Privacy policy

Who we are

CareResponse is a trading name of VAR Data Works, a sole proprietorship. When we say "CareResponse," "we," "us," or "our" in this policy, we mean VAR Data Works trading as CareResponse.

If you have questions about this policy, contact us at hello@careresponse.uk.

What we do

CareResponse is a care-alert routing service for UK home-care agencies. We connect to your care-management platform (such as PASS), read the visit notes your team writes, evaluate them against configurable rules, and dispatch SMS or voice alerts to the appropriate stakeholder when a concern is detected.

What data we process

To provide the service, we process:

• Care notes — text content of visit notes, including client name, carer name, visit time, and task completion records. These are read from your care-management platform via an authenticated API connection that you authorise.
• Stakeholder contact details — names, phone numbers, and email addresses of the people you designate to receive alerts (e.g. managers, families, social workers).
• User accounts — name, email address, and role of each person in your organisation who logs in to the CareResponse dashboard.
• Alert history — a timestamped audit log of every alert generated, including which rule fired, which stakeholder was contacted, and the delivery status.

Legal basis for processing

We process personal data under the UK GDPR on the following bases:

• Legitimate interests (Article 6(1)(f)) — the agency's legitimate interest in timely safeguarding and care quality, balanced against the data subjects' rights.
• Performance of a contract (Article 6(1)(b)) — to deliver the service you've subscribed to.

We act as a data processor on behalf of the care agency (the data controller). We process care notes and client data solely to provide the alerting service and do not use it for any other purpose.

Data sharing

We share data only with the sub-processors necessary to deliver the service:

• Twilio (US) — for SMS and voice call delivery. Twilio processes the stakeholder's phone number and the alert message content. Twilio is certified under the EU–US Data Privacy Framework.
• Cloud hosting provider — for running the application and database. Data is stored in UK or EU data centres.

We do not sell, rent, or trade personal data. We do not use care-note data to train machine-learning models.

Data retention

Alert history and audit logs are retained according to your plan tier, ranging from 14 days (trial) to indefinite (Enterprise). You can request deletion of all your data at any time by emailing hello@careresponse.uk. We will process deletion requests within 30 days.

Security

We protect data in transit with TLS encryption and at rest with AES-256 encryption. Access to production systems is restricted by role and requires multi-factor authentication. All API access is authenticated with short-lived JWT tokens scoped to your agency.

Your rights

Under the UK GDPR, individuals whose data we process have the right to access, rectify, erase, restrict processing of, or port their personal data. As we act as a data processor, these requests should typically be directed to your care agency (the data controller), who will instruct us accordingly. You can also contact us directly at hello@careresponse.uk.

Cookies

The CareResponse marketing website does not use tracking cookies or third-party analytics. The application dashboard uses a session token stored in your browser's local storage to keep you signed in; no advertising or analytics cookies are set.

Changes to this policy

We may update this policy from time to time. Material changes will be communicated to active subscribers by email. The "last updated" date at the top of this page reflects the most recent revision.