Care App is built with data protection at its core. We are registered with the Information Commissioner's Office (ICO) and comply fully with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Inkfinity Print Solutions Ltd operates as a data processor on behalf of care organisations that use the Care App platform. Each subscribing organisation is the data controller for the personal data of their staff and clients.
This means we only process personal data on the documented instructions of each organisation, and we never use that data for our own purposes.
We use one sub-processor to deliver the service:
Personal data is retained for the duration of the subscription. On termination, data is retained for 90 days to allow for export, after which it is permanently deleted in line with our Data Processing Agreement.
The following retention periods apply to specific data types held within the platform:

| Data Type | Retention Period | Reason |
|---|---|---|
| Client care records & support plans | 7 years post-discharge | Care sector best practice & potential legal claims |
| Medication records (MAR charts) | 2 years minimum | Medicines Management guidance |
| Incident & accident records | 3 years | Regulatory & insurance requirements |
| Staff records & timesheets | 6 years post-employment | Employment law & HMRC requirements |
| Financial records (invoices, subscriptions) | 6 years | Companies Act 2006 / HMRC |
| Audit logs | 3 years | GDPR accountability & regulatory inspection |
| Account data (post-termination) | 90 days | Data export window, then permanent deletion |

Retention periods reflect the requirements of the data controller (the subscribing care organisation). We retain data on the controller's behalf for the duration of the subscription. Controllers are responsible for ensuring their own retention policies comply with applicable law.
Individuals whose data is held within Care App have the following rights under UK GDPR:
Requests relating to individual rights should be directed to the subscribing organisation (the data controller) in the first instance. We will support controllers in fulfilling any requests we are required to assist with.
In the event of a personal data breach, we follow a documented incident response procedure. We notify affected organisations within 24 hours of confirming a breach and report to the ICO within 72 hours where required by law.
The following documents form our full data protection framework:
Our Article 28 UK GDPR compliant DPA, covering all processing obligations.
How we detect, contain, and report data breaches and security incidents.
The terms governing use of the Care App platform.
Care App does not use tracking cookies. However, to provide a secure and functional service, we use browser local storage to maintain your login session via Firebase Authentication. This is essential for the Service to work — without it you would be signed out every time you navigate between pages.
No data stored in local storage is shared with third parties or used for advertising. It contains only your authentication token and session state, which is cleared when you sign out.
For any data protection queries:
The UK Supervisory Authority is the Information Commissioner's Office (ICO): ico.org.uk · 0303 123 1113