Legal

Privacy Policy

Last updated: 1 April 2025. This policy explains how CareShift Ltd collects, uses, and protects your personal data.

UK GDPR Compliance. CareShift Ltd is registered with the Information Commissioner's Office (ICO). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller for personal data processed on the CareShift platform is:

CareShift Ltd
1 Canada Square, Canary Wharf
London, E14 5AB
United Kingdom

Data Protection Officer: dpo@careshiftltd.com

2. Personal Data We Collect

We collect the following categories of personal data:

  • Identity Data: Full name, date of birth, national insurance number (where required)
  • Contact Data: Email address, phone number, home address
  • Professional Data: Employment history, qualifications, professional registration numbers (e.g. NMC, HCPC)
  • Compliance Documents: DBS certificates, right-to-work documents, proof of address, references
  • Financial Data: Bank account details, payment history (processed via secure payment processors)
  • Usage Data: IP address, device information, pages visited, actions taken on the platform
  • Communication Data: Messages sent through the in-platform messaging system
  • Location Data: Approximate location for shift matching (not continuously tracked)

3. Lawful Basis for Processing

We process your personal data on the following lawful bases under UK GDPR:

  • Contract performance — to provide you with access to the Platform and our Services
  • Legal obligation — to comply with employment law, tax obligations, and anti-money laundering requirements
  • Legitimate interests — to improve the Platform, prevent fraud, ensure platform security, and send relevant product updates
  • Consent — for marketing communications and non-essential cookies (which you may withdraw at any time)

4. How We Use Your Data

We use your personal data to:

  • Create and manage your account
  • Match you with relevant shifts or workers
  • Verify compliance documents and professional credentials
  • Process payments and generate invoices
  • Facilitate communication between platform users
  • Provide customer support
  • Send transactional notifications (shift confirmations, compliance alerts)
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with our legal and regulatory obligations
  • Improve the Platform through aggregated analytics

5. Data Sharing

We do not sell your personal data. We share your data only:

  • With Care Organisations and Agencies as necessary to facilitate shift placements you have agreed to
  • With our trusted service providers who process data on our behalf (cloud hosting, payment processing, email delivery) under strict data processing agreements
  • With regulatory authorities (HMRC, ICO, CQC) where required by law
  • In the event of a corporate transaction (merger, acquisition), where we will notify you in advance

All third-party processors are contractually obligated to process data only as instructed and to maintain appropriate security standards.

6. International Transfers

Our platform infrastructure is hosted in data centres located in the United Kingdom and European Economic Area (EEA). Where data is transferred outside the UK/EEA, we ensure adequate safeguards are in place, including UK-approved Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to legal requirements:

  • Active account data: retained for the duration of your account
  • Shift and transaction records: 7 years (UK tax law requirement)
  • Compliance documents: until expiry plus 12 months, or as required by law
  • Audit logs: 2 years
  • Deleted account data: anonymised or deleted within 30 days of account closure, except where retention is legally required

8. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access — request a copy of personal data we hold about you
  • Right to rectification — ask us to correct inaccurate or incomplete data
  • Right to erasure — ask us to delete your data in certain circumstances
  • Right to restrict processing — ask us to pause processing of your data
  • Right to data portability — receive your data in a machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Rights related to automated decision-making — we do not make solely automated decisions with legal or significant effects

To exercise any of these rights, please email dpo@careshiftltd.com. We will respond within one calendar month. You also have the right to lodge a complaint with the ICO at ico.org.uk.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. These measures include end-to-end encryption, role-based access controls, regular security assessments, and staff data protection training.

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR.

10. Cookies

We use cookies and similar tracking technologies on our platform. For full details, see our Cookie Policy.

11. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by email and in-platform notification. The date of the most recent update is shown at the top of this page.

12. Contact

For data protection enquiries, contact our Data Protection Officer: dpo@careshiftltd.com

CareShift Ltd, 1 Canada Square, Canary Wharf, London, E14 5AB, United Kingdom

This Privacy Policy was last updated on 1 April 2025. CareShift Ltd is registered with the ICO (Registration No. ZA000000).