Privacy Policy

Last updated: July 2026

Draft template. This policy is a starting point and must be reviewed by a qualified data-protection advisor or solicitor before you rely on it commercially.

CareOps IQ (“we”, “us”) provides care-home operations software to UK care providers. This policy explains how we handle personal data in line with the UK GDPR and the Data Protection Act 2018.

Our role: controller and processor

For data about the care homes and individuals that use our service on behalf of a customer (for example, resident and staff records entered by a care provider), the customer is the data controller and CareOps IQ acts as a data processor, processing that data only on the customer’s documented instructions under a Data Processing Agreement. For data about our direct account holders and website visitors, we are the controller.

Data we process

Depending on how the service is used, this may include: account details (name, email, role, organisation); staff records (contact details, pay type/rate, shifts, leave, training and DBS expiry); resident and occupancy information (which may include special-category health data); rota, timesheet and payroll-related information; and technical data such as log and usage information.

Special-category (health) data

Care records can include information about a person’s health. Where we process such special-category data on behalf of a customer, we do so only under the customer’s instructions and appropriate lawful bases and conditions (for example, the provision of health or social care). Customers are responsible for ensuring they have a valid lawful basis and condition for the data they enter.

Lawful bases

As a controller, we rely on legitimate interests (operating and securing our service), contract (providing the service to account holders) and legal obligation where applicable. As a processor, the lawful basis is determined by the customer as controller.

How we use data

To provide, secure and improve the service; to authenticate users and enforce access controls; to send operational communications such as timesheet and rota notifications; and to meet legal and regulatory obligations.

Sharing and sub-processors

We use trusted sub-processors to run the service, including cloud hosting and database (Supabase), application hosting (Vercel) and transactional email (Resend). We do not sell personal data. Sub-processors are bound by contractual data-protection obligations.

Storage and international transfers

We aim to host personal data within the UK/EU. Where any transfer outside the UK/EEA is necessary, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or adequacy regulations.

Retention

We retain personal data for as long as needed to provide the service and to meet legal obligations, then delete or anonymise it. Customers control retention of the records they enter and can request export or deletion on termination.

Security

We apply technical and organisational measures including encryption in transit, row-level access controls scoped per care home, role-based permissions, and least-privilege service access. No system is perfectly secure, but we work to protect data appropriately for its sensitivity.

Your rights

Individuals have rights under the UK GDPR including access, rectification, erasure, restriction, portability and objection. Where we act as processor, please contact the relevant care provider (the controller); where we are the controller, contact us using the details below. You also have the right to complain to the Information Commissioner’s Office (ICO).

Cookies

We use essential cookies required for authentication and security. We do not use advertising cookies.

Contact

For any privacy question or to exercise your rights, contact us at hello@careiq.app. We will update this contact once our permanent domain is in place.