← Back to sign in
LEGAL

Privacy Policy

Last updated: 13 May 2026  ·  Effective date: 13 May 2026

Plain English summary: Kinward is a communication platform connecting care homes with residents' families. We collect only the personal data necessary to provide this service. We do not sell your data to anyone. We store your data securely on UK/EU servers. You have full rights over your data under UK GDPR.

Contents

  1. Who we are
  2. What data we collect
  3. How we use your data
  4. Legal basis for processing
  5. Special category data
  6. Who we share data with
  7. How long we keep data
  8. How we protect your data
  9. International data transfers
  10. Your rights
  11. Children's data
  12. Cookies
  13. Changes to this policy
  14. Contact us

1. Who we are

Kinward ("we", "us", "our") operates the Kinward platform at kinward.uk — a software service that enables care homes to communicate care updates to residents' family members.

For the purposes of UK data protection law:

Contact: [email protected]

2. What data we collect

Family members

DataWhy we collect it
Full nameTo identify you within the family portal
Email addressTo create and secure your account; send notifications
Resident's nameTo link your account to the correct resident
Care home nameTo link your account to the correct care home
Messages sentTo enable communication with the care team
Concerns loggedTo record and track concerns you raise
Visit notesTo log family visit activity (family-facing only)
Wellbeing check-insTo support family wellbeing tracking

Care home staff

DataWhy we collect it
Full nameTo identify staff within the platform
Email addressAccount creation, login, notifications
Role (Senior Staff / Manager)To determine access permissions
Reviews authoredAudit trail of care communications
Messages sentCommunication record with families

Resident data

Resident names are stored to link care reviews and family accounts. We do not store clinical records, medical history, diagnoses, medication details, or any other clinical information in structured form. Care notes entered by staff are stored solely for the purpose of generating plain-English summaries for families.

Technical data

We may collect standard technical information including browser type, device type, IP address, and session data for security and platform performance purposes. We do not use this data for advertising or profiling.

3. How we use your data

We do not use your data for advertising, marketing to third parties, or any form of profiling unrelated to the provision of the Kinward service.

5. Special category data

Important: Care notes entered by staff may contain health-related information about residents. This constitutes special category data under UK GDPR Article 9.

Where special category data is processed:

Our legal basis for processing special category data is Article 9(2)(h) — processing necessary for the provision of social care and the management of social care systems — and our Data Processing Agreement with each care home.

6. Who we share data with

We do not sell personal data. We share data only as follows:

Sub-processors

Sub-processorPurposeLocation
Supabase Inc.Database hosting and authenticationEU (West Europe)
Netlify Inc.Website and application hostingUK/EU CDN
Anthropic PBCAI care summary generation (text only)USA (with appropriate safeguards)
Resend Inc.Transactional email deliveryUSA (with appropriate safeguards)

Care homes

Family data is accessible to authorised staff of the relevant care home only. No care home can access data relating to another care home's residents or families.

Legal disclosure

We may disclose personal data where required by law, court order, or regulatory authority. We will notify the relevant data controller where legally permitted to do so.

Business transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. Affected parties will be notified in advance.

7. How long we keep data

Data typeRetention periodReason
Care reviews and summaries8 years from creationUK care regulations and safeguarding requirements
Family messages8 years from creationCare communication records
Concerns8 years from creationSafeguarding obligations
Family accounts (active)Duration of residency + 8 yearsOngoing care relationship
Family accounts (removed)8 years from removalLegal retention requirements
Staff accountsDuration of employment + 6 yearsEmployment law requirements
Technical/security logs90 daysSecurity monitoring

Data is never deleted earlier than these periods without a lawful request from the data controller (care home) and confirmation that no legal hold applies.

8. How we protect your data

We implement appropriate technical and organisational measures to protect personal data, including:

In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the relevant data controller within 72 hours of becoming aware, in accordance with our obligations under UK GDPR Article 33.

9. International data transfers

Some of our sub-processors are located outside the UK and European Economic Area (EEA). Where personal data is transferred internationally, we ensure appropriate safeguards are in place:

10. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

RightWhat it means
Right of accessYou can request a copy of all personal data we hold about you
Right to rectificationYou can ask us to correct inaccurate data
Right to erasureYou can ask us to delete your data, subject to legal retention requirements
Right to restrictionYou can ask us to limit processing of your data in certain circumstances
Right to portabilityYou can request your data in a structured, machine-readable format
Right to objectYou can object to processing based on legitimate interests
Right to withdraw consentWhere processing is based on consent, you can withdraw it at any time

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Some rights may be subject to limitations where legal retention obligations apply.

If you are dissatisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

11. Children's data

The Kinward platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete that data promptly.

12. Cookies

Kinward uses only essential cookies and local storage necessary for the platform to function. We do not use advertising, analytics tracking, or third-party cookies.

Storage itemPurposeType
kinward_userStores your session information to keep you logged inLocal storage — essential
supa_tokenAuthentication token for secure API accessLocal storage — essential

These items are deleted when you sign out. You can also clear them by clearing your browser's local storage at any time, though this will sign you out of the platform.

Because we use only essential storage, we are not required to obtain cookie consent under PECR. No consent banner is displayed.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to registered users by email at least 30 days before taking effect. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

14. Contact us

Data protection enquiries

Email: [email protected]

General contact: [email protected]

Website: kinward.uk

We aim to respond to all privacy-related enquiries within 5 business days and all formal data subject requests within 30 calendar days as required by UK GDPR.