GDPR & Data Protection Statement
This statement describes how Strixon Ltd handles personal data in connection with the RxTerminal service.
1. Who We Are
Strixon Ltd is a company registered in England and Wales under company number 16475557, with its registered office at 3 Tamworth Road, Newcastle Upon Tyne, NE4 5AJ.
Strixon Ltd develops and operates RxTerminal, a real-time queue management system.
Data protection contact: contact@strixon.co.uk
2. Data Controller and Data Processor Roles
Strixon Ltd is the Data Controller for personal data collected through this portal. Strixon Ltd acts as a Data Processor, processing that data only on the organisation's documented instructions under a Data Processing Agreement.
Strixon Ltd acts as Data Controller only for its own staff, contractor, supplier, and website visitor data.
3. What Personal Data We Process
Customer data
- First name and last name
- Date of birth and postcode (for counter-based identity verification)
- Service category selected
- Queue timestamps (arrival, called, completion)
We do not collect NHS numbers, payment card information, or clinical records.
Staff and manager data
- Full name and application login credentials
- Role and organisation assignment
- Session and audit log data
4. Lawful Basis for Processing
- Article 6(1)(f): legitimate interests, for queue management and service delivery.
- Article 9(2)(h): where health-related information is included in a customer's query, for provision of health or social care.
- Article 6(1)(b): performance of a contract, for staff and contractor data.
5. Data Retention
- Customer personally identifiable information is automatically anonymised after 90 days.
- Anonymised service records are retained for 7 years for operational and legal purposes.
- Staff account data is retained for the duration of the subscription plus 30 days.
- Audit logs are retained for 12 months in line with NHS DSP Toolkit guidance.
6. Where Data Is Stored
All customer and staff data is stored on a managed PostgreSQL database hosted in Germany, EEA. Application servers do not persistently store customer records.
7. Sub-Processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner | Application server compute & database management | Germany (EU) |
| Docker Hub | Container image registry (no personal data processed) | USA |
| Microsoft Azure | Communications (email and text messages) | UK South |
8. Your Rights
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making (RxTerminal does not make automated decisions with legal or significant effects)
Requests relating to your data held within Strixon Ltd's account should be directed to Strixon Ltd as Data Controller.
For data for which Strixon Ltd is Data Controller, contact contact@strixon.co.uk.
9. Data Security
- All data in transit encrypted via TLS 1.2+
- All data encrypted at rest
- Database connections requiring SSL
- Role-based access controls
- Passwords stored as bcrypt hashes
- Audit logging of all significant data access and modification events
10. Data Breaches
In the event of a personal data breach, Strixon Ltd will assess the risk within 24 hours, notify affected organisation clients without undue delay, and support ICO notification within 72 hours where required.
Suspected breaches should be reported to security@strixon.co.uk.
11. Complaints
Contact Strixon Ltd at contact@strixon.co.uk, or lodge a complaint with the ICO:
- Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Telephone: 0303 123 1113
- Website: ico.org.uk