Privacy Policy
How we collect, use, and protect your personal data.
Effective date: 7 March 2026
1. Introduction
Brolly Care Management Ltd ("Brolly", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website at brolly.care (the "Website") and use our services, including the free CQC assessment tool.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal data is:
Brolly Care Management Ltd
hello@brolly.care
brolly.care
3. What Data We Collect
We collect different types of data depending on how you interact with our Website:
3.1 Website Analytics (All Visitors)
We use Google Analytics to collect basic, anonymised usage data about how visitors interact with our Website. This includes:
- Pages visited and time spent on each page
- Referring website or source that brought you to our site
- General geographic location (country/city level, not precise location)
- Device type, browser type, and operating system
- Anonymised IP address (IP anonymisation is enabled)
This data is collected in aggregate form and is used solely to understand how our Website is used so we can improve its content and user experience. Google Analytics data does not identify you personally.
3.2 Free Assessment Tool
If you choose to use our free CQC assessment tool, we collect:
- The regulator you select (e.g. CQC, CIW)
- The provider/location ID you enter
- The publicly available CQC data retrieved about your organisation (name, address, ratings, inspection history)
This data is processed in real time to generate your assessment report. We retain a record of assessment requests to follow up with prospective customers and to improve our services.
3.3 Enrolment Information
If you choose to enrol in the Brolly programme, we collect:
- Your full name
- Your email address
- The number of care staff in your organisation
- Your organisation name and CQC location ID
This information is used to create your account, process your subscription, and provide you with our services.
3.4 Contact Form
If you contact us through our Website, we collect the information you provide, such as your name, email address, phone number, and the content of your message.
4. How We Use Your Data
We use the data we collect for the following purposes:
- To provide our services: generating your free assessment report, setting up your account, and delivering the Brolly programme.
- To follow up on enquiries: if you use the assessment tool or contact us, we may reach out to discuss how we can help your organisation. You can opt out of follow-up communications at any time.
- To improve our Website: understanding how visitors use the site through anonymised analytics so we can improve content, navigation, and user experience.
- To process payments: if you subscribe, your payment is processed securely by Stripe. We do not store your full payment card details.
- To comply with legal obligations: where required by law, regulation, or legal process.
5. We Do Not Sell or Share Your Data
We do not sell, rent, trade, or otherwise share your personal data with any third parties for their marketing purposes. This is a firm commitment and a core principle of how we operate.
We will never provide your personal information to third parties for the purpose of direct marketing, advertising, or any commercial purpose unrelated to the delivery of our services.
6. Third-Party Service Providers
We work with a limited number of trusted third-party service providers who process data on our behalf solely to deliver our services. These include:
- Google Analytics (website analytics): anonymised usage data only
- Stripe (payment processing): handles payment card data securely under PCI DSS compliance
- Anthropic (AI analysis): processes CQC data to generate assessment reports; no personal data is sent unless included in publicly available CQC records
- Mailgun (email delivery): sends transactional emails such as enrolment confirmations
Each of these providers is contractually bound to process your data only as instructed by us and in accordance with applicable data protection laws. They do not have permission to use your data for their own purposes.
7. Legal Basis for Processing
Under the UK GDPR, we process your personal data on the following legal bases:
- Consent: when you voluntarily provide your data through the assessment tool, enrolment form, or contact form. You may withdraw consent at any time by contacting us.
- Contractual necessity: when processing is required to fulfil our subscription agreement with you.
- Legitimate interests: for website analytics, service improvement, and following up with prospects who have used the assessment tool, where such processing does not override your rights and freedoms.
- Legal obligation: where we are required to process data to comply with applicable laws.
8. Cookies
Our Website uses cookies, which are small text files placed on your device when you visit. We use the following types of cookies:
8.1 Essential Cookies
These are necessary for the Website to function correctly, such as maintaining your session while using the assessment tool. These cookies do not collect personal data and cannot be disabled without affecting the Website's functionality.
8.2 Analytics Cookies
We use Google Analytics cookies to collect anonymised information about how visitors use our Website. These cookies help us understand which pages are most popular, how visitors navigate the site, and where improvements can be made. All data collected is aggregated and anonymous.
The Google Analytics cookies we use include:
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Distinguishes unique visitors | 2 years |
| _ga_* | Maintains session state | 2 years |
8.3 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling cookies may affect the functionality of some parts of the Website. For more information on managing cookies, visit aboutcookies.org.
9. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Website analytics data: retained in anonymised form for up to 26 months, as per Google Analytics default settings.
- Assessment data: retained for up to 12 months to allow follow-up and service improvement. After this period, it is anonymised or deleted.
- Enrolment and subscription data: retained for the duration of your subscription and for up to 6 years afterwards to comply with legal and accounting obligations.
- Contact form submissions: retained for up to 12 months unless a business relationship is established.
10. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
- HTTPS encryption for all data transmitted between your browser and our servers
- Secure, encrypted storage of personal data
- Access controls limiting who within our organisation can access personal data
- Regular review of our security practices
While we take all reasonable steps to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but are committed to maintaining industry-standard protections.
11. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: you can request a copy of the personal data we hold about you.
- Right to rectification: you can ask us to correct any inaccurate or incomplete data.
- Right to erasure: you can request that we delete your personal data, subject to certain legal exceptions.
- Right to restriction: you can ask us to restrict the processing of your data in certain circumstances.
- Right to data portability: you can request your data in a structured, commonly used, machine-readable format.
- Right to object: you can object to the processing of your data where we rely on legitimate interests as our legal basis.
- Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at hello@brolly.care. We will respond to your request within one month, as required by law.
12. International Data Transfers
Some of our third-party service providers (such as Google and Anthropic) may process data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses approved by the Information Commissioner's Office (ICO), to protect your data to UK GDPR standards.
13. Children's Privacy
Our Website and services are intended for use by care service providers and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will update the "Effective date" at the top of this page. We encourage you to review this policy periodically.
15. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We would appreciate the opportunity to resolve any concerns before you contact the ICO. Please reach out to us first at hello@brolly.care.
16. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
Brolly Care Management Ltd
hello@brolly.care
brolly.care