Legal

Privacy Policy

Last updated: 10 June 2026

BoolCare is a platform used by care professionals to manage resident records, care plans, and risk assessments. Because it processes health data, we have written this policy to be specific, transparent, and legally precise. Please read it carefully.

1. Who We Are

BoolCare is a product of Boolbase Ltd (“Boolbase”, “we”, “us”, “our”), a technology company registered in England and Wales.

  • Trading name: BoolCare
  • Parent company: Boolbase Ltd
  • Website: boolcare.co.uk
  • Application: app.boolcare.co.uk
  • ICO Registration: [Registration pending — to be updated]
  • Contact: hello@boolcare.co.uk

2. Data Controller vs Data Processor

This distinction is important and affects your rights:

Your organisation is the Data Controller

The care home, supported living provider, or organisation that uses BoolCare is the Data Controller for all resident personal data entered into the platform. You determine the purposes for which resident data is collected and processed. You are responsible for ensuring you have a lawful basis for entering and storing that data.

BoolCare is the Data Processor

Boolbase Ltd acts as a Data Processor when processing resident data on your behalf. We process that data only according to your documented instructions (i.e. the features you use within the platform) and for no other purpose. We do not access, use, or share resident data except to provide the contracted service.

A Data Processing Agreement (DPA) is available on request and governs the processing of resident data between your organisation and Boolbase Ltd. To request a DPA, contact hello@boolcare.co.uk.

BoolCare is the Data Controller for staff account data

For data about staff accounts (names, email addresses, roles), Boolbase Ltd is the Data Controller. The lawful basis for this processing is contract performance — providing the agreed service to your organisation.

3. What Data We Collect

3.1 Staff account data (Boolbase is Controller)

  • Name, email address, and job role
  • Login activity and session data
  • Notification preferences
  • Audit log entries (who did what, and when)

3.2 Resident data — Special Category (Your organisation is Controller; Boolbase is Processor)

Resident data entered into BoolCare constitutes Special Category personal data under UK GDPR (Article 9) because it relates to health and care needs. This includes:

  • Personal identifiers — full name, date of birth, NHS number, room number
  • Health information — diagnoses, medications, allergies, care needs, body maps
  • Care plans and risk assessments
  • Daily notes, handover notes, and form submissions
  • Emergency contact details
  • Photos (if uploaded)

Your organisation, as Data Controller, must identify and document an appropriate lawful basis for processing this data. For most care providers this will be Article 6(1)(b) (contract of care) and Article 9(2)(h) (health or social care purposes).

3.3 AI query data

When staff use the AI Assistant, queries and responses are processed server-side. Queries may contain resident context data necessary to answer the question. AI processing logs are retained for 30 days for debugging and security purposes, then permanently deleted. This data is never used to train AI models.

3.4 Technical and analytics data

  • Anonymous page view and feature usage analytics (Vercel Analytics — no cookies, no personal identifiers)
  • Server-side request logs (IP address, timestamp, route) — retained for 30 days for security monitoring
  • Error and performance logs — retained for 14 days

3.5 Billing data

  • Subscription and payment history
  • Payment method details are handled entirely by Stripe — we never store card numbers

4. How We Use Your Data

Staff account data (we are Controller)

  • To provide access to the BoolCare platform
  • To send service-related notifications (never marketing without consent)
  • To maintain security, prevent fraud, and comply with legal obligations
  • To produce audit trails required by CQC and other regulators

Resident data (we are Processor)

  • To store and display records as requested by your organisation
  • To generate AI-assisted care plans, risk assessments, and reports
  • To provide the AI Assistant with context to answer staff queries
  • For no other purpose without your explicit instruction

5. Sub-Processors

We use the following third-party sub-processors to provide the service. All are bound by data processing agreements and operate under GDPR-equivalent standards:

  • Supabase — database and authentication provider. Resident data is stored in Supabase’s UK region only.
  • Vercel — hosting and edge network. Application code and static assets are served via Vercel’s infrastructure. No resident data is stored in Vercel.
  • OpenAI — AI processing for care plan generation, risk assessments, and the AI Assistant. Data is processed under OpenAI’s Data Processing Agreement. OpenAI does not use data submitted via the API to train its models. Prompts containing resident data are transmitted only to answer the specific query.
  • Resend — transactional email delivery (e.g. invitation emails, AI-generated report emails). Recipient addresses are shared; message content is deleted from Resend servers after delivery.
  • Stripe — payment processing and subscription management. Payment card data is processed directly by Stripe and never stored by Boolbase.

We will notify you of any changes to this sub-processor list with at least 14 days’ notice, giving you the opportunity to object before the change takes effect.

6. Data Transfers Outside the UK

All resident data is stored in the UK (Supabase UK region). Some sub-processors (OpenAI, Resend, Stripe) may process data in the United States. Each operates under the UK International Data Transfer Agreement (IDTA) or equivalent safeguards. No resident data is stored permanently outside the UK.

7. Security

We employ the following technical and organisational measures:

  • Row-level security (RLS) — each organisation can only access its own data at the database level
  • Encryption in transit — all data is transmitted over TLS 1.2+
  • Encryption at rest — all data stored in Supabase is encrypted at rest
  • Audit trail — all significant actions are logged with user, timestamp, and change details
  • Access controls — role-based access (Manager, Senior Carer, Staff) limits what each user can see
  • No service key in clients — privileged database access keys are server-side only and never exposed to browsers or mobile apps

8. Data Retention

  • Resident data: Retained for the duration of your subscription. On cancellation, data is retained for 30 days to allow export, then permanently deleted.
  • Staff account data: Deleted within 30 days of account closure or staff removal.
  • Audit logs: Retained for 7 years to support regulatory compliance and CQC inspections.
  • AI query logs: Retained for 30 days then permanently deleted.
  • Billing records: Retained for 7 years for accounting and legal purposes.
  • Technical/server logs: Retained for 30 days then deleted.

9. Your Rights Under UK GDPR

Rights relating to staff account data (Boolbase is Controller)

You have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your data (subject to legal retention obligations)
  • Restriction — request that we limit processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests

To exercise these rights, email hello@boolcare.co.uk. We will respond within 30 days.

Rights relating to resident data (your organisation is Controller)

For requests relating to resident data, the Data Controller is your organisation. Residents or their representatives should direct rights requests to your organisation directly. We will support you in fulfilling those requests.

10. Data Breach Notification

In the event of a personal data breach, we will notify affected organisations within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Notification will include the nature of the breach, the categories and approximate number of individuals affected, likely consequences, and measures taken or proposed to address it.

11. Cookies

The marketing website (boolcare.co.uk) uses no tracking cookies. Vercel Analytics collects anonymous usage data without cookies or personal identifiers.

The BoolCare application (app.boolcare.co.uk) uses technically necessary session cookies only to maintain your authenticated session. These are essential for the application to function and do not require consent under PECR.

12. Children and Vulnerable Adults

BoolCare is designed for use by care professionals to manage records of residents in their care, which may include elderly or vulnerable adults and, in some settings, children. All resident data is classified as sensitive and processed with the highest level of care. We do not knowingly collect personal data from children under 18 as direct users of the platform.

13. Changes to This Policy

We will notify active subscribers of material changes by email with at least 14 days’ notice before changes take effect. The “last updated” date at the top of this page reflects the most recent revision. Continued use of the service after the effective date constitutes acceptance.

14. Complaints

If you are unhappy with how we handle your data, please contact us first at hello@boolcare.co.uk. If we are unable to resolve your concern, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):