Privacy Policy

Last updated: 02 March 2026 (Version 1.0)

Your privacy is important to us. This privacy policy explains how Our Complex Child collects, uses, stores, and protects your personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are (Data Controller)

Our Complex Child is a healthcare management platform designed to help families caring for children with complex medical needs.

Data Controller: Our Complex Child
Contact Email: privacy@ourcomplexchild.com
Data Protection Contact: dpo@ourcomplexchild.com
Registered in: United Kingdom

We are registered with the Information Commissioner's Office (ICO) as required under UK data protection law.

2. Data We Collect

2.1 Account Information

  • Name (first and last name)
  • Email address
  • Password (stored only as a salted hash, never in plain text; see Section 9)
  • Date of birth
  • Relationship to child (e.g., parent, guardian)
  • Phone number (optional)

2.2 Child Profile Information

  • Child's name and date of birth
  • NHS number (optional)
  • Gender and ethnicity
  • Medical conditions and diagnoses
  • Allergies and comorbidities

2.3 Medical and Care Information

  • Medications and dosages
  • Medication administration records
  • Appointments and medical consultations
  • Emergency contacts and protocols
  • Care protocols and procedures
  • Advanced Care Plans
  • Healthcare professional contacts
  • Daily care entries and notes

2.4 Technical Data

  • IP address
  • Browser type and version
  • Device information
  • Login timestamps
  • Usage patterns and page views

3. Lawful Basis for Processing (Article 6)

We process your personal data under the following lawful bases:

| Processing Activity                  | Lawful Basis                                        |
|--------------------------------------|-----------------------------------------------------|
| Account creation and authentication  | Contract - Necessary to provide our service         |
| Storing medical/care records         | Explicit Consent - You consent at registration      |
| Security monitoring and audit logs   | Legitimate Interest - Protecting your account       |
| Newsletter communications            | Consent - Optional opt-in at registration           |
| Legal compliance                     | Legal Obligation - Required by law                  |

4. How We Use Your Data

We use your personal data to:

  • Provide and maintain our healthcare management platform
  • Enable you to record and manage your child's care information
  • Generate care packets and reports for healthcare providers
  • Send important service notifications (e.g., appointment reminders)
  • Improve our platform and user experience
  • Ensure security and prevent fraud
  • Comply with legal obligations

We do NOT:

  • Sell your personal data to third parties
  • Use your data for advertising purposes
  • Make automated decisions that significantly affect you
  • Process your data for purposes beyond those stated

5. Special Category Data (Article 9)

Health Data: The medical and health information you store about your child is classified as "special category data" under UK GDPR and receives enhanced protection.

We process this special category data based on:

  • Article 9(2)(a) - Explicit Consent: You provide explicit consent when you register and agree to our terms
  • Article 9(2)(h) - Healthcare Purposes: Processing is necessary for the management of health care systems and services

Additional safeguards for health data:

  • Encryption at rest and in transit
  • Access controls and authentication
  • Audit logging of all data access
  • Regular security assessments

6. Data Sharing and Third Parties

6.1 Service Providers (Data Processors)

We use the following third-party services to operate our platform:

| Provider                  | Purpose                    | Location              |
|---------------------------|----------------------------|-----------------------|
| Microsoft Azure           | Cloud hosting and database | UK (UK South region)  |
| SendGrid / Email Provider | Transactional emails       | UK/EU                 |

All service providers have signed Data Processing Agreements (DPAs) and comply with UK GDPR requirements.

6.2 When We May Share Data

  • With your consent: When you generate care packets to share with healthcare providers
  • Legal requirements: If required by law, court order, or regulatory authority
  • Vital interests: In emergencies to protect life

6.3 International Transfers

Your data is primarily stored in the UK. If data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.

7. Data Retention

We retain your personal data for as long as necessary to provide our services and comply with legal obligations:

| Data Type            | Retention Period       | Reason                       |
|----------------------|------------------------|------------------------------|
| Account data         | Until account deletion | Service provision            |
| Medical records      | Until account deletion | Healthcare management        |
| Audit logs           | 2 years                | Security and compliance      |
| Deleted account data | 30 days in backup      | Accidental deletion recovery |

When you delete your account, all personal data is permanently removed within 30 days, including from our backup systems.

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15)

Request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data.

Right to Erasure (Article 17)

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing (Article 18)

Limit how we process your data in certain circumstances.

Right to Data Portability (Article 20)

Receive your data in a machine-readable format.

Right to Object (Article 21)

Object to processing based on legitimate interests.

Exercise Your Rights: You can access, download, or delete your data at any time from your Personal Data settings.

Right to Withdraw Consent

You can withdraw your consent at any time. This won't affect the lawfulness of processing based on consent before withdrawal. To withdraw consent, contact us at privacy@ourcomplexchild.com or delete your account.

Right to Complain

If you're unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

9. Data Security (Article 32)

We implement appropriate technical and organisational measures to protect your personal data:

Technical Measures

  • TLS 1.2+ encryption in transit
  • AES-256 encryption at rest
  • Secure password hashing (PBKDF2)
  • Two-factor authentication available
  • Account lockout after failed attempts

Organisational Measures

  • Regular security assessments
  • Comprehensive audit logging
  • Role-based access controls
  • Secure cloud infrastructure (Azure UK)
  • Breach detection and response procedures

Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  1. Notify the ICO within 72 hours of becoming aware
  2. Notify affected individuals without undue delay if the breach is likely to result in high risk
  3. Document the breach and our response

10. Cookies

We use cookies to operate our service. Here's what we use:

| Cookie                          | Type      | Purpose                     | Duration |
|---------------------------------|-----------|-----------------------------|----------|
| .AspNetCore.Identity.Application | Essential | Authentication session      | 24 hours |
| .AspNetCore.Antiforgery         | Essential | Security (CSRF protection)  | Session  |
| CookieConsent                   | Essential | Remember cookie preferences | 1 year   |

We only use essential cookies required for the website to function. We do not use analytics or advertising cookies.

11. Children's Privacy

Our platform stores information about children as provided by their parents or legal guardians. We take extra care to protect children's data:

  • Only parents/guardians can create accounts and enter child data
  • We verify the user's relationship to the child during registration
  • Child data receives the same (or greater) protection as adult data
  • We do not knowingly collect data directly from children

The age of digital consent in the UK is 13. Our service is intended for use by adults managing care for children.

12. Contact Us

If you have questions about this privacy policy or how we handle your data:

General Privacy Enquiries

privacy@ourcomplexchild.com

Data Protection Contact

dpo@ourcomplexchild.com

We aim to respond to all privacy-related enquiries within 30 days.

13. Changes to This Policy

We may update this privacy policy from time to time. When we make significant changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email if the changes significantly affect your rights
  • Request renewed consent if required for new processing activities

We encourage you to review this policy periodically.