Privacy Policy

Last updated: March 2026

1. Who We Are

PassCare Ltd (“PassCare”, “we”, “us”) is a UK-based healthcare training platform. We are the data controller for personal data processed through our Service. Contact: privacy@passcare.co.uk

2. What Data We Collect

• Account data: name, email address, job title, organisation name
• Training data: lesson progress, quiz answers, scores, completion dates, certificates
• Organisation data: organisation name, type, CQC IDs, staff list
• Billing data: processed by Stripe (we do not store card numbers)
• Usage data: pages visited, features used, device information (anonymised analytics)
• Communication data: support emails, feedback, NPS responses

3. Legal Basis for Processing

• Contract performance: processing necessary to deliver training services
• Legitimate interest: compliance tracking, platform improvement, fraud prevention
• Legal obligation: retention of training records as required by healthcare regulations
• Consent: marketing communications (you can withdraw at any time)

4. How We Use Your Data

• Delivering and personalising training content
• Tracking training compliance and generating certificates
• Providing compliance reports to your organisation's administrators
• Sending training reminders and expiry notifications
• Processing payments and managing subscriptions
• Improving the Service through anonymised analytics

5. Data Sharing

We share data only with:

• Your organisation: administrators can view training records of their staff
• Supabase: database hosting (London region, SOC 2 Type II compliant)
• Stripe: payment processing (PCI DSS Level 1 compliant)
• Vercel: application hosting
• Resend: transactional email delivery
• Certificate verifiers: minimal data (module name, dates, status) when a certificate QR code is scanned

We do not sell personal data to third parties.

6. Data Retention

Training records are retained for 6 years by default, aligned with the NHS Records Management Code of Practice. Organisations can configure their own retention period. Account data is deleted within 30 days of account closure. Billing records are retained for 7 years (HMRC requirement).

7. Your Rights (UK GDPR)

• Access: request a copy of your personal data (JSON export)
• Rectification: correct inaccurate data via your profile settings
• Erasure: request deletion of your account and data (Article 17)
• Portability: export your training records in a machine-readable format (Article 20)
• Restriction: restrict processing in certain circumstances
• Objection: object to processing based on legitimate interest

To exercise your rights, email privacy@passcare.co.uk. We will respond within 30 days.

8. Data Security

• All data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Row Level Security (RLS) enforces tenant isolation at the database level
• Regular security audits and penetration testing
• Staff access limited to minimum necessary (principle of least privilege)
• Security headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options

9. International Transfers

Data is primarily stored in the UK/EEA (Supabase London region). Where data is processed outside the UK (e.g., Vercel edge network), we ensure adequate safeguards are in place including Standard Contractual Clauses.

10. Cookies

We use essential cookies for authentication and session management only. We do not use third-party tracking cookies or advertising cookies. Analytics are server-side and anonymised.

11. Changes to This Policy

We may update this policy periodically. Significant changes will be notified via email to organisation administrators.

12. Contact & Complaints

Data Protection contact: privacy@passcare.co.uk

You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk