Privacy Policy for Businesses

Privacy Policy (Business Clients)

Introduction: This Privacy Policy for Business Clients explains how Health Pros Network Ltd (“we” or “us”), operating CareTag.uk, collects and uses personal data in the context of providing services to our business and institutional clients (“Business Clients”). If you represent a company or organisation that uses CareTag (either via a self-hosted model or CareTag-hosted model), this Policy is relevant to you and to the individuals whose data you may ask us to process as part of the service. We are committed to complying with the UK GDPR and UK data protection laws in all aspects of our service delivery.

There are typically two scenarios for Business Clients:

  1. Self-Hosted Model (Model A): We provide your organisation with guidance, materials, or software to implement a CareTag-like solution on your own systems. In this case, you (the Business Client) largely control the data environment.

  2. CareTag-Hosted Model (Model B): We host the CareTag profiles for your organisation’s members on our platform, similar to our service for individual users, but under a contract with your organisation. We act as a data processor on your behalf for the personal data of your members/employees that you provide or ask us to handle.

This Policy covers both personal data about you as our direct client (e.g., business contact details) and personal data of your members that we may process in Model B. We aim to clarify roles and responsibilities in each case.

Data Controller vs Data Processor: When we process personal data of individuals in hosted profiles under contract to a Business Client, the Business Client is usually the primary “data controller” determining the purpose (providing an emergency info service for its members) and we act as a “data processor” following the client’s instructions. For personal data that we collect about our Business Client contacts (like the name and email of the person arranging the service), we act as a data controller for that data (managing our business relationship). This Policy will indicate which situation applies where relevant.

Information We Collect and Process:

  • Business Contact Information: If you are our Business Client (or a representative of one), we will collect personal data such as your name, business email address, phone number, job title, and the company/organisation details (name, address, company number if applicable). This typically comes from you when you enquire about or sign up for our services. We use this to communicate and manage our contract with your organisation.

  • Contract and Account Details: We will maintain records of the agreement or contract with your organisation, which may include signed agreements, purchase orders, number of profiles/licenses purchased, and billing information. Personal data here might include the signatory’s name, the primary contact’s details, and any notes from meetings or communications.

  • Member Data (CareTag-Hosted model): If you use our CareTag-hosted service for your members or employees, we will process personal data about those individuals similar to what is described in the Individual Users Privacy Policy. This can include:

    • Identity info (name, maybe ID or membership number if provided).

    • Contact info (city, possibly an email or phone if provided, though often for emergency profiles an individual’s own contact may not be needed if the organisation handles that).

    • Emergency contacts (names/phones of their contacts).

    • Medical info (conditions, medications, allergies, etc.) if the service involves that.

    • Any other fields your organisation decides to include in the profile form (language, etc.).

    • We might receive this data either via a bulk import provided by you, or via individual forms that your members fill in (which feed into our system).

    • Note: In many cases, for liability reasons and data accuracy, we encourage that individual members give their own explicit consent and provide their data directly (even if the service is paid by the organisation). If that’s the case, we will also treat those individuals as data subjects with rights, and this Policy works in conjunction with the Individual Privacy Policy which those individuals would also receive.

  • Member Data (Self-Hosted model): In the self-hosted scenario, generally we do not collect or process your members’ personal data (since you are hosting it). We may have incidental exposure if we assist in setup (for example, if we troubleshoot by seeing some dummy data or if you share a sample profile with us), but we will not retain or use any of your members’ data in self-hosted cases. Our focus will be on providing you with templates or technical support without handling live personal data. If, however, as part of onboarding we need a list of members or similar information to set up the service, we will only use it for that setup and delete it afterwards.

  • Support Communications: If you or your team contact us for support or training, we may collect the contact details of the person reaching out and any information they volunteer about issues (which could include personal data in context, like “Member Jane Doe has trouble accessing her profile”). We use this only to assist you and keep records of support.

  • Website Usage / Technical Info: Business Clients using our site (like logging into an admin dashboard if provided) may have similar technical data collected (IP addresses, device info, etc. via logs or cookies) as individual visitors. This is mainly for security monitoring. If we provide a dedicated admin portal for organisations, we may log admin user activities (like which profiles were accessed or edited by the org) for audit trails – this may include personal identifiers like the username of the admin and timestamp.

Purposes of Processing & Legal Bases:

For Business Contact/Client Data (i.e., data about you, the client or your staff):

  • Service and Contract Management: We use your business contact information to discuss our services with you, prepare proposals, and fulfill our contract. For instance, to send onboarding materials, to communicate about profile usage, or to send invoices. Legal basis: Performance of a contract (Art 6(1)(b) UK GDPR) – e.g., we need to email the project lead to deliver our service – and/or Legitimate interests (Art 6(1)(f)), such as effectively managing customer relationships and providing support. We consider this use necessary and not overridden by your rights since it’s generally professional context data.

  • Billing and Accounting: We process billing contact info and payment details (if you pay by bank transfer or such, we might have bank account info, etc.) to issue invoices, receive payments, and maintain financial records. Legal basis: Performance of contract (providing the service for payment) and Legal obligation (Art 6(1)(c)) as we must keep proper books, tax records, etc.

  • Marketing and Updates: If you’re a business contact, we may occasionally send you updates about new CareTag features or related services that might interest your organisation. We will ensure that we comply with direct marketing rules – for corporate subscribers (B2B emails), we may not need prior consent under PECR, but we will always provide an easy opt-out. Legal basis: Legitimate interests – promoting and growing our business with relevant clients. You can object to or opt out of such emails at any time.

  • Business Client Support and Training: If we provide training sessions or materials to your staff, we may keep a record of attendees (names, roles) simply to track who has been trained. Legal basis: Legitimate interests in ensuring proper use of our service by the client’s staff.

  • Enforcing our Agreement / Legal: We may process client contact data and contract details if necessary to enforce our terms or handle legal disputes. For example, if we need to seek payment or deal with a breach, we’ll use the info as needed. Legal basis: Legitimate interests in protecting our contractual rights, or legal obligation if responding to lawful orders.

For Members’ Personal Data (Hosted Profiles) that we process on behalf of Business Clients:

  • Providing the Service to Members: The primary purpose is to host the emergency profile on our secure platform, accessible via tag or URL, similar to how we do for individual retail customers. We will display the data as needed in emergencies. Legal basis: From our perspective as a processor, the legal basis is determined by you, the Business Client (the controller). Typically, you will rely on one or more bases: explicit consent from the member for special health data and either consent or legitimate interests or contract for the basic data. For transparency, we assume most Business Clients will obtain explicit consent from each individual to share their data with CareTag for this purpose, especially given health details. Some might argue vital interest for emergency health info or legitimate interest in workplace safety, but explicit consent is the safest route. We require that you ensure a valid lawful basis exists for us to process each member’s data.

  • Data Processing on Instructions: We will collect/process whatever member data you instruct us to as part of setting up profiles. For example, if you send us a spreadsheet of member info to bulk import, we’ll use it only for that. If members fill out our online form under your arrangement, we’ll use that to populate profiles. We use member data only to fulfill the service (hosting and making available the profile, and related actions like sending renewal notices if that’s in the arrangement).

  • Profile Renewal and Maintenance (Business): Similar to individuals, profiles under a business contract are valid typically for 1 year unless renewed. We will either coordinate with you, the client, for renewal (e.g., we might send you a list of upcoming expirations), or if agreed, we might notify the individual members directly (with your permission). Legal basis: Performance of contract (with you) for us to manage the service; for any direct contact with members, we’d rely on either the member’s initial consent or our joint legitimate interest in continuing the service. (We will not solicit members outside of the scope you permit.)

  • Support to Members: If a member of your organisation contacts us directly for support (say they want to update something or request deletion), we will address it. If we are the processor, we might forward the request to you or handle it as per an agreed procedure. Typically, we’ll act on it (since not doing so could harm the person in an emergency context). Legal basis: Compliance with legal obligations (data subject rights) and our contract with you to provide good service to your members.

  • Anonymised or Aggregated Insights: We may produce aggregated statistics for internal use or for you, the client. For instance, number of profiles active, usage frequency (if trackable), etc., which do not identify individuals. This is not personal data at that point. We might use it to improve our services or offer insights to you about uptake.

  • No Additional Use: We will not use your members’ personal data for any purpose other than providing the CareTag profile service, as per our contract. We will not contact those individuals for marketing, sign them up for our independent services, or share their data with third parties (except sub-processors as needed) without direction from you or as required by law.

Special Category Data & Lawful Basis: When processing health information for your members, both your organisation and we (as your processor) must comply with Article 9 of GDPR. Typically, explicit consent from the data subject will be the condition used. We strongly recommend that you gather explicit consent from each member when enrolling them in the CareTag system, especially since data concerning health is sensitive. Alternatively, some organisations might use Article 9(2)(c) (vital interests) if, for example, the service is aimed at potentially life-threatening scenarios and member consent cannot be easily obtained (though in a planned setup, consent is usually feasible). Another possibility is Article 9(2)(h) (for preventative or occupational medicine, if relevant and a health professional is involved) or (i) public health, but those usually require specific contexts. In most cases, explicit consent is simplest and clearest.

As part of our agreement (in our Data Processing Agreement or Terms), we will assume you have obtained whatever consent or legal basis is appropriate from your members before giving their data to us. You must also provide them a privacy notice (or ensure they see ours) explaining how their data will be used. We can assist by providing a template or allowing you to direct them to this Policy and the Individual Privacy Policy.

How We Share Data in Business Context:

  • Within the Organisation: If you as a Business Client have multiple staff interacting with us, we might share business-related info among them (e.g., CC both the project manager and the finance officer in emails about renewal). We presume internal sharing is fine on your side.

  • With Member Data (Hosted): The member profiles will be accessible to those individuals (they might get a link to view their own profile) and to anyone they give the CareTag link to (similar to individual scenario). Additionally, you (the organisation’s authorised personnel) might have access to view or edit those profiles via an admin dashboard or by receiving copies of the data. We will follow your instructions on who should have admin access. Ensure that any of your staff given such access are trained and authorised to handle that personal data confidentially.

  • Service Providers (Sub-processors): For providing services to Business Clients, we use the same infrastructure and providers as for individuals. This includes our hosting/CMS provider, email systems, and Stripe (if payments are through card). If you require it, we can provide a list of sub-processors and ensure we have data processing agreements with each. Key sub-processors likely are:

    • Hosting/Cloud provider (could be in US/EU as noted, with safeguards).

    • Email delivery services (for sending profile links or notifications).

    • Analytics or monitoring tools (if used on admin interface, though we minimize any tracking).

    • Any separate system deployed for your organisation (unlikely; in the self-hosted model you host the system yourself, so its providers are your responsibility).

  • Stripe or Payment Info: If you pay via online card payment for bulk purchases, Stripe processes that. If you pay via bank transfer or invoice, we share necessary info with our bank (payee name, reference).

  • Third-Party Partners: We generally do not involve other third parties in delivering the service to your members. If that ever changes (say we partner with a medical ID bracelet company for distribution), we’ll ensure data sharing is only as needed and documented.

  • Legal Disclosure: The same as elsewhere, if required by law or valid authority request, we might have to disclose data. For example, if an authority investigates something and needs logs. We would likely inform you unless legally barred.

International Transfers (Business Data): As with individual data, any personal data we process for Business Clients or their members may be transferred to and stored outside the UK (e.g., in the EEA or US) because of our use of certain service providers. We ensure compliance with transfer rules by relying on adequacy (the EU is considered adequate by the UK, so EEA storage is fine) or SCCs for any US transfers. For instance, our main hosting might be in the US under SCCs, our form system is EU-based (Spain), and Stripe may store data in the US. We can provide more details if needed for your DPIA. If your organisation requires that data stay in the UK/EU only, discuss this with us – we might be able to configure EU-only storage depending on our providers’ options.

Data Retention: For Business Client-related data:

  • Contract Data: We’ll retain contracts and related documents for at least the duration of our business relationship and then as long as necessary (typically 6 years after contract end) for legal record-keeping. This can include the contract itself, invoices, and key communications.

  • Business Contacts: If you are a contact person and leave your organisation or it ceases to be a client, we may retain your contact info in our client archives or CRM for a period (again, often 6 years) in case of follow-up or legal issues. We’ll delete or anonymise it when no longer needed.

  • Member Data (Hosted): The retention for members’ profiles is similar to individuals: we keep their data active for the subscription term. If your contract covers, say, 100 profiles for a year, we’ll delete profiles that are not renewed after that year. If our contract ends or you instruct us to end service for certain members, we will delete their personal data from our systems (after providing any required exports back to you). We usually give Business Clients control—if you end the contract, we either return all personal data to you or delete it, as per your preference (and consistent with legal requirements). We won’t hold onto your members’ data beyond necessary. We may keep anonymised stats.

  • Member Data (Self-Hosted): Since we don’t store it, retention is your responsibility. If we had any on-boarding files, we’ll delete those after setup.

  • Backup Policy: Our system likely does regular backups for disaster recovery. So even if we delete a profile, it might remain in encrypted backups for a short period until those roll over. We ensure backups are protected and eventually purged.

  • Incident Logs: If, for example, you had a security incident and we assisted, we might keep logs or reports of that incident for legal compliance and analysis, possibly containing personal data. We’d keep those as long as needed (perhaps 6 years, in case of legal issues).

  • We will also comply with any specific retention commitments in our contract or data processing agreement with you.

Data Subject Rights (for Members under Business): If we are a processor, your members’ rights (access, correction, deletion, etc.) should be primarily exercised through you (the controller). However, practically, if a member contacts us directly (perhaps not knowing the behind-the-scenes arrangement), we will either direct them to their organisation or, where appropriate and permitted, assist with fulfilling the request on your behalf. We do not intend to obstruct any data subject rights. Some specifics:

  • Right to be Informed: It’s your duty to inform your members how their data will be used. We provide you this Policy which you can share. In many cases, we also recommend giving each member the standard CareTag Individual Privacy Policy so they know how we handle their info similarly to individual users.

  • Access and Rectification: If you as an organisation want to obtain all the data we hold on your members, we’ll provide it to you upon request (since you control it). If an individual asks us for access to their profile info, we will likely just show them their profile (since that is the data we hold), or check with you first. For rectification, since profile edits can be made via the admin dashboard or through support, we handle that quickly.

  • Erasure: If a member under your programme wants their data deleted, usually they’ll go through you. But if they come to us, and we confirm their identity, we would inform you and likely proceed to delete their profile (we have to balance between individual’s right and our obligations to you; our standard contract with you should allow us to delete if a data subject validly withdraws consent or requests erasure). We’ll notify you of such deletion.

  • Objection/Restriction: Similar logic – if someone objects to processing, we tell you. If you instruct us to restrict processing of a certain profile, we can disable access to it temporarily.

  • Portability: If requested, we can export an individual’s data (like in CSV) and give it to them or you, whatever is appropriate.

  • We have processes to handle rights requests efficiently. Business Clients should also be prepared to handle member requests directly, and can then forward instructions to us.

As a Business Client, you should ensure you have a lawful basis to share data with us and to allow us to process it. You should also have your own privacy notice for your members (or employees) that mentions this data sharing with CareTag (Health Pros Network Ltd) and the basics of what we do. If you need our input for that notice, we can provide suggested text.

Security Measures: We extend the same technical and organisational security measures described in the Individual Privacy Policy to the data we process for Business Clients. Additionally, if required, we can sign a separate Data Processing Agreement (DPA) outlining specific security and confidentiality commitments. Highlights:

  • We ensure that all staff who handle Business Client data are trained in confidentiality and data protection.

  • For self-hosted solutions, we might provide guidance on security best practices, but implementing them is up to you since you will host the data. We are not liable for breaches on your systems (see Terms).

  • For hosted solutions, we treat your members’ data with high security: encryption, access control, monitoring for unauthorized access, etc., as already detailed.

  • We can support you in any Data Protection Impact Assessment (DPIA) you conduct by providing information about our system.

  • Breach notification: If we experience a personal data breach affecting your members’ data, we will notify you without undue delay so that you can fulfill any obligation to inform authorities or individuals. We’ll provide relevant details and assist in investigation and mitigation.

Compliance and Accountability: We maintain records of processing as required and have a designated team member responsible for data protection compliance. While we may not be required to appoint a formal DPO (Data Protection Officer) under law, we treat data protection seriously at a leadership level. Our ICO registration (if applicable) and contact info are available for you and data subjects.

International Business Clients: If your organisation or members are outside the UK, please note that their data will be handled according to UK GDPR standards, which are largely aligned with EU GDPR. If needed, we can accommodate EU Standard Contractual Clauses if you are an EU-based controller using our processing services. We can also discuss any local law requirements.

Changes to this Policy: If we update the Individual Privacy Policy, we will likewise update this Business Client Privacy Policy to reflect any changes relevant to business scenarios. We will inform our Business Clients of any significant changes, and you in turn should inform your members if it affects them. This Policy is effective as of the date below and remains in effect until superseded by a revision.

Last Updated: 31st of May 2025