How do I clear sensitive customer data?


Qudini takes information security and data protection very seriously. We are dedicated to a high standard of information security practices and procedures. We do this for all of our client's data, user account information, and Personal Identifiable Information (PII) of customers.

Sensitive Data Mode is a key feature used by the majority of our clients to ensure that their customers’ personal data is safe, such as our healthcare or financial sector clients. The purpose of this article is to go through how the Sensitive Data Mode functionality works within the Qudini settings, including:

  1. What is Sensitive Data Mode

  2. Configuration options

  3. How the Sensitive Data Mode works

  4. What data we keep and why


Other Resources

If you would like to understand more about our privacy policies or terms of using our applications, web app and our booking interface widget, or our company website, information can be found here:

Terms and Privacy Links:

If you have any questions regarding data protection, our Data Protection Officer can be contacted at the Qudini registered office address or via


1. What is Sensitive Data Mode

The Data sensitive feature is designed to give you control over the PII data collected within Qudini. The controls of this feature within your Merchant are only available to Qudini employees in order to ensure that any changes to this control are directed through the proper channels. This will be outlined as part of the onboarding of your organisation when implementing Qudini.

Note: this is a merchant-wide setting, meaning there is one setting that will impact all venues within a merchant. Individual stores and venues cannot have their own Sensitive Data Mode configuration.

If you would like to see the current configuration of the Data Sensitive mode for your organisation, or make any changes to it, please contact your Qudini account manager or email:

2. Configuration Options

When enabled, Sensitive Data Mode will automatically anonymise customer PII entered in Qudini once they are "Finished" (i.e. they are no longer waiting to have their service with an advisor to start).

This includes customers that:

  • Are assigned to an Advisor and then marked as Finished.

  • Leave the queue via the weblink (a.k.a Queue progress tracker).

  • Are marked as No Show, Cancellation or Walk Out via the staff app.

  • Cancel their appointment booking.

Delete after:

By default, this setting is configured to delete data after 24 hours once the customer is Finished. This can be changed to be any number of hours, days, weeks that you required (including 0 hours).

The background operation that deletes the customer data runs on a cycle every 30 minutes. Therefore if your requirement is to set Sensitive Data mode to delete after 0 hours, it may in actual fact take up to 30 minutes before a customer record is anonymised.

Please note that we take nightly backups with a 7-day cycle. So any data backed up will remain within encrypted backups for 7 days before they are fully deleted.

Data included:

Data Sensitive mode includes the deletion of the following data points that are captured in Qudini when a customer is added:

  • First name

  • Last name

  • Phone number

  • Contents of any SMS sent to the customers

  • Email address

  • Postcode

It’s possible to also include:

  • Notes field - in some cases users may add PII in the customer notes.

  • Customer Questions - in the event that you have configured questions that collect PII (e.g. the customer’s date of birth).

  • Customer Description - this is not commonly used for PII data gathering, but the data is also not used for reporting. We therefore recommend to include it in the data removal process.

3. How the Sensitive Data Mode works

Sensitive Data Mode does not actually delete any customer records within the database, it overwrites the data points mentioned above within each customer row. This ensures that customers’ PII is completely irretrievable (even to Qudini), but Qudini still keeps a record of the customer for reporting purposes.

Sensitive Data is overwritten by a timestamp: **REMOVED_[date+time]**

You can see this within the History section of the application:

Important note:

Sensitive Data Mode does not affect historical data captured in Qudini. If you have already added customers to Qudini, regardless of whether they are a Walk-in or Appointment Booking customers, at any stage prior to enabling Sensitive Data Mode, Qudini will not treat their PII as sensitive and therefore will not anonymise them.

For example, if you had added a customer to the queue yesterday, and today you decided to enable Sensitive Data Mode to delete after 30 mins, Qudini will not go back and remove that customer’s PII.

If you would like to have your historical Qudini customer data anonymised, we can do this on your behalf, please contact your Qudini account manager or email:

4. What data we keep and why

After it has been anonymised, we retain the customer record data and timestamps to create metrics such as wait times, service lengths, and product proportions. Which we then can provide back to users within reports and dashboards.

The anonymised data is stored within a Data Warehouse in order for Qudini to utilize it within our Analytics platform.

Important note: When setting up Customer Questions, it's important that you do not configure any questions that collect PII from customers. Sensitive or Personal information should never be allowed to enter into Analytics as this is used for anonymised reporting only.

However if you must collect PII information using Customer Questions to faciliate effective service within your Qudini environment. We do have an option to prevent the Question responses from entering analytics (see below). With this setting disabled, the responses will be visible to users/staff during service and customer interactions. But they will be anonymised under the Sensitive Data mode configuration.

Did you find it helpful? Yes No