Privacy Policy

Last Updated: March 2026

1. Data Controller and Processor

FosterCore ("we", "us", "our") operates the FosterCore Agency Operating System. Under UK GDPR, when your Independent Fostering Agency ("the Agency") uses FosterCore, the Agency is the Data Controller and FosterCore acts strictly as the Data Processor. We process personal data only on documented instructions from the Controller. We do not sell, rent, or monetise any data uploaded to the Platform.

2. Information We Collect

We process the following categories of data on behalf of the Controller:

  • Special Category Data (Article 9): Safeguarding incidents, health/medical status, and care records of looked-after children.
  • Carer Data: Form F assessments, DBS status, training records, supervision records, and financial allowances.
  • Staff Data: Names, email addresses, and role assignments for Authorised Users.
  • Audit Metadata: Immutable access logs identifying which staff accessed which records, including timestamps and IP addresses.
  • Website Visitors: Anonymous analytics data (if cookies are accepted), IP address, browser type, and pages visited.

3. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contract: Processing necessary for the performance of our SaaS service agreement with the Agency.
  • Legal Obligation: Processing necessary to comply with the Fostering Services (England) Regulations 2011, Children Act 1989, and associated statutory requirements.
  • Legitimate Interest: Processing necessary for system security, fraud prevention, and service improvement.
  • Consent: For non-essential cookies and marketing communications (where applicable).

4. Data Residency and Storage

All data is stored exclusively in AWS eu-west-2 (London). Our database (Supabase PostgreSQL), application layer (Vercel Edge), and authentication provider (Clerk) all operate within the UK/EEA. No personal data is transferred outside the UK/EEA without explicit written consent from the Data Controller.

5. Data Retention

Retention periods are aligned with statutory requirements:

  • Active carer records: Retained for the duration of the Agency's subscription.
  • Deregistered carer records: Retained for 10 years post-deregistration (Regulation 30).
  • Looked-after children records: Retained for 75 years from date of birth or 15 years from date of death (Schedule 3).
  • Audit logs: Retained for a minimum of 7 years.
  • Website analytics: Anonymised and retained for 26 months.

Upon termination, data is exported within 10 working days, permanently deleted from live systems within 14 days, and deleted from backups within 90 days, unless archival retention has been elected.

6. Your Rights

Individuals whose data is processed on the Platform have the following rights under UK GDPR:

  • Right of Access (SAR): Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate data.
  • Right to Erasure: Request deletion, subject to statutory retention requirements.
  • Right to Restrict Processing: Request limitation of processing in certain circumstances.
  • Right to Data Portability: Receive data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.

Data subjects (e.g., foster carers, staff) should contact their Agency (the Data Controller) to exercise these rights. We will assist the Controller in fulfilling such requests within the statutory 30-day timeframe.

7. Cookies

Our website uses essential cookies required for the Platform to function (session management, CSRF protection). We also offer analytics cookies to understand usage patterns, which are only placed with your explicit consent. You can manage your cookie preferences at any time via our cookie consent banner. For full details, see the cookie categories in our consent dialogue.

8. Sub-Processors

We use the following sub-processors, all with UK/EEA data handling:

  • Supabase (PostgreSQL): Primary database. Locked to eu-west-2 (London).
  • Vercel: Application hosting. Edge execution: lhr1 (London).
  • Clerk: Authentication and identity management. SOC 2 Type II.
  • Google Gemini: AI features. Data is not used for model training.

9. ICO Registration

FosterCore is registered with the Information Commissioner's Office (ICO) in the United Kingdom (registration number: pending). If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the ICO at ico.org.uk.

10. Contact

For data protection enquiries, contact our Data Protection Officer at: dpo@fostercore.uk

© 2026 FosterCore. All rights reserved.