All legal documents

Privacy Policy

Last updated 2026-07-05

Who we are

Curelo provides care-home management software to registered care providers ("customers"). This policy explains how we handle personal data across our website and application.

For the personal and special-category (health) data of residents and staff held in the application, the care provider is the data CONTROLLER and Curelo is the data PROCESSOR, acting on the provider's documented instructions under a Data Processing Agreement. For account and billing data of the customer's own staff administrators, Curelo is the controller.

Our Data Protection Officer can be reached at privacy@curelo.care.

What we process

  • Resident data: identifying details, NHS number, care plans, assessments, clinical observations, medication records, incidents, and related care documentation entered by the provider's staff.
  • Staff data: name, contact details, role, right-to-work and DBS status, training, supervisions, pay, and rota.
  • Account & usage data: email, authentication data, audit logs of actions taken in the system, and technical logs.
  • We do NOT sell personal data, and we do not use resident or staff data for advertising.

Lawful bases (UK GDPR)

For resident health data, the care provider (as controller) relies on Article 6(1)(c)/(e) and the Article 9(2)(h) condition (provision of health and social care) together with the associated Data Protection Act 2018 Schedule 1 condition. Curelo processes it only on the provider's instructions.

For customer account and billing data, our lawful bases are contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) in operating and securing the service.

AI features

Some features use AI to summarise or highlight information (for example care-note drafting, rota suggestions, and risk indicators). AI outputs are decision-support only and are not a diagnosis or a medical device; clinical judgement remains with the registered clinician.

Where an AI feature sends data to a third-party model provider, that provider is a sub-processor listed in our sub-processor register, bound by contract, and the transfer is covered by appropriate safeguards.

Retention

Care records are retained in line with the NHS Records Management Code of Practice — generally a minimum of 8 years after the end of care or after death, and longer where a specific legal requirement applies. Retention is set and instructed by the care provider as controller.

Right to erasure does not override these retention obligations for care records; where erasure cannot be honoured, we and the provider will explain why.

Account and billing data is retained for the duration of the customer relationship and as required for tax and accounting.

Security

  • Data is encrypted in transit (TLS) and at rest by our infrastructure providers.
  • Access is role-based and multi-tenant-isolated; every sensitive action is recorded in an immutable audit trail.
  • Two-factor authentication is available to all accounts and recommended for manager and above.
  • We operate on UK/EEA-hosted infrastructure; any transfer outside is covered by appropriate safeguards (see the sub-processor register).

Your rights

Individuals have rights of access, rectification, erasure (subject to retention law), restriction, portability and objection. Residents and their representatives should contact the care provider, who is the controller. Requests may also be raised with us at privacy@curelo.care and we will assist the controller.

You may complain to the Information Commissioner's Office (ico.org.uk).

Questions about this document? Contact privacy@curelo.care.