Privacy notice

How the PCRA SOP Maker handles your practice's data. This notice is in plain English; the underlying technical evidence is in the project's docs/dpia/ folder for your DPO to review.

Last updated: May 2026 · Controller: Primary Care Research Alliance (PCRA), supporting NIHR South East · Contact: dpo@sopify.co.uk

What this tool does

PCRA SOP Maker drafts a bespoke set of clinical-trial Standard Operating Procedures for your practice based on a short intake form. The output is a Microsoft Word zip file you download, review, sign and file. The tool does not store your data after generation completes.

What data we collect

We collect what you type into the wizard. That is, in summary:

Practice information — practice name, address, ICB, list size, practice type.
Named research roles — the names and professional registration numbers (GMC, NMC) of your Principal Investigator, Research Lead, and Practice Manager.
Operational details — clinical system, equipment, archiving arrangement, ISF format, emergency arrangements, nearest A&E.
SOP scope — whether you've chosen the Core or Comprehensive pack.

We do not collect:

Patient data of any kind.
Trial-participant data.
Your personal email address, NHS account, or any identifier of the person filling in the form.
Payment data.

Lawful basis

We process this data under Article 6(1)(f) UK GDPR — legitimate interests. Our legitimate interest is helping NHS GP practices comply with the Medicines for Human Use (Clinical Trials) (Amendment) Regulations 2025 and ICH GCP E6(R3). We do not process special-category (Article 9) data.

The named individuals' data items (names, GMC/NMC numbers) are about NHS staff acting in their professional capacity. Most are already in the public domain via the GMC/NMC online registers. We've assessed that the legitimate interests test is met because the processing is proportionate, expected by trial-active practices, and necessary to produce SOPs that name the responsible roles.

Where your data goes

From your browser to the SOP Maker server over HTTPS.
The server holds the data in process memory while drafting your pack.
For each SOP, the server sends the regulatory briefing, the master prompt and your intake to Anthropic's API (Claude). Anthropic processes the request on US infrastructure.
Anthropic returns the SOP markdown. The server bundles all SOPs into a single zip on its local disk.
You download the zip. The server schedules the zip and the in-memory data for automatic deletion within 24 hours.

Cross-border transfer

The transfer to Anthropic is to the United States and is covered by the UK-US Data Bridge (the UK extension of the EU-US Data Privacy Framework, in force since 12 October 2023). Anthropic's commercial Data Processing Agreement also includes Standard Contractual Clauses as a fallback safeguard.

Anthropic's commercial terms state that API inputs and outputs are not used to train Anthropic's models. PCRA holds a signed Data Processing Agreement with Anthropic confirming this and the retention period (default 30 days for API logs).

How long we keep your data

Where	What	How long
SOP Maker server (memory)	Your intake and the SOPs while they're being drafted	Up to 24 hours after generation; deleted automatically
SOP Maker server (disk)	The final zip ready for you to download	Up to 24 hours from creation; deleted automatically
Anthropic API	The prompts and responses	Up to 30 days, per Anthropic's commercial terms
Your computer	The downloaded zip and extracted SOPs	You decide; the SOPs themselves carry a 25-year retention obligation under CTIMP regulations once signed
Hosting platform request log	HTTP method, path, status code, IP — your intake content is NOT logged	Per the platform's standard log retention (typically 7-30 days)

Your rights

Under UK GDPR you have the right to:

Access a copy of the data we hold about your practice.
Rectify data that's wrong.
Erase your data. The 24-hour auto-purge handles this routinely. If you need it deleted sooner, email us with the date and time you used the tool and we'll purge the specific session.
Object to processing. You can decline to use the tool — manual SOP drafting is the alternative.
Data portability — the zip download is the portable copy.
Lodge a complaint with the Information Commissioner's Office (ico.org.uk) if you think we have processed your data unlawfully.

Automated decision-making

SOP Maker uses an AI model (Anthropic's Claude) to draft documents, but the tool does not make decisions about individuals. Article 22 UK GDPR (right not to be subject to automated decisions with legal/similar effect) does not apply because the tool produces a draft document that you, the practice, then review, edit, sign and approve.

Security

All traffic is over HTTPS (TLS 1.2 or higher).
Access is gated by a password supplied by your NIHR South East research lead.
The application code does not log your intake fields, prompts, or responses.
Login attempts and generation requests are rate-limited to deter abuse.
Server-side session cookies are HttpOnly and expire after 8 hours of inactivity.

Contact

For any privacy question, data subject request, or to report a concern:

Email: dpo@sopify.co.uk
Subject line: "SOP Maker — privacy"

If you do not receive a response within 5 working days, escalate to PCRA's data protection lead at info@pcralliance.uk.

Changes to this notice

We will update this notice when the tool changes meaningfully (new fields collected, new processors involved, new retention periods, new security controls). The date at the top of the notice indicates the last revision. The technical evidence in docs/dpia/ is updated alongside.

This notice is provided alongside, not in place of, your DPO's review of the underlying DPIA. PCRA is responsible for keeping this notice accurate; your DPO is responsible for confirming it reflects your local processing context.