CareBridge Ltd ("CareBridge", "we", "us") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose and safeguard information when you use our workforce compliance platform (the "Service"), in accordance with the UK GDPR and the Data Protection Act 2018.
1. Who we are
CareBridge Ltd is a company registered in England & Wales. We act as a data processor on behalf of care providers (our customers) who are the data controllers of workforce records they upload, and as a data controller for account, billing and usage data of users who register with the Service.
2. Personal data we collect
- Account data: name, work email, hashed password, organisation, role.
- Workforce records (processed on behalf of customers): candidate and worker details, DBS certificate numbers, Right-to-Work evidence, training certificates, supervision notes, evidence documents.
- Usage data: log-in events, IP address, browser type, audit-trail actions.
- Cookies and similar technologies: see our Cookie Policy.
3. Lawful bases for processing
- Contract: to provide the Service to you or your organisation.
- Legitimate interests: to secure, improve and support the Service.
- Legal obligation: to meet record-keeping, tax and regulatory requirements.
- Consent: where required (e.g. non-essential cookies, marketing emails).
4. Special category data
Workforce records may include special category data (e.g. health-related training, criminal-record information via DBS). We process this strictly under contract with the controller, with appropriate safeguards and only as instructed in our Data Processing Agreement.
5. Where your data is stored
All personal data is hosted in UK / EEA data centres. We do not transfer personal data outside the UK or EEA without appropriate safeguards (Standard Contractual Clauses, UK Addendum, or an adequacy decision).
6. Retention
Workforce records are retained for as long as the customer's account is active, plus any period required by law (e.g. CQC and HMRC retention periods). On termination, data is returned or securely deleted within 90 days unless a longer retention is legally required.
7. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data.
- Rectify inaccurate or incomplete data.
- Erase your personal data ("right to be forgotten").
- Restrict or object to processing.
- Request data portability.
- Withdraw consent at any time.
- Lodge a complaint with the Information Commissioner's Office (ico.org.uk).
For workforce records, please contact your employer (the data controller). For account data, email dpo@carebridge.app.
8. Security
We use industry-standard safeguards including TLS 1.2+ in transit, AES-256 encryption at rest, role-based access control, audit logging, signed short-lived download URLs for evidence documents, and regular penetration testing.
9. Sub-processors
A current list of sub-processors is available on request. We notify customers of changes in line with our Data Processing Agreement.
10. Changes to this policy
We will notify you of material changes by email or in-product notice at least 30 days before they take effect.
