Last updated 29 May 2026·v1.2
Privacy policy
This policy explains what personal information Carerealm collects about you, how we use it, who we share it with, how long we keep it, and the rights you have under UK GDPR and other applicable data protection laws.
At a glance
- We hold the account details you give us (name, email, password), what you create inside Carerealm (diary entries, forms, files…) and the billing details Stripe gives us.
- We don't sell your data, don't share it with ad networks, and don't allow our sub-processors to use it for their own marketing.
- Optional analytics and session recording are off until you opt in via our cookie banner. You can change your mind on the cookies page.
- Your data lives in the UK and the EU. A small number of sub-processors (Stripe, SendGrid, OpenAI, Firebase) operate in the US under proper safeguards.
- You can ask us for a copy, fix things, or delete your account at any time. Write to [email protected] and we'll respond within 30 days.
Who we are
Carerealm is provided by Rouic Ltd, a company registered in England and Wales with its registered office at Valley House, Valley Road, Plympton, PL7 1RF, United Kingdom ("Rouic", "we", "us"). For everything in this document, Rouic Ltd is the data controller of the personal data we collect about you as a Carerealm user.
When Carerealm is used by a registered care organisation to support the people they care for, that organisation is the controller for the personal data of the people they support, and Rouic Ltd acts as a data processor for them. If you're a care organisation we can sign a Data Processing Agreement (DPA); just ask [email protected].
What we collect and why
We aim to collect the minimum we need to run a good service. Here's the full list, grouped by purpose.
Account data
Name, email address, hashed password, profile picture (if you upload one), your role in your organisation, two-factor authentication secret (if you enable 2FA), and the timestamps of your sign-ins.
Why: we need this to give you access to Carerealm, recover your password, and protect the account from unauthorised use.
Organisation and area data
The content you create inside Carerealm (areas, daily diary entries, reminders, calendar events, eMAR (medication) records, forms, files, contacts, messages and workflow runs), including any personal data about the people your organisation supports.
Why: this is the service. We hold it on behalf of your organisation so the right people can read, write and audit it. Your organisation is the data controller for this content.
Billing data
Your billing email, billing address, VAT number (if you've supplied one), and the subscription / invoice history Stripe shares with us.
Why: we need to bill you and to keep accounting records the law requires. Payment card numbers are never stored or seen by Carerealm. Stripe handles them directly.
Usage and audit data
Every meaningful action inside Carerealm is recorded in an audit log: who did it, what changed, when, from which IP. We also keep server logs of HTTP requests, errors and performance for 30 days.
Why: care records have to be auditable. You (and regulators) need to see who wrote what and when. Server logs help us spot abuse and debug problems.
Analytics & session recording (only if you opt in)
If you've granted analytics consent through the cookie banner we also collect anonymised usage data through Google Analytics 4 and WebRec session recording. All input fields are masked in recordings; we never see what you actually type.
Why: to understand which features are used and where the product trips people up. Off by default, with full detail on the cookies page.
Mobile app diagnostics
The Carerealm iPhone and Android apps include Expo (EAS) Insights, which sends us anonymised technical and usage telemetry: app opens, which app version and update a device is running, platform, device model and OS version. It uses a random, app-specific installation identifier and is not tied to advertising and never leaves the app for cross-app tracking.
What it never sees: none of the care content you record. No diary entries, medication records, forms, messages or the people you support. It is operational telemetry about the app itself, processed by Expo on our behalf as a sub-processor.
Why: so we can confirm an update has reached devices, spot crashes and slowdowns, and prioritise fixes for the platforms and OS versions our users actually run.
Support correspondence
Anything you send us via the support widget, our help inbox, email or suggestion form (including any screenshots or context you share), plus the resolution of the conversation.
Why: so we can reply, follow up, and improve the product based on what people are stuck on.
Legal bases
We rely on one of four legal bases under UK GDPR for everything we do with your data:
| Basis | What we use it for |
|---|---|
| Contract | Providing the Carerealm service to you under our Terms: account access, billing, support, the core product features. |
| Legitimate interests | Securing accounts, preventing fraud and abuse, debugging, improving the product, audit logging for accountability. We balance these interests against your rights every time. |
| Consent | Optional analytics cookies, session recording, the support messenger, and any marketing email you've explicitly subscribed to. |
| Legal obligation | Tax and accounting records, responding to regulator requests, court orders, statutory data-protection obligations. |
Who we share data with
We never sell your data and we don't share it with data brokers. The only advertising-network sharing we do is aggregate conversion events from the marketing site to Google Ads (so we can tell which adverts are worth running): opt-in via the cookie banner, no contact details, no remarketing or audience-targeted ads to you. See the cookies page for the specific cookies and what they do. Beyond that we rely on a small number of carefully-chosen sub-processors to run Carerealm. Where consent is needed (analytics, session recording, support messenger, embedded videos) the service is only loaded once you opt in.
Infrastructure
- Google Cloud Platform: backend hosting, Cloud SQL database, Cloud Storage for uploaded files (UK / EU regions).
- Vercel: Next.js hosting and edge delivery for the marketing site and in-app shell.
- Cloudflare: DNS, CDN and DDoS protection in front of carerealm.com. Cloudflare may set strictly-necessary cookies for bot-protection on the edge.
- Firebase (Google): authentication tokens and Firebase Cloud Messaging for push notifications.
Payments & communications
- Stripe: subscription billing and invoicing. Card data is collected by Stripe's iframes; we never see card numbers.
- Twilio SendGrid: transactional email (sign-in alerts, billing receipts, password resets, reminders).
- Intercom: the support messenger on carerealm.com. Loaded only with your consent. We share your name, email and a hashed user identifier so we can reply to your messages.
AI
- OpenAI: AI features (writing assistance, help search) only when you actively trigger them. Prompts are sent under OpenAI's API terms; they are not used to train OpenAI's models.
Analytics, performance & bot protection
- Google Tag Manager + Google Analytics 4: anonymised usage analytics on the marketing site. Consent-gated.
- WebRec: anonymised session recording for bug-fixing and UX work. All input fields are masked. Consent-gated.
- Vercel Analytics + Speed Insights: first-party aggregate page-view and Core Web Vitals data. Cookie-free, no cross-site tracking.
- Google reCAPTCHA: bot protection on the forgot-password and sign-up forms. Google sets a small number of cookies on its own domain to score whether a request looks human. Loaded only on those pages.
Embedded content & fonts
- Cloudflare Stream: hosts the product videos embedded in the marketing site (iframe). Plays without cookies until you interact with the player.
- Adobe Fonts (Typekit): webfont delivery for our display typeface. Adobe receives a font request from your browser and may set a small first-party cookie for cache efficiency.
A full, up-to-date sub-processor list is available on request to [email protected]. We give customers reasonable notice before material sub-processor changes.
Where your data lives
Carerealm's primary data store and file storage are in the European Union (Google Cloud, europe-west1, with backups in EU multi-region). Cloudflare and Vercel cache static content globally on their edge networks.
A small number of sub-processors process limited data in the United States: Stripe, SendGrid, OpenAI, Firebase. Each transfer relies on the EU–US Data Privacy Framework or Standard Contractual Clauses (SCCs) as additional safeguards, and we don't transfer more than is necessary for the function (e.g. OpenAI only sees the prompt you actually send).
How long we keep things
| What | How long | Why that long |
|---|---|---|
| Active account & content | While your account is open | It's your working data. We hold it as long as you use the service. |
| Closed-account data | Deleted within 90 days* | Lets you change your mind, then we wipe it. *See the care-records note below. |
| Audit logs (in-app actions) | 7 years | Care records have to be auditable for regulators and serious-incident reviews. |
| Billing records | 6 years | HMRC and Companies House retention rules. |
| Backups | Rolling 35-day window | Closed-account data ages out as the window rolls forward. |
| Server / HTTP logs | 30 days | Enough to debug incidents and spot abuse. |
| Analytics & session recordings | Up to 2 years / 90 days | GA4 default; WebRec recordings shorter for least-data. |
| Support correspondence | 3 years | So we can pick up a thread again if you write back. |
A note on care records. Carerealm stores regulated care documentation (diary entries, medication administration records, forms) on behalf of the care organisations that use it, and those records are legally required to show who did what. The author's name on a medication record is part of the record itself. So when you delete your account: your login, sessions, contact details, photo and other profile data are deleted within 90 days as above, but your name remains attributed to the care records you authored for as long as your organisation's account remains active and subject to statutory care-record retention. Once the organisation's account is closed, that attribution is anonymised too. This is the standard approach for regulated care documentation under UK GDPR Article 17(3)(b) (legal-obligation exemption).
Your rights
Under UK GDPR you have the right to:
- Access: get a copy of the personal data we hold about you.
- Rectification: correct anything that's wrong.
- Erasure: ask us to delete your data (subject to legal retention rules above).
- Restriction / objection: limit or object to certain processing, especially anything we do on legitimate-interests grounds.
- Portability: get a machine-readable copy of data you've provided to us.
- Withdraw consent: for anything we do on the basis of consent (analytics, session recording, marketing email).
- Complain: to the Information Commissioner's Office if you think we've handled your data badly. Other EU consumers can complain to their national supervisory authority.
To exercise any of these, email [email protected] from the address tied to your account. We aim to acknowledge within 7 days and respond fully within 30 days. We never charge for handling a request unless it's manifestly excessive.
Children's data
Carerealm is a tool for professional carers and the people they support. Carerealm accounts themselves aren't intended for children under 16, and we don't knowingly create accounts for them. If your organisation supports children or young adults, that content lives under the organisation's account and is the organisation's responsibility as data controller.
Marketing and choice
We don't run ad-network tracking and we don't sell your data. We do, occasionally, send product-update emails to active customers. Those are based on legitimate interest in keeping you informed about a service you pay for, and every one has an unsubscribe link. Any sales / outbound marketing requires you to have actively opted in.
Security
All connections to Carerealm use TLS 1.2 or higher. Passwords are stored as salted bcrypt hashes. We cannot see them. Two-factor authentication is available on every account. Backups are encrypted at rest. The infrastructure we run on (Google Cloud, Vercel) is SOC 2 / ISO 27001 certified. The full picture is on our security page.
If you think you've spotted a vulnerability, email [email protected] with the word "security" in the subject and we'll get back to you the same working day.
Automated decisions and AI
Carerealm doesn't make legally significant decisions about you automatically. The AI features (writing assistance, help search, summarisation) are assistive. They suggest content for a human to review, not autonomous decisions. We do not use your data to train any third-party model.
Changes to this policy
When we make a meaningful change we bump the document version, email active customers, and re-show the cookie banner so you can re-confirm your preferences. Smaller corrections (typos, link fixes, clearer wording) don't trigger a re-prompt but update the "last updated" date at the top.
Contact
Questions, requests, or anything else: [email protected].
Postal: Rouic Ltd, Valley House, Valley Road, Plympton, PL7 1RF, United Kingdom.
Take this with you
Save a PDF copy for your records or share it with your team. It's the same content as this page, branded and dated.