Privacy Policy & GDPR

How we protect your data and respect your privacy

Last updated: 2 March 2026 · Effective date: 2 March 2026

1. Introduction

This Privacy Policy explains how Pinnacle Care Management (“Pinnacle”, “we”, “us”, or “our”), a trading name of Phaino Labs LTD (Company Number pending), collects, uses, stores, and protects personal data when you use our cloud-based care management platform (the “Service”).

We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable data protection legislation. This policy should be read in conjunction with our Terms and Conditions.

2. Data Controller & Data Processor

Pinnacle acts as a Data Processor on behalf of our customer organisations (the “Data Controller”). Each care provider, children's home, or supported living service that subscribes to our platform is the Data Controller for the personal data they input into the Service.

For data relating to our customer accounts (billing contacts, administrators), Pinnacle acts as the Data Controller.

We process data on the following lawful bases under Article 6 of UK GDPR:

  • Contract performance — To provide the Service as agreed in our Terms
  • Legitimate interests — To improve our Service, prevent fraud, and ensure security
  • Legal obligation — To comply with applicable laws and regulatory requirements
  • Consent — For marketing communications, which you may withdraw at any time

3. What Data We Collect

3.1 Account & Billing Data (Data Controller)

  • Organisation name, address, and registration details
  • Administrator names, email addresses, phone numbers
  • Billing and payment information (processed securely via Stripe; we do not store card numbers)
  • Subscription tier, billing cycle, and usage data
  • CQC/Ofsted registration numbers (for regulatory validation)

3.2 Service Data (Data Processor)

Data entered by our customers into the platform may include:

  • Service user/young person records (names, dates of birth, health information)
  • Care plans, daily notes, observations, and risk assessments
  • Medication records and eMAR data
  • Incident reports, safeguarding records, and missing from care reports
  • Staff records, rosters, timesheets, and payroll data
  • Meeting minutes, supervision records, and audit trails
  • Voice recordings and AI-generated transcriptions
  • Documents, images, and uploaded files

Important: The nature, scope, and categories of personal data processed through the Service are determined by the Data Controller (our customer). We process this data solely on their instructions and in accordance with our Terms and any applicable Data Processing Agreement.

3.3 Technical Data

  • IP addresses, browser type, device information
  • Login timestamps and session data
  • Feature usage analytics (anonymised)
  • Error logs and performance metrics

4. How We Protect Your Data

We implement appropriate technical and organisational measures including:

  • Encryption in transit — All data is transmitted via TLS 1.2+ (HTTPS)
  • Encryption at rest — All stored data is encrypted using AES-256
  • Multi-factor authentication — MFA is enforced for all user accounts
  • Tenant isolation — Strict data separation between customer organisations, ensuring no cross-tenant data access
  • Role-based access control — Granular permissions limiting data access to authorised personnel only
  • Regular security audits — Ongoing vulnerability assessments and penetration testing
  • Automated backups — Regular encrypted backups with disaster recovery procedures
  • Rate limiting — API rate limiting and DDoS protection

5. Data Storage & International Transfers

All primary data is stored within the United Kingdom and the European Economic Area (EEA) using reputable cloud infrastructure providers.

Where data is processed by sub-processors outside the UK/EEA (such as for email delivery or payment processing), we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • UK International Data Transfer Agreements (IDTAs)
  • Adequacy decisions where applicable

Our key sub-processors include:

  • Appwrite Cloud — Authentication and database services (EU)
  • Supabase — Database and storage (EU/UK)
  • Stripe — Payment processing (US, certified under EU-US Data Privacy Framework)
  • Resend — Transactional email delivery
  • OpenAI/Azure — AI transcription services (data not retained for training)

6. Data Retention

We retain data as follows:

  • Active accounts — Service data is retained for the duration of the subscription
  • Account termination — Upon subscription cancellation, all customer data is retained for 30 days to allow for reactivation, then permanently deleted within 90 days
  • Billing records — Retained for 7 years as required by HMRC regulations
  • Audit logs — Retained for 12 months for security purposes
  • Anonymised analytics — May be retained indefinitely in aggregated, non-identifiable form

Data Controllers may request earlier deletion by contacting us. We will process such requests within 30 days, subject to any legal retention obligations.

7. Your Rights Under UK GDPR

As a data subject, you have the following rights:

  • Right of access (Article 15) — Request a copy of your personal data
  • Right to rectification (Article 16) — Request correction of inaccurate data
  • Right to erasure (Article 17) — Request deletion of your personal data (“right to be forgotten”)
  • Right to restriction (Article 18) — Request restriction of processing
  • Right to data portability (Article 20) — Receive your data in a structured, machine-readable format
  • Right to object (Article 21) — Object to processing based on legitimate interests
  • Rights related to automated decision-making (Article 22) — We do not make solely automated decisions with legal effects

For service user/young person data: These requests should be directed to your care provider (the Data Controller), who may then instruct us to action the request. We will assist Data Controllers in responding to data subject requests within the statutory 30-day timeframe.

8. Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify affected Data Controllers without undue delay and within 72 hours of becoming aware of the breach
  • Provide full details of the breach including nature, categories, approximate numbers of records affected, and remedial measures taken
  • Assist Data Controllers in notifying the Information Commissioner's Office (ICO) and affected data subjects where required
  • Document all breaches in our internal breach register regardless of severity

9. Cookies & Tracking

Our Service uses the following cookies:

  • Essential cookies — Required for authentication, session management, and security (cannot be disabled)
  • Functional cookies — Remember your preferences and settings
  • Analytics cookies — Help us understand how the Service is used (anonymised)

We do not use third-party advertising cookies or tracking pixels. We do not sell or share your data with advertisers.

10. Marketing Communications

We may send you service-related communications that are essential to the functioning of your account (e.g., security alerts, billing notifications, maintenance notices). These are not marketing and cannot be opted out of.

Marketing communications (product updates, newsletters, feature announcements) are sent only with your explicit consent. You may withdraw consent at any time by clicking “unsubscribe” in any marketing email or by contacting us.

11. Children's Data

Our platform is designed to be used by care providers working with children and young people. We acknowledge the heightened sensitivity of children's data and implement additional safeguards:

  • Children's data is processed solely on the instructions of the Data Controller (care provider)
  • Access to young person records is restricted by role-based permissions
  • All children's data processing complies with the ICO's Children's Code (Age Appropriate Design Code)
  • We do not directly collect data from children — all data is entered by authorised care professionals

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via email or through a prominent notice within the Service at least 30 days before the changes take effect.

Continued use of the Service after the effective date of a revised policy constitutes acceptance of the updated terms.

13. Contact Us & Complaints

For any privacy-related queries, data subject requests, or complaints:

Pinnacle Care Management

A trading name of Phaino Labs LTD

Data Protection Contact: privacy@pinnaclecare.app

General Enquiries: support@pinnaclecare.app

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk