Privacy Policy

1. Who we are

Profync Limited is a healthcare workforce compliance platform registered in England and Wales. We help hospitals, care homes and healthcare staffing organisations track and manage the compliance deadlines of their clinical staff, including professional registrations, visa expiry dates and right-to-work documents.

For the purposes of UK GDPR and the Data Protection Act 2018, Profync Limited is the data controller for data collected through our website and platform, and a data processor for personal data provided to us by our organisational clients about their workers.

Registered company: Profync Limited, registered in England and Wales at Companies House.
Contact: privacy@profync.co.uk
Website: profync.co.uk

2. What data we collect

We collect two categories of data depending on whether you are a healthcare professional (worker) or an organisational client (HR team or compliance manager).

For healthcare professionals (workers):

Full name and contact details including email address and mobile phone number
Professional registration numbers such as NMC PIN, GMC licence number, HCPC registration number
Registration and expiry dates for all tracked credentials
Visa type, visa expiry date and Biometric Residence Permit expiry date where applicable
Passport expiry date
DBS certificate date
Profession and employer organisation
Record of reminders sent and confirmation of renewal

For organisational clients (HR and compliance teams):

Name, job title and work email address of the HR contact
Organisation name and type
Mobile number for urgent escalation alerts
Subscription plan and billing information processed via Stripe

For website visitors:

Name, organisation and email address submitted via the pilot request form
Basic analytics data collected to understand how visitors use our website

3. How we use your data

We use personal data solely for the purpose of delivering the Profync compliance reminder service. We do not use personal data for marketing, profiling or any purpose unrelated to compliance deadline management.

Specifically, we use data to:

Calculate compliance deadline dates and generate automated reminder schedules
Send reminder notifications to healthcare professionals by email, WhatsApp and SMS
Provide HR and compliance managers with a real-time dashboard of their workforce compliance status
Generate CQC-ready compliance reports for organisational clients
Escalate urgent alerts to Directors of Nursing and HR leads when deadlines are imminent
Maintain records of reminders sent for audit purposes
Process subscription payments and manage client accounts

We never sell personal data. We never share worker data with third parties for commercial purposes. Worker data is only used to send compliance reminders and provide compliance dashboards to the employing organisation.

4. Legal basis for processing

Under UK GDPR, we process personal data on the following legal bases:

Legitimate interests (Article 6(1)(f)): processing worker compliance data to prevent regulatory harm to the worker, the employing organisation and patient safety
Contract (Article 6(1)(b)): processing organisational client data to deliver the services agreed in our subscription agreement
Consent (Article 6(1)(a)): where a worker registers directly on the Profync platform, they provide explicit consent for their compliance data to be processed and for reminders to be sent

For special category data such as health-related professional registration information, we rely on the substantial public interest condition under Schedule 1 of the Data Protection Act 2018, specifically the prevention of unlawful acts and the protection of vulnerable individuals in care settings.

5. Where your data is stored

All Profync data is stored in the United Kingdom. Our database is hosted on Supabase, which uses Microsoft Azure infrastructure located in the West Europe (London) region. Data does not leave the UK.

UK data only. All worker data, organisational data and reminder logs are stored exclusively on UK-based servers. We do not transfer personal data to countries outside the UK or the European Economic Area.

We implement the following technical and organisational security measures:

Row Level Security (RLS) enabled on all database tables so each organisation can only access their own workers' data
All data transmitted over HTTPS with TLS encryption
API keys and environment variables stored securely and never exposed in client-side code
Admin control panel protected by authentication with password access
Regular database backups retained securely

6. How long we keep your data

We retain personal data only for as long as necessary to deliver the compliance reminder service and meet our legal obligations.

Worker compliance data: retained for the duration of the organisation's active subscription, plus 12 months after the subscription ends to allow for account reactivation
Reminder logs: retained for 3 years for audit and CQC compliance reporting purposes
Organisational client data: retained for the duration of the contract plus 6 years in accordance with UK tax and accounting law
Pilot request data: retained for 12 months from the date of submission

Organisations may request deletion of all their data and their workers' data at any time by contacting privacy@profync.co.uk. We will action deletion requests within 30 days.

7. Who we share data with

We share data only with the sub-processors necessary to deliver the Profync service. All sub-processors are contractually bound to process data only on our instructions and in accordance with UK GDPR.

Supabase: database hosting and storage, UK (London) servers
Resend: email delivery for compliance reminders, GDPR compliant
360dialog / WhatsApp Business API: WhatsApp reminder delivery
Twilio: SMS reminder delivery
Stripe: payment processing for organisational subscriptions
Vercel: website and platform hosting

We do not share data with regulators such as the NMC, GMC or HCPC, the Home Office, the CQC or any other public body unless required to do so by law.

We do not sell, rent or trade personal data with any third party for any commercial purpose.

8. Your rights

Under UK GDPR you have the following rights regarding your personal data:

Right to access: request a copy of the personal data we hold about you
Right to rectification: request correction of inaccurate or incomplete data
Right to erasure: request deletion of your personal data where there is no lawful reason to continue processing it
Right to restrict processing: request that we limit how we use your data
Right to data portability: request your data in a structured, machine-readable format
Right to object: object to processing based on legitimate interests
Right to withdraw consent: where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, contact us at privacy@profync.co.uk. We will respond within 30 days.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Cookies

The Profync website uses minimal cookies. We do not use advertising cookies or third-party tracking cookies.

Session cookies: used to maintain your login session on the compliance dashboard and admin panel. These are deleted when you close your browser.
Analytics cookies: if we use analytics tools to understand website traffic, these are anonymised and do not identify individual visitors.

You can disable cookies in your browser settings. Disabling session cookies will prevent you from staying logged in to the dashboard.

10. Contact us

For any questions about this Privacy Policy, to exercise your rights or to raise a data protection concern, please contact us: