1. Who we are

Care At Home (CareAH) is an online marketplace connecting families seeking home care with CQC-registered care agencies across England. CareAH is operated by IIT Software Limited, a company registered in England and Wales (Company No. 06372333). We are registered as a data controller with the Information Commissioner's Office (ICO), registration number ZC105746.

2. What data we collect

We collect: (a) account information you provide at registration (name, email address, phone number); (b) care preference data (postcode, care type, hours required, medical conditions relevant to care); (c) usage and analytics data; (d) payment information processed securely by Stripe -- we never store card numbers. For care agencies we also collect CQC registration details, business address, and staff DBS certificate references.

Pre-registration newsletter signups. When you sign up via our CQC Registration Checklist page, we collect your email address (required), and optionally your name, company name, planned launch month, and region. We also record your browser user-agent and the page you came from. We use this to send you a confirmation email and occasional updates relevant to your pre-registration journey. You can unsubscribe at any time.

3. How we use your data

We use your data to: match families with suitable care agencies; process bookings and payments; send service-related communications; comply with our legal obligations; improve our platform. We do not sell your personal data to third parties.

4. Legal basis for processing

We process your data under the following lawful bases: contract performance (to deliver the service you signed up for); legitimate interests (to improve our platform, prevent fraud); legal obligation (UK GDPR, Care Act 2014); consent (for marketing communications, which you may withdraw at any time).

5. Data sharing

We share limited data with: care agencies you enquire with or book; Stripe for payment processing; Supabase for secure database hosting (UK/EU servers); Resend for transactional email delivery; analytics providers (anonymised data only). All processors are contractually bound to protect your data.

6. Retention

We retain account data for the duration of your account plus 7 years for legal and financial compliance. You may request deletion of your account and personal data at any time.

7. Your rights

Under UK GDPR you have the right to access, correct, erase, restrict, port, or object to processing of your personal data. To exercise any right, please use our contact form. You also have the right to complain to the ICO at ico.org.uk.

8. Cookies

We use essential cookies to keep you logged in and analytics cookies (with your consent) to understand how the platform is used. You can manage cookie preferences via your browser settings.

9. Security

We use TLS 1.3 encryption for all data in transit and AES-256 encryption at rest. Access to personal data is restricted to authorised personnel only. We conduct regular security reviews.

10. Activity logging and monitoring

Where you use our service as an agency manager or care worker, we log: (a) page views, with URL path and timestamp; (b) key actions you take on the platform, such as creating or cancelling a subscription, claiming an agency, or generating timesheets; (c) technical context including IP address, browser or device user-agent, and metadata describing each specific action. We do not log activity by family users in this way. The lawful basis is our legitimate interest in fraud prevention, dispute resolution, and service security. Activity log records are retained for 90 days, after which they are automatically deleted. You may request access or deletion under the rights set out in Section 7.

11. Contact us

For all privacy and data-related requests, please contact us via our contact form.