Legal

Privacy Notice

Last updated: 17 July 2026

This notice is maintained by VitalEasy Care Solutions Ltd and explains how we handle personal data about people who use our services, apply to work with us, or visit this website. We handle health and care data in line with the UK GDPR, the Data Protection Act 2018, the common law duty of confidence and the Caldicott Principles.

1.Who we are (the controller)

VitalEasy Care Solutions Ltd is the "data controller" for the personal data described in this notice. We are registered with the Information Commissioner's Office (ICO). You can contact our Data Protection Lead at dpo@vitaleasycare.com or by post at our registered office.

2.The personal data we collect

  • Clients & representatives: name, contact details, date of birth, NHS number, GP/next-of-kin details, funding source (self-funder, local authority, CHC, direct payments), care needs, risks, medication, health conditions, care plan notes, visit records and incident reports.
  • Candidates: name, contact details, right-to-work evidence, CV, references, qualifications, DBS/PVG results, occupational-health information and interview notes.
  • Website visitors: device and connection information, pages viewed, and information you provide through enquiry or application forms.

Health, disability, ethnicity, religion and criminal-record information are "special category" or criminal-offence data and receive additional protection.

3.Lawful bases for using your data

Under UK GDPR we rely on the following lawful bases:

  • Contract — to deliver the care services set out in your Care & Support Agreement, or to progress your job application.
  • Legal obligation — for record keeping required by CQC/Care Inspectorate, HMRC, safeguarding, health & safety and employment law.
  • Vital interests — where processing is necessary to protect someone's life, e.g. sharing information in a medical emergency.
  • Legitimate interests — to run and improve our service, prevent fraud and secure our systems, balanced against your rights.
  • Consent — for optional marketing communications, testimonials, and non-essential cookies. You may withdraw consent at any time.

For special-category health data we additionally rely on Article 9(2)(h) UK GDPR — provision of health and social care — and, where relevant, 9(2)(b) for employment/social protection and 9(2)(c) for vital interests. This is supported by conditions in Schedule 1 of the Data Protection Act 2018.

4.How we use your data

  • Assessing needs, planning and delivering safe, person-centred care.
  • Managing medication, incidents, safeguarding and continuity of care.
  • Recruiting, vetting, training and rostering our care workforce.
  • Meeting regulatory, tax, and insurance obligations.
  • Improving service quality through audit, supervision and complaints handling.
  • Communicating with you about your care or application.

5.Who we share it with

We only share information where there is a lawful basis and a genuine need. Recipients may include:

  • Your GP, community nursing, hospital and pharmacy teams involved in your care.
  • Local authority commissioners, NHS Continuing Healthcare and social workers where they fund or coordinate care.
  • The Care Quality Commission, Care Inspectorate Scotland, Care Inspectorate Wales and other regulators on lawful request.
  • Safeguarding authorities, the police and coroners where required by law or to protect someone at risk.
  • Trusted processors who host our systems (cloud database and file storage), payroll, DBS checks and occupational health, all under written data-processing agreements.

We do not sell personal data and do not use it for automated decisions with legal or similarly significant effects.

6.International transfers

Our systems are hosted within the UK/EEA wherever possible. Where a processor transfers data outside the UK, we rely on UK adequacy regulations or the ICO's International Data Transfer Agreement / EU Standard Contractual Clauses with the UK Addendum, together with a transfer risk assessment.

7.How long we keep it

  • Adult social care records: 8 years after the end of care, in line with the Records Management Code of Practice 2021.
  • Safeguarding records: retained in line with local authority requirements, typically at least 8 years.
  • Employee records: 6 years after employment ends; DBS certificate details typically 6 months, unless a longer period is justified.
  • Unsuccessful applicants: up to 12 months, then securely deleted unless you ask us to keep them longer for future roles.
  • Website enquiry data: up to 24 months from last contact.

8.How we protect your data

We use encryption in transit and at rest, role-based access control, multi-factor authentication for staff, audit logging, secure backups and staff training on confidentiality and information governance. Uploaded documents (such as CVs) are stored in a private storage bucket accessible only to authorised staff. We follow the Caldicott Principles: information about a person's care is shared only when justified, proportionate and on a need-to-know basis.

9.Your rights

Under UK GDPR you have the right to:

  • Be informed about how we use your data (this notice).
  • Request a copy of the personal data we hold about you (subject access).
  • Ask us to correct inaccurate data or complete incomplete data.
  • Ask us to erase data where there is no ongoing lawful reason to keep it.
  • Restrict or object to certain processing, including direct marketing.
  • Data portability where processing is based on consent or contract and is automated.
  • Withdraw consent at any time where consent is the lawful basis.

To exercise any right, email dpo@vitaleasycare.com. We will respond within one month. Some rights are qualified where records must be retained for regulatory, safeguarding or safety reasons.

10.Cookies

We use a small number of strictly necessary cookies to keep the site secure and remember your form entries. Analytics or marketing cookies, if any, are only set with your consent under the Privacy and Electronic Communications Regulations (PECR).

11.Complaints to the regulator

If you are unhappy with how we handle your data, please contact us first so we can put things right. You also have the right to complain to the Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF — ico.org.uk — 0303 123 1113.

12.Changes to this notice

We review this notice at least annually and update it when our processing changes. The "last updated" date at the top of the page reflects the most recent revision.

See also our Terms & Conditions.