Privacy Policy

CareEvidence AI Ltd (“we”, “us”, “CareEvidence AI”) is a company registered in England and Wales. We provide a software platform that helps UK adult social care providers prepare DoLS, MCA, risk and CQC evidence using AI-assisted drafting and human-reviewed approval workflows.

You can contact us by email at hello@care-evidence-ai.com.

For data about a care provider’s residents, service users, relatives and staff, the care provider is the controller and CareEvidence AI Ltd is a processor acting on documented instructions from that controller.

For data we collect directly — such as your account email, billing details, support correspondence, and how you use the marketing site — CareEvidence AI Ltd is the controller.

• Account data: name, work email, organisation, role, encrypted password hashes (handled by Amazon Cognito).
• Care content (processed on behalf of the controller): care notes, daily logs, risk assessments, capacity assessments, DoLS documentation, uploaded documents, AI drafts and reviewer decisions. This may include special-category data under UK GDPR Article 9 (health data).
• Audit metadata: who did what and when in the platform — required for compliance and inspection.
• Operational telemetry: error logs, latency metrics, security events. We aim to keep these free of resident-identifiable content.

As processor for care content, our processing is governed by the Data Processing Agreement between CareEvidence AI Ltd and the controller (the care provider). The lawful basis is determined by the controller, typically a combination of legitimate interests, legal obligation (CQC, Mental Capacity Act 2005, DoLS) and consent where applicable.

As controller for account, billing and platform-operations data, we rely on contract performance (UK GDPR Art 6(1)(b)), legitimate interests in operating, securing and improving the service (Art 6(1)(f)), and legal obligations such as accounting and tax law (Art 6(1)(c)).

AI drafts are generated only when an authorised user asks the platform to draft from selected care evidence. The active AI provider is recorded in our sub-processor register before use with real care data, and must be covered by terms that prohibit model training on customer care content sent through the integration. Drafts are returned to the platform, stored against the source note, and held in the human-review queue until approved or rejected by a designated reviewer in your organisation.

AI output is decision-support only. It is not a substitute for professional judgement and must not be the sole basis for any decision about an individual’s care, capacity, or liberty.

The pilot stack uses managed infrastructure for web hosting, API/worker compute, database, document storage, queues, identity, billing, email and monitoring. The current production sub-processor list, regions and transfer safeguards are maintained in our DPA and sub-processor register.

Where a sub-processor operates from outside the UK / EEA, the transfer must be covered by an appropriate lawful transfer mechanism such as the UK International Data Transfer Agreement, UK Addendum to EU SCCs, adequacy regulations, or another reviewed safeguard.

Care content is retained for as long as the controller’s subscription is active, plus a default 90-day grace period after termination during which the controller may export their data. After the grace period expires, care content is deleted from primary storage and from backups in line with our deletion runbook.

Account data, billing records and audit metadata are retained for the period required by UK accounting and tax law (currently six years from the end of the relevant accounting period).

Individuals have rights under UK GDPR including access, rectification, erasure, restriction, portability, and objection. Where CareEvidence AI Ltd is a processor (most resident data), please direct rights requests to your care provider as the controller. We will support the controller in responding within statutory timeframes.

For data where CareEvidence AI Ltd is the controller (account, billing, support), email privacy@care-evidence-ai.com.

We use sub-processors for hosting, database, storage, identity, billing, email, monitoring, and optional AI inference. The full list with addresses, regions, transfer safeguards and contact details is available on request as part of our DPA. The current draft register includes:

• Amazon Web Services — storage, queues, identity and optional email/AI services
• Neon — managed database
• Render — API and worker hosting
• Vercel — web hosting
• Stripe — checkout, invoices and subscriptions
• Resend, Postmark or AWS SES — transactional email, depending on environment
• Sentry — error monitoring
• Anthropic or AWS Bedrock — optional AI inference when enabled

See our Security page for a summary of our technical and organisational measures, including row-level tenant isolation, encryption in transit and at rest, MFA, audit logging and incident response.

You can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk. We’d appreciate the chance to address concerns first — please email privacy@care-evidence-ai.com.

We will notify active customers by email if a material change to this policy requires renewed acceptance. The current version is v2026-05-04.