Privacy Policy

Our privacy policy and how we use your data

Last updated: 10 January 2025

This Privacy Policy explains how Day2Day Care processes personal data when you use our platform. We are the data controller for account, billing, and marketing data. For personal data you enter about service users, staff, and contacts within the product, we act as your data processor under your instructions.

1. Who we are

Day2Day Care (the “Service”) is provided for care organisations operating in the UK. To contact us about privacy, email legal@day2day.care.

2. Data we collect

  • Account and identity data (name, email, role, organisation, login credentials).
  • Contact details for people you add (e.g., carers, family contacts, clinicians, service users) and call/task records you store in the Service.
  • Usage, device, and technical data (log data, IP address, browser type, app events) for security and performance.
  • Billing and subscription data (plan, payment status, invoicing details).
  • Support communications and feedback you provide.
  • Cookie and similar technology data (see Cookie Policy).

3. How we collect data

  • Directly from you when you create an account, enter records, or contact support.
  • From your organisation’s authorised users who add you or assign work to you.
  • Automatically through logs, cookies, and analytics when you use the Service.

4. Lawful bases (UK GDPR)

  • Contract: to provide and support the Service you subscribe to.
  • Legitimate interests: to secure, improve, and support the Service, prevent abuse, and communicate necessary service updates.
  • Consent: where required for optional analytics, cookies, or marketing emails.
  • Legal obligation: to comply with applicable law and regulatory requests.
  • Vital interests: only in rare cases to protect life or physical safety.

5. How we use data

  • Operate, maintain, and improve the Service and its security.
  • Authenticate users, manage roles, and deliver multi-tenant access.
  • Provide support and training, and respond to requests.
  • Send service communications (e.g., security notices, changes to terms).
  • Provide analytics and audit trails for your organisation’s use; optional product analytics subject to consent where applicable.
  • Process payments and manage subscriptions.

6. Special category data and records you upload

The Service may be used to store information about residents, service users, or health interactions. You remain the data controller for that content. You must ensure a lawful basis under UK GDPR (and an appropriate Article 9 condition where health data is involved). We process such data only on your documented instructions to provide the Service, subject to a Data Processing Addendum (DPA) on request.

7. Sharing and processors

  • Service providers and subprocessors for hosting, communications, analytics, and support, bound by confidentiality and data protection terms.
  • Authorities or third parties where required by law, to protect rights, or to respond to lawful requests.
  • Business transfers if we undergo a merger, acquisition, or sale; we will notify you where legally required.

8. International transfers

Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), plus technical and organisational controls.

9. Retention

We keep personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Data may persist in backups for a limited period before deletion. You may request deletion of content; we will act where legally permitted.

10. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, and monitoring. You are responsible for securing user access, devices, and choosing strong authentication measures.

11. Your rights

Depending on your situation, you may have rights under UK GDPR: access, rectification, erasure, restriction, objection, data portability, and withdrawal of consent where we rely on consent. Submit requests to legal@day2day.care. You can lodge a complaint with the Information Commissioner’s Office (ICO) or your local supervisory authority.

12. Children

The Service is not directed to children under 18. Do not create end-user accounts for minors.

13. Cookies and similar tech

We use cookies and similar technologies for essential functions, preferences, analytics, and security. Details, choices, and consent controls are set out in our Cookie Policy.

14. Changes

We may update this Privacy Policy to reflect legal or product changes. We will post the updated version with a new “Last updated” date and notify you of material changes where reasonable.

15. Contact

For questions, data subject requests, or to request a DPA, contact legal@day2day.care.