Privacy Policy

Last updated: 5 May 2026

1. Who we are

Compass North Solutions (UK) Ltd ("we", "us", "our") operates the Compass North platform, a family care coordination service. We are the data controller for personal data processed through this platform.

For data protection enquiries, contact us at: privacy@cns-uk.co.uk

2. What data we collect

We collect and process the following categories of personal data:

  • Account data: name, email address, role
  • Child records: name, date of birth, care-related notes
  • Health and wellbeing data: mood logs, sleep, medication records (special category data)
  • Safeguarding records: incident reports, risk assessments (special category data)
  • Communications: messages sent between users on the platform
  • Documents: files you upload relating to children in your care
  • Usage data: login times, actions taken within the platform

3. Legal basis for processing

We process your data under the following lawful bases:

  • Contract: to provide the platform services you have signed up for
  • Legitimate interests: platform security, fraud prevention, service improvement
  • Legal obligation: where required by UK law
  • Consent: for optional features such as email notifications

For special category data (health, safeguarding), we rely on substantial public interest under Schedule 1, Part 2, DPA 2018 — specifically the safeguarding of children and individuals at risk.

4. How we use your data

  • To provide and operate the Compass North platform
  • To enable authorised family members and professionals to access shared records
  • To send notifications you have opted into
  • To maintain security and prevent unauthorised access
  • To comply with legal obligations

We do not sell your data. We do not use your data for advertising. Compass North products are ad-free.

5. Data sharing

We share data only in the following circumstances:

  • Within the platform: with other users you have explicitly authorised to access your family's records
  • Service providers: Supabase (database and authentication infrastructure, EU/UK data centres); Vercel (hosting)
  • Legal requirement: if required by a court order or statutory obligation

6. Data retention

We retain your data for as long as your account is active. If you delete your account, your personal data will be deleted within 30 days, except where we are required to retain it by law.

Safeguarding records may be retained for longer periods in accordance with statutory guidance for child protection records.

7. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Rectification of inaccurate data
  • Erasure ("right to be forgotten") in certain circumstances
  • Restriction of processing in certain circumstances
  • Data portability — receive your data in a machine-readable format
  • Object to processing based on legitimate interests
  • Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at privacy@cns-uk.co.uk. We will respond within one month.

8. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising, analytics, or tracking cookies.

9. Security

All data is encrypted in transit (TLS) and at rest. Access to data is controlled by Row Level Security policies — no database query can return data a user is not authorised to view. We conduct regular security reviews.

10. Complaints

If you have a concern about how we handle your data, please contact us first at privacy@cns-uk.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.