Privacy Policy
Atara Care - a service provided by Digital Care Home Ltd
Effective date: 10 April 2026
Last updated: 10 April 2026
1. Who We Are
Atara Care is a cloud-based care management SaaS platform for residential care homes in the United Kingdom. It is operated by Digital Care Home Ltd.
Website: www.ataracare.com
Email: privacy@ataracare.com
We are registered with the Information Commissioner's Office (ICO).
2. Who This Policy Applies To
This policy applies to:
- Care home organisations that subscribe to Atara Care
- Care home staff and administrators who use the platform
- Residents and family members whose data is entered into the platform by care homes
- Visitors to www.ataracare.com
3. Our Role: Processor and Controller
3.1 Data Processor
For personal data stored inside the Atara Care platform — resident records, staff records, and family portal data — the care home is the Data Controller and Digital Care Home Ltd is the Data Processor.
We process this data only on the documented instructions of the care home. We do not use it for our own purposes, sell it, or use it to train general-purpose AI models.
Each customer has a Data Processing Agreement (DPA) with us, as required by Article 28 UK GDPR.
3.2 Data Controller
For data collected via our website, marketing activity, and account administration, Digital Care Home Ltd is the Data Controller.
4. What Data We Collect
4.1 Platform Data (as Processor)
Care homes may enter the following categories of personal data into Atara Care:
- Resident data: identity, contact details, health and care records, risk assessments, care plans, medication records, incident reports, daily notes, and mental capacity and consent records
- Staff data: identity, contact details, employment details, training and compliance records, rostering and attendance, and user account information
- Family/representative data: identity, contact details, relationship to resident, portal access logs, and messages
Much of this constitutes special category data (in particular health data) under UK GDPR Article 9.
The care home determines the lawful basis for processing this data and is responsible for informing residents, staff, and families about its use.
4.2 Website and Account Data (as Controller)
We collect the following in our own right:
- Account data: name, work email, job title, organisation name, and login activity
- Billing data: organisation details, billing contact, and invoice history (card details are handled by our payment processor only)
- Support data: content of support tickets, emails, and any screenshots or exports shared with us
- Website data: IP address, browser type, device type, pages visited, and session duration
- Enquiry data: name, email address, organisation, and message content submitted via contact or demo request forms
5. Why We Use Personal Data
5.1 As Processor
We process customer platform data solely to provide and operate the Atara Care SaaS service and its modules, provide technical support and resolve incidents, and maintain platform security, backups, and performance.
5.2 As Controller
| Purpose | Lawful Basis |
|---|---|
| Providing and managing Atara Care subscriptions and accounts | Contract — Article 6(1)(b) UK GDPR |
| Responding to enquiries and support requests | Contract / Legitimate interests — Article 6(1)(b)/(f) |
| Sending service and security communications | Contract / Legitimate interests — Article 6(1)(b)/(f) |
| Improving our website and platform via usage analytics | Legitimate interests — Article 6(1)(f) |
| Meeting tax, accounting, and legal obligations | Legal obligation — Article 6(1)(c) |
| Marketing emails to existing customers or prospects | Legitimate interests — Article 6(1)(f); or consent where required |
We do not use the new “recognised legitimate interests” lawful basis introduced by the Data (Use and Access) Act 2025 at this time.
6. Automated Decision-Making
Atara Care includes predictive analytics features (for example falls risk scoring, deterioration alerts, and staffing forecasts) in Module 10. These are decision-support tools only and require human review by qualified care home staff before any action is taken.
Because these analytics process resident health data (special category data), we maintain safeguards aligned with UK GDPR and the Data (Use and Access) Act 2025:
- All outputs require mandatory human review
- No solely automated decision is made about any resident
- Residents can contest algorithmic recommendations and request human intervention
- A Data Protection Impact Assessment (DPIA) covers the predictive analytics module
7. Cookies
We use strictly necessary, analytics, and functional cookies on www.ataracare.com.
Under the Data (Use and Access) Act 2025, analytics and low-risk functional cookies may be placed without prior consent where a clear opt-out is provided. Strictly necessary cookies require no consent. We do not use advertising or tracking cookies.
Full details of every cookie we use, its purpose and duration, and how to manage your preferences are set out in our Cookie Policy.
8. How We Share Data
8.1 Sub-Processors
To deliver the Atara Care service, we use a small number of third-party suppliers who process personal data on our behalf. All are bound by written data processing agreements. Our current sub-processor list is available on request.
8.2 Other Sharing
We share personal data only:
- With the care home and their authorised users
- With our sub-processors, as described above
- With professional advisers (legal, financial) under confidentiality obligations
- Where required by law, regulation, or valid legal process
We do not sell personal data to any third party.
8.3 International Transfers
Some sub-processors may process data outside the UK. Where this occurs, we implement appropriate safeguards, such as the ICO's International Data Transfer Addendum (IDTA) or equivalent Standard Contractual Clauses. We do not transfer resident health data outside the UK/EEA without explicit justification and appropriate safeguards.
9. Data Retention
9.1 Platform Data
We retain customer platform data for the duration of the contract and as instructed in the DPA. On contract termination, customers have 90 days to export their data before secure deletion.
Care homes are responsible for their own retention schedules for resident and staff records, typically guided by the NHS Records Management Code of Practice 2021.
9.2 Data We Control
| Data Type | Retention Period |
|---|---|
| Account and billing data | Duration of contract + 7 years (legal/tax obligations) |
| Support tickets | 3 years after closure |
| Website enquiry data | 2 years from last contact |
| Security and access logs | 7 years |
| Marketing contact data | Until opt-out or 3 years of inactivity |
10. Security
We apply technical and organisational security measures appropriate for a healthcare SaaS platform, including:
- Encryption in transit (TLS) and at rest
- Role-based access controls (RBAC) with unique accounts
- Multi-factor authentication (MFA) for admin access
- Access to production systems limited to authorised personnel
- Regular patching and security updates
- Cloud infrastructure hosted with reputable providers
- Backups with tested restore procedures
We align our practices with ICO accountability guidance and NHS DSPT expectations for IT suppliers. For more information, see our Security page.
11. Your Rights
11.1 Rights Over Platform Data
For resident, staff, or family data stored in Atara Care, please contact your care home directly. They are the Data Controller and are responsible for handling your rights request. We support care homes as their processor in responding to these requests.
11.2 Rights Over Our Own Data (Website, Accounts, Marketing)
Under UK GDPR and the Data (Use and Access) Act 2025, you have rights of access, rectification, erasure, restriction, portability, and objection, and rights regarding automated recommendations.
To exercise your rights, email privacy@ataracare.com with your name and a description of your request. We will respond within one calendar month. Under the Data (Use and Access) Act 2025, where clarification is reasonably required to identify relevant data, the response clock pauses until you respond.
11.3 Right to Complain
Under the Data (Use and Access) Act 2025 (in force 19 June 2026), you have a formal right to complain directly to us. We will acknowledge complaints within 30 days and respond without undue delay.
You may also complain to the ICO: www.ico.org.uk | Phone: 0303 123 1113
We ask that you contact us first so we can try to resolve your concern.
12. Children
Atara Care is a business-to-business platform. Our website and marketing are not directed at individuals under 18. Where care homes use the platform for residents under 18, the care home (as Data Controller) is responsible for applying appropriate children's data protection safeguards under UK GDPR and the Data (Use and Access) Act 2025.
13. Changes to This Policy
We will update this policy when required by law, regulatory guidance, or changes to our services. The “Last Updated” date at the top reflects the current version. For material changes we will notify customers by email with reasonable notice.
The current version is always available at www.ataracare.com/privacy.
