Privacy Policy
Effective: 29 April 2026 · Last updated: 8 May 2026
1. Who we are
Swipe360 is a staff scheduling service for care homes, operated by Swipe360 Limited (the “Company”, “we”, “us”), registered in England and Wales, company number 17207506, registered office 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ.
ICO registration number: under review.
For privacy questions, contact: support@swipe360.co.uk.
This policy explains how we collect and use personal data when you visit swipe360.co.uk (the “Site”) or use our application at app.swipe360.co.uk (the “Service”).
2. Who this policy applies to
| Role | What we collect | Our role |
|---|---|---|
| Visitors to swipe360.co.uk | Browser metadata, contact-form input | Controller |
| Trial signups & customer admins | Account info, billing | Controller |
| End users (managers, staff in customer organisations) | Account info, scheduling data | Processor acting on behalf of the customer (the controller) |
For end-user data, the customer (your employer) decides what is collected and why; we process it under their instructions per a separate Data Processing Agreement.
3. What we collect and why
3.1 Site visitors
- IP address, browser type, pages viewed (via standard server logs)
- Anything you type into the contact form (name, email, message)
Lawful basis: legitimate interest (running and securing a website; replying to enquiries).
3.2 Account holders (customer admins)
- Name, email, role
- Hashed password (bcrypt, never plain text)
- Login timestamps, failed login attempts (for lockout)
- Billing email and a customer reference held by our payment processor (we do not see card numbers)
Lawful basis: contract performance (delivering the service), legal obligation (tax/accounting), legitimate interest (security).
3.3 End users (your employees)
On behalf of customer organisations, we store:
- Name, work email, phone (optional), role, department
- Contracted hours, shift preferences, available days
- Shift assignments, leave requests, sick episodes, clock-in records
- Optional: gender (used only for staffing rules the customer configures)
We do not collect: home address, date of birth, national insurance number, ethnicity, health information beyond sick-day flags, or payroll bank details.
Lawful basis: the customer’s contract with you (their employee) and their legitimate interest as your employer to schedule work. We act under their instructions.
4. Where data is stored
All structured personal data is held in the United Kingdom, in encrypted PostgreSQL databases hosted by an enterprise cloud infrastructure provider in a London data-centre region.
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
5. Sub-processors
We engage a small number of trusted third-party providers to deliver the service. These fall into the following categories:
- Cloud infrastructure provider — hosting, database storage and backup, primarily in the United Kingdom
- Transactional email provider — delivering account, password, notification and announcement emails
- Payment processor — handling subscription billing (card data is held directly by the payment processor, never by us)
- Optional AI assistant provider — only where customers enable our in-app help assistant; processes only the text typed into the chat under a zero-retention contract
- DNS and content delivery provider — routing requests; processes request metadata only
Where any provider is located outside the UK or European Economic Area, transfers are protected by the UK International Data Transfer Addendum, applicable adequacy decisions or equivalent lawful safeguards.
A current list of named sub-processors is available on request by emailing support@swipe360.co.uk, and is provided to all paying customers as part of the Data Processing Agreement. We will give customers at least 30 days notice before adding or replacing a sub-processor.
6. How long we keep data
| Data type | Retention |
|---|---|
| Account & scheduling data | Active life of your subscription (monthly or annual, rolling). If your subscription ends or is deactivated, all customer data is permanently deleted 30 days after deactivation. |
| Transactional email delivery logs | 24 hours |
| Server logs | 90 days |
| Database backups | 30 days rolling |
| Audit log | 7 years (CQC inspection window) |
| Billing records | 7 years (HMRC requirement) |
| Contact-form submissions (visitors to swipe360.co.uk) | 12 months |
Deletion on request
You can ask us to delete your personal data at any time by emailing support@swipe360.co.uk. We will permanently delete the data from our production systems, with backups overwritten in our normal 30-day rolling cycle. We may retain limited records where we are legally required to (for example, billing records under HMRC rules, or audit logs required for CQC compliance) — these are listed in the table above.
Automatic deletion after deactivation
If your subscription is cancelled, terminated or otherwise deactivated and is not reactivated within 30 days, all account, staff and scheduling data belonging to your organisation will be automatically and permanently deleted. You can request immediate hard deletion at any time during this 30-day window by emailing support@swipe360.co.uk.
7. Cookies
We use only the minimum cookies needed to run the service:
- Session token (essential — keeps you logged in)
- CSRF token (essential — security)
We do not use advertising cookies or third-party analytics tracking by default. If you opt in to product analytics in future, we will update this policy and seek your consent.
8. Your rights (UK GDPR)
You have the right to:
- Access — ask what data we hold on you
- Rectification — fix inaccurate data
- Erasure (“right to be forgotten”) — delete your data, where lawful
- Portability — receive your data in a machine-readable format
- Object — to processing based on legitimate interest
- Restrict — limit how we use your data
- Withdraw consent — where we relied on consent
- Complain to the ICO — ico.org.uk, 0303 123 1113
To exercise rights: email support@swipe360.co.uk.
If you are an end user (employee in a customer organisation), please contact your employer first — they decide what data is held about you. We will support them in handling your request.
We respond within 30 days (extendable to 90 days for complex cases).
9. Security
- Passwords hashed with bcrypt
- Account lockout after multiple failed login attempts
- All data encrypted in transit and at rest
- Audit log of every change to scheduling data
- Access controls — staff can only see data for their own home
- Annual third-party security review (planned for 2027)
- Breach notification within 72 hours to affected customers and the ICO
10. Children
The Service is not designed for, marketed to, or intended for anyone under 16, and we do not knowingly collect personal data from children through our website or sign-up process.
Where the Service is used by a customer organisation (your employer), that organisation is the data controller and is responsible for determining whose personal data is entered into the Service. Customers must not enter personal data of any individual under 16 into the Service. Swipe360 acts as a data processor in this context and does not select, validate or verify whose data the customer chooses to upload.
If you believe a child’s data has been entered into the Service, please contact your employer in the first instance and email support@swipe360.co.uk so we can assist with removal.
11. Changes to this policy
If we make material changes, we will notify customers by email at least 30 days in advance and post the updated policy here with a new effective date.
12. Contact
Data Protection Lead: Praveena Prasanna
Email: support@swipe360.co.uk
Postal: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ