Skip to content
ZinqLeads

Compliance one-pager

Last reviewed 7 July 2026 · ZinqLeads

This page summarises how ZinqLeadsprotects the patient data it processes on behalf of your practice. It is written to support your evidence of good governance under CQC Regulation 17 — print it or show it to an inspector as a description of your missed-call recovery supplier's data handling. The contractual detail sits in the data processing agreement we sign with every practice before go-live.

At a glance

Data residency
Database hosted in London (AWS eu-west-2). Application served and processed in London (Vercel lhr1).
Encryption
AES-256 encryption at rest; TLS 1.2+ for all data in transit, including database connections.
Retention
Patient records deleted automatically 24 months after last activity (configurable per practice in the DPA).
Deletion
Automated daily purge, plus on-demand erasure of any individual patient record.
Roles
The practice is the data controller; ZinqLeads is its processor under a signed data processing agreement.
Patient opt-out
Reply STOP (or plain-language equivalents) suppresses the number permanently, effective immediately.

What ZinqLeads does, and the data it touches

ZinqLeadstexts back patients whose calls to the practice rang out, and follows up by SMS on the practice's behalf. To do that it processes: the patient's phone number, name where known, the treatment or reason enquired about, the SMS conversation itself, and — where a patient describes a symptom — a short urgency summary in the patient's own words. Symptom content is special category (health) data under UK GDPR Article 9 and is handled as described in our privacy notice. No clinical records are accessed: ZinqLeads does not connect to your practice management system or patient files.

Where data is stored and processed

The database holding leads, messages, and activity is hosted in the United Kingdom: London, AWS region eu-west-2. The application itself runs in London (Vercel region lhr1), so patient data is stored and processed in the UK by default.

Two functions rely on US-based providers: sending the SMS (telecoms provider) and drafting/triaging replies (AI provider). Where data leaves the UK for these providers it is transferred under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and each provider is bound by a data processing agreement. The named provider list is in your DPA and available to anyone on request.

Encryption

Data is encrypted at rest with AES-256 by our database host, and in transit with TLS 1.2 or higher on every connection — between the patient-facing site, the practice dashboard, the application, and the database (database connections require TLS; unencrypted connections are refused).

Retention and deletion

Patient records are deleted automatically 24 months after their last activity, by a purge that runs every day — the record, its message thread, and its activity history are removed together, and a deletion entry is written to the audit trail. A different retention period can be agreed per practice in the DPA.

Individual patients can be erased on demand at any time, for example to honour a UK GDPR erasure request. Where an identifier must survive for audit integrity (such as proof that an opted-out number was suppressed), the phone number is stored only as a one-way hash, so erasure leaves no recoverable personal data behind.

Patient opt-out

Every automated conversation honours opt-outs immediately and permanently. A reply of STOP (or a plain-language equivalent such as “please stop texting me”) suppresses that number for the practice: messaging ceases at once and the number cannot be re-contacted by the system, even by a future missed call. Follow-up messages carry “Reply STOP to opt out” wording.

Access control and auditability

Each practice's data is isolated to its own tenant: staff of one practice can never see another practice's patients. Significant events — messages sent, opt-outs, urgency flags, deletions — are recorded in a per-practice audit trail, so there is an answerable record of what the system did and when.

Incident response

If a personal data breach affects your practice's data, we notify you without undue delay after becoming aware of it, with the detail you need to meet your own 72-hour reporting duty to the ICO, and we assist with the investigation. This commitment is contractual, in the DPA.

How this supports CQC Regulation 17

Regulation 17 asks practices to maintain secure, accurate records and to assess and manage risks — including those arising from third-party suppliers. This page gives your practice, in one place: the supplier's data flows and storage locations, its encryption standards, its retention and deletion policy, its opt-out handling, its audit trail, and its breach-notification commitment. Together with your signed DPA it forms the due-diligence record for ZinqLeads that an inspector can be shown on request.

Questions

For the named sub-processor list, a copy of the DPA, or any other compliance question, email hello@zinqleads.com. We reply within one working day. See also our privacy notice and terms of service.