How we use and protect your personal data

Introduction
Here at Gladys, your privacy isn't just an afterthought — it's a priority. We're committed to taking good care of your personal data and being transparent about how we use it. This policy outlines what we do with your information, how we protect it, and how you can manage it. You can also look at our Terms and Conditions for more info.
How We Update This Policy
Things change, and our privacy policy might too. We’ll make sure to update this page so you’re always in the know. Check back here from time to time to stay updated.
Using Our Website
While you're browsing our site, we use cookies to make sure everything runs smoothly and to gather insights into user behaviour. You'll get a prompt asking for your consent to use these cookies. Simply visiting doesn’t mean we'll ask you for personal info.
Setting Up an Individual Client Account
Creating an account? We'll need some information about you and anyone you're providing care for. If the person is under 18, we'll verify that you have parental authority. Your account lets you seek care options, chat, schedule visits, and handle payments.
Creating a Business or Organisation Account
If you're setting up an account on behalf of an organisation, we'll ask for similar information. For those under 18, parental consent or authority is a must. For more details, see our Client Privacy policy.
Becoming a Carer at Gladys
As a Gladys carer, you’ll get an online account. Keep your login details secure. You can create your carer profile, search for opportunities, and exchange messages. We’ll also run checks for things like criminal records to keep everyone safe.
Platform Scope
Gladys operates solely as a technology platform connecting clients and carers. We do not collect, store, or manage care plans, medical records, or clinical histories.
Our service data is limited to:
- Schedules
- Shift bookings
- Cancellations
- Basic operational notes required for billing and scheduling
These records are retained for six years for accounting and regulatory compliance, after which they are securely deleted or anonymised.
Right to Work Checks
In compliance with UK immigration law, we collect and retain documentation proving a carer’s right to work in the UK. This may include copies of passports, visas, biometric residence permits, and Home Office share codes. This data is collected under our legal obligation to prevent illegal working. We store it securely and retain it for the duration of engagement plus two years, after which it is securely deleted. Access is restricted to authorised HR and operations staff.
DBS & Safeguarding
To support safeguarding and compliance, we retain DBS outcomes (clear/not clear, reference, date) for the duration of engagement plus six years. This retention aligns with CQC-recommended practice for long-term care evidence.
We securely delete full DBS certificate copies after six months and retain only the outcome data thereafter, in line with ICO guidance.
Operational Communications and WhatsApp Groups
When you agree to work with Gladys as a carer, you provide default consent for us to communicate with you through operational systems necessary for delivering our services. This includes, but is not limited to:
- Transactional messages, notifications, and updates
- Emails regarding shifts, payments, and service matters
- Phone calls related to your work with Gladys
- Messages and notifications sent via our platform or connected third-party systems
- WhatsApp communications (individual and group)
WhatsApp Groups
- Carer Group – All active carers are added to an internal WhatsApp group used for job postings, updates, and operational notices. Participation is optional; carers may opt out at any time, but doing so may limit access to job opportunities.
- Client Service Group – For certain client arrangements, carers may be added to a temporary WhatsApp group that includes the client or client’s family and Gladys staff. This is used for direct updates and coordination related to the service.
- Facilitation & Mediation – Gladys will remain in any client service group to facilitate communication, mediate issues, and ensure safeguarding. Once the service ends, the group is dissolved.
Profile and Data Sharing with Clients
By joining Gladys, you consent to us sharing your carer profile and relevant work-related information with prospective or confirmed clients for the purpose of matching and arranging care. This may include:
- Your name and professional experience
- Skills, qualifications, and training records
- References and DBS check status
- Availability and shift preferences
- Contact details (only once a match is confirmed)
We will only share data with clients for legitimate service delivery purposes and in accordance with this policy.
Contacting Us by Phone
When you call us, our system may note your number. If the call drops, we might ring you back. If we can’t take your call immediately, you can leave a voicemail and we'll get back to you, usually within the next working day.
Sending Us an Email
If you email us, we'll only use your email to reply to your request. We aim to respond within 48 hours, though it may take longer during busy periods.
Participating in Online Surveys
We may invite you to share feedback via surveys. If you choose to participate, we may request your name and contact details for follow-up purposes.
External Links
Our site may include links to other websites. We recommend reviewing their privacy policies, as we are not responsible for how they handle your data.
Data Collection and Storage
Gladys acts as the ‘data controller’ for information you provide to us. The type and amount of data we collect depends on how you interact with us. We will always explain why we need certain details and how we will use them.
Where Your Data is Kept
We aim to keep your data within the UK or the European Economic Area (EEA). If we transfer it outside of these areas, we will ensure appropriate safeguards are in place.
Sharing Your Data
We may share your data with trusted service providers to help us deliver our services. All providers are bound by contract to keep your data secure and confidential.
In some cases, if we cannot directly assist you, we may share your information with a trusted local partner who specialises in your needs. This will only be the minimum information required, and only where GDPR-compliant safeguards are in place.
We will never share your data for marketing purposes without your explicit consent.
Messaging and Device Use
To deliver our services effectively, Gladys may use WhatsApp groups and similar messaging tools to coordinate carers and clients. These groups are used only for operational purposes such as shift reminders, cancellations, and scheduling updates. Carers may be added to a client-specific group during active service, and to a carers’ group for job postings.
Messages sent through WhatsApp are securely captured via our communication partner and transferred into the Gladys system. We retain these records for up to 12 months before deletion. Care plans or detailed medical records are never shared via WhatsApp.
Carers and staff may use personal devices (phones, tablets, laptops) to access Gladys systems. We require these devices to be secured with passwords/biometric login and encryption. If a device is lost or compromised, we suspend access and take steps to protect data.
Where carers or staff are located outside the UK/EU, we apply appropriate safeguards such as the UK–US Data Bridge or the UK International Data Transfer Addendum (IDTA) to ensure personal data remains protected under GDPR standards.
Data Retention Policy
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Once the retention period expires, we securely delete or anonymise the data.
Lawful Basis, Special Conditions & Retention
AI Usage & Automated Decision-Making
We use AI (e.g., OpenAI GPT-4) to structure operational data such as shift logs, visit time, and expenses. We do not use AI for automated decisions with legal or significantly impactful effects; human review is applied to all AI-generated outputs.
International Data Transfers
When data is transferred outside the UK/EEA (e.g., to US-based providers like OpenAI or Zapier), we put in place robust safeguards using the UK–US Data Bridge or UK IDTA/UK Addendum, and conduct Transfer Risk Assessments (TRAs) to ensure your rights remain protected.
Subject Access Requests (DSAR)
You have the right to request access to your personal data. We will respond within one month of receiving your request. For complex cases, this can be extended by up to 2 additional months, with notice to you. We may require ID verification before responding. In cases involving health data, a “serious harm” test and potential clinical sign-off will be applied.
Your Rights
You have the right to:
- Request access to the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data
- Withdraw consent for processing where applicable
To request deletion of your personal data, complete our online form:
If you are unhappy with how we handle your data, you can lodge a complaint with the UK Information Commissioner’s Office (ICO).
How to Reach Us
If you have any questions about this policy or your data, email us at hello@gladys.com.