Privacy Policy
Last updated: January 2025
1. Who We Are
SENTRION™ is a clinical decision-support platform for adult social care. We take privacy seriously — particularly because the data processed through our system relates to the health of vulnerable adults. This policy explains what data we collect, how we use it, and your rights.
2. Data Controller vs Data Processor
For resident health data entered into SENTRION™, your organisation is the Data Controller — you decide what data is collected and why. SENTRION™ is the Data Processor — we store and process it on your behalf under your instruction. For data about your staff accounts and usage of the platform, SENTRION™ is the Data Controller.
3. What Data We Collect
Resident health data (special category)
Names, dates of birth, diagnoses, observations, risk assessments, escalation records, and handover notes. This data is entered by your staff and remains under your control.
Staff account data
Names, email addresses, roles, login timestamps, and IP addresses. Used to manage access and maintain the audit trail required by CQC Regulation 17.
Usage and audit data
Every action taken in the system is logged (what was done, by whom, when, and from which IP address). This is a clinical and regulatory requirement and cannot be disabled.
Demo request data
Name, email, and organisation details submitted via the contact form. Used only to follow up on your enquiry.
4. Legal Basis for Processing
- Resident health data: Vital interests and legitimate interests in providing safe care (UK GDPR Article 9(2)(c) and (h))
- Staff account data: Legitimate interests in operating a secure service and meeting regulatory obligations
- Audit logs: Legal obligation under CQC Regulation 17 (Good Governance)
- Demo enquiries: Consent (you chose to submit the form)
5. Data Storage and Security
All data is stored on encrypted servers hosted by Railway (US-based infrastructure with EU-equivalent protections). Data is encrypted in transit (HTTPS/TLS) and at rest. Access is role-based — staff only see data relevant to their role. Every login is logged. Sessions expire after 15 minutes of inactivity.
6. Data Retention
Resident health records are retained for a minimum of 8 years following the last entry (in line with NHS Records Management Code of Practice). Staff account data is retained for 3 years after account closure. Audit logs are retained for 10 years. You may request deletion subject to these minimum retention requirements.
7. Data Sharing
We do not sell, rent, or share your data with third parties for marketing purposes. Data may be shared only: (a) with sub-processors necessary to operate the service (hosting, database); (b) when required by law or a regulatory authority; (c) with your explicit written consent.
8. Your Rights
Under UK GDPR, you have the right to: access your personal data; correct inaccurate data; request erasure (subject to retention requirements); object to processing; exercise data portability; and lodge a complaint with the ICO (ico.org.uk).
9. Cookies
We use only a single session cookie, strictly necessary for you to remain logged in. We do not use tracking, analytics, or advertising cookies.
10. Contact
For privacy enquiries, data subject requests, or to request a Data Processing Agreement, contact us via the demo request form on our homepage. We will respond within 30 days.