Legal

GDPR & UK data protection

CareDeck is designed from the ground up to comply with UK GDPR and the Data Protection Act 2018.

UK GDPR compliance

CareDeck processes personal data — including special category health data — on behalf of UK care homes. We take this responsibility seriously and have built data protection into every layer of the platform, from column-level encryption to row-level security policies enforced at the database level.

Controller and processor roles

Your care home is the data controller for all resident data. CareDeck Ltd is your data processor under Article 28 UK GDPR. We process resident data only on your documented instructions and never for our own purposes.

A Data Processing Agreement (DPA) is available to all customers on request. Enterprise customers receive an executed DPA as part of their contract.

Data subject rights

Under UK GDPR, residents and other data subjects have the following rights. As data controller, your care home is responsible for handling subject access requests; CareDeck will assist you in fulfilling them within the platform.

Right of access

Data subjects can request a copy of the personal data held about them.

Right to rectification

Data subjects can request correction of inaccurate or incomplete data.

Right to erasure

Data subjects can request deletion of their data, subject to legal retention obligations.

Right to restriction

Data subjects can request that processing be limited in certain circumstances.

Right to portability

Data subjects can receive their data in a structured, machine-readable format.

Right to object

Data subjects can object to processing based on legitimate interests.

To exercise any right or to request assistance, contact our DPA Officer at dpo@caredeck.co.uk.

Special category data

Resident health data is "special category" data under UK GDPR Article 9. CareDeck processes this data under Article 9(2)(h) — provision of health or social care — and implements additional safeguards including column-level PGP encryption, role-based access control, and immutable audit logging.

International transfers

All personal data is stored and processed within the United Kingdom. No international transfers take place. We do not use cloud infrastructure based outside the UK for any personal data.

Retention and deletion

Resident data is retained for the period agreed in your DPA. When a subscription ends, data is held for 30 days to allow export, then securely and irreversibly deleted. Audit logs may be retained for longer where required by law or regulation.

Breach notification

In the event of a personal data breach, CareDeck will notify you without undue delay and within 72 hours of becoming aware, as required under UK GDPR Article 33. We will provide all information needed for you to assess your own notification obligations to the ICO and to affected individuals.

Data Protection Officer

CareDeck's Data Protection Officer can be contacted at dpo@caredeck.co.uk.

ICO registration

CareDeck Ltd is registered with the Information Commissioner's Office (ICO). You can verify our registration on the ICO's public register. Our ICO registration number is available on request.