Privacy notice

Last reviewed Version 2.1

About this notice

This notice tells you how Safebreaks Devon CIC collects, uses, and protects your personal information when you use this website.

If you are, or become, a service user with Safebreaks, we share a separate privacy notice that covers the personal information we handle as part of your care. That notice goes further than this one, because we need more information to deliver care well. This website notice only covers what happens on the website.

Who we are

Safebreaks Devon CIC is a community interest company registered in England and Wales. Our company number is 12106234. Our registered office is Riviera House, Salisbury Road, Newton Abbot, Devon TQ12 2DF.

We are the data controller for the personal information we collect through this website.

We are registered with the Information Commissioner's Office under registration number [ICO_NUMBER_TBC].

Our data protection lead is Luke Williams. You can reach him at info@safebreaks.co.uk.

What personal information we collect

From our contact form

When you fill in our enquiry form we collect:

  • Your name and your relationship to the person needing support
  • Your email address and phone number
  • Your preferred way to be contacted
  • The type of service or service area you are asking about
  • Anything you write in the message field
  • How you heard about us

Technical information from your device

When you visit any page on this website, our hosting provider (Vercel) automatically records:

  • Your IP address
  • The type of browser and device you are using
  • The pages you view and the time of each request
  • The website that referred you to us, if any

This information is used to keep the site secure, diagnose technical problems, and understand site performance. It is not linked to your identity unless you also submit the contact form.

This website uses strictly necessary cookies only. Those are small files the site needs to work and to remember your cookie preference. We do not currently use analytics, advertising, or tracking cookies. The cookie banner on your first visit confirms your choice, which we store in your browser so the banner does not reappear.

Why we use your information and our lawful basis

We use your information only for the purposes below. UK data protection law requires us to identify a lawful basis for each purpose. Ours are:

To respond to your enquiry. Lawful basis: Article 6(1)(b) of the UK GDPR, steps taken at your request before entering into a contract, where your enquiry is about a service you or a family member may receive. Where the enquiry is general or does not lead to a service, our lawful basis is Article 6(1)(f), our legitimate interest in responding properly to people who contact us. You can ask for a summary of our legitimate interests assessment at any time.

To keep a short internal record of enquiries. Lawful basis: Article 6(1)(f), our legitimate interest in operational oversight, safeguarding review, and continuous improvement of our service.

To meet our safeguarding duties. Lawful basis: Article 6(1)(c), legal obligation, under the Care Act 2014 section 42, the Children Act 2004 section 11, and related statutory guidance. Where special category data is involved, our additional basis is Article 9(2)(h), provision of health or social care.

To keep the website running securely. Lawful basis: Article 6(1)(f), our legitimate interest in operating a safe and functional website.

To store a record of your cookie choice. Lawful basis: Article 6(1)(c), legal obligation under the Privacy and Electronic Communications Regulations (PECR).

Providing your information is voluntary

You are not required by law to give us your information through this website. You can choose not to use the contact form. The only consequence of not providing your information is that we will not be able to reply to you, because we will not know who you are or how to reach you.

Special category data and information about other people

Special category data means information about health, disability, ethnicity, religion, sexual orientation, or similar. We do not ask for special category data on our contact form and we ask you not to include it in your message.

Our work is in care, so enquiries sometimes include information about someone else, for example a family member who needs respite care. If you tell us about someone else's care needs, we treat that information carefully. Our lawful basis for handling any health or care information in an enquiry is Article 9(2)(h) of the UK GDPR, provision of health or social care. We use it only to decide whether we can help and to give you a useful response.

If you need to share detailed health or care information to get the best response, we will ask you for it through a secure channel once we are in contact with you. Please do not include that detail in the website form.

Children's data

This website is aimed at adults making enquiries about respite and short break services. It is not directed at children. We do not knowingly collect information from children through the website.

If an enquiry is about care for a child, we expect the adult making the enquiry to provide the information on the child's behalf, under their parental responsibility or legal role.

Who we share your information with

Service providers who process information for us

We use the following providers to run the website and deliver our emails. They handle your data only under our instructions and under contracts that meet UK GDPR requirements.

  • Vercel Inc.: hosts this website and automatically logs technical request data (see above).
  • Resend, Inc.: delivers email notifications from the contact form to our staff.
  • Microsoft Corporation (Microsoft 365): hosts the inboxes our staff use to read and reply to your enquiry.
  • Sanity.io: runs the content management system behind the website. Sanity does not receive your contact form data.

Other recipients

We may also share information:

  • With the local authority, the police, or other relevant bodies where we have a safeguarding duty to do so, or where we are required to by law
  • With the Care Quality Commission, where we are required to share information as part of regulatory oversight
  • With our professional advisers (solicitors, accountants, insurers) where we need legal, financial, or insurance advice and sharing is strictly necessary
  • With a successor organisation if Safebreaks Devon CIC is ever restructured, merged, or transferred, on equivalent data protection terms

We do not sell your information. We do not share it with marketing companies. We do not use it for advertising.

International transfers

Some of our service providers are based outside the UK. Where that is the case, we only transfer personal data where there is a lawful mechanism to do so:

  • Vercel, Inc. is based in the United States. Transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
  • Resend, Inc. is based in the United States. Transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
  • Microsoft 365: our tenant is hosted in United Kingdom data centres. Personal data in our email inboxes stays within the UK.
  • Sanity.io is based in Norway, an EEA country with equivalent protection under UK adequacy regulations.

How long we keep your information

We keep contact form submissions, and any related email correspondence, for up to 12 months from the date of your enquiry, and then delete them. If you become a service user with us, a separate retention period applies under our service records policy.

Technical log data from our hosting provider is kept for a short period (typically up to 30 days) for security and performance purposes, then rotated out.

We keep records of safeguarding disclosures for longer where we are required to by law or regulatory guidance.

How we keep your information secure

We take appropriate technical and organisational measures to protect your personal information, including:

  • Transport Layer Security (TLS) encryption for all website traffic and email in transit
  • Access controls on our email and content systems, so only authorised staff can see enquiries
  • Multi-factor authentication on staff accounts that can see enquiries
  • Reviewed supplier contracts with each of the service providers listed above
  • Staff awareness of data protection responsibilities

No system is perfectly secure. If we ever experience a data breach that is likely to affect your rights and freedoms, we will report it to the Information Commissioner's Office within 72 hours and, where required, inform you directly.

Automated decision-making and profiling

We do not use automated decision-making or profiling that produces legal or similarly significant effects on you.

Marketing

We do not currently send marketing emails or newsletters. If we introduce a newsletter or similar communication in future, we will update this notice and collect your explicit consent before adding you to any marketing list. You will always be able to opt out at any time.

Your rights

Under UK data protection law you have the right to:

  • Access: ask for a copy of the information we hold about you
  • Rectification: ask us to correct information that is wrong or incomplete
  • Erasure: ask us to delete your information, subject to legal exceptions
  • Restriction: ask us to limit how we use your information
  • Portability: ask for a copy of your information in a portable format, where applicable
  • Objection: object to us using your information where our basis is legitimate interest
  • Withdraw consent: withdraw any consent you have given us, where consent is the basis for processing

To exercise any of these rights, email info@safebreaks.co.uk or write to our registered office. We will respond within one calendar month. There is no charge unless your request is manifestly unfounded or excessive.

Complaints

If you are unhappy with how we have handled your information, we would like to hear from you first so we can try to put it right. Email info@safebreaks.co.uk.

You also have the right to complain directly to the Information Commissioner's Office:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Changes to this notice

We will update this page if our practices change. The version number and review date at the top of this page tell you when it was last updated. If changes are significant, we will also flag them on the website.

Notify Me, calendar notifications

If you sign up to the Notify Me service on our website, we collect your email address for the specific purpose of notifying you when we add a new event or closure to our calendar.

Lawful basis: your consent, given by signing up and confirming your email address via the link we send you.

What we hold: your email address, the date and time you signed up, the page you signed up from, and a record of confirmations and unsubscribes. We do not combine this list with any care records or enquiry records.

How long we keep it: until you unsubscribe. You can unsubscribe at any time using the one-click link at the bottom of any Notify Me email, or by emailing info@safebreaks.co.uk.

Who we share it with: we use Resend (Resend Labs Inc) to deliver these emails. Resend is our data processor for this purpose and processes email addresses on our instructions only.

Your rights: you can ask us to confirm what we hold, correct it, or delete it at any time, by emailing info@safebreaks.co.uk.

Contact

Data protection queries: info@safebreaks.co.uk

General enquiries: via our contact form