Last updated 2026-07-05
Curelo provides care-home management software to registered care providers ("customers"). This policy explains how we handle personal data across our website and application.
For the personal and special-category (health) data of residents and staff held in the application, the care provider is the data CONTROLLER and Curelo is the data PROCESSOR, acting on the provider's documented instructions under a Data Processing Agreement. For account and billing data of the customer's own staff administrators, Curelo is the controller.
Our Data Protection Officer can be reached at privacy@curelo.care.
For resident health data, the care provider (as controller) relies on Article 6(1)(c)/(e) and the Article 9(2)(h) condition (provision of health and social care) together with the associated Data Protection Act 2018 Schedule 1 condition. Curelo processes it only on the provider's instructions.
For customer account and billing data, our lawful bases are contract (Article 6(1)(b)) and legitimate interests (Article 6(1)(f)) in operating and securing the service.
Some features use AI to summarise or highlight information (for example care-note drafting, rota suggestions, and risk indicators). AI outputs are decision-support only and are not a diagnosis or a medical device; clinical judgement remains with the registered clinician.
Where an AI feature sends data to a third-party model provider, that provider is a sub-processor listed in our sub-processor register, bound by contract, and the transfer is covered by appropriate safeguards.
Care records are retained in line with the NHS Records Management Code of Practice — generally a minimum of 8 years after the end of care or after death, and longer where a specific legal requirement applies. Retention is set and instructed by the care provider as controller.
Right to erasure does not override these retention obligations for care records; where erasure cannot be honoured, we and the provider will explain why.
Account and billing data is retained for the duration of the customer relationship and as required for tax and accounting.
Individuals have rights of access, rectification, erasure (subject to retention law), restriction, portability and objection. Residents and their representatives should contact the care provider, who is the controller. Requests may also be raised with us at privacy@curelo.care and we will assist the controller.
You may complain to the Information Commissioner's Office (ico.org.uk).
Questions about this document? Contact privacy@curelo.care.