Privacy Policy

Last updated: 23 March 2026

Contents

Who we are
What data we collect
Lawful basis for processing
How we use your data
Who we share your data with
Data storage and security
How long we keep your data
Your rights under UK GDPR
Children
Cookies
Emergency QR codes
AI processing
Changes to this policy
Contact us

1. Who we are

CareBee is operated by CareBee Ltd (registered address to be confirmed). We are registered with the Information Commissioner's Office (ICO registration number to be confirmed).

Contact for data queries: privacy@carebee.co.uk. We do not have a formal Data Protection Officer at this stage, but all data queries are handled by the founding team.

2. What data we collect

We collect only what we need to provide the service. Here is a complete list.

2.1 Account data

Your name, email address, and password (stored as a one-way hash: we never see your actual password). Profile photo is optional.

2.2 Health and care records

The conditions, medications, allergies, appointments, test results, referral details, care plan notes, and DNACPR status that you choose to record. This is special category data (health data) under UK GDPR. We process it solely to provide the service back to you.

2.3 Personal details of the people you care for

Names, dates of birth, NHS numbers, GP and hospital details, next of kin information, and power of attorney status for the people whose records you manage.

2.4 Documents you upload

Photographs and scans of letters, prescriptions, discharge summaries, benefit correspondence, and any other documents you choose to store.

2.5 Household and sharing data

Which households you belong to, your role in each household (owner, editor, viewer, or emergency only), and invitation records.

2.6 Emergency share data

When you generate an emergency QR code, a subset of health information (conditions, medications, allergies, DNACPR status, next of kin) is made accessible via a unique link. This is explained further in section 11.

2.7 Usage data

Pages visited, features used, device type, and browser type. We do not use third-party analytics trackers. We do not sell or share usage data with advertisers.

2.8 Payment data

If you subscribe to CareBee Plus, payment is processed by Stripe. We never see or store your full card details.

3. Lawful basis for processing

Under UK GDPR, we rely on the following lawful bases:

Account data and usage data: legitimate interests (running and improving the service).
Health and care records (special category data): explicit consent. You actively choose to enter this data. We process it solely to provide the service to you and the family members you authorise. You can withdraw consent and delete your data at any time.
Contract performance: processing your payment and managing your subscription.

The Article 9 condition for processing special category (health) data is explicit consent.

4. How we use your data

4.1 To provide the service

Storing and displaying your records, sharing them with household members you invite, generating emergency summaries.

4.2 To power AI features

When you use document scanning, entitlements checking, or drug interaction checking, the relevant data is sent to our AI provider for processing. It is used solely to return results to you. We do not use your health data to train AI models. See section 12 for full details.

4.3 Service communications

Account verification, password resets, trial expiry notices, and weekly digests (if you enable them).

4.4 Service improvement

We analyse aggregated, anonymised usage patterns to understand how people use CareBee and to make it better. We never use identifiable health data for this purpose.

5. Who we share your data with

Household members you invite, at the access level you set.
Anyone who scans an emergency QR code you generate (they see only the emergency summary, not your full record). See section 11.
Supabase: our database and infrastructure provider. Supabase processes your data on our behalf under a data processing agreement. Supabase is SOC 2 Type II compliant and hosts data in the EU (London region).
Anthropic:when you use AI features, the relevant document or data is sent to Anthropic's API for processing. Anthropic does not retain your data for model training purposes. See Anthropic's data processing terms for details.
Stripe: if you subscribe to CareBee Plus, Stripe processes your payment. We never see your full card number.

We do not sell your data. We do not share your data with advertisers. We do not share identifiable health data with any third party for their own purposes.

6. Data storage and security

All data is stored on Supabase infrastructure, EU hosted (London region).
Data is encrypted in transit (TLS 1.3) and at rest using AES-256.
Access to records is controlled by row-level security: you only see households you have been invited to.
We use role-based access control: owner, editor, viewer, and emergency-only levels.
Supabase is SOC 2 Type II certified.
We conduct regular security reviews.

If we become aware of a data breach that affects your rights and freedoms, we will notify you and the ICO in accordance with UK GDPR requirements.

7. How long we keep your data

Account and records: kept for as long as your account is active.
Account deletion: all personal data and records are permanently deleted within 30 days of account deletion.
Person record deletion: data is permanently deleted within 30 days.
Documents: deleted when you delete them, or when your account is deleted.
Emergency share links: deactivated links are purged within 30 days.
Anonymised, aggregated usage data: may be retained indefinitely for service improvement.

8. Your rights under UK GDPR

You have the following rights regarding your personal data. To exercise any of these, email privacy@carebee.co.uk or use the data management tools within the app.

Right of access: you can ask for a copy of all the data we hold about you. We will respond within one month.
Right to rectification: if any data we hold about you is inaccurate, you can ask us to correct it.
Right to erasure: you can ask us to delete your data. You can also delete your own records and your account directly within the app at any time.
Right to restrict processing: you can ask us to limit how we process your data in certain circumstances.
Right to data portability: you can request your data in a machine-readable format (JSON).
Right to object: you can object to our processing of your data on grounds of legitimate interests.
Right to withdraw consent: you can withdraw your consent for us to process your health data at any time by deleting your records or your account.
Right to complain:if you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Children

CareBee may be used to store health records for children as part of family and carer management. This data is entered and managed by a parent or legal guardian, who provides consent for its storage and use.

We do not knowingly allow children under the age of 13 to create their own CareBee accounts. If you believe we have collected data from a child under 13 without appropriate consent, please contact privacy@carebee.co.uk.

10. Cookies

We use only essential session cookies required for you to stay logged in to CareBee. We do not use advertising cookies, tracking cookies, or third-party analytics cookies. You cannot opt out of essential session cookies without losing the ability to use the service.

11. Emergency QR codes

When you generate an emergency QR code, anyone with the link can view a summary of critical health information without logging in. Only generate a QR code if you have the authority to share that information.

When you generate an emergency QR code for someone, a read-only summary of critical health information (conditions, medications, allergies, DNACPR status, and next of kin details) is accessible via a unique URL. Anyone who has this URL can view this summary without logging in to CareBee.

You can deactivate an emergency QR code at any time from within the app. Deactivated links stop working immediately. The summary data associated with deactivated links is purged within 30 days.

By generating an emergency QR code, you confirm that you have the authority to share the health information it contains.

12. AI processing

When you use AI-powered features, including document scanning, benefits and entitlements checking, and drug interaction checking, the relevant data is sent to Anthropic's API for processing.

The data is used solely to return results to you.
Anthropic does not retain your data for the purpose of training AI models.
We process only the minimum data necessary for each feature.
AI-generated results are always presented for your review before being saved to your record.

We will update this section if we add new AI features or change AI providers.

13. Changes to this policy

If we update this privacy policy in a way that materially changes how we handle your health data, we will notify you by email and within the app at least 14 days before the changes take effect. Continued use of CareBee after that date constitutes acceptance of the updated policy.

Minor or clarifying changes may be made without notice. The "Last updated" date at the top of this page always reflects the most recent version.

14. Contact us

For questions about this privacy policy, to exercise your data rights, or to report a concern, contact: privacy@carebee.co.uk

We aim to respond to all data queries within 5 working days.

CareBee Ltd. Registered in England and Wales.