Privacy Policy
Last updated: 28 March 2026
1. Who we are
CareGist is a trading name of H-Kay Limited, registered in England and Wales (company number 10417923), with registered address at C/O Bilberry Accountants Ltd, Castle Court, 41 London Road, Reigate, England, RH2 9RJ.
We are the data controller for the personal data described in this policy. You can contact us at privacy@caregist.co.uk.
H-Kay Limited is not required to appoint a Data Protection Officer (DPO) under Article 37 of the UK GDPR as our core activities do not involve large-scale processing of special category data or systematic monitoring of individuals.
2. What data we collect
We collect and process the following personal data:
2.1 Data you give us
- Account registration: name, email address, and password. Passwords are hashed using industry-standard salted hashing algorithms. We never store passwords in plain text.
- Billing: processed by Stripe. We do not store card numbers, expiry dates, or CVV codes. Stripe's privacy policy applies to payment data.
- Enquiry forms: name, email, phone number, message content, and care requirements you submit when contacting a care provider through our platform.
- Reviews: name, email, review text, star rating, and relationship to the care provider. Reviews you submit may be published publicly on our website together with the name you provide and your relationship to the care provider.
- Provider claims: name, email, phone, role, and proof of association with the care provider.
2.2 Data we collect automatically
- API usage: API key, request timestamps, endpoints called, rate limit counters.
- Server logs: IP address, user agent, request path, response status code. These are collected for security monitoring and abuse prevention.
2.3 Care provider data
Our directory contains information about care providers sourced from the Care Quality Commission (CQC) public API. This includes provider names, addresses, phone numbers, CQC ratings, inspection dates, and service types. This data is published by CQC as a public authority under its statutory functions and is not personal data in most cases. Where it includes personal data (e.g., registered manager names in CQC reports), the lawful basis for our processing is legitimate interest (Article 6(1)(f) UK GDPR).
3. How we use your data
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Provide your account and API access | Contract (Art. 6(1)(b)) |
| Process payments via Stripe | Contract (Art. 6(1)(b)) |
| Send enquiries to care providers on your behalf | Consent (Art. 6(1)(a)) — you choose to submit the form |
| Publish reviews you submit | Consent (Art. 6(1)(a)) — reviews are published publicly with your name |
| Process provider claims | Legitimate interest (Art. 6(1)(f)) — verifying provider identity |
| Monitor API usage and enforce rate limits | Legitimate interest (Art. 6(1)(f)) — service security |
| Server logs, IP address logging, and security monitoring | Legitimate interest (Art. 6(1)(f)) — preventing abuse and securing the service |
| Publish care provider directory data from CQC | Legitimate interest (Art. 6(1)(f)) — public transparency |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest as our lawful basis, we have carried out a Legitimate Interest Assessment (LIA) to ensure our processing is necessary and that your rights and interests do not override our legitimate interests. You may request a copy of our LIA by emailing privacy@caregist.co.uk.
4. Who we share data with
4.1 Data processors
| Processor | Purpose | Location |
|---|---|---|
| Stripe Inc. | Payment processing | US (SCCs in place) |
| Railway Corp. | API and database hosting | US/EU |
| Vercel Inc. | Frontend website hosting | US/EU |
| Postcodes.io (ONS) | Postcode geocoding (no personal data sent) | UK |
These providers act as data processors and process data on our behalf under data processing agreements.
4.2 Other sharing
- Care providers — when you submit an enquiry form, we share your name, email, phone, and message with the care provider you are enquiring about. You consent to this sharing when you submit the form.
We do not sell your personal data to third parties. We do not use your data for advertising or profiling.
5. International transfers
Some of our data processors (Stripe, Railway, Vercel) process data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or by the processor's participation in recognised data transfer frameworks.
6. How long we keep data
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account, then 30 days |
| API usage logs | 90 days |
| Server logs (IP addresses) | 90 days |
| Enquiry form data | 12 months, then anonymised |
| Reviews | Published indefinitely; deleted on request |
| Provider claims | Duration of the claim, then 12 months |
| Billing records | 7 years (HMRC requirement) |
| Care provider directory data | Refreshed weekly from CQC; superseded data deleted |
7. Your rights
Under the UK GDPR and the Data Protection Act 2018, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your data ("right to be forgotten")
- Restrict processing — ask us to limit how we use your data
- Data portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, you can withdraw at any time
To exercise any of these rights, email privacy@caregist.co.uk. We will respond within 30 days (one calendar month) as required by law.
8. Security
We protect your data with:
- Passwords hashed using industry-standard salted hashing algorithms (never stored in plain text)
- API keys generated using cryptographically secure random tokens
- HTTPS encryption for all data in transit
- PostgreSQL database with access restricted to application services only
- Payment data handled entirely by Stripe (PCI DSS Level 1 certified)
- Environment variables for all secrets (never committed to source code)
9. Cookies
CareGist does not use tracking cookies, advertising cookies, or third-party analytics cookies. We may use essential cookies strictly necessary for the functioning of the website (e.g., session management). These do not require consent under the Privacy and Electronic Communications Regulations 2003 (PECR).
10. Automated decision-making
CareGist does not make automated decisions that produce legal or similarly significant effects on individuals. Any scoring or ranking of care providers (such as our data completeness tiers) is informational only and does not constitute an assessment of care quality.
11. Children
CareGist is not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will delete it promptly.
12. Our role
CareGist provides a directory and data platform about care providers. We do not provide care services, medical advice, or healthcare services. We are not responsible for the care provided by any listed provider. Always verify information directly with the care provider and check the latest CQC inspection report at cqc.org.uk before making care decisions.
13. Changes to this policy
We may update this privacy policy from time to time. Material changes will be notified by email to registered users. The "last updated" date at the top of this page indicates when it was last revised.
14. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF