Legal
Privacy Notice
Effective date: 24 April 2026. This notice applies to all users of DailyLife.UK, including B2B subscribers and their staff, and B2C individual account holders.
1. Who we are
The data controller for DailyLife.UK is Andrea Technology Solutions Ltd, a company registered in England and Wales. DailyLife.UK is one product in the Andrea Technology Solutions portfolio. Where multiple products share underlying identity infrastructure, each product acts as an independent controller for the data it processes.
For privacy enquiries, contact us at privacy@dailylife.uk.
2. What data we collect and why
2.1 Account and identity data
| Data | Purpose | Lawful basis |
|---|---|---|
| Email address | To create and authenticate your account, and to send transactional notifications. | Contract (Article 6(1)(b)); Legitimate interests (Article 6(1)(f)) |
| Full name | To identify you within your organisation and in communications. | Contract |
| Password (hashed, never stored in plain text) | To secure your account. | Contract |
| IP address and user agent at registration | To record consent and for fraud prevention. | Legal obligation (UK GDPR Article 7); Legitimate interests |
2.2 Staff and employment data (B2B subscribers)
| Data | Purpose | Lawful basis |
|---|---|---|
| Job title, department, site assignment | To structure workforce records and rota planning. | Contract (with employer); Legitimate interests |
| Contact details (phone, address) | For operational communications and payroll. | Contract; Legal obligation |
| Right-to-work documents | UK legal requirement for employers. | Legal obligation (Immigration Act 2014) |
| DBS reference and expiry | Compliance requirement for care-sector roles. | Legal obligation; Substantial public interest (Schedule 1 DPA 2018) |
| Emergency contact information | Duty of care / health and safety. | Legitimate interests; Legal obligation |
| Date of birth | Age verification for age-restricted shifts; payroll. | Legal obligation; Contract |
| NI number (encrypted at application layer) | Payroll and statutory reporting. | Legal obligation |
| Bank sort code and account number (encrypted) | Payment of wages. | Contract; Legal obligation |
NI numbers and bank details are encrypted before storage using AES-256 at the application layer. They are never returned in API responses to anyone other than the data subject themselves.
2.3 Scheduling and operational data
| Data | Purpose | Lawful basis |
|---|---|---|
| Shift records, timesheets, attendance | To manage rotas and calculate pay. | Contract; Legal obligation (Working Time Regulations 1998) |
| Leave requests and decisions | To manage statutory and contractual leave entitlements. | Contract; Legal obligation |
| Training records and certificates | Compliance and workforce competency. | Legal obligation; Legitimate interests |
| Appraisal notes | Performance management and record-keeping. | Legitimate interests; Contract |
2.4 CMS content and care-home data
| Data | Purpose | Lawful basis |
|---|---|---|
| Gallery posts and associated images | Publishing approved content to your organisation's public website via HMAC-signed webhook. | Contract; Consent (for any identifiable resident) |
| Resident consent records | To document lawful basis before any resident appears in published content. | Legal obligation; Consent (Article 9(2)(a) for special-category subjects) |
| Events and careers listings | Publishing to your public website. | Contract; Legitimate interests |
Any content featuring identifiable care-home residents is classified as special-category data. Explicit, documented consent is mandatory before publication. Manager overrides are logged in our audit trail.
2.5 Usage and technical data
| Data | Purpose | Lawful basis |
|---|---|---|
| Session cookies (HttpOnly, Secure, SameSite=Lax) | Authentication and session continuity. | Contract; Legitimate interests |
| Anonymised analytics events (Google Analytics 4, server-side) | Product improvement. No PII is sent to GA4. | Legitimate interests |
| Error and performance logs | Platform stability. Logs contain record IDs, not personal data. | Legitimate interests |
3. How we protect your data
- Encryption in transit: TLS 1.3 enforced on all connections. HSTS enabled on all subdomains.
- Encryption at rest: AES-256 on all storage volumes. Application-layer encryption for sensitive PII fields (NI, bank details).
- Access controls: Role-based row-level security. Staff see only their own data; managers see their organisation. ATS site administrators use mandatory two-factor authentication.
- Audit trail: Every sensitive action is recorded in an append-only audit log, tagged by product, user, and data classification. Entries cannot be modified or deleted.
- Data residency: All data is stored and processed within the UK/EU (Supabase EU region; Google Cloud
europe-west1, Belgium). No personal data is transferred outside the UK/EU. - No PII in logs: Application and infrastructure logs contain record identifiers, not names, emails, or other personal data.
4. Who we share data with
We do not sell personal data. We share data only with the following categories of processor, under data processing agreements, where necessary to deliver the service:
- Database and authentication: Supabase Inc., operating from EU-region infrastructure.
- Cloud hosting and compute: Google Cloud Platform (
europe-west1region only). - Transactional email delivery: Brevo (formerly Sendinblue), EU-based SMTP relay. Only email address, name, and the content of transactional emails are shared.
- Payment processing: Stripe Payments Europe Ltd, for billing only. Card details never touch our servers.
- AI features (opt-in): Vertex AI (Google Cloud
europe-west1). Only content you explicitly submit to an AI feature is processed. No care-home resident data is submitted without your initiation.
B2B organisations are controllers for their own staff and resident data. DailyLife.UK acts as a processor for that data and will execute a Data Processing Agreement on request.
5. How long we keep data
| Data | Purpose |
|---|---|
| Account and identity data | 7 years after account closure (Employment Records statutory minimum) |
| Staff employment records (timesheets, leave, training) | 6 years minimum; 7 years for care-sector compliance records |
| CMS content and consent records | For the duration of your subscription plus 2 years |
| Audit logs | 7 years (ICO accountability obligation) |
| Session data (cookies) | Up to 30 days, or until you sign out |
| Anonymised analytics | Up to 26 months (GA4 standard) |
| Backups | Rolling 30-day backup retention |
6. Your rights under UK GDPR
You have the following rights. Requests can be submitted to privacy@dailylife.uk. We will respond within one calendar month.
- Right of access (Article 15): Request a copy of all personal data we hold about you.
- Right to rectification (Article 16): Ask us to correct inaccurate or incomplete data.
- Right to erasure (Article 17): Ask us to delete your data where there is no legal basis to retain it. Employment and statutory records may be subject to retention obligations that limit this right.
- Right to data portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to restrict processing (Article 18): Ask us to limit how we use your data while a dispute is resolved.
- Right to object (Article 21): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent (e.g. CMS resident content), you may withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.
7. Cookies
DailyLife.UK uses strictly necessary session cookies for authentication (HttpOnly, Secure, SameSite=Lax). These are required to use the service and cannot be declined. We use anonymised, cookieless analytics (server-side GA4 with IP anonymisation) for product improvement. No advertising or tracking cookies are used. You may clear session cookies via your browser at any time, which will sign you out.
8. Children
DailyLife.UK is a workplace management platform for adults. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided us with personal data, please contact privacy@dailylife.uk.
9. Changes to this notice
We may update this notice when our practices change or when required by law. Material changes will be communicated to registered users by email at least 14 days before they take effect. The effective date at the top of this page is updated on every revision. Continued use of the service after the effective date constitutes acceptance of the updated notice.
10. How to complain
If you are unhappy with how we have handled your data, please contact us first at privacy@dailylife.uk. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
11. Contact
Andrea Technology Solutions Ltd
Privacy enquiries: privacy@dailylife.uk
General support: support@dailylife.uk