Privacy policy

Last updated: 2026-05-21

1. Who we are

RockSolid 247 Limited, registered in England & Wales, company number 10925171. Registered office: 78 The Boxhill, Coventry, England, CV3 1ER. ICO data-controller registration: ZA527245 (Tier 1). Contact for privacy queries: info@rocksolid247.com.

2. What personal data we collect

We collect personal data in four contexts:

• From applicants and care professionals: full name, contact details, date of birth, address, National Insurance number, right-to-work evidence, DBS certificate details, bank details for payroll, references, optional CV.
• From care recipients and their representatives: name, contact details, care needs, care plans, contact preferences.
• From website visitors: IP address and user-agent (Cloudflare standard logs); any data you submit via the contact form.
• From people who write to us: when you email one of our published addresses or use our contact form, we receive your name, email address, and the subject, content, and any attachments of your message. These messages are sorted by an automated classification system (see “6. Automated handling of inbound correspondence” below).

3. Lawful bases for processing

• Legitimate interest — recruitment, supplier introductions, and efficient triage of the correspondence we receive (see section 6).
• Contract — delivery of agreed care services.
• Legal obligation — CQC parallel safeguarding records, HMRC payroll records, Home Office right-to-work requirements.
• Consent — marketing preferences only, defaulted off.

4. Recipients

• uCheck — DBS check processing, with applicant consent at the point of payment.
• Stripe — payment-card data; we never see or store card details ourselves.
• Anthropic — for inbound messages our rules cannot categorise, a limited extract (sender, subject, and the first 500 characters) is processed solely to suggest a category, under zero-data-retention terms: never stored by Anthropic and never used to train AI models (see section 6).
• HMRC — payroll.
• Local Authority commissioners — case-by-case for placement-specific information.
• Regulators where legally required.

We do not share personal data for marketing purposes and we do not use third-party advertising trackers.

5. Retention periods

• Care-recipient and care-professional records: minimum 7 years post-termination of relationship, longer where law requires.
• Contact-form submissions: 12 months unless the enquiry becomes a working relationship.
• Classified inbound correspondence: retained by category — see section 6.
• Website logs (Cloudflare edge): 30 days.

6. Automated handling of inbound correspondence

When you write to one of our published email addresses, or submit our contact form, your message is processed by an automated classification system. The system sorts each message into a category — for example, regulator, Local Authority commissioner, family, supplier, internal, newsletter, or suspected spam — and routes it to the right person on our team to read and act on. It sorts and routes correspondence; it does not make decisions about you.

How classification works. Most messages are categorised by fixed rules based on the sender — for example, known regulators and Local Authority commissioners are recognised automatically, and their messages are never sent to any third party. Where a message cannot be categorised confidently by those rules, a limited extract — the sender's email address, the subject line, and up to the first 500 characters of the message — is sent to our AI provider, Anthropic, for the sole purpose of suggesting a category. This is done under zero-data-retention terms: Anthropic does not store the extract and never uses it to train AI models. Full message bodies, attachments, and any other content are never sent for this purpose.

Lawful basis. Our lawful basis is legitimate interest — triaging the volume of business correspondence we receive efficiently, so that enquiries reach the right person promptly. We have limited this processing to what is necessary: known senders bypass the AI step, only a short extract is ever shared, and messages are kept only as long as set out below.

How long we keep it. Retention depends on the category:

• Correspondence from regulators, and other records we are required to keep for compliance: 7 years.
• Correspondence from commissioners, families and suppliers: 12 months, or longer where it becomes part of a working relationship.
• Internal correspondence: 12 months.
• Newsletters and other information-only messages: 90 days.
• Suspected spam: 30 days.

Your rights. You can ask us to access or erase correspondence we hold about you (see section 8). When we action an erasure request we permanently remove the message content from our systems, keeping only a minimal record that the request was made and honoured.

No automated decisions about you. This system only sorts and routes messages to a member of our team. It does not make any automated decision that produces legal effects, or similarly significant effects, concerning you (UK GDPR Article 22). A person — not the system — reviews your message and decides how we respond.

7. International transfers

None. All processing is in the UK. Cloudflare's UK edge serves the website. Mailbox storage is at one.com (UK/EU). Outbound transactional email (via Resend) transits under standard contractual clauses.

8. Your rights

Under the UK GDPR you have the right to: access your data, request correction of inaccurate data, request erasure, restrict processing, request portability, object to processing, and withdraw any consent you previously gave. We do not make automated decisions with legal or similarly significant effects about you.

To exercise any of these rights, email info@rocksolid247.com or write to our registered office.

9. Complaints

You have the right to complain to the Information Commissioner's Office at ico.org.uk. We would prefer the chance to resolve any concerns first — please contact us.

10. Updates to this policy

We will update this page when our practices change. Material changes will be flagged on our homepage for at least 30 days. The "Last updated" date at the top of this page records when the current version took effect.

11. Data Protection Officer

RockSolid 247 Limited is not required to formally appoint a Data Protection Officer under UK GDPR Article 37 — we are not a public authority and our core activities do not constitute large-scale systematic monitoring or processing of special-category data at the threshold that mandates a DPO. Privacy queries are handled by the Director and the operations team via info@rocksolid247.com.