top of page
Care learner by penta-06.png

Privacy Policy

Introduction & Organisational Info:

Welcome to CareLearner (www.carelearner.co.uk), a product of Pentafold Ltd. We are dedicated to serving our customers and contacts to the best of our abilities. Part of our commitment involves the responsible management of personal information collected through our website pentafold.co.uk, and any related interactions. Our primary goals in processing this information include:

  • Enhancing the user experience on our platform by understanding customer needs and preferences.

  • Providing timely support and responding to inquiries or service requests.

  • Improving our products and services to meet the evolving demands of our users.

  • Conducting necessary business operations, such as billing and account management.

It is our policy to process personal information with the utmost respect for privacy and security. We adhere to all relevant regulations and guidelines to ensure that the data we handle is protected against unauthorized access, disclosure, alteration, and destruction. Our practices are designed to safeguard the confidentiality and integrity of your personal information, while enabling us to deliver the services you trust us with.

​Your privacy is our priority. We are committed to processing your personal information transparently and with your safety in mind. This commitment extends to our collaboration with third-party services that may process personal information on our behalf, such as in the case of sending invoices. Rest assured, all activities are conducted in strict compliance with applicable privacy laws.

Scope and Application:

Our privacy policy is designed to protect the personal information of all our stakeholders, including website visitors, registered users, and customers. Whether you are just browsing our website carelearner.co.uk, using our services as a registered user, or engaging with us as a valued customer, we ensure that your personal data is processed with the highest standards of privacy and security. This policy outlines our practices and your rights related to personal information.

Data Storage and Protection:

Data Storage:

  • Personal information is stored in secure servers located in the following locations: undefined. For services that require international data transfer, we ensure that such transfers comply with all applicable laws and maintain data protection standards equivalent to those in our primary location.

  • Data Hosting Partners: We partner with reputable data hosting providers committed to using state-of-the-art security measures. These partners are selected based on their adherence to stringent data protection standards.

Data Protection Measures:

Encryption: To protect data during transfer and at rest, we employ robust encryption technologies. Access Control: Access to personal information is strictly limited to authorized personnel who have a legitimate business need to access the data. We enforce strict access controls and regularly review permissions. Security Audits and Monitoring: Regular security audits are conducted to identify and remediate potential vulnerabilities. We also monitor our systems for unusual activities to prevent unauthorized access.

Data Processing Agreements:

When we share your data with third-party service providers, we do so under the protection of Data Processing Agreements (DPAs) that ensure your information is managed in accordance with GDPR and other relevant data protection laws. These agreements mandate that third parties implement adequate technical and organizational measures to ensure the security of your data.

Transparency and Control:

We believe in transparency and providing you with control over your personal information. You will always be informed about any significant changes to our sharing practices, and where applicable, you will have the option to consent to such changes.

Your trust is important to us, and we strive to ensure that your personal information is disclosed only in accordance with this policy and when there is a justified reason to do so. For any queries or concerns about how we share and disclose personal information, please reach out to us at contact@carelearner.co.uk or +44 03301229636.

User Rights and Choices:

At Pentafold LTD, we recognise and respect your rights regarding your personal information, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We are committed to ensuring you can exercise your rights effectively. Below is an overview of your rights and how you can exercise them:

Your Rights:

  • Right of Access (Article 15 GDPR): You have the right to request access to the personal information we hold about you and to obtain information about how we process it.

  • Right to Rectification (Article 16 GDPR): If you believe that any personal information we hold about you is incorrect or incomplete, you have the right to request its correction or completion.

  • Right to Erasure (‘Right to be Forgotten’) (Article 17 GDPR): You have the right to request the deletion of your personal information when it is no longer necessary for the purposes for which it was collected, among other circumstances.

  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we restrict the processing of your personal information under certain conditions.

  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit those data to another controller.

  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal information, under certain conditions, including processing for direct marketing.

  • Right to Withdraw Consent (Article 7(3) GDPR): Where the processing of your personal information is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable data protection laws.

Exercising Your Rights:

To exercise any of these rights, please contact us at contact@carelearner.co.uk or +44 03301229636. We will respond to your request in accordance with applicable data protection laws and within the timeframes stipulated by those laws. Please note, in some cases, we may need to verify your identity as part of the process to ensure the security of your personal information.

We are committed to facilitating the exercise of your rights and to ensuring you have full control over your personal information. If you have any questions or concerns about how your personal information is handled, please do not hesitate to get in touch with us.

Cookies and Tracking Technologies:

At Pentafold LTD, we value your privacy and are committed to being transparent about our use of cookies and other tracking technologies on our website carelearner.co.uk. These technologies play a crucial role in ensuring the smooth operation of our digital platforms, enhancing your user experience, and providing insights that help us improve.

Understanding Cookies and Tracking Technologies:

Cookies are small data files placed on your device that enable us to remember your preferences and collect information about your website usage. Tracking technologies, such as web beacons and pixel tags, help us understand how you interact with our site and which pages you visit.

How We Use These Technologies:

  • Essential Cookies: Necessary for the website’s functionality, such as authentication and security. They do not require consent.

  • Performance and Analytics Cookies: These collect information about how visitors use our website, which pages are visited most frequently, and if error messages are received from web pages. These cookies help us improve our website.

  • Functional Cookies: Enable the website to provide enhanced functionality and personalization, like remembering your preferences.

  • Advertising and Targeting Cookies: Used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and help measure the effectiveness of the advertising campaign.

Your Choices and Consent:

  • Upon your first visit, our website will present you with a cookie consent banner, where you can:

  • Accept All Cookies: Consent to the use of all cookies and tracking technologies.

  • Reject Non-Essential Cookies: Only essential cookies will be used to provide you with necessary website functions.

  • Customize Your Preferences: Choose which categories of cookies you wish to allow.

Changes to Our Cookie Use:

  • We may update our use of cookies and tracking technologies to improve our services or comply with legal requirements. We will notify you of any significant changes and seek your consent where necessary.

  • Should you have any questions or concerns about our use of cookies and tracking technologies, please do not hesitate to contact us at contact@carelearner.co.uk or +44 03301229636. Your privacy and the integrity of your personal data are of utmost importance to us.

Direct Marketing and Communications:

At Carelearner (Pentafold LTD), we may use your personal information to send you direct marketing communications about our products, services, promotions, and other relevant information that we believe may be of interest to you. We are committed to ensuring that our direct marketing practices are transparent, lawful, and in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Obtaining Consent for Direct Marketing:

  • Opt-In Consent: We will obtain your explicit opt-in consent before sending you direct marketing communications, where required by law. This means that you will have the opportunity to actively consent to receiving marketing messages from us before we send them to you.

  • Unsubscribe Option: Every direct marketing communication we send will include clear instructions on how to unsubscribe or opt-out from receiving future marketing communications. You can exercise your right to opt-out at any time, and we will promptly honor your request to stop sending you marketing messages.

Types of Direct Marketing Communications:

We may use your personal information to send you direct marketing communications via various channels, including:

  • Email

Managing Your Preferences:

You have control over the direct marketing communications you receive from us. You can manage your communication preferences by using the unsubscribe link provided in our marketing emails or text messages.

CareLearner Mobile App Privacy Policy

The CareLearner mobile app will collect only the data strictly needed to provide its features (e.g. scanning documents, reporting incidents, HR forms). It will request camera and local storage access only when you initiate a relevant action, explaining each use clearly. All captured images, documents and metadata are transmitted over TLS and stored encrypted, and shared with third parties only under strict Data Processing Agreements. Processing is based on lawful bases (typically Article 6(1)(b) contract and 6(1)(f) legitimate interests, or explicit consent for optional features) and in line with UK GDPR/ICO guidance. Users retain full control: they can deny or revoke permissions at any time, and enjoy all GDPR rights (access, deletion, portability, etc.). We provide detailed in-app notices and a clear privacy section describing what data is collected, why, how long it is kept, and how users can manage it. The table below compares Android vs. iOS permission behaviors, and sample UI text is given for permission prompts and consent dialogs.

Regulatory Context and Guidance

CareLearner is a UK-based service (Pentafold Ltd) and must comply with the UK GDPR and Data Protection Act 2018. The Information Commissioner’s Office (ICO) stresses transparency, data minimisation and purpose limitation under Article 5 GDPR, and the necessity to justify retention periods. Under Article 6 GDPR we rely on contract (for core features) and legitimate interests (where processing is expected and low-impact), with explicit consent for any optional uses. We will document these lawful bases in the policy.

 

Apple’s App Store guidelines explicitly require that privacy policies “identify what data… the app collects” and “explain its data retention/deletion policies and how a user can revoke consent”. Android’s Developer Policy (Play Store) similarly requires apps to use modern permission flows: for example, apps with one-off photo needs must use the system photo picker (not broad storage permissions). In practice, we follow both Apple’s and Google’s recommendations by requesting only the necessary permissions at runtime with clear purpose strings, and by leveraging the OS file/photo picker instead of unlimited file access

Data Collected and Purposes

The app collects:

  • Images & Videos: Captured via camera for purposes like incident reporting, document scanning (ID, certificates), profile photos, e-signature capture, etc. Users always trigger the camera explicitly; no recording occurs in background. Images may include embedded metadata (timestamps, geolocation tags if camera GPS is on).

  • Documents/Files: PDFs or image files selected via the file picker or camera (e.g. for onboarding, HR leave forms, policy acknowledgements). We use platform file pickers rather than broad storage permissions, so the app only gains access to the files the user selects.

  • Metadata: File names, upload timestamps, and any device-generated metadata (e.g. GPS location in an incident photo, if the user enables location).

  • Device Information: Non-sensitive device identifiers such as model, OS version, and a unique app installation ID or push token (used to personalize the service, send notifications, or sync data across devices). We do not collect any advertising identifiers without consent.

  • Usage Data: Anonymized analytics about app usage (e.g. feature clicks, crash logs) may be collected to improve the service. Any analytics providers we use store data in GDPR-compliant regions (e.g. EU data centres) and only collect non-identifying information

Purposes: All collected data is used solely to provide and improve the CareLearner service. For example, camera images are uploaded to your account to support functions like the LMS and incident management, as described in-app. Document images and PDFs become part of your user or employee record (for HR, compliance or training). Metadata helps with synchronising content and audit trails. We do not use the camera or files for unrelated purposes (no hidden recording or data mining). Any optional features (such as in-app photo galleries) will be explicitly labelled and will require separate consent.

Lawful Basis for Processing

Processing of personal data in the app is primarily justified under Article 6(1)(b) GDPR (“contract”) and Article 6(1)(f) GDPR (“legitimate interests”):

  • Contract (Article 6(1)(b)): Much of the data processing is necessary to perform our contract with the user’s organisation (e.g. an employer or client) – such as managing training records, employee HR forms, leave requests and safety incident logs. Per ICO guidance, if data processing is necessary to deliver the contractual service, it is lawful on this basis without separate consent.

  • Legitimate Interest (Article 6(1)(f)): We also rely on our own legitimate interests for certain internal purposes that users would reasonably expect, provided we have balanced this against individual privacy. For example, anonymized analytics and improving app security are legitimate interests, as long as they have minimal impact on privacy. We will document these interests in a Legitimate Interests Assessment.

  • Consent (Article 6(1)(a)): Where processing is neither strictly contractual nor clearly expected (e.g. if we introduce new optional features), we will seek explicit opt-in consent. Android/iOS permission grants are not treated as GDPR consent by themselves; hence we will also use clear consent checkboxes or toggles in-app for any processing that requires it. Consent can be withdrawn at any time without affecting prior lawful processing.

We do not intentionally collect any special-category data (health, biometrics, etc.) via the app. If the user uploads a document containing health or sensitive information, they do so voluntarily for a specified purpose (e.g. medical certificates).

User Rights and Choices:

At Pentafold LTD, we recognise and respect your rights regarding your personal information, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. We are committed to ensuring you can exercise your rights effectively. Below is an overview of your rights and how you can exercise them:

Your Rights:

  • Right of Access (Article 15 GDPR): You have the right to request access to the personal information we hold about you and to obtain information about how we process it.

  • Right to Rectification (Article 16 GDPR): If you believe that any personal information we hold about you is incorrect or incomplete, you have the right to request its correction or completion.

  • Right to Erasure (‘Right to be Forgotten’) (Article 17 GDPR): You have the right to request the deletion of your personal information when it is no longer necessary for the purposes for which it was collected, among other circumstances.

  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we restrict the processing of your personal information under certain conditions.

  • Right to Data Portability (Article 20 GDPR): You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit those data to another controller.

  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your personal information, under certain conditions, including processing for direct marketing.

  • Right to Withdraw Consent (Article 7(3) GDPR): Where the processing of your personal information is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal information violates applicable data protection laws.

To exercise these rights, users can contact us at contact@carelearner.co.uk or +44 117 486 9045. We will respond within the legally mandated timeframe (typically one month) as stated in our privacy policy. Note that if a processing activity is based on contract (Article 6(1)(b)), the right to object does not apply, but users can still request deletion or portability. All rights (including withdrawing consent) are clearly documented in the policy

Permission Requests (Android vs iOS)

The app will request permissions at runtime and only when needed. In Android we will use standard runtime permission dialogs, typically triggered by user action. In iOS we include the required NSCameraUsageDescription and NSPhotoLibraryUsageDescription strings in the app’s Info.plist, which the system displays when asking for camera or photo access. All purpose-strings and pre-permission prompts will clearly state why each permission is needed (as Apple’s guidelines mandate). For example, iOS might show “CareLearner needs camera access to scan documents and capture incident photos,” matching the text in our UI.

We will never prompt for a permission without context. Before the system dialog, the app will show an in-app notice explaining the feature (e.g. “The app will now ask to use your camera to take a photo of your ID. You can choose to allow or deny.”). This aligns with best practices that permissions should only be requested as part of a user action and with full explanation. If a user declines, the feature depending on it is skipped, and we either disable it gracefully or offer an alternative (e.g. manual entry or file upload from the device).

In all cases, users are free to change permissions in their device settings at any time. The app will not access the camera or files without the user’s explicit approval each time. Importantly, as the CNIL (French regulator) has noted, technical permission grants alone do not count as GDPR consent; we therefore separate the OS permission from any additional consent needed for processing the resulting data, as discussed above.

Android vs. iOS Permission Comparison

Permission Feature
Android
IOS
Core Functionality
Must ensure app still runs without optional permission.
Apple guidelines require fallback if permission denied (e.g. manual entry instead of location)
Behavior When Denied
Denial prevents camera use; user can still choose images via picker or skip that feature.
Denial means no photo library access; user can still upload via document picker or use “Share > CareLearner” options.
Grant Scope
Grant is for full camera or all images (unless using picker). Re-request possible if user retries.
Grant is for camera or (optionally) full photo library. Users can change to limited (“Selected”) mode. Re-request possible only via app settings once declined.
Permission UI Text
System permission dialog uses app name (no custom message). We provide our own pre-dialog text.
The system prompt includes our NS…UsageDescription text. We craft this string to match the brief explanation given in-app
Photo Library / Storage Access
On Android 13+: READ_MEDIA_IMAGES/READ_MEDIA_VIDEO for broad access. However, for one-time uploads we will use the system photo picker (no permission needed)
NSPhotoLibraryUsageDescription string triggers prompt “Allow access to photos?”. iOS 14+ lets user select “Only Selected Photos” (limited access) by default. If needed, we use the PHPicker (system picker) to let users choose files.
File/System Storage
Prefer Storage Access Framework / ACTION_OPEN_DOCUMENT for picking any file (no permission). We will not request broad MANAGE_EXTERNAL_STORAGE.
Use UIDocumentPicker (no extra permission) to let users choose PDFs or files.
Camera Access
Declared android.permission.CAMERA. Requested at runtime with system prompt (“Allow CareLearner to take pictures and record video?”). We can precede this with a custom rationale dialog.
NSCameraUsageDescription is included; system prompt shows our string (e.g. “CareLearner needs camera access to capture photos of documents”). Explicit only when app requests.

Data Security and Storage

All data collected by the app is secured both in transit and at rest. Network communications with our servers use strong encryption (HTTPS/TLS v1.2+). On the server side, data (images, documents, logs, etc.) is encrypted at rest using industry-standard methods. Our hosting providers are reputable, GDPR-compliant data centres in the EU/UK with robust security certifications. We enforce strict access controls (principle of least privilege) so only authorised personnel can access user data.

We also encrypt any backups of user data. Daily backups are stored securely and can only be accessed by designated administrators. All third-party processors (e.g. cloud hosting, analytics) operate under signed Data Processing Agreements ensuring they implement equivalent technical and organisational safeguards. Regular security audits and monitoring are conducted to detect and address vulnerabilities or misuse.

Data Retention and Deletion

CareLearner will retain personal data only as long as needed for the purposes described. Per ICO guidance, retention periods are justified by the purpose of processing. For example, training records and HR documents may be kept as long as employment or audit requirements dictate; incident reports might be archived after investigations conclude. Data that is no longer needed will be securely deleted or anonymized.

We apply a “storage limitation” principle: data is kept only while one of its original purposes still applies. We regularly review stored data and purge items when appropriate (for instance, removing old training logs or outdated profile images). Users have the right to ask us to delete their personal data earlier (“right to erasure”): we will promptly honor any valid request to delete user-specific data (images, documents, account info) once it’s no longer required. This is explicitly noted in the privacy policy and reiterated in-app.

Third-Party Services and Analytics

Where the app uses third-party services (e.g. cloud hosting, analytics SDKs), we ensure they comply with GDPR. Any transfer of personal data to processors is governed by a GDPR-compliant Data Processing Agreement. These partners are vetted to guarantee they apply at least the same level of protection as CareLearner provides.

Consent Withdrawal and Opt-Out

Users can revoke any permission at any time via the device settings, and the app will immediately respect that choice (e.g. disabling the camera features if permission is revoked). For non-essential processing (such as analytics or marketing communications), users can opt out via app settings or by contacting us. All permission requests are optional and not mandatory for core functionality. As Apple’s guidelines advise, we provide alternatives for users who decline permissions (for example, allowing document upload without camera, or manual data entry instead of auto-location). No functionality is unduly withheld if a user refuses a permission outside of the feature that needs it.

Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: contact@carelearner.co.uk
​General Support: info@carelearner.co.uk
Company: Pentafold LTD

bottom of page