Last updated: 9 June 2026
1. Who we are
OffNook ("we", "us", "our") is an independent, non-commercial calendar tool that helps NHS doctors and other healthcare professionals record their personal work patterns and share them with one partner of their choosing. We are not affiliated with, endorsed by, or operated on behalf of the National Health Service (NHS), any NHS Trust, Health Board, the General Medical Council (GMC), or any employer.
For the purposes of the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 ("DPA 2018") and the EU General Data Protection Regulation (Regulation (EU) 2016/679, "EU GDPR"), the controller of personal data processed through this service is the operator of this OffNook deployment, contactable at aimen.8250@gmail.com.
2. Scope of this policy
This policy describes how we collect, use, store, share and protect personal data when you use the OffNook website and any related services (together, the "Service"). It applies to all users, whether you access the Service from the United Kingdom, the European Economic Area ("EEA"), or elsewhere.
3. Personal data we collect
We process the following categories of personal data:
- Account data: your email address, an internal user identifier, and, where you use a third-party sign-in provider (such as Google), the basic profile information that provider returns (name, profile picture URL).
- Profile data: any optional information you choose to enter, such as your display name, grade (e.g. FY1, ST3, Consultant) and specialty. We do not ask for, and you should not enter, your GMC number, NHS smartcard number, employer payroll number, home address or any other identifier we do not need.
- Shift data: the dates, times, types (e.g. long day, night, on call, leave) and optional notes/locations you record for your own work pattern. This is personal data about your working time. It is not, and must not be used as, a clinical record.
- Partnership data: the invite code you generate, the email address (if any) you restrict an invite to, and the user identifier of the partner you successfully pair with.
- Technical data: minimal information required to operate the Service securely, including authentication tokens stored in your browser, IP address as seen by our hosting provider, request timestamps, and error/diagnostic logs.
What we do not collect: we do not collect patient data, clinical notes, identifiable patient information, your salary, your bank details, your location, or any biometric data. Do not enter any patient-identifiable information into the Service. Any such entry is a breach of these terms and, potentially, of your professional and legal obligations.
4. Special category data
Shift patterns can in some circumstances reveal information about a worker (for example, patterns of absence). We do not treat shift labels themselves as special category data under Article 9 UK GDPR / EU GDPR. However, you should not record health information, information about your sex life, religious observance, trade-union membership, racial or ethnic origin, or political opinions in free-text fields. If you choose to do so, you consent (Article 9(2)(a)) to us storing that information solely so that we can display it back to you and your paired partner. You can withdraw that consent at any time by deleting the relevant entry.
5. How we use personal data and our lawful basis
| Purpose | Lawful basis (UK/EU GDPR Art. 6) |
|---|---|
| Creating and authenticating your account | Contract (Art. 6(1)(b)) – to provide the Service you requested |
| Storing and displaying the shifts you record | Contract (Art. 6(1)(b)) |
| Sharing your shifts with the partner you have paired with | Consent (Art. 6(1)(a)) – given by completing the pairing flow |
| Protecting the Service against fraud and abuse, keeping logs | Legitimate interests (Art. 6(1)(f)) – to operate a secure Service |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where our lawful basis is consent, you can withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. Where our lawful basis is legitimate interests, we have carried out a balancing test and concluded that the processing is not overridden by your rights and freedoms. You can ask for a copy of that assessment by contacting us.
6. Sharing with a paired partner
Pairing is an explicit, mutual action. Until both users have accepted, no shift data is shared. Once paired, your paired partner can see:
- Your display name, grade and specialty (if you set them).
- The date, start time, end time, type and any notes/location for each shift you have recorded.
Your paired partner does not see your email address, your invite codes, or any other account-level data. Either partner can unpair at any time from the Partner page; on unpairing, the other user immediately loses access to your shift data going forward. Cached copies in the other user's browser are cleared on next refresh.
7. Who else we share data with (processors and sub-processors)
We rely on the following categories of processors. Each is bound by a written contract containing the safeguards required by Article 28 UK GDPR / EU GDPR:
- Backend, authentication and database hosting (Supabase / equivalent backend, surfaced as "Lovable Cloud" within the Service). Hosts your account, profile, shifts and partner records.
- Application hosting and content delivery (Cloudflare and the platform on which this Service is published). Serves the application code and routes requests.
- Third-party identity providers (e.g. Google, where you choose to sign in with them). Authenticates you and returns a basic identity assertion to us.
We do not sell personal data. We do not share personal data with advertisers. We do not share personal data with NHS organisations, your employer, the GMC, or any regulator unless we are legally required to do so (for example, in response to a valid court order) or you direct us to.
8. International transfers
Where personal data is transferred outside the UK or the EEA, we rely on one of the following safeguards: (a) an adequacy decision by the UK government or the European Commission; (b) the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses; or (c) the EU Standard Contractual Clauses (2021/914). You may request a copy of the relevant transfer mechanism by contacting us.
9. Retention
- Account and profile data: kept while your account is active and for up to 30 days after account deletion to allow for accidental recovery, after which it is permanently removed.
- Shift data: kept until you delete it or close your account.
- Invite codes: automatically expire after 14 days and are deleted within 30 days of expiry or cancellation.
- Diagnostic logs: retained for a maximum of 30 days, then deleted or irreversibly aggregated.
10. Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS), encryption at rest at the database layer, row-level security policies that scope each row to the user (or paired partner) entitled to read it, principle-of-least-privilege access controls, and short-lived authentication tokens. No system is perfectly secure; you are responsible for keeping your sign-in credentials and devices secure and for not sharing your invite code with anyone other than your intended partner.
11. Your rights
Under UK GDPR and EU GDPR you have the right to:
- access the personal data we hold about you (Art. 15);
- have inaccurate personal data corrected (Art. 16);
- have your personal data erased ("right to be forgotten", Art. 17);
- restrict processing in certain circumstances (Art. 18);
- receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller (Art. 20);
- object to processing based on legitimate interests (Art. 21);
- withdraw any consent you have given (Art. 7(3));
- not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22) – we do not carry out such processing.
To exercise any of these rights, email aimen.8250@gmail.com. We will respond within one month, extendable by a further two months for complex requests (we will tell you if we extend).
12. Complaints
You have the right to lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ICO), ico.org.uk/make-a-complaint, 0303 123 1113. In the EEA, you may complain to the supervisory authority of your country of residence, place of work, or the place where the alleged infringement occurred. We would, however, appreciate the opportunity to address your concerns first – please contact us at aimen.8250@gmail.com.
13. Cookies and local storage
We do not use advertising or analytics cookies. We use only strictly necessary storage: authentication tokens stored by your browser to keep you signed in, and (for users who have not signed in) a local cache of your own draft shifts so the calendar works offline. Strictly necessary storage does not require consent under the Privacy and Electronic Communications Regulations (PECR).
14. Children
The Service is intended for working healthcare professionals and is not directed at children under 16. If you believe a child has provided us with personal data, contact us and we will delete it.
15. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify you by email or via an in-app notice before they take effect. The "Last updated" date at the top of this page always reflects the current version.
16. Contact
Questions, requests, or complaints: aimen.8250@gmail.com.
This policy is provided in good faith and aims to reflect the requirements of UK GDPR, the Data Protection Act 2018 and EU GDPR. It is not a substitute for independent legal advice; if you operate this Service or a fork of it for your own users, you should have this policy reviewed by a qualified data-protection professional.