CareShield

Privacy Policy

Last updated: 21 April 2026

1. Who we are

CareShield is operated by HWProtect Ltd (trading as CareShield), a company registered in England and Wales. We provide a documentation and evidence management platform for UK health and care workers.

For data protection enquiries, contact: privacy@hwprotect.com

2. What data we collect

  • Account information: Your name, email address, and password (stored as a secure hash).
  • Profile information: Profession, employer, sector, region, regulatory body, and registration number — provided by you during onboarding.
  • Incident records: The incident details you enter, including dates, descriptions, severity, and any third-party names you include.
  • Evidence files: Files you upload to the Evidence Vault, stored encrypted in Supabase Storage.
  • Wellbeing Diary: The mood, energy, stress, sleep, and reflection data you record. Your written reflections are encrypted at rest and are only accessible to you.
  • Usage data: Standard server logs (IP address, browser type, pages visited) for security and debugging purposes.

3. How we use your data

  • To provide and operate the CareShield service.
  • To pre-fill incident report fields using your profile (profession, employer, region).
  • To process AI-structured reports via Anthropic's Claude API — only the raw description you enter is sent; no personal profile data is transmitted to Anthropic.
  • To generate export documents (PDF bundles) at your request.
  • To send service notifications (new flags from your union rep, support ticket replies).

4. Legal basis for processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract (Article 6(1)(b)): Providing the service you have signed up for.
  • Legitimate interests (Article 6(1)(f)): Service security, fraud prevention, and product improvement.
  • Consent (Article 6(1)(a)): Where you have explicitly consented (e.g. cookie consent).

5. Data sharing

We do not sell your personal data. We share data only with:

  • Supabase: Our database and storage provider (EU/EEA hosting available).
  • Anthropic: The raw text of incident descriptions sent to the Smart Log AI feature. No name, employer, or profile data is included.
  • Your union rep: Only when you explicitly flag an incident for union review.
  • Recipients of export links: Only when you generate and share a link.

6. Data retention

  • Your incident records and evidence files are kept for as long as your account is active.
  • Deleted items are moved to "Recently Deleted" and permanently removed after 30 days.
  • On account closure, all personal data is deleted within 30 days.

7. Your rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate personal data.
  • Erase your personal data ("right to be forgotten").
  • Portability — receive your data in a machine-readable format (Article 20).
  • Restrict processing of your data.
  • Object to processing based on legitimate interests.

To exercise any of these rights, email privacy@hwprotect.com. We will respond within 30 days.

8. Cookies

We use strictly necessary cookies for authentication and session management. See our Cookie Policy for details.

9. Wellbeing Diary & Crisis Signposting

CareShield's Wellbeing Diary is a personal journalling tool to help you reflect on how you're feeling. It is not a clinical or medical service and does not constitute mental health assessment, diagnosis, or treatment.

Your diary entries (including your written reflections) are encrypted at rest and are accessible only to you. CareShield staff cannot access your diary content. We do not use artificial intelligence or external services to read or analyse your diary entries.

CareShield uses automated, private, client-side pattern matching to detect language that may suggest a user is in crisis. This process happens entirely on your device before your entry is saved. No diary text is sent to CareShield's servers for this purpose. If crisis language is detected, CareShield will display a screen with UK crisis support resources. This is automatic and confidential — no human at CareShield is alerted. No authorities are contacted.

This processing is carried out under UK GDPR Article 9(2)(c) — protection of vital interests — where the processing is necessary to protect the vital interests of the data subject.

If you are experiencing a mental health crisis, please contact:

  • Samaritans: 116 123 (free, 24 hours a day, 7 days a week)
  • NHS urgent mental health support: 111, option 2
  • Shout crisis text line: text SHOUT to 85258 (free, 24/7)

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk