Skip to content

Legal

Privacy Policy

Last updated 12 June 2026

Draft for review. This document is written to be accurate and substantive, and it is subject to a final check by our legal advisers before launch. If a point here affects a decision you are making, please contact us first so we can confirm it.

VircareOS provides software for UK home care agencies. This policy explains what personal data we handle, why, and how we protect it. It is written to meet the UK GDPR and the Data Protection Act 2018.

Care data is sensitive. We treat it that way. The short version: care records belong to the agency that creates them, we hold them on the agency’s behalf, every agency’s data is isolated from every other, and you can export or delete your data.

1. Who we are

VircareOS (“we”, “us”) provides the VircareOS platform at vircareos.com. We are registered with the UK Information Commissioner’s Office (ICO). Our registered company details and Data Protection contact will be confirmed on this page at launch.

You can reach us about privacy through our contact form. We will route data protection questions to the right person.

2. Our two roles: controller and processor

Data protection law distinguishes the “controller” (who decides why and how data is used) from the “processor” (who acts on the controller’s instructions). We act in both roles, depending on the data:

  • We are the processor for the care data an agency enters: clients, visits, notes, medication records, risk assessments, and similar. The agency is the controller. We process this data only to provide the service and on the agency’s instructions.
  • We are the controller for account data we need to run VircareOS itself: the names and emails of the people who sign in, sign-up details, billing contacts, support messages, and basic usage and security logs.

Where we are the processor, a data processing agreement governs that relationship. We will make our standard processor terms available to agencies on request.

3. What we process and why

The categories of personal data we handle include:

  • Account and contact data: names, email addresses, role, and the agency you belong to.
  • Care records entered by agencies: client details, visit times and locations at clock-in and clock-out, care notes, medication and administration records, risk assessments, body maps, incidents, consent records, and safeguarding entries.
  • Special category data: health and care information, which receives extra protection under the law.
  • Carer work data: schedules, hours, and the portable work record a carer chooses to build.
  • Technical data: sign-in security logs, device and browser information, and audit trails of who changed what.

We do not sell personal data. We do not use care data to train AI models. We do not run third-party advertising trackers on the product.

4. Lawful bases

For account data where we are the controller, we rely on these lawful bases under Article 6 of the UK GDPR:

  • Contract: to create and run your account and provide the service you signed up for.
  • Legitimate interests: to keep the service secure, prevent abuse, and improve reliability, balanced against your rights.
  • Consent: for optional marketing emails, which you can withdraw at any time.
  • Legal obligation: where we must keep or disclose data to meet a legal duty.

For care data, the agency as controller sets the lawful basis. Health and care information is special category data; the condition for processing it is normally the provision of health or social care under Article 9(2)(h), and safeguarding of individuals at risk where relevant. We process it as a processor under the agency’s instructions.

5. How we store and protect it

Our security model is built into the architecture, not bolted on:

  • Data is hosted in UK and EU regions.
  • Strict tenant isolation: row level security in the database keeps each agency's data separate, enforced at the data layer, not only in the interface.
  • Encryption in transit, and encryption of secrets at rest.
  • Role-based access: managers, carers, and family members each see only what their role allows.
  • Compliance records are append-only. They are superseded, never silently overwritten or hard-deleted, so the history stays intact.
  • Audit logging records sensitive changes with who, what, and when.
  • Documents and photos are held in private storage and served through short-lived signed links.

6. Sub-processors and international transfers

We use a small number of trusted providers to run the service. Current sub-processors are:

  • Supabase: database, authentication, and file storage, in EU and UK regions.
  • Vercel: application hosting and content delivery.
  • Resend: transactional email, such as invitations and account messages.

Where data is processed outside the UK, we rely on appropriate safeguards such as UK approved standard contractual clauses. We will keep an up to date list of sub-processors available to agencies, and give notice of material changes.

7. How long we keep data

We keep account data for as long as your account is active, and for a limited period afterwards to meet legal and security needs, then we delete or anonymise it.

For care records, the agency decides the retention period in line with its own obligations. Care records in the UK are often kept for several years after care ends, and longer for children, depending on the agency’s statutory duties. We retain and delete care data on the agency’s instruction.

8. Your rights

Under UK GDPR you have the right to:

  • Be informed about how your data is used.
  • Access a copy of your data.
  • Have inaccurate data corrected.
  • Have data erased in certain circumstances.
  • Restrict or object to certain processing.
  • Data portability, to receive your data in a usable format.
  • Withdraw consent at any time, where we rely on consent.

For account data, contact us and we will respond within the time limits the law sets. For care records, the agency is the controller, so a request may be handled by the agency; we will support the agency in responding. We never charge to export your data, and there is no lock-in.

9. People at risk and special protection

Care often involves older people, people with dementia, and other people who may be vulnerable. We apply the least-privilege principle throughout: each person sees only the data their role needs. Family members see care visibility, never operational or compliance internals. Safeguarding records receive the strictest access controls.

10. Personal data breaches

We maintain controls to detect and contain security incidents. Where a breach is likely to result in a risk to people’s rights, we will report it to the ICO without undue delay and within 72 hours where required, and we will inform affected controllers so they can meet their own duties.

11. Cookies

We use only the cookies needed to sign you in and keep your session secure. We do not use advertising or cross-site tracking cookies. The brand intro animation uses your browser’s local storage to remember that you have seen it, so it does not replay; that stays on your device.

12. Changes to this policy

We may update this policy as the product develops or the law changes. We will revise the date at the top and, for material changes, give notice in the product or by email.

13. Contact and complaints

Please raise any concern with us first through our contact form so we can put it right. You also have the right to complain to the ICO at ico.org.uk.