Privacy Policy
Last updated: 7 July 2026 · UK GDPR & Data Protection Act 2018 compliant
1. Who we are
PatientCare ("we", "us", "our") is a UK homecare management platform operated by Bluevels Technologies Ltd. Our registered office is 123 Care Street, London, SW1A 1AA. Company No. 12345678. For privacy queries contact us at hello@caretive.com.
2. The data we collect
We collect the minimum personal data needed to deliver the service:
- Account holders — name, work email, phone, agency name, password hash, login activity.
- Staff records — entered by your agency: contact details, employment history, DBS, training, payroll figures.
- Client records — entered by your agency: care plans, visit notes, MAR records, medical conditions where relevant to care.
- Technical data — IP address, browser type, device information for security and audit logging.
3. Lawful basis
We process personal data under the following UK GDPR lawful bases:
- Contract — to provide the service you have signed up for.
- Legal obligation — to comply with HMRC, CQC and Care Act 2014 requirements.
- Legitimate interest — to keep the platform secure and prevent fraud.
- Consent — for optional marketing emails, which you can withdraw at any time.
4. Where your data lives
All client and staff data is stored on UK-based infrastructure that meets the NHS Data Security and Protection Toolkit standards. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). We do not transfer personal data outside the UK without an adequacy decision or appropriate safeguards.
5. How long we keep it
We retain personal data only for as long as needed to provide the service or comply with UK law. Care records are retained for the minimum period required by the Care Act 2014. When you close your account we delete or anonymise your data within 90 days, except where retention is required by law.
6. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (Subject Access Request)
- Correct inaccurate or incomplete data
- Request deletion (right to be forgotten), subject to legal retention
- Restrict or object to processing
- Data portability — export in CSV or JSON
- Withdraw consent for marketing at any time
- Complain to the ICO at ico.org.uk
7. Cookies
We use only essential cookies needed for authentication and security. We do not use third-party tracking, advertising, or analytics cookies on the dashboard. The marketing site uses minimal first-party analytics to understand visitor patterns, with no cross-site tracking.
8. Sub-processors
We use the following sub-processors, all UK or EU based:
- UK hosting provider — infrastructure (London region)
- Stripe / GoCardless — subscription billing
- UK SMS & email gateway — appointment reminders and notifications
9. Changes to this policy
We will notify you by email at least 30 days before any material change to this policy. Continuing to use the service after that date constitutes acceptance of the new terms.