Home Privacy Policy

Privacy Policy

Effective date: 7 June 2026

1. About this Privacy Policy

This Privacy Policy explains how we collect, use, share, and protect personal information when you visit and use ERClock at https://erclock.com (the "Site"). It also explains your rights and how to exercise them.

ERClock is a free, ad-free informational and directory site that aggregates and displays emergency-room ("ER") and urgent-care ("UC") wait-time information for facilities across the United States, together with directory information such as addresses, US Centers for Medicare & Medicaid Services ("CMS") quality measures, and Google ratings.

ERClock does not offer user accounts, logins, payments, subscriptions, or e-commerce. We do not sell anything to you, we do not run advertising, and we do not send marketing emails or newsletters.

Please read this Privacy Policy alongside our Terms of Use. Because ERClock is a health-adjacent information service, we remind you that the Site is not medical advice and is not a substitute for professional medical care. In an emergency, call 911 or go to the nearest emergency room. Never delay or avoid seeking care based on information on the Site.

2. Who we are (data controller)

The data controller responsible for your personal information is:

Search Ventures Ltd A company registered in England and Wales, company number 10588553. Registered office: 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE, United Kingdom.

Contact for all privacy matters: [email protected]

We are established in the United Kingdom, but our audience and subject matter are predominantly in the United States. We process personal data as a UK controller. We do not target the European Union or European Economic Area, and we have not appointed an EU representative under Article 27 of the EU GDPR. This Policy is designed to comply with UK data protection law (the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR")) and to address the rights of users in the United States, including under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA").

We have not appointed a Data Protection Officer, as we are not legally required to do so. You can raise any data protection question with us using the contact details above.

3. The personal information we collect and process

We deliberately keep data collection to a minimum. We do not ask you to create an account, and we do not collect your name, email address, or telephone number through ordinary use of the Site.

(a) Community wait-time submissions

If you choose to submit a wait time for a facility, we store only:

  • the facility type (ER or UC);
  • the facility identifier;
  • the wait time in minutes (a value between 0 and 1,440); and
  • the visit timestamp.

We do not collect your name, email, phone number, or any account details when you submit a wait time.

(b) Salted hash of your IP address (submissions)

When you submit a wait time, we never store your IP address in raw form. Instead, we store only a salted SHA-256 hash of your IP address. We use this hash solely for rate-limiting and abuse prevention (for example, to prevent the same source flooding the Site with submissions). We treat this hash as pseudonymised personal data — it is not anonymous, because it can in principle be used to single out a device, but it cannot readily be turned back into your IP address. This hash is processed and stored alongside each submission, and is handled under the abuse-prevention basis described in Section 5.

(c) Anti-bot verification (Cloudflare Turnstile)

Our submission form is protected by Cloudflare Turnstile. When you interact with the form, a verification token is sent to Cloudflare to confirm you are not an automated bot. Turnstile is loaded only on the submission form, which you choose to use; it is not loaded on our general browsing pages.

(d) Content delivery, proxy, and security (Cloudflare)

The Site sits behind Cloudflare, which provides content delivery, proxy, and security services. In doing so, Cloudflare processes connection data such as your IP address (in raw form) and request metadata, and may set strictly-necessary security cookies. We do not use Cloudflare Web Analytics, and we do not use any Cloudflare cookie for analytics or advertising.

(e) Analytics (Google Analytics 4)

We use Google Analytics 4 (gtag.js, measurement ID G-XJ4T7EXBWX) to understand how the Site is used. Where you consent, Google Analytics sets analytics cookies and collects usage data, device information, and approximate location. Approximate location is derived from your IP address, which Google uses transiently for this purpose; Google states that it does not log or store the IP address in Google Analytics 4. Google Analytics runs, and sets analytics cookies, when you visit the Site; you can opt out at any time using your browser's cookie controls or Google's opt-out browser add-on (https://tools.google.com/dlpage/gaoptout).

(f) Server logs

Our web server (IIS) may automatically record standard request metadata, such as IP address (in raw form), user-agent (browser/device), date and time, and the pages or resources requested. These logs help us operate, secure, and troubleshoot the Site.

We do not carry out advertising profiling, we do not use your personal information to send you marketing, and we do not sell personal information.

4. The displayed facility data (not your personal information)

The wait-time and directory information shown on the Site about facilities is drawn from third-party and public sources, including:

  • CMS public hospital datasets;
  • Google Business Profile data (ratings, hours, photos) obtained via a third-party data provider;
  • publicly accessible wait-time feeds and widgets published by health systems (for example Epic MyChart ED wait widgets, HCA, LifePoint, and the Clockwise/Experity urgent-care platform, among others); and
  • community-submitted readings (clearly labelled as such and never mixed with official feeds).

This facility data is generally not your personal information. It is provided by third parties and is displayed "as is." We explain how we handle the third-party data provider as a processor in Section 7.

5. How and why we use your information (purposes and lawful bases)

Under the UK GDPR we must have a lawful basis for each use of your personal information. The table below sets out what we do and why.

What we doPersonal data involvedLawful basis (UK GDPR)
Display and aggregate community wait-time submissions to operate the information serviceFacility type, facility ID, wait minutes, timestamp (the associated salted IP hash is processed under the abuse-prevention basis in the row below)Legitimate interests (operating and improving a free public information service)
Prevent abuse and apply rate-limiting on submissionsSalted hash of IP address; Cloudflare Turnstile tokenLegitimate interests (security, integrity of the Site, prevention of fraud and abuse)
Deliver, proxy, and secure the Site via CloudflareIP address, request metadata; strictly-necessary cookiesLegitimate interests (network and information security); the strictly-necessary cookies are exempt from the PECR consent requirement
Operate, secure, and troubleshoot the Site via server logsIP address, user-agent, timestamps, URLsLegitimate interests (security and reliable operation)
Measure and understand Site usage via Google AnalyticsUsage/device data, approximate location; analytics cookiesLegitimate interests (to understand and improve how the Site is used); you can opt out at any time (see Section 6)

Where we rely on legitimate interests, we have considered whether those interests are overridden by your interests, rights, and freedoms, and we have concluded they are not, given the limited, low-impact nature of the data and the security/operational purposes for which it is used.

We rely on our legitimate interests in understanding and improving how the Site is used as the basis for analytics. You can opt out of analytics at any time (see Section 6), and you will not be disadvantaged for doing so.

You have the right to object at any time to our processing of your personal data that is based on our legitimate interests. See Section 10 for how to exercise this and your other rights.

6. Cookies and similar technologies

We use a small number of cookies. Strictly necessary cookies are required for the Site to function securely and are set without consent. Analytics cookies are set by Google Analytics when you use the Site; you can opt out at any time using your browser's cookie controls or Google's opt-out browser add-on (https://tools.google.com/dlpage/gaoptout).

You can control cookies at any time through your browser settings, and you can opt out of Google Analytics using Google's opt-out browser add-on (https://tools.google.com/dlpage/gaoptout). Blocking non-essential cookies will not stop you using the Site.

Cookies table

Cookie / technologyCategoryProviderPurposeTypical duration
Cloudflare __cf_bmStrictly necessaryCloudflareBot management and security to deliver the Site reliably~30 minutes
Cloudflare cf_clearanceStrictly necessaryCloudflareStores the result of a security challenge so genuine users are not repeatedly challenged; classified as strictly necessary because it is required to deliver the Site securely and to prevent abuseUp to ~1 year
Cloudflare Turnstile token/stateStrictly necessaryCloudflareVerify that form submissions are made by a human, not a bot (loaded only on the submission form)Session / short-lived
_gaAnalyticsGoogleDistinguishes unique users for usage statisticsUp to 2 years
_ga_XJ4T7EXBWXAnalyticsGooglePersists session state for Google Analytics 4Up to 2 years

Cookie names and durations are indicative and may change as providers update their products.

Through Google Analytics, Google uses your IP address transiently to derive approximate location, as described in Section 3(e). You can opt out of Google Analytics at any time using Google's opt-out browser add-on (https://tools.google.com/dlpage/gaoptout). Most browsers also let you block or delete cookies through their settings, although strictly-necessary cookies are needed for the Site to work properly.

7. Processors and who we share information with

We do not sell your personal information and we do not share it for advertising. We use a small number of trusted service providers ("processors") who act on our instructions:

  • Google LLC — provides Google Analytics 4. Processes analytics, usage, device, and approximate-location data on our behalf.
  • Cloudflare, Inc. — provides content delivery, proxy, security, and the Turnstile anti-bot service. Processes connection data (including raw IP address) and request metadata.
  • Third-party Google Business Profile data provider — supplies the facility ratings, hours, and photos that we display on the Site. This provider supplies displayed facility data to us; it does not receive your personal information from us.

We may also disclose information where we are required to do so by law, to respond to lawful requests by public authorities, to enforce our Terms of Use, or to protect the rights, property, or safety of ERClock, our users, or others.

8. International transfers

We are based in the United Kingdom, but some of our processors process personal data in the United States and potentially other countries outside the UK. Where personal data is transferred outside the UK, we rely on appropriate safeguards recognised under UK data protection law, as follows:

  • Google LLC — transfers are made under the EU–US Data Privacy Framework and its UK Extension (under which Google LLC is certified), supplemented by the UK International Data Transfer Agreement ("IDTA") or the UK Addendum to the EU Standard Contractual Clauses where required.
  • Cloudflare, Inc. — transfers are made under the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses, and/or the EU–US Data Privacy Framework and its UK Extension where Cloudflare is certified, as set out in Cloudflare's data processing terms.

You can obtain a copy of the relevant safeguard, or more information about the safeguards applying to a particular transfer, by contacting us at [email protected].

9. How long we keep your information (retention)

We keep personal information only for as long as necessary for the purposes set out in this Policy. Our retention periods are:

  • Salted hash of IP address (submissions): deleted within 30 days, being our rate-limiting and abuse-prevention window.
  • Community wait-time submissions (facility type/ID, minutes, timestamp): retained for up to 24 months, after which readings are deleted or irreversibly aggregated. Older readings naturally lose value and may be removed or aggregated sooner.
  • Server/IIS logs: retained for 90 days, then deleted or overwritten.
  • Google Analytics data: user and event data retention is set to 14 months in Google Analytics 4, subject to Google's own retention controls.

Where we cannot set a fixed period in advance, we apply the criteria of necessity for the stated purpose, security needs, and any legal obligations to decide how long to keep information.

10. Your data protection rights (UK GDPR)

Subject to certain conditions and exemptions, you have the right to:

  • Access the personal information we hold about you;
  • request rectification of inaccurate or incomplete information;
  • request erasure of your information;
  • request restriction of our processing;
  • object to processing based on our legitimate interests;
  • request portability of information you provided to us, where applicable; and
  • opt out of analytics at any time, using your browser settings or Google's opt-out browser add-on.

You have the right to object at any time to our processing of your personal data that is based on our legitimate interests.

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects concerning you (UK GDPR Article 22).

An important practical point. Because community submissions contain no name, email, account, or other direct identifier, and because we store IP information only as a salted hash, we are often unable to identify you from the information we hold (UK GDPR Article 11). In those cases we may not be able to locate "your" data in order to action a rights request, and we may ask you to provide additional information to enable us to do so. We will be honest with you about what is and is not technically possible.

To exercise any right, please contact [email protected]. We will respond within the time limits required by law (generally within one month). We do not charge a fee for most requests.

Complaints. If you are unhappy with how we handle your personal information, you have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom. Helpline: 0303 123 1113. Website: https://ico.org.uk.

We would, however, appreciate the chance to address your concerns first, so please consider contacting us before approaching the ICO.

11. Your California privacy rights (CCPA/CPRA)

This section applies to California residents and supplements the rest of this Policy.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, as those terms are defined under the CCPA/CPRA. We do not sell or share personal information and have no practice of doing so. We do not offer financial incentives in exchange for personal information.

Categories of personal information we collect. We collect the following categories of personal information:

  • Identifiers / online identifiers — IP address (processed in raw form by our CDN/security provider and in our server logs, and stored only as a salted hash in connection with community submissions), and connection metadata; and
  • Internet or other electronic network activity information — usage data, device information, and approximate location collected via analytics and server logs.

We do not collect Social Security numbers, financial account information, precise geolocation, or sensitive personal information.

Sources. We collect this information directly from your interaction with the Site and through our service providers (Cloudflare and Google).

Purposes. We use this information to operate, secure, and improve the Site; to prevent abuse; and to understand usage, as described in Section 5.

Retention. We retain each category of personal information for the periods described in Section 9 (How long we keep your information).

Your California rights. Subject to verification and legal limits, you have the right to:

  • know/access the categories and specific pieces of personal information we have collected;
  • delete personal information we have collected from you;
  • correct inaccurate personal information;
  • opt out of the sale or sharing of personal information (not applicable, as we do not sell or share); and
  • not be discriminated against for exercising your rights.

Because we do not sell or share personal information, we do not provide a "Do Not Sell or Share My Personal Information" link. As with UK requests, the limited, identifier-light nature of our data may mean we cannot associate the data we hold with you. To make a request, contact [email protected]. We will acknowledge California requests within 10 business days and respond within 45 days, extendable by a further 45 days where reasonably necessary, with notice. We will take reasonable steps to verify your request before responding.

12. Children's privacy

The Site is not directed to children and is intended for a general adult audience seeking facility information. We do not knowingly collect personal information from children under 13 (and, for users in the United Kingdom, we do not target information-society services at children under 13, the age of consent for such services under the Data Protection Act 2018).

Our Terms of Use additionally provide that the Site is not directed to children and that anyone under 18 should use the Site only with the involvement of a parent or guardian. The age-13 threshold above governs our position on the collection of personal data, while the involvement of a parent or guardian for under-18s is a matter of responsible use under the Terms; the two are complementary and not in conflict.

Because the Site is not designed for or directed to children, and because we collect only minimal, identifier-light data and apply high-privacy defaults (no accounts, no marketing, no profiling, minimal analytics with an opt-out), we consider it appropriately protective of any child who may nonetheless access it, consistent with the principles of the UK Age Appropriate Design Code (Children's Code). We keep this position under review and will conduct a data protection impact assessment if our processing changes in a way that could affect children. If you believe a child has provided us with personal information, please contact [email protected] and we will take reasonable steps to delete it.

13. How we protect your information (security)

We take appropriate technical and organisational measures to protect personal information, including:

  • storing IP information only as a salted SHA-256 hash, never in raw form, for submissions;
  • Cloudflare Turnstile anti-bot protection on the submission form;
  • a Cloudflare security and proxy layer in front of the Site;
  • rate-limiting to reduce abuse; and
  • encryption of data in transit using HTTPS/TLS.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we work to protect your information using measures appropriate to its sensitivity and the risks involved.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we do, we will revise the "Effective date" at the top of this Policy and post the updated version on the Site. Where changes are significant, we will take reasonable steps to bring them to your attention. We encourage you to review this Policy periodically.

15. How to contact us

If you have any questions, concerns, or requests about this Privacy Policy or your personal information, please contact:

Search Ventures Ltd 82a James Carter Road, Mildenhall, Bury St. Edmunds, England, IP28 7DE, United Kingdom. Email: [email protected]