Important: Recordsafe is an AI-assisted tool that generates automated suggestions. These may contain errors or inaccuracies. Analysis results do not constitute professional compliance advice and should always be verified by qualified professionals.
1. Our Commitment
Recordsafe is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We treat data protection as a fundamental part of our service design, not an afterthought.
This document outlines the specific measures we take to ensure GDPR compliance across all aspects of our platform.
2. Lawful Basis for Processing
We process personal data under the following lawful bases:
- Contract Performance (Article 6(1)(b)): Processing account data to provide the Service you have subscribed to
- Legitimate Interest (Article 6(1)(f)): Security monitoring, fraud prevention, and service improvement through anonymised analytics
- Legal Obligation (Article 6(1)(c)): Retaining billing records as required by UK tax law
- Consent (Article 6(1)(a)): Marketing communications (opt-in only)
3. Data Processing Activities
3.1 What We Process
| Data Category | Purpose | Retention |
|---|---|---|
| Account details (name, email) | Authentication & service delivery | Until account deletion + 30 days |
| Billing information | Payment processing | 7 years (legal obligation) |
| Usage analytics | Service improvement | 12 months (then anonymised) |
| Care documentation text | Real-time analysis | Not retained (transient processing) |
| Audit logs | Security & compliance | 12 months |
3.2 What We Do NOT Process
- We do not store the content of care notes permanently
- We do not build profiles of residents or patients
- We do not use submitted text to train AI models
- We do not share personal data with third parties for marketing
4. Data Protection by Design
In accordance with Article 25 of UK GDPR, we implement data protection by design and by default:
- Data Minimisation: We collect only what is necessary for service delivery
- Purpose Limitation: Data is used only for the stated purposes
- Storage Limitation: Clear retention periods with automatic purging
- Pseudonymisation: Analysis audit logs are pseudonymised where possible
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
5. Data Subject Rights
We facilitate all data subject rights under UK GDPR:
- Right of Access (Article 15): Request a copy of your data within 30 days
- Right to Rectification (Article 16): Correct inaccurate personal data
- Right to Erasure (Article 17): Request deletion of your data
- Right to Restrict Processing (Article 18): Limit how we use your data
- Right to Data Portability (Article 20): Receive your data in a portable format
- Right to Object (Article 21): Object to processing based on legitimate interest
To exercise your rights, email privacy@Recordsafe.ai. We will verify your identity and respond within 30 calendar days.
6. Sub-Processors
We use the following sub-processors, each with appropriate data processing agreements:
- Stripe Inc. / Paddle: Payment processing (PCI DSS Level 1 compliant)
- Google Cloud (Gemini API): Optional AI text analysis (EU/UK data processing addendum)
- UK-based hosting provider: Server infrastructure (ISO 27001 certified)
We notify users of any changes to sub-processors and allow objections within a reasonable period.
7. International Data Transfers
Primary data storage and processing occur within the United Kingdom. Where data is transferred outside the UK (e.g., to AI providers), we ensure:
- Adequate protection via Standard Contractual Clauses (SCCs)
- Data processing agreements with all recipients
- Assessment of the legal framework in the recipient country
8. Data Breach Procedures
In the event of a personal data breach:
- We will notify the ICO within 72 hours of becoming aware of a qualifying breach
- Affected data subjects will be notified without undue delay where there is a high risk to rights and freedoms
- We maintain a data breach register documenting all incidents and remedial actions
9. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) before implementing any processing activity that is likely to result in high risk to individuals, including:
- New AI model deployments
- Changes to data collection practices
- New sub-processor engagements
10. Data Protection Officer
Our Data Protection Officer can be contacted at:
- Email: dpo@Recordsafe.ai
11. Supervisory Authority
Our lead supervisory authority is the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
You have the right to lodge a complaint with the ICO if you believe your data protection rights have been infringed.
Disclaimer: While Recordsafe takes data protection seriously, our automated analysis tool may produce inaccurate results. Suggestions are provided for informational purposes only and must be verified independently. Recordsafe is not liable for regulatory outcomes influenced by its suggestions.