PathoSensePathoSense
Sign inRequest access

Privacy notice

How we handle personal data under the UK GDPR and Data Protection Act 2018.

Last updated: 28 June 2026

PathoSense Healthtech Limited ("PathoSense", "we") is the data controller for personal data about visitors to our marketing site and account holders of the PathoSense platform. When you use PathoSense as part of your employment with a care provider, your provider is the data controller for clinical and resident data and PathoSense acts as a data processor under a written Data Processing Agreement.

1. Information we collect

  • Account data: name, work email, role, organisation, hashed password, sign-in timestamps.
  • Tenant configuration: care home name, CQC registration number, locations, user roles.
  • Clinical workflow data: IPC audit responses, incident pseudonyms, outbreak signals, antimicrobial reviews, lab references. We do not require NHS number, date of birth or full resident name.
  • Operational telemetry: page views, feature usage, error reports — used to keep the service safe and reliable.

2. Lawful bases

  • Performance of contract (your subscription).
  • Legal obligation (CQC and UKHSA notification duties on behalf of your provider).
  • Legitimate interests (security, fraud prevention, service improvement).
  • Consent (marketing emails — withdrawable at any time).

3. Sharing

We share data only with the sub-processors listed in our DPA — UK and EU-hosted infrastructure providers, transactional email delivery and observability tooling. We never sell personal data and we never use clinical data to train AI models outside your tenant.

4. Retention

Audit, IPC and outbreak records are retained for the period your provider configures, defaulting to seven years to align with NHS records management. Marketing data is retained for two years from last engagement.

5. Your rights

You have the right to access, rectify, erase, restrict or port your personal data, and to object to processing. Contact your registered manager for clinical records, or privacy@pathosense.org.uk for account data. You can complain to the UK Information Commissioner's Office at any time.

6. Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access is gated by role, tenant isolation is enforced at the database layer with row-level security, and every clinical action is recorded in an immutable audit trail. See our security and trust page for more.

7. Contact

Email dpo@pathosense.org.uk for any privacy enquiry.