Privacy Policy

Last updated: 21 February 2026

Version 2.2

1. Who we are

Clarica (“Clarica”, “we”, “us”, “our”) operates from England.

Our role depends on the type of data:

• Data controller for your account data, billing data, and usage data — we determine the purposes and means of processing this data to provide and manage the Service.
• Data processor for any personal data about care home residents that you enter into our AI tools — your care home is the data controller for this data, and we process it solely on your instructions to deliver the Service. This is governed by our Data Processing Agreement.

This privacy policy explains how we collect, use, and protect your personal data when you use our website and AI-powered compliance tools for UK care homes.

We process your data in accordance with UK data protection law (the UK General Data Protection Regulation and the Data Protection Act 2018, as amended by the Data Use and Access Act 2025).

If you have any questions about this policy or your personal data, please contact us at privacy@clarica.co.uk.

2. What data we collect

Account data

When you create an account, we collect the following information that you provide to us:

• Email address
• Full name
• Organisation name
• Service type (e.g. residential, nursing)
• Location

If you sign in using Google, we receive your email address and name from Google. We do not receive your Google password.

Billing data

When you subscribe to a paid plan, we store the following billing metadata:

• Your payment processor customer identifier
• Subscription status (active, cancelled, etc.)
• Billing period dates

Your card details are held by our payment processor only. Clarica never sees or stores your card number.

Conversation data (including health data)

When you use our AI tools, we store the following conversation data to enable you to resume conversations and reference past work:

• Your messages (the text you type into our AI tools)
• AI-generated responses
• Conversation metadata (title, tool used, timestamps)
• Operational memories (facts about your care home you share with the AI). To protect residents, our system automatically blocks personal identifiers (such as names, NHS numbers, dates of birth, and health conditions) from being saved as operational memories.

Your conversations may include special category data, particularly health data about care home residents (for example, medical conditions, care needs, medications, or assessments). This data is entered by you as part of using our care plan, policy, and document tools. We process this data solely to provide the service you have requested — see Section 3 for the additional lawful basis that applies.

Clarica acts as a data processor for resident health data. Your care home remains the data controller and is responsible for ensuring it has an appropriate lawful basis to enter resident data into the platform. We process resident data only on your instructions and in accordance with our terms of service.

Conversation data is scoped to your care home — all team members with access to a home can view its conversations. You can delete individual conversations, export all your data, or erase everything from your account settings.

Usage data

We track aggregate token counts per month (a measure of how much you use the AI tools) for fair usage enforcement. This is a numerical total, not a record of what you typed.

Technical data

Like all websites, our hosting provider automatically collects standard technical data including IP addresses and browser user-agent strings. This data is retained by our hosting provider per their standard retention period (typically 72 hours).

3. How we use your data

We use your personal data for the following purposes:

• Account management and service delivery — creating and maintaining your account, authenticating your identity, and delivering the AI compliance tools you have subscribed to
• Billing and subscription management — processing payments, managing your subscription, and providing access to your chosen plan
• Usage monitoring — tracking aggregate token usage to enforce fair use limits and ensure service quality for all users
• Service security and fraud prevention — protecting our platform and users from misuse, unauthorised access, and security threats

Lawful bases

Special category data (health data)

When you enter resident information into our AI tools — such as medical conditions, care needs, medications, or assessments — this constitutes special category data (specifically health data) under UK GDPR Article 9. Processing special category data requires an additional lawful basis beyond the Article 6 bases listed above.

Our additional lawful basis for processing health data is:

• Article 9(2)(h) — processing necessary for the provision of health or social care — processing is necessary for the management of health or social care systems and services, read together with Schedule 1, Part 1, Paragraph 2(2)(f) of the Data Protection Act 2018 (management of health care or social care systems or services)

This basis applies because Clarica’s tools are used by registered care providers to produce care documentation (care plans, policies, and compliance documents) as part of their regulated care delivery. The processing is carried out under the responsibility of a health or social care professional, or by a person who owes a duty of confidentiality under law.

Important: Your care home, as the data controller for resident data, is responsible for ensuring that entering resident information into Clarica is appropriate and proportionate. We recommend you include Clarica in your care home’s Data Protection Impact Assessment and ensure your residents’ privacy notices reflect your use of AI-assisted documentation tools.

4. How we use AI

Clarica provides AI-powered tools to help care home managers with compliance tasks such as writing policies, generating care plans, and creating documents. This section explains exactly what happens to your data when you use these tools.

What happens when you use an AI tool

When you use one of our AI tools, your input is sent to a third-party AI language model provider for processing. The provider generates a response based on your input and returns it to you through our platform.

What is stored

We store the following data to enable you to resume conversations, reference past work, and collaborate with team members:

• Your messages and AI-generated responses (full conversation content)
• Conversation metadata (title, tool used, timestamps, token count)
• Operational memories (facts about your care home)
• Saved documents (policies, care plans, generated documents)

All conversation data is stored in our database with row-level security ensuring only your care home’s team members can access it. Data is encrypted in transit and at rest.

Data retention controls

You can configure how long conversation data is retained (6 to 36 months, defaulting to 24 months). Expired data is automatically purged. You can also delete individual conversations at any time or erase all data from your account settings.

Our AI provider retains API logs for a limited period for service reliability purposes, after which they are automatically deleted. These logs are not accessible to Clarica.

No training

Your data is never used to train, fine-tune, or improve AI models. This applies to both Clarica and our AI provider. Your inputs are used solely to generate a response to your request and for no other purpose.

AI disclaimer

AI-generated content is not professional advice. All outputs from Clarica’s AI tools must be reviewed by a qualified professional before use. Our tools are designed to assist care home managers, not to replace professional judgement. You are responsible for verifying that any AI-generated content is appropriate, accurate, and compliant with current regulations before relying on it.

5. Who we share data with

We share your data with the following categories of service providers, each of which has an appropriate data processing agreement in place:

• Cloud hosting provider — hosts our website and delivers content to your browser
• AI language model provider — processes your inputs when you use our AI tools and returns responses. This includes any health or special category data you enter. Our AI provider is contractually prohibited from using your data for training and operates under a data processing agreement. See our Subprocessors page for details including data locations
• Payment processor — handles billing, subscriptions, and payment card processing
• Database provider — stores your account data, subscription information, and usage records
• OAuth provider — only involved if you choose to sign in with Google; handles authentication tokens

We do not sell your personal data to anyone.

All of our service providers have appropriate data processing agreements in place. We only share the minimum data necessary for each provider to fulfil its function.

6. Data retention

We retain your data for the following periods:

• Account data — retained until you delete your account. When you delete your account, all associated data is permanently removed.
• Conversation data — retained for a configurable period (default 24 months). You can adjust this between 6 and 36 months from your account settings. Expired conversations are automatically purged. You can also delete individual conversations or erase all data at any time.
• Billing data — retained until you delete your account. Our payment processor retains its own records independently in accordance with its terms of service.
• Usage data — retained until you delete your account.
• Technical logs — retained by our hosting provider per their standard retention period (typically 72 hours).
• Audit logs — minimal records of account deletions and data erasure events are retained for regulatory compliance purposes. These contain only timestamps and anonymised identifiers, not conversation or health data.

7. Your rights

Under UK data protection law, you have the following rights regarding your personal data:

• Right of access — you can request a copy of the personal data we hold about you
• Right to rectification — you can ask us to correct any inaccurate data we hold about you
• Right to erasure — you can ask us to delete your personal data (you can also do this directly by deleting your account)
• Right to restriction — you can ask us to limit how we process your data in certain circumstances
• Right to data portability — you can request your data in a structured, commonly used format
• Right to object — you can object to processing based on legitimate interests

How to exercise your rights

You can exercise your rights by emailing us at privacy@clarica.co.uk. You can also:

• Export your data — download your conversations, memories, preferences, document history, and usage data as a structured JSON file from your account settings (self-service data portability)
• Erase your data — delete all conversations, messages, memories, and document history from your account settings (self-service erasure)
• Delete your account — permanently remove your account and all associated data from your account settings

We will respond to your request within one month. If your request is particularly complex, we may extend this by a further two months, in which case we will let you know within the first month.

If you are not satisfied with how we handle your request, you have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

8. Data breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where required by law
• Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Document the breach, including its nature, the categories of data affected, and the measures taken to address it

Where Clarica is acting as a data processor for your care home’s resident data, we will notify you (the data controller) within 72 hours of becoming aware of any breach involving that data, in accordance with our Data Processing Agreement. This enables you to fulfil your own notification obligations to the ICO and to affected data subjects.

9. Cookies and tracking

We use the following categories of cookies and tracking technologies:

Essential cookies (always active)

We use essential cookies for authentication session management via our database provider (Supabase). These cookies are strictly necessary for the service to function and cannot be switched off.

Analytics (optional — requires your consent)

With your consent, we use PostHog to collect anonymised usage data including page views and feature usage events. This helps us understand how people use Clarica so we can improve the service. PostHog stores data in the EU. No analytics data is collected until you give consent.

Error tracking (optional — requires your consent)

With your consent, we use Sentry to capture error reports and session replays when errors occur. This helps us find and fix bugs quickly. Sentry may capture technical details about the error (such as browser type and the page you were on) but does not capture passwords or payment details. No error tracking data is collected until you give consent.

Managing your preferences

When you first visit Clarica, a cookie consent banner lets you accept all, reject all, or choose which optional cookies to allow. You can change your preferences at any time by clicking “Manage cookies” in the website footer. We do not use any advertising cookies or sell data to third parties.

10. Children’s data

Our service is designed for care home managers and professionals. It is not directed at children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@clarica.co.uk and we will delete it promptly.

11. International transfers

Some of our service providers operate outside the United Kingdom, including our AI language model provider (United States) and database provider (United States / EU). This means personal data — including health data you enter into our AI tools — may be transferred outside the UK for processing.

Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:

• UK International Data Transfer Agreements (IDTAs) or standard contractual clauses
• Transfers to countries or territories with an adequacy decision from the UK Secretary of State
• Data processing agreements with each provider that impose obligations no less protective than UK GDPR

Full details of each subprocessor’s location and applicable transfer safeguards are available on our Subprocessors page. You can also contact us for further information about the specific safeguards in place.

12. Changes to this policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or by displaying a prominent notice on our website before the changes take effect.

Previous versions of this policy are available on request by emailing privacy@clarica.co.uk.

13. Contact us

If you have any questions about this privacy policy, your personal data, or wish to exercise any of your rights, please contact us:

• Email: privacy@clarica.co.uk
• Post: Clarica, England