1. Introduction
Care Compliance Platform (“the Platform”) is operated by Total Care Options Ltd (“we”, “us”, “our”), a company registered in England and Wales under company number 10976502, with its registered office at 4 Blenheim Court, Peppercorn Close, Peterborough, England, PE1 2DU. We are registered with the UK Information Commissioner’s Office (ICO) under registration number 1111111111.
This policy applies to anyone who uses the Platform, whether you visit our marketing site, sign up for an Account, are added as an Authorised User by your employer, or have personal data uploaded about you by a care provider that uses the Platform.
2. Controller & processor roles
Under UK GDPR, the “controller” decides why and how personal data is processed, and the “processor” processes it on the controller’s instructions. Our role depends on the data.
We are the controller for:
- visitors to our marketing site (e.g. contact form submissions, essential cookies);
- account holders and billing contacts of organisations that subscribe to the Platform; and
- operational logs we generate to run and secure the Platform.
We are a processor for:
- data that a subscribing care provider uploads to or generates on the Platform, including their staff records, training records, policy acknowledgements, audit findings, safeguarding incidents, and similar material. In this case the care provider is the controller and we process the data on their instructions under a Data Processing Agreement.
If you are a member of a care provider’s workforce or a person they support, and your personal data is held on the Platform by your employer or care provider, that organisation is the controller and you should contact them first about your data. We will support them in responding to you.
3. Personal data we collect
From account holders and Authorised Users: name, work email address, job title, organisation, phone (optional), profile photo (optional), login credentials (passwords are stored as one-way hashes; we never see them in plain text), multi-factor authentication settings.
Billing information: billing contact name and email, billing address, subscription plan, payment history. Card details are entered directly into Stripe and never stored on our servers.
Usage data: pages visited, features used, timestamps, IP address, browser type, device information, and other technical telemetry needed to run and secure the Platform.
Communications: messages you send us via the contact form or support email, including any attachments.
Customer Data uploaded by care providers (we are a processor for this): staff records, training records and certificates, employment documents (e.g. right-to-work, DBS), policies and acknowledgements, audits, spot checks, supervisions, meetings, safeguarding records, performance reviews, and similar compliance content.
4. How we use personal data
We use personal data to:
- provide and operate the Platform;
- authenticate users and keep accounts secure;
- send service notifications, reminders, and alerts;
- process payments and manage subscriptions;
- provide customer support;
- improve the Platform (e.g. by analysing aggregate usage patterns);
- comply with our legal obligations (e.g. tax, fraud prevention); and
- protect the Platform and our users from abuse.
We do not sell personal data and we do not use it for advertising.
5. Lawful basis for processing
We rely on the following lawful bases under UK GDPR Article 6:
- Contract - to provide the Platform to subscribing organisations and their Authorised Users.
- Legitimate interests - to secure the Platform, prevent fraud, improve the service, and respond to enquiries. We have balanced these interests against the rights of individuals.
- Legal obligation - for example, retaining financial records for tax purposes.
- Consent - where we ask for it explicitly (for example, for any future non-essential cookies or marketing communications). You can withdraw consent at any time.
6. Special category data
The Platform is designed for the care sector, so Customer Data uploaded by subscribing organisations may include special category personal data under UK GDPR Article 9, for example health information, safeguarding records, or details that reveal racial or ethnic origin.
Where we process this data, we do so as a processor on the subscribing care provider’s instructions. The care provider is responsible for identifying an appropriate Article 9 condition (most commonly Article 9(2)(h), provision of health or social care, or Article 9(2)(b), employment-related obligations) and for any Data Protection Impact Assessment.
We apply additional safeguards to this data: encryption in transit and at rest, strict access controls, audit logging of access, and tenant-level data isolation in the underlying database.
8. Sub-processors
We use carefully selected sub-processors to help us run the Platform. Each is bound by a written contract that includes data protection obligations no less protective than this policy.
| Sub-processor | Purpose | Location |
|---|---|---|
| MagnaByte Solutions Ltd | Develops and maintains the Platform software on our behalf. | United Kingdom |
| Stripe Payments UK Ltd | Subscription billing and payment processing. | UK / EU / US |
| Cloudflare, Inc. | DNS, TLS, and edge security. | Global (UK edge) |
| OVH | Application hosting and managed PostgreSQL database. | EU / US |
| Resend | Transactional email delivery (account notifications, password resets, reminders). | EU / US |
| AWS | Storage of uploaded files and documents (used only where the Platform is configured for cloud file hosting). | EU / US |
We may update this list from time to time. Material changes will be notified in advance so that customers can object.
9. International transfers
Where personal data is transferred outside the UK, we rely on a valid transfer mechanism (typically the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision), together with any supplementary measures required by law.
You can request a copy of the safeguards we rely on by contacting privacy@test.com.
10. How long we keep data
We keep personal data only for as long as we need it.
- Account data - for the duration of your Subscription, then deleted within 90 days of termination (subject to any longer period required by law).
- Customer Data - controlled by the subscribing care provider. By default, we make Customer Data available for export for 30 days after termination, then delete it within 60 days.
- Billing records - retained for at least 6 years to meet HMRC requirements.
- Security and audit logs - retained for up to 12 months.
- Marketing site enquiries - retained for up to 24 months from your last interaction.
11. How we protect data
We use a layered set of safeguards, including:
- TLS encryption for all data in transit;
- encryption at rest for the database and file storage;
- tenant isolation in the database so each organisation’s data is held in a separate schema;
- role-based access control and least-privilege defaults;
- multi-factor authentication for staff and admin accounts;
- audit logging of sensitive actions and a clear incident-response process;
- regular backups and tested restore procedures.
No system is completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR.
12. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased in certain circumstances (the “right to be forgotten”);
- restrict or object to certain processing;
- data portability (receive your data in a structured, commonly used, machine-readable format);
- withdraw consent at any time, where processing is based on consent; and
- complain to the ICO, though we’d appreciate the chance to address your concern first.
To exercise any of these rights, email privacy@test.com. We’ll respond within one month.
If your data is held on the Platform by a care provider (i.e. your employer or a service that supports you), please contact that organisation first; they are the controller and we will assist them in responding to you.
ICO: ico.org.uk · 0303 123 1113.
13. Children's data
The Platform is not intended for children under 16 and we do not knowingly collect their personal data directly. If a subscribing care provider uses the Platform to hold records about young people they support, the provider is the controller and is responsible for the lawful basis and any appropriate safeguards.
15. Changes to this policy
We may update this policy from time to time. The “last updated” date at the top shows when it last changed. Material changes will be notified by email or by an in-product notice before they take effect.
16. How to contact us
- Privacy enquiries: privacy@test.com
- General support: support@carecomplianceplatform.co.uk
- Postal: Total Care Options Ltd, 4 Blenheim Court, Peppercorn Close, Peterborough, England, PE1 2DU
- ICO complaint: ico.org.uk/make-a-complaint