Effective: 12 April 2026
1. Data Controller
Copeland Security Group (trading as DOBS) is the data controller for personal data processed through the DOBS application.
Contact: [data-protection@dobs.app]
Address: [Registered address to be inserted]
2. What Data We Collect
Staff Data
- Full name
- PIN (stored as a one-way SHA-256 hash; the raw PIN is never retained)
- Role (staff or admin)
- WebAuthn biometric credential identifiers (no biometric templates are stored)
Resident Data
- First name, room number, date of birth, gender, NHS number
- Next of kin, allergies, medical history, and care notes
- Clinical observations: body map entries (injury type, location, description, wound measurements), vital signs (NEWS2), neurological observations (GCS), food and fluid intake records, psychiatric observation checks
- Photographs attached to body map entries
- Safeguarding alerts and escalation records
- Observation levels and monitoring flags
Family Portal Data
- Family member name, email address, phone number
- SMS consent status
Audit and System Data
- Timestamped audit log of all actions (who did what and when)
- Session authentication tokens (stored in browser localStorage)
- SMS delivery logs
3. Legal Basis for Processing
We process personal data on the following legal bases under UK GDPR:
- Legitimate interest (Article 6(1)(f)) for staff account management, audit logging, and care home operational data
- Vital interests (Article 9(2)(c)) and health and social care purposes (Article 9(2)(h)) for special category health data including body map observations, vital signs, neurological assessments, and safeguarding alerts
- Legal obligation (Article 6(1)(c)) for records retention in line with health and social care record-keeping requirements
DOBS processes special category data (health data) as defined under GDPR Article 9. This processing is necessary for the provision of health and social care and is subject to appropriate safeguards.
4. How Data Is Stored
- All data is stored in Neon Postgres, a managed PostgreSQL service, in an EU region data centre
- Data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2+
- The application is hosted on Vercel (serverless functions, EU edge network)
- Uploaded photographs are stored securely and are only accessible to authenticated, authorised users
- PIN codes are hashed using SHA-256 with a salt before storage; raw PINs are never persisted
- No data is stored on end-user devices beyond authentication session tokens
5. Who Has Access to Data
- Authenticated staff members who are assigned to the relevant care home can view and record observations for residents within that home
- Admin staff have additional access to manage residents and staff accounts and to view audit logs
- Super admins can manage multiple care homes and access cross-home data
- Family members with approved accounts have read-only access to observations for their linked resident(s) only
- Copeland Security Group technical staff may access data for system maintenance, support, and incident response, subject to strict access controls and confidentiality obligations
We do not sell, share, or transfer personal data to third parties for marketing or any unrelated purpose.
6. Data Retention
- Health observations and clinical records are retained for a minimum of 8 years from the date of the last entry, in line with the NHS Records Management Code of Practice and health records guidance for adult social care
- Audit logs are retained for the same period as the records they relate to
- Staff account data is retained while the account is active and for 12 months after deactivation
- Family portal accounts are retained while active and deleted upon request
Care homes may request data export or deletion in accordance with their own policies and legal obligations.
7. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access -- request a copy of the personal data we hold about you
- Right to rectification -- request correction of inaccurate or incomplete data
- Right to erasure -- request deletion of your data where there is no compelling reason for continued processing (subject to legal retention requirements)
- Right to restrict processing -- request limitation of how we use your data
- Right to data portability -- receive your data in a structured, machine-readable format
- Right to object -- object to processing based on legitimate interest
- Right to complain -- lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113
To exercise any of these rights, contact us at [data-protection@dobs.app].
8. Cookies
DOBS uses essential cookies only for authentication session management. We do not use any tracking, analytics, or advertising cookies. No third-party cookies are set by the application.
9. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated through the application. The effective date at the top of this page indicates when the policy was last revised.