Privacy Policy
Last updated: 20 April 2026
1. Introduction
This Privacy Policy explains how ABR Grace Solutions (“we”, “us”, “our”) collects, uses, stores, shares and protects your personal information when you:
- Visit our website www.abrgracesolutions.co.uk (the “Website”);
- Use our domiciliary (home) care services;
- Enquire about or apply for employment or engagement with us;
- Otherwise interact with us.
We are committed to protecting and respecting your privacy. We are a domiciliary care agency registered with the Care Quality Commission (CQC) under provider ID 1-14796517463, and we are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZB577264.
This policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal information is:
ABR Grace Solutions
Company number: 14180202
Suite 11, Malmarc House, 116 Dewsbury Rd, Leeds
Email: info@abrgracesolutions.co.uk
Telephone: +44 7401 301687
For any data protection queries, please contact us using the details above.
3. Information We Collect
We may collect and process the following categories of personal information:
3.1 Service Users (Clients) and Their Representatives
| Category | Examples |
|---|---|
| Identity Data | Full name, date of birth, gender, marital status, title |
| Contact Data | Home address, email address, telephone numbers |
| Health & Medical Data (Special Category) | Medical history, GP and consultant details, current medications, allergies, care and support needs, mental health information, physical health conditions, dietary requirements |
| Financial Data | Funding information (e.g., local authority funding, NHS Continuing Healthcare, self-funding), bank details for invoice payment |
| Next of Kin / Emergency Contact Data | Name, relationship, contact details of your next of kin or emergency contacts |
| Care Records | Care plans, risk assessments, daily care records, incident and accident reports, complaints records |
| Communication Data | Records of correspondence and communication with us |
| Equality & Diversity Data (Special Category) | Ethnic origin, religious beliefs, sexual orientation (where relevant to care provision) |
3.2 Website Visitors
| Category | Examples |
|---|---|
| Technical Data | IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, device type |
| Usage Data | Information about how you use our Website, including pages visited, time spent, and navigation paths |
| Contact / Enquiry Data | Name, email address, telephone number, and any information you include in a contact form submission or live chat |
| Cookie Data | See our Cookie Policy for details |
3.3 Employees, Workers, Volunteers and Job Applicants
| Category | Examples |
|---|---|
| Identity Data | Full name, date of birth, gender, National Insurance number, photograph |
| Contact Data | Home address, email address, telephone numbers |
| Recruitment Data | CV/application form, interview notes, references, right to work documentation |
| Background Check Data (Special Category where applicable) | DBS (Disclosure and Barring Service) check results, professional registration details |
| Employment Data | Employment contract, job role, work history, training records, supervision and appraisal records, disciplinary and grievance records |
| Financial Data | Bank account details, tax information, payroll records |
| Health Data (Special Category) | Occupational health reports, sickness absence records, health declarations |
4. How We Collect Your Information
We collect personal information through:
- Direct interactions: When you fill in forms on our Website, contact us by telephone, email, post, or in person, request or receive our care services, apply for a job, or provide feedback.
- Referrals: From local authorities, Integrated Care Boards (ICBs), NHS Trusts, GPs, hospitals, other healthcare providers, and social workers.
- Third parties: Including previous employers (references), the Disclosure and Barring Service, professional bodies (e.g., NMC), and your family members or representatives acting on your behalf.
- Automated technologies: When you visit our Website, we may automatically collect Technical Data and Usage Data through cookies and similar technologies. Please see our Cookie Policy.
5. How We Use Your Information and Our Legal Bases
We will only use your personal information where the law allows us to. Under the UK GDPR, we rely on the following lawful bases:
5.1 Service Users (Clients)
| Purpose | Lawful Basis |
|---|---|
| To assess your care and support needs and create a personalised care plan | Legitimate interests (providing appropriate care); Legal obligation (CQC regulatory requirements); Vital interests (where necessary to protect your life) |
| To provide domiciliary care services to you | Performance of a contract (our care service agreement with you); Legitimate interests |
| To process health and medical data | Explicit consent or Provision of health or social care (UK GDPR Article 9(2)(h) and Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018) |
| To manage billing, invoicing and payments | Performance of a contract; Legitimate interests |
| To comply with legal and regulatory obligations (e.g., CQC, safeguarding, health and safety) | Legal obligation |
| To handle complaints, incidents, accidents and safeguarding concerns | Legal obligation; Vital interests; Legitimate interests |
| To communicate with your GP, other healthcare professionals, next of kin (with your consent where appropriate) | Provision of health or social care; Vital interests; Consent |
| To improve the quality of our services | Legitimate interests |
5.2 Website Visitors
| Purpose | Lawful Basis |
|---|---|
| To respond to your enquiries | Legitimate interests; Consent (where applicable) |
| To administer and improve our Website | Legitimate interests |
| To use analytics to understand Website usage | Consent (via cookie consent mechanism) |
| To send marketing communications (only where you have opted in) | Consent |
5.3 Employees, Workers, Volunteers and Job Applicants
| Purpose | Lawful Basis |
|---|---|
| To manage the recruitment process | Legitimate interests; Taking steps prior to entering into a contract |
| To manage the employment or engagement relationship | Performance of a contract; Legal obligation |
| To conduct DBS checks | Legal obligation; Substantial public interest (Schedule 1, Part 2, DPA 2018) |
| To administer payroll, benefits and pensions | Performance of a contract; Legal obligation |
| To manage training, supervision and performance | Performance of a contract; Legitimate interests |
| To comply with legal obligations (e.g., tax, employment law, health and safety, CQC) | Legal obligation |
6. Special Category Data
Some of the personal information we process is classified as “special category data” under the UK GDPR. This includes data relating to health, racial or ethnic origin, religious beliefs, and criminal records (DBS checks).
We process special category data in reliance upon the following conditions:
- Explicit consent (UK GDPR Article 9(2)(a));
- Employment, social security and social protection obligations (Article 9(2)(b));
- Vital interests where you are physically or legally incapable of giving consent (Article 9(2)(c));
- Provision of health or social care treatment or management of health or social care systems (Article 9(2)(h)), read together with Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018;
- Substantial public interest conditions under Schedule 1, Part 2 of the Data Protection Act 2018, including safeguarding of children and individuals at risk.
We maintain an Appropriate Policy Document as required by the Data Protection Act 2018, which is available upon request.
7. Who We Share Your Information With
We may share your personal information with the following categories of recipients, only where there is a lawful basis and a genuine need to do so:
- Care staff providing your domiciliary care services;
- Your GP, consultants, nurses, pharmacists and other healthcare professionals involved in your care;
- Local authorities, social services and social workers (e.g., for commissioning, safeguarding or funding purposes);
- NHS bodies, including ICBs, NHS Trusts, and NHS Continuing Healthcare teams;
- The Care Quality Commission (CQC) as our regulator;
- Safeguarding boards and statutory agencies where required for safeguarding purposes;
- HM Revenue & Customs, the Health and Safety Executive, and other government bodies where required by law;
- The Disclosure and Barring Service (DBS);
- Professional indemnity and liability insurers;
- Solicitors and legal advisers where necessary for legal proceedings or advice;
- IT service providers who host and maintain our Website and care management systems (who act as our data processors under appropriate contractual terms);
- Payroll providers and pension administrators (for employee data);
- Your family members, advocates or representatives, where you have given consent or where it is in your vital interests;
- Courts, tribunals and law enforcement agencies, where required by law or court order.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
8. International Transfers
We do not routinely transfer your personal information outside the United Kingdom. In the event that any transfer outside the UK is necessary (for example, where a third-party service provider hosts data outside the UK), we will ensure that appropriate safeguards are in place as required by the UK GDPR, such as:
- Transfers to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State;
- Use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses.
9. Data Security
We have implemented appropriate technical and organisational measures to protect your personal information against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include:
- Encryption of data in transit and at rest;
- Access controls and password-protected systems;
- Regular security assessments and penetration testing;
- Staff training on data protection and information security;
- Secure storage (physical and electronic) of care records;
- Data Processing Agreements with all data processors;
- Incident response and data breach procedures.
While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
10. Data Retention
We will retain your personal information only for as long as is necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting or reporting requirements.
The table below sets out our general retention periods:
| Data Category | Retention Period |
|---|---|
| Service user care records | A minimum of 8 years from the end of the care relationship (or longer where required, e.g., 25 years from date of birth for children) |
| Service user financial records | 7 years from the date of the last transaction |
| Employee/worker records | 6 years after the end of employment |
| DBS certificates | No longer than 6 months from the date of receipt (in accordance with DBS Code of Practice) |
| Recruitment records (unsuccessful candidates) | 6 months from the date of the recruitment decision (unless consent is given to retain for longer) |
| Website enquiry data | 2 years from the date of the enquiry, unless further contact is made |
| Complaints and incident records | 10 years from the date of the complaint/incident |
| Safeguarding records | Indefinitely or as required by the relevant safeguarding board |
At the end of the retention period, we will securely delete or anonymise your personal information.
11. Your Rights
Under the UK GDPR, you have the following rights in relation to your personal information:
- Right of access — You have the right to request a copy of the personal information we hold about you (commonly known as a “Subject Access Request” or SAR).
- Right to rectification — You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.
- Right to erasure — You have the right to request that we delete your personal information in certain circumstances (also known as the “right to be forgotten”).
- Right to restriction of processing — You have the right to request that we restrict the processing of your personal information in certain circumstances.
- Right to data portability — You have the right to request that we transfer your personal information to another organisation, or directly to you, in certain circumstances.
- Right to object — You have the right to object to the processing of your personal information where we are relying on legitimate interests as the legal basis, or where we are processing your data for direct marketing purposes.
- Rights related to automated decision-making and profiling — You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to withdraw consent — Where we rely on your consent to process your personal information, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before you withdraw your consent.
How to Exercise Your Rights
To exercise any of these rights, please contact us using the details in Section 2. We will respond to your request within one calendar month of receiving it, in accordance with UK GDPR requirements. In certain circumstances, we may extend this period by a further two months, in which case we will inform you and explain the reasons for the delay.
We may ask you to verify your identity before acting on your request. There is no fee for making a request, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
12. Direct Marketing
We will only send you direct marketing communications (such as newsletters, service updates or promotional materials) where you have given us your explicit consent to do so, or where we have a legitimate interest and you have not opted out.
You can opt out of receiving marketing communications at any time by:
- Clicking the “unsubscribe” link in any marketing email;
- Contacting us at info@abrgracesolutions.co.uk or +44 7401 301687.
13. Children’s Information
Our Website is not directed at children under the age of 18. We do, however, provide care services to individuals of all ages, including children and young people. Where we process the personal information of children in connection with our care services, we do so in accordance with this Privacy Policy and with the additional safeguards required by law, including obtaining consent from a parent or guardian where appropriate.
14. Links to Other Websites
Our Website may contain links to other websites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s website. We have no control over, and assume no responsibility for, the content, privacy policies or practices of any third-party websites. We strongly advise you to review the privacy policy of every website you visit.
15. Complaints
If you are unhappy with how we have handled your personal information, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us in the first instance using the details in Section 2.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by updating the “Last updated” date at the top of this policy and, where appropriate, providing additional notice on our Website.
We encourage you to review this Privacy Policy periodically.
