Privacy Policy

Last updated: 4 April 2026

1. Who We Are

Zelicra Warden is a product of Zelicra ("we", "us", "our"). We are the Data Controller for personal data processed through the Warden platform.

• Contact: privacy@zelicra.com
• Website: warden.zelicra.com

2. What Data We Collect

We collect the following categories of personal data:

• Account data: name, email address, role, care home name
• Usage data: login timestamps, acknowledgment timestamps, IP addresses
• Notice content: text and PDF attachments uploaded by managers
• Technical data: browser type, device information (for push notifications), session identifiers
• Acknowledgment tracking: Managers can see when staff opened and acknowledged each notice, including timestamps and IP addresses. This data is used for CQC compliance evidence. Staff are informed of this tracking when they use the system.

3. How We Use Your Data

We use your personal data for the following purposes:

• To provide the Warden service, including sending notices and tracking acknowledgments
• To send email notifications via Brevo, our email service provider
• To send push notifications (where you have granted permission)
• To generate compliance reports and PDF exports
• To maintain audit logs for regulatory compliance
• To improve the service and fix issues

We will never sell your data. We will never share your data with third parties for marketing purposes. We will never use your data for advertising.

4. Legal Basis (UK GDPR)

We process your personal data under the following legal bases:

• Legitimate interests: providing the service you signed up for, maintaining security, and preventing fraud
• Contract: processing necessary to fulfil our service agreement with your care home
• Consent: for push notifications and any marketing communications (which you may withdraw at any time)
• Legal obligation: retaining records required for regulatory compliance (e.g., CQC)

5. Where We Store Your Data

Your data is stored and processed in the following locations:

• Primary servers: Hetzner data centre in Germany, European Union
• Email delivery: Brevo (formerly Sendinblue), EU-based and GDPR compliant

The European Union has adequate data protection standards recognised by the United Kingdom. We have Data Processing Agreements in place with all sub-processors.

6. Data Retention

• Account data: retained while your account is active, deleted within 30 days of account closure (subject to legal retention requirements)
• Notice content: retained for 7 years to serve as CQC compliance evidence
• Audit logs: retained for 7 years
• Email logs: retained for 12 months

On request, we will delete your data after account closure, subject to any legal retention requirements.

7. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation, you have the following rights:

• Right to access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete data
• Right to erasure: request deletion of your personal data (right to be forgotten)
• Right to restrict processing: request that we limit how we use your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@zelicra.com. We will respond within 30 days.

8. Data Security

We take the security of your data seriously and implement the following measures:

• All data is transmitted over HTTPS with TLS encryption
• Passwords are hashed using bcrypt
• CSRF protection on all forms and state-changing requests
• Role-based access control (managers, staff, administrators)
• Comprehensive audit logging of all data changes
• Session hardening with secure, HTTP-only cookies
• Regular security reviews and updates

9. Cookies

We use a minimal number of cookies, all of which are essential or functional:

• Session cookie (essential): maintains your login session
• Theme preference cookie (functional): stores your light/dark mode choice
• Cookie consent cookie (functional): records that you have acknowledged this notice

We do not use analytics cookies, advertising cookies, or third-party tracking cookies.

10. Children's Data

Zelicra Warden is intended for use by care home staff and managers, who are adults. We do not knowingly collect personal data from anyone under the age of 16. If you believe we have inadvertently collected data from a minor, please contact us immediately at privacy@zelicra.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify registered users via email. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Complaints

If you have concerns about how we handle your personal data:

• Contact us first: privacy@zelicra.com
• If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk