Careframe

Privacy Policy

Last updated: [DATE]

This Privacy Policy explains how Careframe (“Careframe”, “we”, “us”) handles personal data. Careframe is a UK software platform for residential children’s homes, operated by [COMPANY LEGAL NAME], a company registered in England and Wales (company number [COMPANY NUMBER]), with its registered address at [REGISTERED ADDRESS]. We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO REGISTRATION NUMBER].

1. Our two roles: processor and controller

How we handle data depends on whose data it is, so it helps to be clear about two different roles:

  • As a data processor — for the records our customers put into the platform. When a children’s home or provider (our customer) uses Careframe to manage its staff and the children in its care, the customer decides why and how that data is used. They are the data controller; we process that data on their instructions, under a written data processing agreement. See our Data Processing terms for the detail.
  • As a data controller — for our own corporate data. When we handle information about prospective customers, account holders, website visitors, billing contacts, and people who get in touch with us, we decide why and how that data is used. This Privacy Policy mainly covers what we do as a controller, and points to the Data Processing terms for what we do as a processor.

2. The data we collect as a controller

  • Account and contact details — name, work email, phone number, job title, and the organisation you work for.
  • Billing information — billing contact, billing address, and subscription details. Card payments are handled by our payment provider; we do not store full card numbers ourselves.
  • Enquiry and support data — anything you send us when you request a demo, ask a question, or raise a support request.
  • Usage and technical data — limited information about how the platform and our website are used, such as sign-in activity, device and browser type, and IP address, used to keep the service secure and working well.

We do not seek to collect special-category or children’s data in our role as a controller. Such data is held within customer workspaces, where we act as a processor (see section 1 and the Data Processing terms).

3. Why we use it, and our lawful basis

Under UK GDPR we must have a lawful basis for using personal data. The bases we rely on as a controller are:

  • Contract — to set up and manage your account, provide the service, and handle billing.
  • Legitimate interests — to respond to enquiries, keep the service secure, prevent misuse, and improve what we offer, balanced against your rights and expectations.
  • Legal obligation — to meet our own legal, accounting, and regulatory duties.
  • Consent — where we ask for it, for example for certain marketing messages or non-essential cookies. You can withdraw consent at any time.

4. Special-category and children's data

The platform is used to handle sensitive information, including special-category data (such as health information) and information about children. As explained above, that data sits within customer workspaces and we handle it only as a processor, on the customer’s documented instructions. The customer, as controller, is responsible for identifying the appropriate special-category condition and any further lawful basis for that data. We support customers in keeping that information secure and in meeting requests from data subjects.

5. Sharing and sub-processors

We do not sell personal data. We share it only where necessary to run the service:

  • Sub-processors — trusted suppliers who help us deliver the platform, such as our hosting, database, email, and payment providers. They act on our instructions under written agreements. The current list of sub-processors that handle customer data is maintained in our Data Processing terms.
  • Professional advisers and authorities — where we are required to share data to meet a legal obligation, or to establish, exercise, or defend legal claims.

6. Where your data is held

We host the platform and store data in the UK or the European Economic Area (currently in EU data centres in Germany). Where personal data is processed outside the UK, this happens only in jurisdictions covered by UK adequacy regulations — which include the EEA — or with appropriate safeguards in place, such as the International Data Transfer Agreement, so that your data continues to be protected.

7. How long we keep it

We keep personal data only for as long as we need it. Account and billing data is kept for the life of the relationship and then for a reasonable period to meet our legal and accounting duties. Enquiry data is kept only as long as needed to deal with the enquiry and any follow-up. Customer data held in a workspace is retained, and deleted, in line with the Data Processing terms and the customer’s instructions.

8. How we protect it

We take the security of personal data seriously and maintain organisational and technical measures designed to protect it. These commitments include:

  • Encryption of data in transit and at rest.
  • Role-based access controls, so people see only what they need.
  • Multi-factor authentication for access where appropriate.
  • Audit logging of significant activity.
  • Hosting in the UK or the EEA with reputable infrastructure providers.
  • Ongoing review of our security practices as the service develops.

No system can be completely secure, but we work to keep our safeguards proportionate to the sensitivity of the data we handle.

9. Data breaches

We maintain procedures to detect, investigate, and respond to personal-data breaches. Where a breach affecting personal data we control is likely to result in a risk to people’s rights and freedoms, we will notify the ICO without undue delay, and within 72 hours where feasible, and tell affected individuals where required. Where a breach affects customer data we process, we will notify the relevant customer (the controller) without undue delay so they can meet their own obligations.

10. Your rights

Under UK data-protection law you have rights over your personal data, including the right to be informed, to access a copy of your data, to have inaccurate data corrected, to have data erased in certain circumstances, to restrict or object to processing, and to data portability. Where we rely on consent, you can withdraw it at any time.

To exercise these rights for data we hold as a controller, contact us at hello@careframe.co.uk. If your request relates to records held within a customer’s workspace (for example a staff member’s or child’s record), please contact that organisation, as they are the controller; we will support them in responding.

You also have the right to complain to the ICO at ico.org.uk, though we would welcome the chance to put things right first.

11. Cookies

Our website uses a small number of cookies. For details of what they are and how to manage them, see our Cookie Policy.

12. Changes to this policy

We may update this policy from time to time. If we make a meaningful change, we will update the date above and, where appropriate, let you know.

13. Contact

If you have any questions about this policy or how we handle personal data, contact us at hello@careframe.co.uk.