Privacy Policy

Last updated: 19 January 2026

Privacy Policy for Care Agencies

Effective Date: 5th January 2026
Last Updated: 17th January 2026

1. Introduction

This Privacy Policy explains how Vera ("we", "us", "our") processes personal data when providing our medication adherence monitoring service to domiciliary care agencies ("you", "your agency").

Vera provides AI-powered voice call services that help care agencies monitor medication adherence for their clients between care visits. This policy describes our role as a data processor and how we handle personal data on behalf of your agency.

🔑 Key Point

Your agency remains the data controller for all client personal data. Vera acts solely as a data processor, processing personal data only on your agency's documented instructions and in accordance with our Data Processing Agreement.

2. Our Role and Your Responsibilities

2.1 Data Controller vs Data Processor

  • Your agency is the data controller: You determine the purposes and means of processing your clients' personal data. You are responsible for compliance with UK GDPR, obtaining appropriate legal bases and consents, and fulfilling data subject rights.
  • Vera is the data processor: We process personal data only on your documented instructions, as set out in our Data Processing Agreement and service terms.

2.2 Your Obligations as Data Controller

When using Vera's services, you must:

  • Ensure you have a lawful basis for processing your clients' personal data through Vera (typically Article 6(1)(e) - public task or Article 6(1)(f) - legitimate interests, combined with Article 9(2)(h) - health/social care provision for special category data)
  • Obtain appropriate consent from clients for Vera to contact them by telephone as part of your care delivery
  • Provide clients with the "Privacy Notice for Care Recipients" (available from Vera) explaining how their data will be processed
  • Ensure clients understand they can withdraw consent to Vera calls at any time (though this may affect your ability to provide medication monitoring)
  • Comply with all UK GDPR requirements including data subject access requests, rectification, erasure, and other rights
  • Only provide Vera with personal data necessary for medication adherence monitoring

3. What Data We Process on Your Behalf

When providing services to your agency, we process the following categories of personal data about your clients:

3.1 Client Identification Data

  • Full name
  • Date of birth
  • Telephone number
  • Client reference number (assigned by your agency)
  • Address (optional, for emergency services coordination if required)

3.2 Health-Related Data (Special Category Data under Article 9)

  • Medication schedule (times when medications should be taken)
  • Medication names (optional - not required for basic service)
  • Call response data (whether client confirmed taking medication, reported issues, or did not answer)
  • Voice recordings of calls between Vera's AI system and your clients
  • Transcripts of these calls
  • Flags and alerts regarding missed medications or reported problems

3.3 Service Usage Data

  • Call logs (date, time, duration, outcome)
  • System interaction data (dashboard access by your staff)
  • Communication between your agency and Vera (support tickets, emails)

3.4 Agency Data

  • Your agency name, address, and CQC registration number
  • Names and contact details of authorised staff members who access Vera's dashboard
  • Billing and payment information

4. How We Process Data on Your Behalf

4.1 Purposes of Processing

We process your clients' personal data solely to:

  • Make scheduled voice calls to clients at medication times
  • Record and transcribe these calls for accuracy verification
  • Generate alerts when clients miss medications or report problems
  • Provide dashboard reporting on medication adherence trends
  • Maintain records for quality assurance and service improvement
  • Comply with legal obligations and regulatory requirements

4.2 Legal Basis for Our Processing

As a data processor, we rely on your agency's legal basis for processing. We understand that you will typically rely on:

  • Article 6(1)(e) - processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority (provision of social care)
  • Article 9(2)(h) - processing necessary for health or social care purposes, including the management of health or social care systems and services

4.3 Our Sub-Processors

We engage the following sub-processors to deliver our services:

Sub-Processor | Purpose | Data Processed | Location
Twilio | Telephony infrastructure for making calls | Phone numbers, call metadata | UK/EU data centres
n8n Cloud | Workflow automation and orchestration | All client data during call processing | EU data centres
Retell AI | Real-time voice AI conversation management | Voice data, call transcripts | UK/EU data centres
ElevenLabs | Voice synthesis (via Retell) | Text scripts (no personal data) | UK/EU data centres
Supabase | Database storage | All client data, call records, transcripts | UK data centres
Amazon Web Services (AWS) | Cloud hosting infrastructure | All data at rest | UK (London region)

Sub-Processor Management: We maintain a Data Processing Agreement with each sub-processor requiring equivalent data protection standards. We will notify you of any changes to sub-processors with reasonable notice.

Data Location: All personal data is stored on servers physically located in the United Kingdom. Data may transit through EU data centres during processing but is never stored outside the UK/EU.

5. Data Security

5.1 Technical and Organisational Measures

We implement appropriate technical and organisational measures to protect personal data, including:

Technical Measures:

  • Encryption in transit (TLS 1.3) for all data transmission
  • Encryption at rest (AES-256) for all stored data
  • Access controls and authentication (multi-factor authentication for all staff)
  • Regular security testing and vulnerability assessments
  • Automated backup systems with encryption
  • Secure API authentication for all integrations

Organisational Measures:

  • Staff training on data protection and confidentiality
  • Access to personal data limited to staff who require it for service delivery
  • Confidentiality agreements for all staff and contractors
  • Incident response procedures
  • Regular review of security measures
  • Data processing policies and procedures

5.2 Data Breach Notification

In the event of a personal data breach affecting your clients' data, we will:

  • Notify your agency without undue delay and within 72 hours of becoming aware
  • Provide details of the nature of the breach, categories and volume of data affected, and likely consequences
  • Describe measures taken or proposed to address the breach and mitigate harm
  • Cooperate with your agency in fulfilling your own notification obligations to the ICO and affected data subjects

6. Data Retention

6.1 Retention Periods

We retain personal data on your behalf for the following periods:

  • Call recordings and transcripts: 6 years from date of call (aligns with CQC record-keeping requirements and Care Act 2014 guidance)
  • Call metadata and adherence records: 6 years from date of call
  • Client contact information: Duration of your service subscription plus 30 days
  • Anonymised/aggregated data: Indefinitely (for service improvement and quality assurance)

These retention periods align with:

  • Care Quality Commission record-keeping guidance
  • Social care statutory requirements
  • Limitation periods for potential claims

6.2 Deletion Upon Request

When you request deletion of specific client data or terminate your subscription:

  • We will securely delete or return all personal data within 30 days of your request or contract termination
  • You may request data export in common formats (CSV, JSON) before deletion
  • Deletion is permanent and irreversible
  • We may retain anonymised data that cannot be linked back to individuals

7. Your Rights and Our Support

As the data controller, you are responsible for responding to data subject rights requests from your clients. We will assist you by:

7.1 Access Requests (Article 15)

  • Providing copies of all personal data we hold about specific clients within 72 hours of your request
  • Supplying data in commonly used electronic formats

7.2 Rectification (Article 16)

  • Correcting inaccurate data immediately upon your instruction
  • Updating client records in our systems within 24 hours

7.3 Erasure/Right to be Forgotten (Article 17)

  • Deleting client data upon your instruction within 30 days
  • Providing confirmation of deletion

7.4 Restriction of Processing (Article 18)

  • Temporarily suspending calls to specific clients while disputes are resolved
  • Maintaining but not further processing data as instructed

7.5 Data Portability (Article 20)

  • Exporting client data in structured, machine-readable formats (CSV, JSON)

7.6 Objection (Article 21)

  • Immediately ceasing calls to clients who object to processing
  • Maintaining records only as required by law

8. International Transfers

We do not transfer personal data outside the United Kingdom or European Economic Area. All data is:

  • Stored on servers physically located in the UK (London region)
  • Processed by sub-processors with UK or EU data centres
  • Subject to UK GDPR and Data Protection Act 2018

If we ever need to transfer data outside the UK/EEA, we will:

  • Notify you in advance
  • Implement appropriate safeguards (Standard Contractual Clauses or adequacy decisions)
  • Obtain your prior consent where required

9. Audits and Compliance

9.1 Your Audit Rights

You have the right to:

  • Request information about our data processing activities
  • Conduct audits of our data processing practices (with reasonable notice and during business hours)
  • Review our Data Processing Agreement and sub-processor agreements
  • Request evidence of compliance with UK GDPR

9.2 Our Compliance Commitments

We commit to:

  • Annual third-party security audits
  • Maintaining ISO 27001 certification (target: Year 2)
  • Regular staff training on data protection
  • Cooperation with ICO investigations if required
  • Transparency about any compliance incidents

10. Data Processing Agreement

This Privacy Policy should be read together with our Data Processing Agreement, which sets out:

  • Detailed processing instructions
  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data and categories of data subjects
  • Your obligations and our obligations
  • Sub-processor terms
  • Liability and indemnification

The Data Processing Agreement forms part of your service contract with Vera.

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in data protection law
  • New features or services
  • Changes to our sub-processors
  • Improvements to our security measures

We will notify you of material changes by:

  • Email to your registered contact at least 30 days before changes take effect
  • Prominent notice in the Vera dashboard
  • Updating the "Last Updated" date at the top of this policy

Continued use of our services after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

12.1 Data Protection Enquiries

For questions about this Privacy Policy or our data processing practices:

Email: sam.evans@veracare.co.uk
Data Protection Officer: Sam Evans

12.2 Complaints

If you have concerns about how we process personal data, you have the right to complain to:

Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113
Website: www.ico.org.uk

However, we encourage you to contact us first so we can address your concerns directly.


13. Definitions

Data Controller: The organisation that determines the purposes and means of processing personal data (your care agency).

Data Processor: The organisation that processes personal data on behalf of the data controller (Vera).

Data Subject: The individual whose personal data is being processed (your clients receiving care).

Personal Data: Any information relating to an identified or identifiable natural person.

Special Category Data: Sensitive personal data including health data, which requires additional protection under Article 9 of UK GDPR.

Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.


Document Version: 1.0
Approved By: Samuel Evans, Co-founder
Next Review Date: 17th January 2027

⬇️ Different Policy Below

Privacy Notice for Care Recipients

About This Notice

Your care agency uses Vera, a telephone service that calls you at medication times to help you remember to take your medicines. This notice explains how your information is used when you receive calls from Vera.

This notice is written in plain English to be as clear as possible. If you have any questions, please ask your care worker or care coordinator.


Who This Notice Is For

This notice is for you if:

  • You receive care at home from a domiciliary care agency
  • Your care agency has arranged for Vera to call you about your medications
  • You receive telephone calls from Vera's automated voice system

The Simple Version

What happens:

  • Vera calls you at the times you're supposed to take your medications
  • You confirm whether you've taken your medicines
  • If you miss medications or have problems, Vera alerts your care agency
  • Your care agency can see reports about your medication adherence

Your information:

  • We keep your name, phone number, and medication schedule
  • We record the phone calls and what you say
  • We store this information securely for 6 years
  • We only share it with your care agency and people who help us provide the service

Your rights:

  • You can stop receiving Vera calls at any time by telling your care agency
  • You can ask to hear your call recordings
  • You can ask us to correct wrong information
  • You can complain if you're unhappy about how your information is used

The Full Details

1. Who We Are

Vera is a service provided by Vera Care Ltd.

We provide telephone medication reminder calls on behalf of your care agency. Your care agency has asked us to call you to help ensure you take your medications safely between care visits.

⚠️ Important

Your care agency remains in charge of your care and your information. We only process your information on their behalf and following their instructions.

2. What Information We Collect About You

When your care agency uses Vera to support your care, we collect and use:

Personal Details

  • Your full name
  • Your telephone number
  • Your date of birth
  • A reference number your care agency uses to identify you

Health Information

  • The times you should take your medications each day
  • The names of your medications (only if your care agency provides this)
  • Whether you confirm taking your medications during calls
  • Any problems you report (such as side effects, missed doses, or running out of medication)

Call Records

  • Audio recordings of telephone calls between you and Vera's automated system
  • Written transcripts of what was said during calls
  • The date, time, and length of each call
  • Whether you answered the call or not

3. How We Collect Your Information

We receive your information from:

  • Your care agency: They provide your name, phone number, date of birth, and medication schedule
  • Telephone calls: We record what you say when Vera calls you
  • Our automated system: This tracks when calls are made and answered

We do not collect information from any other sources.

4. Why We Use Your Information

We use your information to:

  1. Make medication reminder calls: Calling you at the times you should take your medications
  2. Check you've taken your medicines: Recording your responses when you confirm or report issues
  3. Alert your care agency: Letting them know if you miss medications, report problems, or don't answer calls
  4. Keep records: Documenting that medication monitoring is happening (required by care regulations)
  5. Improve the service: Making sure calls are clear and helpful
  6. Comply with the law: Meeting requirements for care record-keeping

Your care agency is legally responsible for your care and your information. They use your information because:

  • Health and social care law requires them to monitor your medication safety
  • They have a duty of care to support you with medications
  • The Care Quality Commission expects them to have systems for medication monitoring

Your care agency should have explained Vera to you and asked if you consent to receiving these calls. You can withdraw this consent at any time by telling your care agency.

⚠️ Important

Even if you stop Vera calls, your care agency must still monitor your medications in another way, as this is part of their duty of care to you.

6. Who We Share Your Information With

Your Care Agency

  • We send alerts when you miss medications or report problems
  • We provide reports showing your medication adherence patterns
  • Your care coordinators and care workers can see this information on their dashboard

Companies That Help Us Provide the Service

We use other companies to help deliver Vera calls. These are called "sub-processors" and include:

  • Telephone companies that connect the calls to you
  • Computer companies that store your information securely
  • Technology companies that power the voice system and convert speech to text

All these companies:

  • Are based in the United Kingdom or European Union
  • Only use your information to provide the Vera service
  • Have strict contracts requiring them to keep your information safe
  • Cannot use your information for their own purposes

Legal Requirements

We may share your information if:

  • Required by law or court order
  • Necessary to prevent serious harm
  • Required by regulators like the Care Quality Commission

We will never:

  • Sell your information to anyone
  • Use it for marketing
  • Share it with anyone not listed above
  • Send it outside the UK or Europe

7. How We Keep Your Information Safe

We take your privacy seriously and use multiple security measures:

Technical Security:

  • All information is encrypted (scrambled) when stored and when sent
  • Strong passwords and access controls
  • Regular security checks
  • Automatic secure backups

Organisational Security:

  • Only staff who need to access your information can do so
  • All staff are trained on confidentiality
  • Strict policies about handling your information
  • Regular audits of our security

Call Recording Security:

  • Recordings are encrypted immediately
  • Stored on secure UK servers
  • Only accessible to authorised care agency staff and Vera support team
  • Never shared outside these groups

8. How Long We Keep Your Information

We keep your information for:

  • Call recordings and transcripts: 6 years from the date of each call
  • Medication adherence records: 6 years from each record
  • Your contact details: While your care agency uses Vera, plus 30 days after they stop

Why 6 years?

  • This matches Care Quality Commission requirements for care records
  • It aligns with legal time limits for potential complaints or claims
  • Your care agency may need these records for regulatory inspections

After these time periods, we securely and permanently delete your information.

If your care agency asks us to delete your information sooner (for example, if you stop receiving their care), we will delete it within 30 days.

9. Your Rights

You have important rights about your information:

Right to Access Your Information

You can ask to see:

  • All information we hold about you
  • Recordings of your calls with Vera
  • Reports sent to your care agency

How: Contact your care agency or email us at sam.evans@veracare.co.uk. We'll provide this within one month, free of charge.

Right to Correct Wrong Information

If any information about you is wrong (for example, wrong phone number or medication times), you can ask us to correct it.

How: Tell your care agency or email sam.evans@veracare.co.uk. We'll update it within 24 hours.

Right to Delete Your Information

You can ask us to delete your information if:

  • You stop receiving care from the agency
  • You withdraw consent for Vera calls
  • The information is no longer needed

How: Tell your care agency or email sam.evans@veracare.co.uk. We'll delete it within 30 days.

Note: We may need to keep some information if required by law (for example, if there's an ongoing CQC investigation).

Right to Restrict Use

You can ask us to temporarily stop using your information while issues are resolved (for example, if you dispute its accuracy).

How: Contact your care agency or email sam.evans@veracare.co.uk.

Right to Stop Vera Calls

You can stop receiving Vera calls at any time.

How: Tell your care worker, care coordinator, or call your care agency. They will stop Vera calls immediately.

⚠️ Important

Your care agency must still monitor your medications in another way, so they may arrange alternative check-ins.

Right to Complain

If you're unhappy about how your information is used, you can complain to:

Your Care Agency First:
They should handle complaints about your care and how Vera is used

Then Vera:
Email: sam.evans@veracare.co.uk

The Information Commissioner's Office (ICO):
If you're still unhappy after raising concerns with us:

Telephone: 0303 123 1113
Website: www.ico.org.uk
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

The ICO is the UK regulator for data protection.

10. Automated Decision-Making

What this means: Vera is an automated system - a computer makes the calls and processes your responses without a human listening to every call.

How it works:

  • Vera's computer system calls you at scheduled times
  • It asks if you've taken your medication
  • It recognises your answer and records it
  • If you say you haven't taken medication or report problems, it alerts your care agency automatically

Human oversight:

  • Your care agency reviews alerts and takes action
  • Care coordinators monitor adherence reports
  • Humans make all care decisions - the computer just collects and reports information

You have the right to:

  • Request human review of any alerts or decisions
  • Object to automated processing
  • Have your care agency review call transcripts if there are concerns about accuracy

11. Family Members and Representatives

If you have:

  • Lasting Power of Attorney (Health and Welfare)
  • A Court-appointed deputy
  • A designated family representative

They can exercise your rights on your behalf, including:

  • Requesting access to your information
  • Asking for corrections or deletions
  • Making complaints

They will need to provide proof of their authority (such as LPA documentation).

Current access: Currently, only your care agency staff can see your Vera information. Family members cannot access the dashboard or reports directly. This may change in future, and we will update this notice if it does.

12. Changes to This Notice

We may update this notice if:

  • We add new features to Vera
  • Laws about data protection change
  • We change how we process information

If we make significant changes, your care agency will give you a new copy of this notice.

13. Questions or Concerns

If you have questions about this notice or how your information is used:

Ask your care worker or care coordinator - They can explain how your care agency uses Vera.

Contact Vera directly:

We can provide this notice in other formats:

  • Large print
  • Audio recording
  • Different languages
  • Easy Read version

Just ask your care agency or contact us directly.


Quick Summary Card

You can keep this section as a reminder:

What Vera does: Calls you at medication times to check you've taken your medicines
What we keep: Your name, phone number, medication times, and recordings of calls
How long: 6 years (to meet care regulations)
Who sees it: Your care agency and companies that help us run the service
Where it's stored: Secure computer servers in the UK
Your rights: See your information, correct mistakes, delete it, stop calls, complain
To stop calls: Tell your care agency anytime
Questions: Ask your care worker or email sam.evans@veracare.co.uk

Document Version: 1.0
Last Updated: 17th January 2026
Next Review: 17th January 2027


This notice has been written to meet UK GDPR transparency requirements while remaining accessible to elderly care recipients. It uses plain English and avoids legal jargon wherever possible.
