, including:

  • Pages and features accessed
  • Search queries within the platform
  • Dashboard configurations and preferences
  • Watchlist and portfolio selections
  • Notes and annotations you create

2.4 Technical Data

We automatically collect:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Referring URLs
  • Session duration and timestamps

2.5 Regulatory Data

The Service processes publicly available data from regulatory bodies such as the Care Quality Commission (CQC). This data relates to regulated care providers and locations, not to individual service users. We do not collect or process personal data of care home residents or service users.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery: To provide, maintain, and improve the OroMiQ platform and your account.
  • Authentication: To verify your identity and manage access to your account and organisation.
  • Billing: To process payments, manage subscriptions, and issue invoices.
  • Communication: To send you service-related notifications, updates, and support responses.
  • Analytics: To understand how the Service is used and to improve features, performance, and user experience.
  • Security: To detect, prevent, and respond to security incidents, fraud, or abuse.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract: Processing necessary to perform our contract with you (providing the Service, managing your subscription).
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, analytics, and security, where these do not override your rights.
  • Consent: Where you have given specific consent, such as for analytics cookies (Google Analytics) or marketing communications. You may withdraw consent at any time.
  • Legal obligation: Where we are required to process data to comply with a legal obligation.

5. Data Sharing

We do not sell your personal data. We may share your data with:

  • Stripe: Our payment processor, for billing and subscription management.
  • Google: We use Google Analytics 4 (GA4) to analyse how the Service is used. GA4 collects anonymised usage data such as pages visited, session duration, and general location (country/region). Google may process this data on servers outside the United Kingdom. Analytics cookies are only set after you provide consent via our cookie banner. For more information, see Google's Privacy Policy.
  • Hosting providers: Cloud infrastructure providers who host the Service, subject to appropriate data processing agreements.
  • Your organisation: If you are part of a team, your name, email, and role are visible to administrators within your organisation.
  • Legal requirements: Where required by law, regulation, or legal process.

6. Data Retention

We retain your personal data in accordance with the following periods:

  • Account data: Retained for as long as your account is active. If you cancel your subscription, account data is retained for 90 days to allow reactivation, after which it is permanently deleted.
  • Billing records: Retained for 7 years from the date of the transaction, as required by UK tax and accounting regulations (HMRC).
  • Usage and analytics data: Retained for 14 months. Google Analytics data retention is configured to 14 months, after which it is automatically deleted by Google.
  • Session data: Authentication sessions expire automatically and are purged from our systems upon expiry.
  • Support correspondence: Retained for 2 years from the date of your last interaction.

Where you exercise your right to erasure (see Section 8), we will delete your personal data within 30 days, except where retention is required by law.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit and at rest, access controls, and regular security reviews.

8. Your Rights

Under UK GDPR, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data, subject to legal and contractual obligations.
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Data portability: Request a copy of your data in a structured, commonly used format.
  • Objection: Object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us via our help centre. We will respond within one month.

9. Cookies

The Service uses the following types of cookies:

9.1 Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled. They include:

  • Authentication cookies: Used to maintain your login session and verify your identity across requests.
  • Cookie consent cookie: Records your cookie preferences so that we do not ask you again on each visit.

9.2 Analytics Cookies

With your consent, we use Google Analytics 4 (GA4) to collect anonymised data about how the Service is used. These cookies help us understand which features are most popular, how users navigate the platform, and where we can improve.

Analytics cookies used by GA4 include:

  • _ga: Distinguishes unique users. Expires after 2 years.
  • _ga_*: Maintains session state. Expires after 2 years.

Analytics cookies are only set after you provide consent via our cookie banner. If you decline, no analytics cookies will be placed and no usage data will be shared with Google. You can change your preference at any time by clearing your cookies and revisiting the Service.

We do not use advertising cookies, remarketing cookies, or any other third-party tracking cookies.

10. International Transfers

Your data may be processed in countries outside the United Kingdom where our hosting providers operate. Where this occurs, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office.

11. Children

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.

13. Contact

If you have any questions about this Privacy Policy or how we handle your data, please contact us via our help centre.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.