Privacy Notice
Last updated: 2 April 2026
1. Who we are
Rate My Care Ltd (company number 15603776) is a company registered in England and Wales. Our registered office is 19 Faraday Road, London, W10 5NZ.
When we process personal data on behalf of an NHS Trust or other healthcare provider, we act as a data processor. The Trust remains the data controller. When we process data for our own purposes (e.g. managing your account, website analytics), we act as the data controller. For questions about this notice, contact us at privacy@ratemycare.com.
2. What data we collect
We may collect the following types of personal data:
- Identity data — name, date of birth, NHS number (where provided by the Trust).
- Contact data — email address, telephone number, postal address.
- Feedback data — patient experience feedback, Friends and Family Test (FFT) responses, complaints, compliments, and PALS enquiries.
- Special category data — health data, ethnicity, religion, disability, and other demographic information collected under explicit consent or for reasons of substantial public interest.
- Technical data — IP address, browser type and version, device information, time zone, operating system.
- Usage data — information about how you use our website and platform.
3. How we collect your data
We collect personal data through:
- Patient feedback forms submitted via our platform, the NHS App, or in-person kiosks.
- Direct correspondence with our team (email, phone, or in writing).
- Data shared with us by NHS Trusts and healthcare providers in the course of service delivery.
- Automated technologies such as cookies when you interact with our website.
- Account registration and profile management.
4. How we use your data
We process your data under the following legal bases:
- Article 6(1)(e) UK GDPR — processing is necessary for the performance of a task carried out in the public interest (supporting NHS patient experience improvement).
- Article 9(2)(h) UK GDPR — processing of special category data is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems.
- Article 6(1)(a) UK GDPR — where you have given consent, for example when providing optional demographic data or subscribing to communications.
- Article 6(1)(f) UK GDPR — legitimate interests, such as improving our services, maintaining security, and preventing fraud.
Where we act as a data processor on behalf of an NHS Trust, we process data only in accordance with the Trust's instructions and our data processing agreement. The Trust's own privacy notice will apply to how they use your data.
5. Who we share your data with
We may share your personal data with:
- The NHS Trust or healthcare provider responsible for your care (as the data controller).
- Our hosting and infrastructure providers (see section 7 below).
- Analytics providers who help us improve our platform.
- Professional advisers including lawyers, auditors, and insurers.
- Regulators and authorities where required by law (e.g. the Information Commissioner's Office, the Care Quality Commission).
We do not sell your personal data to any third party.
6. International transfers
We store and process data within the United Kingdom and the European Economic Area. Where any data is transferred outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses approved by the Information Commissioner's Office, or an adequacy decision.
7. Data security
We take the security of your data seriously. Our technical and organisational measures include:
- Hosting on Microsoft Azure UK regions with ISO 27001 and NHS DSPT-compliant infrastructure.
- Encryption at rest using AES-256.
- Encryption in transit using TLS 1.2 or higher.
- Password hashing using SHA-256 with salting.
- Role-based access controls and audit logging.
- Regular security assessments and penetration testing.
8. Data retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Patient feedback data is retained in accordance with the data retention schedule agreed with the relevant NHS Trust. Where we act as controller, we retain account data for the duration of the account and for up to 12 months after account closure. Anonymised and aggregated data may be retained indefinitely for research and service improvement.
9. Your legal rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your data in certain circumstances.
- Restriction — request that we restrict processing of your data.
- Portability — request transfer of your data to another organisation.
- Objection — object to processing based on public interest or legitimate interests.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@ratemycare.com. We will respond within one month.
10. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO). You can contact the ICO at ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
11. Cookies
Our website uses cookies and similar technologies. For full details on the cookies we use and how to manage them, please see our Cookies Policy.
12. Payments
Where payments are made for our services, these are processed by our third-party payment provider. We do not store your full payment card details on our systems. Payment processing is subject to the payment provider's own privacy policy.
13. National Data Opt-Out
We respect the NHS National Data Opt-Out. Where we process confidential patient information for purposes beyond individual care, we will check the National Data Opt-Out register and ensure that the wishes of patients who have opted out are honoured. For more information about the National Data Opt-Out, visit digital.nhs.uk.
14. Children's privacy
Our platform is not directed at children under 13. We do not knowingly collect personal data from children under 13. Where feedback is submitted on behalf of a child, it should be submitted by a parent, guardian, or carer. If you believe we hold data about a child under 13 that was collected without appropriate consent, please contact us at privacy@ratemycare.com and we will take steps to delete it.
15. Changes to this notice
We may update this privacy notice from time to time. Any changes will be posted on this page with an updated revision date. Where changes are significant, we will notify you by email or through a notice on our platform.
Questions about your data?
Contact our data protection team at any time at privacy@ratemycare.com.