Privacy Policy

Our privacy policy and how we use your data

Last updated: 10 January 2025

This Privacy Policy explains how Day2Day Care processes personal data when you use our platform. We are the data controller for account, billing, and marketing data. For personal data you enter about service users, staff, and contacts within the product, we act as your data processor under your instructions.

1. Who we are

Day2Day Care (the “Service”) is a US-based platform provided for care organisations operating globally, including the UK. To contact us about privacy, email legal@day2day.care.

2. Data we collect

  • Account and identity data (name, email, role, organisation, login credentials).
  • Contact details for people you add (e.g., carers, family contacts, clinicians, service users) and call/task records you store in the Service.
  • Usage, device, and technical data (log data, IP address, browser type, app events) for security and performance.
  • Billing and subscription data (plan, payment status, invoicing details).
  • Support communications and feedback you provide.
  • Cookie and similar technology data (see Cookie Policy).

3. How we collect data

  • Directly from you when you create an account, enter records, or contact support.
  • From your organisation’s authorised users who add you or assign work to you.
  • Automatically through logs, cookies, and analytics when you use the Service.

4. Lawful bases (UK GDPR & Global Privacy Laws)

Depending on your location (such as the UK, EEA, or US states with specific privacy laws), we process your data based on the following lawful bases:

  • Contract: to provide and support the Service you subscribe to.
  • Legitimate interests: to secure, improve, and support the Service, prevent abuse, and communicate necessary service updates.
  • Consent: where required for optional analytics, cookies, or marketing emails.
  • Legal obligation: to comply with applicable law and regulatory requests.
  • Vital interests: only in rare cases to protect life or physical safety.

5. How we use data

  • Operate, maintain, and improve the Service and its security.
  • Authenticate users, manage roles, and deliver multi-tenant access.
  • Provide support, training, and respond to requests.
  • Send service communications (e.g., security notices, changes to terms).
  • Provide analytics and audit trails for your organisation’s use; optional product analytics subject to consent where applicable.
  • Process payments and manage subscriptions.

6. Special category data and records you upload

The Service may be used to store information about residents, service users, or health interactions. You remain the data controller for that content. You must ensure a lawful basis under applicable privacy laws (such as UK GDPR and appropriate Article 9 conditions, or US health privacy laws) to process such data. We process such data only on your documented instructions to provide the Service, subject to a Data Processing Addendum (DPA) or Business Associate Agreement (BAA) on request.

7. Sharing and processors

  • Service providers and subprocessors for hosting, communications, analytics, and support, bound by confidentiality and data protection terms.
  • Authorities or third parties where required by law, to protect rights, or to respond to lawful requests.
  • Business transfers if we undergo a merger, acquisition, or sale; we will notify you where legally required.

8. International transfers

As a US-based company, your data may be stored or processed in the United States and other regions. Where personal data is transferred from the UK or EEA, we rely on appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA), plus technical and organisational controls.

9. Data Retention and Deletion Policy

We keep personal data for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Data may persist in backups for a limited period (typically up to 90 days) before being securely overwritten.

How to Request Data Deletion

You have the right to request the deletion of your personal data. To initiate a data deletion request, you can:

  • Email us directly at legal@day2day.carewith the subject line "Data Deletion Request".
  • If you are a user within an organisation (e.g., a care worker), please contact your organisation's administrator first, as they are the data controller for your workplace records.

What Data is Deleted or Kept

Upon receiving a verified deletion request, we will delete your account credentials, profile information, and associated personal identifiers. However, please note that certain types of data may be retained even after a deletion request:

  • Legally Required Records: We must retain certain care records, audit logs, and compliance documentation to meet US, UK, and other regional health and social care regulatory requirements.
  • Financial Data: Billing and transaction history will be retained for tax and accounting purposes (typically 7 years).
  • Anonymised Data: We may retain aggregated, de-identified data that can no longer be linked to you for analytics and service improvement.

10. Security

We use appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, and monitoring. You are responsible for securing user access, devices, and choosing strong authentication measures.

11. Your rights

Depending on your situation and location (e.g., under UK GDPR, EU GDPR, or applicable US state laws like the CCPA/CPRA), you may have rights to: access, rectification, erasure (deletion), restriction, objection, data portability, and to withdraw consent where we rely on consent. You may also have the right to opt-out of the "sale" or "sharing" of personal information, though Day2Day Care does not sell your personal data. Submit requests to legal@day2day.care. You can lodge a complaint with the Information Commissioner’s Office (ICO) in the UK or your local supervisory authority.

12. Children

The Service is not directed to children under 18. Do not create end-user accounts for minors.

13. Cookies and similar tech

We use cookies and similar technologies for essential functions, preferences, analytics, and security. Details, choices, and consent controls are set out in our Cookie Policy.

14. Changes

We may update this Privacy Policy to reflect legal or product changes. We will post the updated version with a new “Last updated” date and notify you of material changes where reasonable.

15. Contact

For questions, data subject requests, or to request a DPA, contact legal@day2day.care.