Privacy Policy
1. Who we are
KingCare is a trading name of Mandy Support Ltd, a company registered in England and Wales. We operate a software-as-a-service platform for children's residential care providers.
Data Controller: Mandy Support Ltd
ICO Registration: ZB763838
Contact: branson@kingcare.uk
Registered address: Leicester, England, United Kingdom
2. What personal data we collect
2.1 Account holders (staff, managers, administrators)
- Full name and email address
- Job role and organisation name
- Login credentials (passwords are hashed; we never store plaintext)
- Account activity logs (login timestamps, actions taken)
- Billing contact information and payment method tokens (via Stripe — we do not store card numbers)
2.2 Children's records (entered by your staff)
Your staff enter records about the children in your care. This data is your data — you are the Data Controller for children's records; KingCare acts as Data Processor. See our Data Processing Agreement for full details.
Types of children's data your staff may enter include: names, dates of birth, incident records, daily logs, health and wellbeing notes, education information, and Annex A assessment responses.
2.3 Technical and usage data
- IP addresses and browser/device information (for security logging)
- Pages visited and features used (aggregated, not sold or shared)
- Error logs and diagnostic information
3. Legal basis for processing
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Providing the KingCare service | Art. 6(1)(b) — performance of a contract |
| Account management and billing | Art. 6(1)(b) — performance of a contract |
| Security logging and fraud prevention | Art. 6(1)(f) — legitimate interests |
| Legal obligations (tax, regulatory) | Art. 6(1)(c) — legal obligation |
| Marketing emails (if opted in) | Art. 6(1)(a) — consent |
For children's special category data (health, wellbeing) processed on your behalf, the basis is Art. 9(2)(g) — substantial public interest, under Schedule 1 DPA 2018 (safeguarding).
4. Where your data is stored
All data is stored within the United Kingdom. We use Microsoft Azure UK South (London) as our primary database region. We do not transfer personal data outside the UK without adequate safeguards.
Our infrastructure sub-processors include:
- Microsoft Azure — database hosting (UK South)
- Render.com — application hosting (US-based; data in transit only, no persistent storage)
- Stripe — payment processing (UK/EU compliant; standard contractual clauses apply)
5. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data (active) | Duration of subscription + 90 days after cancellation |
| Account data (exported on request) | Deleted within 30 days of export confirmation |
| Children's records | Per your instructions as Data Controller (see DPA) |
| Billing records | 7 years (HMRC requirement) |
| Security logs | 12 months |
6. Your rights under UK GDPR
You have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Restriction — limit how we process your data
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — for any processing based on consent
To exercise any right, email branson@kingcare.uk. We will respond within 30 days. If you are unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
The KingCare application uses the following cookies and local storage:
- Authentication cookie — session management; strictly necessary; expires on logout or after 14 days of inactivity
- Anti-forgery token — CSRF protection; strictly necessary; session-scoped
- kc-onboarding-dismissed — localStorage item; remembers if you dismissed the setup checklist; no personal data; cleared when you clear browser storage
We do not use third-party analytics cookies or advertising cookies.
8. Security
We implement the following technical and organisational measures:
- All data in transit encrypted with TLS 1.2+
- All data at rest encrypted using Azure SQL Transparent Data Encryption
- Passwords hashed using ASP.NET Core Identity (PBKDF2 with HMAC-SHA256)
- Role-based access control — staff only see data relevant to their role
- Multi-tenant data isolation — each organisation's data is logically separated
- Regular dependency updates and security patching
9. Children's data
Children in residential care are a vulnerable group. We treat their data with the highest level of care:
- Children's records are only accessible to staff within the same organisation
- Inspector accounts have read-only access scoped to a single inspection period
- We never use children's data for training AI models or for any purpose other than providing the service
- We do not sell, rent or share children's data with any third party
10. Changes to this policy
We may update this policy to reflect changes in law or our practices. We will notify account holders by email at least 14 days before material changes take effect. The current version is always available at kingcare.uk/privacy-policy.html.
11. Contact
For any privacy questions or to exercise your rights:
Email: branson@kingcare.uk
Subject line: "Privacy Request — [your name]"