Privacy Policy
Hande Enterprise Ltd ("Hande", "we", "us") is committed to protecting your privacy and handling your personal data transparently. This policy explains how we collect, use, store, and share personal data when you visit our website, use our platform, or interact with us.
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Hande Enterprise Ltd is a company registered in England and Wales. Our registered address and contact details are:
- Email: hello@handeapp.co.uk
- Website: handeapp.co.uk
- Data Protection Contact: dpo@handeapp.co.uk
2. Our role: controller and processor
We act in two capacities depending on the data involved:
As a data controller
We are the data controller for personal data we collect directly from you, including:
- Website visitor data (analytics, enquiry forms)
- Account holder information (name, email, role)
- Billing and subscription data
- Marketing communications
As a data processor
When care providers use Hande to manage records about young people, staff, incidents, and care plans, the care provider is the data controller and Hande acts as the data processor. We process this data solely on the controller's instructions and in accordance with our Data Processing Agreement.
Care providers using Hande are responsible for ensuring they have a lawful basis to collect and process the personal data they enter into the platform, including obtaining any necessary consents.
3. What data we collect
Data you provide directly
- Account registration: Full name, email address, job title, organisation name
- Contact forms: Name, email, phone number, message content
- Billing: Organisation name, billing address (payment card details are processed by our payment provider and never stored on our servers)
Data collected automatically
- Technical data: IP address, browser type, operating system, device type
- Usage data: Pages viewed, features used, session duration, referring URL
- Cookies: See our Cookie Policy for details
Data processed on behalf of care providers
When care providers use the platform, we process data they enter, which may include:
- Young person records (names, dates of birth, placement details, local authority information)
- Care plans, risk assessments, and support plans
- Incident reports and safeguarding records
- Daily logs, keywork session notes, and meeting minutes
- Staff profiles, training records, and DBS check information
- Rota schedules and shift handover notes
This data may include special category data under UK GDPR (such as health information, ethnicity, or data relating to children). Care providers are responsible for ensuring they have an appropriate lawful basis and, where required, explicit consent for processing this data.
4. How we use your data
| Purpose | Lawful basis |
|---|---|
| Providing and maintaining the Hande platform | Performance of a contract |
| Processing account registration | Performance of a contract |
| Responding to enquiries and support requests | Legitimate interests |
| Sending service updates and product communications | Legitimate interests |
| Processing payments and billing | Performance of a contract |
| Improving the platform and developing new features | Legitimate interests |
| Ensuring security and preventing fraud | Legitimate interests |
| Complying with legal obligations | Legal obligation |
| Sending marketing communications (where opted in) | Consent |
5. Who we share your data with
We do not sell your personal data. We share data only with the following categories of recipients, and only to the extent necessary:
| Recipient | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Platform infrastructure and database hosting | United Kingdom / EEA |
| Email service provider | Transactional and notification emails | United States (with appropriate safeguards) |
| Error monitoring service | Identifying and resolving technical issues | United States (with appropriate safeguards) |
| Payment processor | Subscription billing | United Kingdom / EEA |
All third-party providers are bound by data processing agreements and are required to implement appropriate technical and organisational measures to protect your data.
6. International data transfers
Your data is primarily stored and processed within the United Kingdom and the European Economic Area. Where we use service providers based outside the UK (such as email delivery or error monitoring services based in the United States), we ensure appropriate safeguards are in place, including:
- UK adequacy regulations
- International Data Transfer Agreements (IDTAs)
- Standard Contractual Clauses approved by the ICO
7. Data security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls with a multi-tier permission system
- Organisational data isolation (multi-tenant architecture with row-level security)
- Regular security reviews and dependency updates
- Secure authentication with session management
- Automated backups with point-in-time recovery
No system is completely secure. If we become aware of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay, as required by UK GDPR.
8. Data retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: For the duration of your subscription, plus 30 days after termination to allow for reactivation
- Contact form enquiries: 12 months from submission
- Billing records: 7 years to comply with UK tax and accounting obligations
- Platform usage logs: 12 months
- Care records (processed on behalf of providers): As instructed by the data controller, in accordance with their retention policy and regulatory requirements. Care providers should note that Ofsted regulations may require retention of children's records for specified periods.
When data is no longer required, it is securely deleted or anonymised.
9. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — request a copy of the data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal obligations)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests or direct marketing
- Right to withdraw consent — where processing is based on consent, withdraw at any time
To exercise any of these rights, contact us at dpo@handeapp.co.uk. We will respond within one month.
If you are a young person, staff member, or other individual whose data has been entered into Hande by a care provider, you should direct your request to the care provider in the first instance, as they are the data controller for that information.
10. Children's data
Hande is designed for use by care professionals managing services for children and young people. The platform is not intended for direct use by children. All data relating to children and young people is entered and managed by authorised care provider staff.
We recognise the particular sensitivity of children's data and apply enhanced safeguards, including strict access controls, audit logging, and organisational data isolation.
11. Automated decision-making
Hande uses AI-assisted features to help care professionals draft reports and identify compliance gaps. These features are assistive tools — they do not make automated decisions that produce legal or similarly significant effects on individuals. All AI-generated content is reviewed and approved by care staff before use.
12. Changes to this policy
We may update this privacy policy from time to time. Where changes are material, we will notify you by email or through an in-platform notification. The "Last updated" date at the top of this page indicates when the policy was most recently revised.
13. Complaints
If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
We would appreciate the opportunity to address your concern directly before you contact the ICO. Please reach out to us at dpo@handeapp.co.uk first.
14. Contact us
If you have any questions about this privacy policy or our data practices, contact us:
- Email: dpo@handeapp.co.uk
- General enquiries: hello@handeapp.co.uk