CAREFUL

CAREFUL Systems Limited — Privacy Notice

Version: 2.1 · Effective: 18 April 2026 · Last reviewed: 19 May 2026 · Owner: Data Protection Officer

1. Introduction

Careful Systems Limited ("CAREFUL", "we", "our" or "us") respects the privacy of the customers, prospective customers, website visitors, employees, contractors, suppliers, partners, and the clinical users and patients who interact with our software and our business.

This notice explains what personal data we handle, why, on what legal basis, who we share it with, and the rights available to you. See also our Cookie Policy.

CAREFUL handles personal data in three capacities:

  • As a controller — for our customers, prospective customers, website visitors, employees, contractors, suppliers, partners and job applicants. We decide why and how this data is processed.
  • As a processor — for data related to users and patients, including clinical records hosted within the CAREFUL platform. We process this data on behalf of healthcare organisations and other customers. In this case our customer is the controller and is responsible for informing data subjects about the processing. They are also legally responsible for managing the commitments and responsibilities of that relationship. Section 4 explains what this means for users and patients and what protections we apply.
  • As a controller for limited purposes — including in respect of clinical users' data where we determine the purpose ourselves: platform-wide security, product analytics and improvement, billing, our own service communications, and legal compliance. Section 3 explains this basis.

Controller details: Careful Systems Limited, registered in England and Wales (company number 10176186), registered office: Vestry House, Laurence Pountney Hill, London, EC4R 0EH, United Kingdom.

Data Protection Officer: our DPO can be contacted at privacy@careful.online — +44 (0) 800 955 2273

Applicable law: the UK GDPR and the Data Protection Acts in the UK; the EU GDPR and the EU e-Privacy rules in the EEA; the Australian Privacy Act in Australia. We follow the applicable national laws of any other jurisdiction in which we operate.

2. Personal data we collect, and why

We may collect the following data directly from you, or automatically when you use our website. In some cases we may receive your data from third parties. Where we obtain data from a source other than you, we identify some of those sources below.

2.1 Customers and prospective customers

Identity data (name, job title), contact data (work email, telephone), and records of our dealings with you (enquiries, contracts, support history). Source: you, your organisation, or publicly available business sources.

2.2 Website visitors

Technical data (IP address, browser and device information) and usage data (pages visited, on-site activity). Source: automatically via your browser and our analytics.

2.3 Clinical users

Identity and contact data, user name, and account and authentication data. Source: the customer organisation and the user.

Our role for this data is mixed (see Section 4): we act as a processor for the healthcare organisation when the data is used solely to provide the service, and as a controller for purposes we determine ourselves, such as platform security, product improvement and billing.

2.4 Employees and contractors

Identity and contact data, account and authentication data, and work product (contracts, source code, intellectual property, non-personal business data). Employee data is governed in detail by our internal staff privacy notice.

2.5 Job applicants

Identity and contact data, CV and application materials, references and right-to-work information. Source: you and, where relevant, recruiters or referees.

2.6 Suppliers and partners

Business contact details and information necessary to manage the relationship and meet our obligations.

2.7 Patients

We host the following data about patients on behalf of our customers. For this data the healthcare organisation or customer is the controller; CAREFUL acts as processor under a written Data Processing Agreement and processes patient data only on that organisation's documented instructions (see Section 4):

  • Identity data: first name, last name, date of birth, age or age group, gender
  • Contact data: home address, telephone number
  • Health (special category) data: NHS number or equivalent, medical condition, medical history, clinical observations and tracking information, information about medication and treatment

Note that we do not store any other special category information about patients, such as race, or religious or political affiliation.

3. Legal bases for processing where we are the controller

Under UK GDPR Article 6 we rely on:

  • Performance of a contract — to deliver our services and meet our obligations (account creation, authentication, support).
  • Legitimate interests — to operate, secure, market and improve our business, including direct marketing to existing customers, internal analytics and product development. We balance these interests against your rights and document that balancing.
  • Legal obligation — to comply with tax, employment, regulatory and clinical-safety obligations.
  • Consent — for optional marketing, non-essential cookies, and any other processing where we ask for it. You may withdraw consent at any time.

Where we process special-category (health) data as a processor for a healthcare organisation or customer, the legal basis is established by that controller, not by us. Typically this will be UK GDPR Article 9(2)(h) (provision of health or social care), but it may vary by jurisdiction.

We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

4. Patient and clinical-user data: our role and the protections we apply

This section applies to patient and clinical-user data hosted within CAREFUL by a healthcare organisation or other customer.

Who is responsible for your data. Your healthcare provider is the controller of your data and decides how it is used. CAREFUL is the processor: we host and process the data only on that provider's documented instructions and under a binding Data Processing Agreement. If you are a patient and wish to exercise your data rights, or have questions about how your clinical data is used, please contact your healthcare provider in the first instance. They are your primary point of contact and we will support them in responding.

Clinical users (clinicians and professional users authorised by a customer). When you access CAREFUL under a healthcare organisation's account, that organisation decides who is granted access and why. For the account and identity data used solely to provide the service to that organisation, we act as a processor on its instructions and it is the controller — so please raise questions about that data with your organisation in the first instance. Separately, we act as a controller for the limited purposes we determine ourselves (platform-wide security, product analytics and improvement, billing, our own operational communications, and legal compliance); for those purposes this notice and Section 3 govern, and you can exercise your rights with us directly at privacy@careful.online.

In addition to the requirements of our customer's instructions, the privacy and security of patient and clinical-user data hosted in CAREFUL is protected across several layers. In particular, this data is:

  • Hosted and stored within a jurisdiction that is appropriate to the patient, and not transferred outside that jurisdiction.
  • Encrypted both in transit and at rest.
  • Accessible only to authorised personnel under role-based access controls and strong authentication.
  • Held within an environment subject to independent security testing and continuous monitoring.
  • Managed under our information governance, clinical safety and data security programme.

More detailed technical and assurance evidence — such as our hosting architecture, security standards, sub-processor requirements and clinical safety case — may be provided to interested parties as required by law or at our discretion. Please apply at privacy@careful.online.

5. How we use your data

Depending on your relationship with us, we may use your data to:

  • manage customer, employee, contractor, applicant, partner and supplier relationships;
  • provide and host the CAREFUL platform;
  • offer customer support;
  • administer our business operations and finances;
  • undertake opt-in or legitimate-interest direct marketing;
  • improve our website, products and services;
  • assure security, fraud prevention and incident response;
  • comply with our legal, regulatory and clinical-safety obligations.

6. Sharing your data

We do not sell, rent or trade personal data. We share it only where necessary to operate our business, deliver our services, or comply with the law, and always under contractual or legal protections.

We use trusted sub-processors for infrastructure hosting, business productivity and collaboration, marketing communications, and software development and project management. For our hosting, we use only globally recognised infrastructure providers with appropriate ISO accreditation in data security and information governance.

A current list of sub-processors is available on request from privacy@careful.online. We notify customers of material changes in accordance with the relevant Data Processing Agreement.

7. International data transfers

CAREFUL platform user and patient data is hosted in jurisdictions appropriate to the customer for whom we act as processor. No such data is transferred internationally.

Other personal data is hosted primarily in the UK or EEA. Where personal data is transferred outside the UK, we rely on one of: a UK adequacy regulation or adequacy decision; the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or another lawful transfer mechanism, supplemented where appropriate by safeguards such as encryption and pseudonymisation.

8. How we protect your data

We apply technical and organisational measures appropriate to the sensitivity of the data, and require our sub-processors to do the same under written agreements:

  • Encryption of personal data in transit (TLS) and at rest
  • Role-based access controls and strong authentication
  • Pre-employment checks and confidentiality obligations for staff
  • Staff training on security, phishing and clinical safety
  • Regular vulnerability scanning and independent security review
  • Documented incident response and breach notification procedures
  • Physical and environmental security provided by our hosting providers, including 24/7 monitoring and restricted access

9. Data retention

We keep personal data only as long as necessary for the purposes for which it was collected, or as required by law. Patient data is retained according to the healthcare organisation's instructions and applicable national retention periods. Other typical periods:

  • Customer account records — duration of the relationship plus statutory limitation periods
  • Support enquiries — up to 2 years
  • Marketing — until you unsubscribe
  • Technical and security logs — up to 12 months unless required for an investigation

10. Your rights

Where we are the controller, you have rights under the UK GDPR and related legislation. These include the right to:

  • be informed about how your data is processed;
  • access your data;
  • rectify inaccurate or incomplete data;
  • erasure in certain circumstances;
  • restriction of processing in certain circumstances;
  • object to processing based on legitimate interests, or to direct marketing;
  • data portability for data you have provided to us;
  • not be subject to solely automated decisions with significant effects; and
  • withdraw consent where processing is based on consent.

To exercise these rights, email privacy@careful.online with "Data Request" in the subject line. We respond within one calendar month; for complex or numerous requests we may extend by up to two further months and will tell you why. We may ask you to verify your identity. Requests are free unless manifestly unfounded or excessive.

Patients: because your healthcare provider is the controller of your clinical data, please direct rights requests about that data to your healthcare provider, who we will support in responding. If you need help with this, please email privacy@careful.online.

11. Marketing

You may receive marketing from us where you have opted in, or under legitimate interests as an existing customer. Unsubscribe via the link in any marketing email, or by emailing privacy@careful.online with "Data Opt-Out" in the subject line. We do not share your data with partners or customers for their own marketing.

12. Cookies

We use cookies and similar technologies to operate our website and improve your experience. See our Cookie Policy for details and to manage preferences.

13. Children's privacy

We do not knowingly collect personal data directly from children through our website or business operations. Where CAREFUL hosts clinical records relating to children, it does so as a processor on behalf of, and under the responsibility of, the healthcare organisation that is the controller of that data. If you believe a child has provided us with personal data directly without appropriate authority, contact privacy@careful.online so we can act.

14. Changes to this notice

We may update this notice to reflect changes in our practices or the law. The version number and "Last updated" date above indicate when it was last revised.

15. Contact and complaints

Careful Systems Limited, Vestry House, Laurence Pountney Hill, London, EC4R 0EH, United Kingdom — company number 10176186.

General and data protection enquiries: privacy@careful.online · Phone: +44 (0) 800 955 2273

If you are not satisfied with our response, you may complain to the UK Information Commissioner's Office at ico.org.uk (helpline 0303 123 1113), or to the supervisory authority in your country of residence or work.