Privacy notice
Last updated: 2026-05-26
This notice explains how Handby Ltd (company number 17092920), the company that operates the CarersDoc platform ("CarersDoc", "we"), handles personal data when you use the platform. We act as a data processor for our customers: care providers regulated by the CQC who use CarersDoc to manage their workforce records. The care provider that employs you is the controller of your data; CarersDoc processes it on their instruction. This notice covers our processor-side commitments and the small amount of data CarersDoc collects directly, as a controller, in order to operate the platform (account email, sign-in telemetry, audit log entries tied to your user ID).
Controller / processor
Your employer (the care provider using CarersDoc) is the controller of personal data about you and the people in their care. CarersDoc is the processor — we hold and process that data under written instruction in our Data Processing Agreement with each tenant. For data-subject rights requests (access, rectification, erasure), contact your employer first; they will use CarersDoc's built-in DSAR tooling to fulfil your request.
What we collect
- Account identity: your email address, name, role (carer / manager / HR admin / read-only director), and the tenant you belong to. Provided when your employer invites you.
- Sign-in telemetry: timestamps of successful and failed sign-ins, hashed IP addresses for fraud detection, and the MFA factor type used. A hashed IP address is pseudonymised rather than anonymised, so we still treat it as personal data. Retained for the life of your employer's tenancy (see Retention below).
- Tenant content: the documents, signatures, training records, and onboarding evidence created by your employer and you under their employment relationship. CarersDoc processes this under instruction; we do not analyse it or use it to train any model.
- Communications log: a record of emails and SMS messages CarersDoc sent on your employer's behalf (recipient address or number, timestamp, subject line, provider message ID, delivery status). The full message body is not retained beyond what is needed for delivery, typically a few minutes.
- Audit trail: every significant action you take in the platform is recorded in an append-only event log tied to your user ID. The log supports CQC inspection and our UK GDPR accountability record-keeping (Article 30). The audit log is retained for the life of your employer's tenancy plus the statutory floor for the relevant class of record.
Lawful basis
Where CarersDoc acts as a controller (e.g. for the small set of platform-operations data: your account email, IP-derived sign-in telemetry hashed for fraud prevention, audit log entries identifying which user took which action), we rely on legitimate interest (operating a secure platform our customers can trust) and contractual necessity (we can't provide the service without identifying who's signed in).
[SOLICITOR REVIEW: confirm legitimate-interest balancing test is documented (DPO deliverable per docs/dpo-brief.md); confirm contractual-necessity scope is accurate against the standard tenant DPA.]
Sub-processors
CarersDoc uses the following sub-processors to operate the platform. Each is bound by a Data Processing Agreement that flows down the controller-side obligations from your employer.
- Vercel Inc. — application hosting (region: London, UK).
- Amazon Web Services — Postgres, blob storage, email delivery (region: London, UK). Contracting entity (Amazon Web Services UK Ltd / EMEA SARL) is confirmed in the order form.
- Inngest Inc. — scheduled job execution (region: confirmed per the sub-processor register at docs/sub-processors.md before activation).
- Twilio Inc. — SMS delivery (UK carrier routing).
- Functional Software Inc. (Sentry) — error reporting, only if your employer enables it (region: confirmed per the sub-processor register at docs/sub-processors.md before activation).
The canonical, version-controlled list lives at docs/sub-processors.md in our public source repository.
Retention
Documents are retained per statutory floors enforced in code (see /admin/retention inside each tenant). The classes are:
- adult social-care personnel records: 8 years post-employment (CQC and NHS Records Management Code);
- general HR records: 6 years;
- child-related records: until the subject reaches age 25 (these require manual review and are not auto-actioned in v1).
The retention sweep runs daily at 06:00 Europe/London and actions documents whose deadline has passed. Account-level data (email, sign-in telemetry, audit-log entries identifying which user took which action) is retained for the life of your employer's tenancy; audit-log entries are additionally kept for any statutory floor that applies to the records they concern. On tenancy termination, deletion follows the wind-down schedule in our Terms of Service (export window, then production deletion, then backup rolloff).
[SOLICITOR REVIEW: retention floors listed match STATUTORY_FLOORS in src/server/lib/retention-evaluator.ts (lines 47–70). Statutory authorities we cite — CQC personnel retention + NHS Records Management Code Annex D for adult_care_8yr; general HR limitation period (Limitation Act 1980) for hr_6yr; child-records safeguarding floor (IICSA recommendations) for child_age25 — need solicitor sign-off against the actual statutory texts.]
Your rights
Under the UK GDPR you have the following rights in relation to your personal data. To exercise them, contact your employer (the controller) directly. They can use CarersDoc's DSAR workflow to fulfil access and portability requests.
- Right of access: see what personal data we hold about you.
- Right to rectification: correct inaccurate personal data.
- Right to erasure: ask for your data to be deleted, subject to statutory retention floors.
- Right to restriction: limit how we process your data while a dispute is being resolved.
- Right to portability: receive your personal data in a structured, machine-readable format.
- Right to object: object to processing based on legitimate interest.
Security
Personal data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Multi-factor authentication is required for high-risk roles. Multi-tenant data is isolated at the database level by PostgreSQL Row-Level Security, so an application query that omits the tenant filter returns no rows rather than another tenant's data. The full audit trail is hash-chained and tamper-evident: each entry commits to the hash of the entry before it, so editing or removing an earlier entry breaks the chain on verification.
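The following is an added illustration of what "hash-chained and tamper-evident" means in practice, together with the limit a practitioner should know about. It is not CarersDoc's code; the entry fields, helper names and sample events are assumptions constructed for this example. A chain walk catches an in-place edit or a deleted middle entry, but not an attacker with write access who rewrites an entry and recomputes every later hash, nor silent truncation of the newest entries; both require the head hash and length to be anchored somewhere the log writer cannot alter.

```typescript
import { createHash } from "node:crypto";

// Assumed entry shape; CarersDoc's real audit schema is not shown on this page.
export interface AuditEntry {
  seq: number;       // 1-based position in the chain
  tenantId: string;
  userId: string;
  action: string;
  at: string;        // ISO-8601 timestamp
  prevHash: string;  // hash of the previous entry; GENESIS for the first
  hash: string;      // SHA-256 over this entry's canonical form
}

type EntryBody = Omit<AuditEntry, "hash">;

export const GENESIS = "0".repeat(64);

// Fixed field order so the same entry always hashes to the same value.
export function hashEntry(b: EntryBody): string {
  const canonical = JSON.stringify([b.seq, b.tenantId, b.userId, b.action, b.at, b.prevHash]);
  return createHash("sha256").update(canonical).digest("hex");
}

export function appendEntry(log: AuditEntry[], tenantId: string, userId: string, action: string, at: string): AuditEntry {
  const prev = log[log.length - 1];
  const body: EntryBody = { seq: log.length + 1, tenantId, userId, action, at, prevHash: prev ? prev.hash : GENESIS };
  const entry: AuditEntry = { ...body, hash: hashEntry(body) };
  log.push(entry);
  return entry;
}

// Walk the chain from genesis. Returns the seq of the first entry whose sequence
// number, back-link or hash does not check out, or 0 if the chain is intact.
export function firstBrokenSeq(log: AuditEntry[]): number {
  let expectedPrev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const { hash, ...body } = log[i];
    if (body.seq !== i + 1 || body.prevHash !== expectedPrev || hashEntry(body) !== hash) return i + 1;
    expectedPrev = hash;
  }
  return 0;
}

// Chain walk plus a check against a head hash and length stored outside the
// log's own datastore (assumed to be written somewhere the log writer cannot alter).
export function verifyAgainstAnchor(log: AuditEntry[], anchoredHead: string, anchoredLength: number): boolean {
  if (firstBrokenSeq(log) !== 0) return false;
  if (log.length < anchoredLength) return false;           // truncation
  return log[anchoredLength - 1].hash === anchoredHead;    // rewrite of anchored history
}

// What an attacker with write access does: keep one edited entry and recompute all later hashes.
export function rechainFrom(log: AuditEntry[], seq: number): AuditEntry[] {
  const out: AuditEntry[] = log.slice(0, seq - 1).map((e) => ({ ...e }));
  for (const e of log.slice(seq - 1)) {
    const body: EntryBody = {
      seq: e.seq, tenantId: e.tenantId, userId: e.userId, action: e.action, at: e.at,
      prevHash: out.length ? out[out.length - 1].hash : GENESIS,
    };
    out.push({ ...body, hash: hashEntry(body) });
  }
  return out;
}

// Constructed sample events (not real CarersDoc data) exercising each case.
export function demo() {
  const log: AuditEntry[] = [];
  appendEntry(log, "tenant-a", "user-1", "document.upload", "2026-05-01T09:00:00Z");
  appendEntry(log, "tenant-a", "user-2", "training.sign", "2026-05-01T09:05:00Z");
  appendEntry(log, "tenant-a", "user-1", "document.delete", "2026-05-01T09:10:00Z");
  const head = log[log.length - 1].hash;
  const len = log.length;

  const edited = log.map((e) => ({ ...e }));
  edited[1].action = "training.void";          // 1. edit in place, no rehash
  const deleted = [log[0], log[2]];            // 2. middle entry removed
  const rewritten = rechainFrom(edited, 2);    // 3. edit plus recomputed later hashes
  const truncated = log.slice(0, 2);           // 4. newest entry dropped

  return {
    intact: firstBrokenSeq(log),
    edited: firstBrokenSeq(edited),
    deleted: firstBrokenSeq(deleted),
    rewrittenChain: firstBrokenSeq(rewritten),
    rewrittenAnchor: verifyAgainstAnchor(rewritten, head, len),
    truncatedChain: firstBrokenSeq(truncated),
    truncatedAnchor: verifyAgainstAnchor(truncated, head, len),
    originalAnchor: verifyAgainstAnchor(log, head, len),
  };
}
```

Cases 1 and 2 are caught by the chain walk alone (it reports entry 2 as the first bad one). Cases 3 and 4 pass the chain walk and are caught only by comparing against the anchored head hash and length, which is why "hash-chained" on its own is not the same as "tamper-evident against the database owner".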
Personal data breaches
Personal data breaches affecting your data will be notified to your employer (the controller) without undue delay after CarersDoc becomes aware of them, in line with UK GDPR Article 33(2). Your employer is obliged under UK GDPR Article 33(1) to notify the ICO within 72 hours of becoming aware of a notifiable breach; our notification is designed to leave them enough of that window to meet it. The breach workflow at /admin/breach supports both steps of that chain: our notification to your employer and their notification to the ICO.
International data transfers
Personal data is hosted in the United Kingdom on Vercel (region lhr1, London) and AWS (region eu-west-2, London). We do not transfer personal data outside the UK or EEA. Limited operational telemetry (error reports, if Sentry is enabled by your employer) may be processed in EU-region facilities; transfers from the UK to the EEA rely on the UK adequacy regulations, with UK GDPR Article 46 safeguards (standard contractual clauses) applied where adequacy does not cover the destination.
[SOLICITOR REVIEW: the active sub-processor register at docs/sub-processors.md is UK + UK-routed (AWS eu-west-2, Vercel lhr1, Twilio UK carrier). Sentry ships disabled by default (SENTRY_DSN unset = SDK no-op); activation requires confirming Sentry's worker-region matches the policy. Inngest region asserted as EU pending vendor RFI in the sub-processor register. Confirm the no-transfer-outside-UK-or-EEA position holds against this list.]
Contact
For questions about this notice or to exercise data-subject rights against CarersDoc as a controller of platform-operations data, contact us at the address below.
[SOLICITOR REVIEW: insert designated DPO or representative contact details once a DPO is appointed per docs/dpo-brief.md. UK GDPR Article 37 mandates this for processors handling special-category data on a large scale — see brief for the Article 37(1)(b) + 37(1)(c) reasoning.]
Changes to this notice
We will update this notice as the platform evolves. Material changes will be flagged in the application UI for at least 30 days before they take effect.