Privacy Notice
3ripple Health ("3ripple States", "we", "us", "our") is committed to protecting your personal information and your right to privacy. This notice explains who we are, what personal data we collect about you, how we use it, and your rights under UK data protection law.
1. Who we are
3ripple Health is a domiciliary care provider registered in England and Wales. We provide personal care, companionship and support services to adults in their own homes across Wales.
Company number: 14785972
Registered office: 182-184 High Street North, East Ham, London, England, E6 2JA
Data Controller: 3ripple States Limited
ICO Registration number: ZC106036
Contact for data protection queries: compliance@3ripple.com
2. The personal data we collect
We collect and use the following categories of information about you:
- Identity and contact details your name, address, telephone number and email address.
- Health and care information details of your medical conditions, diagnoses, medications, mobility needs, mental capacity assessments, and care and support needs. This is special category data under UK GDPR.
- Family and next-of-kin details contact information for people you choose to involve in your care.
- Financial information where relevant to funding arrangements (e.g. local authority direct payments), limited to what is strictly necessary.
- Communications records notes from care reviews, telephone calls and written correspondence.
- Records of care delivery visit logs, care notes and incident reports created during service delivery.
3. How we collect your information
- Directly from you (or your representative) during the referral and assessment process.
- From health professionals, social workers and other care agencies involved in your care, with your consent.
- From family members or advocates where you have asked them to act on your behalf.
- During the delivery of your care service.
4. Why we use your information (our lawful basis)
We use your personal data only where the law permits. The principal lawful bases are:
| Purpose | Lawful basis |
|---|---|
| Carrying out the care and support services agreed in your care plan | Contract performance (Article 6(1)(b) UK GDPR); provision of health or social care (Article 9(2)(h) UK GDPR) |
| Keeping records required by law (Care Inspectorate Wales; HMRC) | Legal obligation (Article 6(1)(c) UK GDPR) |
| Protecting you or others from harm in an emergency | Vital interests (Article 6(1)(d) / Article 9(2)(c) UK GDPR) |
| Keeping our services safe and improving quality | Legitimate interests (Article 6(1)(f) UK GDPR) |
| Sending you information about our services that may interest you (optional) | Consent (Article 6(1)(a) UK GDPR) you may withdraw consent at any time |
5. Who we share your information with
We do not sell your personal data. We may share it with:
- Health and social care professionals involved in your care (e.g. your GP, district nurse, local authority social worker).
- Family members or representatives you have nominated.
- Regulators such as the Care Inspectorate Wales (CIW) when carrying out inspections or investigations.
- Our technology suppliers who process data on our behalf under written data processing agreements.
- Law enforcement or other authorities where we are required to do so by law.
All our third-party suppliers are contractually required to handle your data securely and in accordance with UK GDPR. Full details are set out in our supplier Data Processing Agreements, available on request.
6. How long we keep your information
We keep your personal data for as long as necessary to deliver your care and meet our legal obligations:
- Care records: 8 years from the date your service ends (or, if you were under 18 at any point, until your 25th birthday), in line with Welsh Government guidance.
- Financial records: 6 years after the end of the relevant financial year, as required by HMRC.
- Recruitment and employment records (for staff): 6 years after employment ends.
- CCTV footage (if used): 30 days unless retained for a specific investigation.
After these periods, data is securely deleted or anonymised.
7. Keeping your data secure
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. These include encrypted data storage, role-based access controls, staff data protection training, and regular security reviews. We hold a UK-registered encryption key and process data only within the UK and European Economic Area.
8. Your rights
Under UK data protection law, you have the right to:
- Access: request a copy of the personal data we hold about you (a "Subject Access Request").
- Rectification: ask us to correct inaccurate data.
- Erasure: ask us to delete your data in certain circumstances.
- Restriction: ask us to restrict how we use your data while a dispute is resolved.
- Data portability: receive your data in a machine-readable format.
- Object: object to processing based on our legitimate interests.
- Withdraw consent: withdraw consent at any time where processing is based on consent.
We will respond to Subject Access Requests within one calendar month. To exercise any right, please write to us at compliance@3ripple.com or at our registered address.
9. Right to complain
If you are unhappy with how we handle your personal data, you have the right to complain to the UK's data protection regulator:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Helpline: 0303 123 1113
Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
10. Changes to this notice
We review and update this privacy notice at least annually. The date at the top of this page shows when it was last revised. Significant changes will be communicated to current service users directly.
11. Contact us
For any questions about this notice or how we handle your data:
Email: compliance@3ripple.com