Privacy Notice

Crimson Care Limited

Last updated: 23 June 2026

This is the Privacy Notice for Crimson Care Limited ('Crimson Care', 'we', 'us', 'our'). Crimson Care is a residential dementia care home located at Crimson Manor, 185 Scar Lane, Milnsbridge, Huddersfield, West Yorkshire, HD3 4PZ.

As part of the services we provide, we are required to process personal data about our residents, our staff, and in some instances, the friends, relatives and legal representatives of our residents and staff. 'Processing' can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This notice explains:

• What personal data we hold and why

• The lawful basis on which we process it

• Who we share it with

• How long we keep it

• Your rights in relation to your data

This Privacy Notice applies to residents, their families and legal representatives, staff and job applicants, and visitors to our website.

Contact   us

If you have any questions or concerns   about how we use your personal data, please contact us:

Crimson Care Limited

Crimson Manor, 185 Scar Lane,   Milnsbridge, Huddersfield, West Yorkshire, HD3 4PZ

Email: office@crimsoncare.co.uk

Website: www.crimsoncare.co.uk

Company number: 8231484

In order to provide safe, high-quality, person-centred dementia care, we need to keep certain records about you. We may process the following types of data:

• Your basic details and contact information — including your name, address, date of birth, and next of kin details

• Financial details — including details of how you pay for your care, your funding arrangements (whether self-funded, Local Authority or NHS funded), and invoicing information

• Legal documents — including Lasting Power of Attorney documentation, Deprivation of Liberty Safeguards (DoLS) authorisations, and advance care planning documents

We also record the following special category data, which requires a higher level of protection:

• Health and social care data — including your physical and mental health information, dementia diagnosis and care records, medication records, risk assessments, care plans, body maps and daily care notes

• Mental capacity assessments — records of your capacity to make decisions and any best interest decisions made on your behalf under the Mental Capacity Act 2005

• Equality and diversity data — including your race, ethnic origin, religion and sexual orientation, where this is relevant to providing person-centred care

We need this data in order to provide high-quality, safe and person-centred dementia care. By law, we must have a lawful basis for processing your personal data.

• Legal obligation — we process your data because we are required to do so under the Health and Social Care Act 2012, the Mental Capacity Act 2005, and other applicable legislation

• Contract — we process your data as necessary for the performance of your care contract with us

• Legitimate interests — we process some data in our legitimate interests as a care provider, where those interests are not overridden by your rights

• 9(2)(h) — Processing is necessary for the provision of health and social care and the management of health and social care systems

• 9(2)(b) — Processing is necessary for obligations and rights in the field of employment and social security and social protection law (including safeguarding)

• 9(2)(j) — Processing is necessary for reasons of public interest, including sharing data with our regulator the Care Quality Commission (CQC)

In addition to the above, we satisfy the common law duty of confidentiality in our use of health and care information because:

• You have provided us with your consent — either implicitly (to enable us to provide your care) or explicitly (for other specific uses such as sharing information with named family members or friends)

• We have a legal obligation to collect, share and use the data

• The public interest in using the data overrides the duty of confidentiality in specific circumstances (for example, sharing information with the police or safeguarding teams to prevent or detect serious harm)

We complete a formal consent to share information and mental capacity assessment with all residents at the point of admission. Where a resident has capacity, they are asked to confirm who they consent to information about their care being shared with, including named family members, friends and carers. Where a resident lacks capacity, a best interest decision is made in accordance with the Mental Capacity Act 2005, with the decision and reasoning documented in the resident's care record. All active consents are reviewed monthly as part of each resident's care plan review.

The same capacity assessment and consent process is applied to all other matters requiring consent as they arise, including vaccinations, administration of medications and any other care or treatment decisions. For any other ad-hoc consents required as part of service delivery, consent is obtained or a best interest decision is made as appropriate, and all are included in the monthly care plan review cycle.

In order to provide you with high-quality care and support, we may share your personal data with the following third parties:

• Other health and care professionals — including GPs, community nurses, allied health professionals, hospitals, pharmacies, social workers and other health and social care providers involved in your care

• The Local Authority — including social care teams, DoLS teams and safeguarding teams

• Your family, friends or legal representatives — with your consent or in your best interests

• The Care Quality Commission (CQC) — as required by our regulatory obligations, including statutory notifications

• The police or other law enforcement agencies — where we are required to do so by law or court order, or to prevent or detect serious harm

We communicate with you and share information face to face, by telephone, by email, by post and via WhatsApp Business (with your consent). We receive information from other health and care professionals by secure email, NHS mail, by post and by hand.

We review our data processing on an annual basis to assess whether the national data opt-out applies. At this time, we do not share any confidential patient or service user data for planning or research purposes for which the national data opt-out would apply. If this changes, we will update this notice and apply the appropriate opt-out process.

You can find out more about the national data opt-out at https://www.nhs.uk/your-nhs-data-matters/

In order to employ and support our staff, we need to keep certain records about you. We may process the following types of data:

• Your basic details and contact information — including your name, address, date of birth, National Insurance number and next of kin details

• Financial details — including your bank details, salary information, tax details and pension information

• Employment records — including your contract of employment, application form, references, right to work documentation, training records and appraisals

• DBS check records — we record that an enhanced DBS check has been completed and the date and certificate number, but we do not retain a copy of the certificate itself

We also record the following special category data:

• Health data — including fit notes, information relevant to statutory sick pay, maternity or paternity pay, and any workplace adjustments required

• Equality and diversity data — including your race, ethnic origin, religion and sexual orientation, where you have chosen to provide this information

We require this data to contact you, pay you, ensure you receive the training and support you need to perform your role, and to comply with our legal obligations as your employer.

• Legal obligation — we process your data because we are required to do so under UK employment law

• Contract — we process your data as necessary for the performance of your employment contract

• Legitimate interests — we provide data about your training to Skills for Care's Adult Workforce Data Set (NMDS-SC), which allows Skills for Care to produce reports about workforce planning in the social care sector

• Public task — we are required to provide data to our regulator the CQC as part of our regulatory obligations

• 9(2)(b) — Processing is necessary for obligations and rights in the field of employment and social security and social protection law (including processing for sick pay and maternity/paternity pay)

Where we request criminal records information, this is because we have a legal obligation to do so under the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We record that a check has been completed but do not retain the certificate.

As your employer, we may share your personal data with the following third parties where we have a legal reason to do so:

• HM Revenue and Customs (HMRC) — for tax and payroll purposes

• Our auto-enrolment pension scheme provider — for pension administration purposes

• Skills for Care (NMDS-SC) — for workforce data reporting

• The Disclosure and Barring Service (DBS) via our umbrella body — for pre-employment checks

• The Care Quality Commission (CQC) — as required by our regulatory obligations

• The police or other law enforcement agencies — where we are required to do so by law or court order

We communicate with staff face to face, by telephone, by email, via Microsoft 365, and via ConnectTeam and RotaCloud which are used for internal communications and rota management.

As part of our work providing care and support to our residents, it may be necessary for us to hold the following information about you:

• Your basic details and contact information — including your name, address, telephone number and email address

• Your relationship to the resident and, where applicable, details of any Lasting Power of Attorney

• Legitimate interests — we hold next of kin and emergency contact information for residents in our legitimate interests as a care provider

• Legal obligation — we hold LPA documentation where relevant as required by the Mental Capacity Act 2005

• Consent — where you have provided consent for us to communicate with you about a resident's care

We communicate with families and legal representatives face to face, by telephone, by email, by post and via WhatsApp Business where consent has been given.

We may share information about you with other health and care professionals involved in a resident's care where this is necessary and proportionate, for example to confirm next of kin or LPA arrangements.

When you visit our website at www.crimsoncare.co.uk, we may collect the following information:

• Contact information — including your name and email address if you submit an enquiry via our contact form

• Technical information — including your IP address, browser type, device type and pages visited, collected automatically via cookies and similar technologies

• Contract / pre-contract — to respond to your enquiry about our care services

• Legitimate interests — to understand how our website is used and to improve the experience for visitors

Our website uses cookies to improve your experience. By continuing to use the website you agree to our use of cookies. You can find more information about the cookies we use and how to manage them in our Cookie Policy on our website.

Please note that communications over the internet, such as emails and enquiry forms, are not fully secure unless encrypted. We take reasonable steps to protect any information you send us.

Your personal data is stored securely using a combination of cloud-based software systems and physical records. Our main systems include:

• Log my Care — our digital care management system, hosted on UK-based servers

• Microsoft 365 / OneDrive — for organisational documents and email, hosted on UK/EU Microsoft servers

• Google Drive — for operational records, hosted on UK/EU Google servers

• Xero — for financial and payroll records, hosted on UK/EU servers

• JotForm — for electronic forms including HR and admission forms, hosted on US servers (protected by Standard Contractual Clauses)

• Physical records — some historic records are stored in locked filing cabinets and a locked storage room on-site, accessible only to authorised management staff

Where data is transferred outside the UK (for example to US-based software providers), we ensure that appropriate safeguards are in place, including Standard Contractual Clauses, in accordance with UK GDPR.

We retain personal data for the periods set out in the NHS Records Management Code of Practice, which also applies to adult social care providers. In general:

• Resident care records — 8 years from the end of care (or until the resident's 25th birthday if they were a minor when admitted)

• Staff employment records — 7 years after employment ends

• Financial records — 7 years in line with HMRC requirements

• Visitor records — 3 months

After the relevant retention period, data is securely destroyed. Paper records are shredded using a cross-cut shredder or via a secure shredding service. Digital data is permanently deleted from our systems.

We may take photographs of residents as part of person-centred care records and activities documentation. We may also use photographs for our newsletter, social media channels and press/newspaper purposes.

Separate consent is obtained at the point of admission for the use of photographs. Our consent form is structured in sections so that residents or their representatives can consent to or decline each type of use independently. Photography consent is reviewed as part of the monthly care plan review process.

Under UK GDPR, you have the following rights in relation to your personal data. We will always respond to your request as soon as possible and at the latest within one month.

1. Right of access — You have the right to request a copy of all personal data we hold about you (a Subject Access Request). We will not usually charge for this.

2. Right to rectification — You have the right to ask us to correct any data we hold about you which is inaccurate or incomplete.

3. Right to erasure — You have the right to ask us to delete personal data which is no longer necessary for the purpose for which it was collected. Note that we may not always be able to comply with erasure requests where we have a legal obligation to retain data.

4. Right to restriction — You have the right to ask us to restrict processing of your data in certain circumstances, for example while we consider a rectification request.

5. Right to object — Where we are processing your data based on legitimate interests or public task, you have the right to object to that processing.

6. Right to withdraw consent — Where we are processing your data based on your consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing carried out before you withdrew consent.

7. Right to data portability — Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your data in a structured, machine-readable format.

To exercise any of these rights, please contact us using the details in the Introduction section of this notice. You may be asked to provide proof of identity before we can action your request.

If you are unhappy with how we have handled your personal data or responded to a request, you have the right to make a complaint to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information   Commissioner's Office

Wycliffe House, Water Lane, Wilmslow,   Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: https://ico.org.uk/make-a-complaint/

We may update this Privacy Notice from time to time, for example when our data processing activities change or when legislation changes. The current version will always be published on our website at www.crimsoncare.co.uk. The date at the top of this notice shows when it was last updated.

You can request a copy of this notice at any time by contacting us at office@crimsoncare.co.uk or by writing to us at the address above.