1. Introduction
Hearthstone Supported Living Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Controller: Hearthstone Supported Living Ltd, Company Number 17028948, registered at 49 Noakes Avenue, Chelmsford, CM2 8EN.
Data Protection Contact: Contact us through our contact page
2. Information We Collect
We may collect and process the following categories of personal data:
2.1 Service Users and Prospective Service Users
- Full name, date of birth, gender, and contact details
- Health information, medical history, and medication records
- Care needs assessments and support plans
- Mental capacity assessments and best interest decisions
- Funding arrangements and financial information
- Next of kin and emergency contact details
- Religious, cultural, and dietary preferences
- Photographs (with consent) for identification and care purposes
2.2 Referrers and Professionals
- Name, role, organisation, and professional contact details
- Referral information and correspondence
2.3 Job Applicants and Employees
- Name, contact details, and employment history
- Qualifications, training records, and DBS disclosure results
- Right to work documentation and references
- Health information relevant to occupational health
- Bank details and payroll information (employees)
2.4 Website Visitors
- Contact form submissions (name, email, phone, message)
- Cookie data and usage analytics (see our Cookie Policy)
- IP address and browser information
3. How We Use Your Information
We use personal data for the following purposes:
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing care and support services | Contract performance; Vital interests; Legal obligation |
| Processing referrals and assessments | Legitimate interests; Consent |
| Medication management and health monitoring | Vital interests; Legal obligation |
| Safeguarding and duty of care | Legal obligation; Vital interests; Public interest |
| Regulatory compliance (CQC, local authority) | Legal obligation |
| Recruitment and employment | Contract performance; Legal obligation |
| Responding to enquiries | Legitimate interests; Consent |
| Quality improvement and audit | Legitimate interests |
| Complaints handling | Legal obligation; Legitimate interests |
4. Special Category Data
As a care provider, we process special category data including health information, which requires additional safeguards. We process this data on the basis of:
- Explicit consent from the data subject (or their legal representative)
- Provision of health or social care (Article 9(2)(h) UK GDPR)
- Vital interests of the data subject
- Legal obligations relating to safeguarding and public protection
5. Who We Share Data With
We may share personal data with:
- Health professionals: GPs, hospitals, pharmacies, community health teams
- Local authorities: Social workers, commissioning teams, safeguarding boards
- Regulatory bodies: Care Quality Commission (CQC)
- Emergency services: Where necessary for safety
- Family members / advocates: With appropriate consent or legal authority
- Insurance providers: For claims and liability purposes
- IT service providers: Who process data on our behalf under contract
We will never sell your personal data to third parties. We do not transfer personal data outside the UK without appropriate safeguards.
6. Data Retention
We retain personal data only for as long as necessary:
- Service user records: 8 years after the end of service (or longer if required by law)
- Staff records: 6 years after employment ends
- Recruitment records (unsuccessful): 6 months after the recruitment process
- Enquiry and referral data: 2 years if no service is commenced
- Website contact forms: 12 months
- Safeguarding records: Retained indefinitely in line with statutory requirements
7. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Secure, locked storage for paper records
- Password-protected systems and encrypted communications
- Access controls based on role and need-to-know
- Staff training on data protection and confidentiality
- Regular security reviews and risk assessments
- Secure disposal of records when retention periods expire
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of your personal data
- Right to rectification: Have inaccurate data corrected
- Right to erasure: Request deletion of your data (subject to legal obligations)
- Right to restrict processing: Limit how we use your data
- Right to data portability: Receive your data in a common format
- Right to object: Object to certain types of processing
- Rights related to automated decision-making: We do not use automated decision-making
To exercise any of these rights, please contact us through our contact page. We will respond within one month.
9. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to resolve any concerns directly first. Please contact us before raising a complaint with the ICO.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated "last updated" date. We encourage you to review this page periodically.
11. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Hearthstone Supported Living Ltd
49 Noakes Avenue, Chelmsford, CM2 8EN
Contact us through our contact page