Last updated 3 May 2026

Privacy notice

This notice explains how CareLoop Ltd (“we”, “us”) collects and uses personal data. We are registered with the Information Commissioner’s Office (ICO registration number ZA1234567) and act as a data processor for the personal data your organisation puts into the platform, and as a controller for marketing and account data.

Who we are

CareLoop Ltd, registered in England & Wales (Company No. 12345678). Registered office: 1 Care Way, London EC1A 1AA. Data Protection Officer: dpo@careloop.com.

What data we process

  • Customer data (records about your staff, residents, visits, certifications, care notes) — processed on your behalf as a data processor.
  • Account data (admin contacts, billing details, audit logs) — processed as a controller.
  • Usage telemetry (anonymised pageview counts, error stack traces) — to keep the service reliable.

Lawful basis

For customer data we rely on your instructions as the controller. For account data we rely on Article 6(1)(b) — performance of a contract. For service emails we rely on Article 6(1)(f) — legitimate interests.

How we secure data

  • TLS 1.3 in transit, AES-256 at rest.
  • Postgres Row Level Security so even our service code cannot read across tenants without an explicit override.
  • UK / EU-based hosting (AWS eu-west-2 / Vercel London).
  • MFA-required admin access; dual control for production database changes.
  • Daily encrypted backups with 30-day retention.
  • Annual penetration test by an external CREST-accredited tester.

Retention

Customer data is retained for the duration of the subscription plus 30 days, after which it is irreversibly deleted unless you instruct us to retain it longer (e.g. for an ongoing CQC investigation). Audit logs are retained for 6 years to align with care-sector record-keeping obligations.

Your rights

  • Access — request a copy of your personal data.
  • Rectification — correct inaccurate data.
  • Erasure — request deletion (“right to be forgotten”).
  • Portability — get an export in a machine-readable format.
  • Restriction / objection — limit how we process data.

Submit a request to dpo@careloop.com. We respond within 30 days. If you’re unhappy with our response, you can complain to the Information Commissioner’s Office at ico.org.uk.

International transfers

Personal data is stored in the UK and EEA. Where a sub-processor operates outside the UK/EEA, transfers are governed by the UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses with the UK Addendum.

Sub-processors

See our sub-processor list. We notify you 30 days before adding any new sub-processor so you can object.

Cookies

See our cookie notice. We only set cookies essential for sign-in and security by default.

Changes

Material changes are notified by email at least 14 days before they take effect.