Draft — not legal advice. This document is a first draft intended to replace a broken footer link. It has not been reviewed by a solicitor. Verify the details with legal counsel before relying on it.

Privacy Policy

How we handle your personal data under UK GDPR and the Data Protection Act 2018.

Last updated 22 April 2026

1. Who we are

CareSyndicate is a healthcare workforce platform operated by Vertex Legacy Limited, a company registered in England and Wales. For the purposes of the UK GDPR and the Data Protection Act 2018, Vertex Legacy Limited is the data controller for personal data collected through caresyndicate.ai and related services.

You can contact our Data Protection team at privacy@caresyndicate.ai.

2. Scope

This policy covers personal data we collect from four types of people who use CareSyndicate:

  • Contractors — healthcare workers (nurses, carers, support workers, therapists) who sign up to find placements.
  • Care Providers — care homes, domiciliary agencies, and NHS bodies who post care packages and engage contractors.
  • Recruiters — healthcare recruitment agencies who place contractors on behalf of providers.
  • Visitors to our public website.

3. What personal data we collect

From all users

  • Name, email address, password (stored hashed), phone number.
  • Account activity logs, device information, IP address.

From contractors specifically

  • Date of birth, National Insurance number, home address, and either a Unique Taxpayer Reference (UTR) or a company registration number, depending on your payment route.
  • Professional qualifications (NMC PIN, HCPC registration, training certificates).
  • Compliance documents: DBS certificate, right-to-work evidence, photo ID, proof of address, public liability insurance, professional indemnity insurance.
  • Bank details for payment (encrypted at rest and only decrypted at the point of payroll export).
  • Health-related information where it is relevant to a role (for example, confirmation of occupational health clearance). This is special category data and we handle it with the additional safeguards described below.

From care providers and recruiters

  • Organisation name, registered office address, Companies House number, CQC registration, VAT number.
  • Named contacts (Registered Manager, Nominated Individual, billing contact, compliance lead).

4. Lawful basis for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract — processing necessary to deliver the services you have signed up for, including matching, payments, and statements.
  • Legal obligation — HMRC reporting, right-to-work verification, safeguarding, and regulatory compliance with the Care Quality Commission (CQC).
  • Legitimate interests — fraud prevention, service improvement, platform security. We balance these interests against your rights and you can object at any time.
  • Consent — marketing communications and any optional features clearly labelled as consent-based. You can withdraw consent at any time.

For health-related special category data, we rely on UK GDPR Article 9(2)(b) (employment, social security, and social protection law) and Schedule 1 of the Data Protection Act 2018 where applicable.

5. How we use personal data

  • To operate the platform: create and authenticate accounts, match contractors to care packages, manage engagements, process timesheets, generate self-billing statements, and pay contractors.
  • To meet compliance obligations: verify right-to-work, track DBS renewal dates, apply IR35 determinations, and generate CQC Regulation 19 evidence packs.
  • To communicate with you about your account, compliance deadlines, and platform updates.
  • To improve the platform — we use aggregated, de-identified usage data for analytics. We do not use your data to train third-party large language models.
  • To detect and prevent fraud, abuse, and safeguarding risks.

6. Who we share personal data with

We share data with third-party service providers (processors) who help us run the platform. Each processor is bound by a data processing agreement and only uses data for the purposes we instruct. Our current processors include:

  • Supabase (EU region) — authentication, database hosting, file storage.
  • Render — application hosting.
  • Resend — transactional email delivery.
  • Twilio — SMS notifications.
  • Sentry (EU region) — error monitoring.
  • Anthropic — AI assistance for matching explanations and platform insights. Prompts are scrubbed of sensitive identifiers before they are sent and we do not include health data, bank details, or full National Insurance numbers in prompts.

We also share data when required by law (for example, with HMRC for tax reporting) or to protect the vital interests of the individual or others.

7. International transfers

We aim to keep personal data within the UK and EEA. Where a processor is based outside those regions (for example, Anthropic in the United States), we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with appropriate supplementary measures.

8. Retention

We keep personal data only for as long as we need it for the purposes set out in this policy, or as required by law. Indicative retention periods:

  • Account data — for the life of your account, plus 12 months after closure.
  • Financial and tax records (self-billing statements, invoices, timesheets) — 7 years from the end of the tax year they relate to (HMRC requirement).
  • Compliance documents (DBS, RTW, training certificates) — for as long as you are active on the platform, plus 6 years after your last engagement.
  • Audit logs — 7 years.
  • Marketing preferences — until you unsubscribe.

9. Security

We apply technical and organisational measures appropriate to the risks involved in processing your data:

  • TLS 1.2+ in transit and AES-256 at rest.
  • Encryption of contractor bank details using envelope encryption — decrypted only in the payroll export stream, never shown in previews or admin listings.
  • Row-level security enforced at the database layer.
  • Role-based access inside the platform, with the principle of least privilege.
  • Audit logging of sensitive actions.

10. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Request erasure of your data, subject to legal retention obligations.
  • Restrict or object to processing in certain circumstances.
  • Receive your data in a portable format or ask us to transmit it to another controller.
  • Withdraw consent where processing is based on consent.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects. CareSyndicate's AI matching produces suggestions only — a human always makes the placement decision.

To exercise any of these rights, email privacy@caresyndicate.ai. We will respond within one month.

11. Cookies

We use a small number of first-party cookies required for authentication and session management. We do not use advertising cookies. Analytics, where used, are privacy-first and do not identify individuals.

12. Complaints

If you are unhappy with how we have handled your data, please contact us first so we can try to resolve it. You also have the right to complain to the Information Commissioner's Office (ICO).

13. Changes to this policy

We will update this policy from time to time. We will notify registered users of material changes by email and post the effective date at the top of this page.

14. Contact

Vertex Legacy Limited
Email: privacy@caresyndicate.ai
General: hello@caresyndicate.ai