Privacy Policy
Last updated: 22 May 2026
CaseFlo Limited ("CaseFlo", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store and share personal data when you use our platform at caseflo.co.uk or engage with our services. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
CaseFlo Limited is registered in England and Wales (Company No. 17181579). Our registered office is 16 Kirchen Road, London W13 0TY. We provide AI-assisted case management and document generation software to UK fostering agencies and independent social workers.
Data Protection Contact: cheyenne@caseflo.co.uk
2. What this policy covers
This policy covers personal data processed through:
- The CaseFlo web platform (caseflo.co.uk)
- Our AI document generation features
- Communications with our team
- Our marketing website
It does not cover third-party websites we may link to.
3. The two roles CaseFlo plays
CaseFlo operates in two distinct capacities under data protection law:
As a Data Controller — when we collect and use personal data for our own purposes, such as managing your account, processing payments, and communicating with you about our services.
As a Data Processor — when your organisation (the Data Controller) uses our platform to process personal data about foster carers, children, and families. In this capacity, we act only on your written instructions. Our Data Processing Agreement (DPA) governs this relationship and is available on request.
4. What personal data we collect
4.1 Account and contact data
Name, email address, job title, organisation name, phone number (optional), and account credentials.
4.2 Usage and platform data
Login timestamps, features used, documents created or edited, section completion status, and platform activity logs.
4.3 Client data (processed on your behalf)
When you use CaseFlo to prepare fostering assessments and case documents, you may input personal data about foster carer applicants, household members, children, and referees. CaseFlo processes this data solely on your instructions as Data Processor.
4.4 Technical data
IP address, browser type, device type, operating system, and cookies. See our Cookie Policy for details.
4.5 Audio recordings (when used)
Where you choose to use our optional meeting recording features, CaseFlo captures audio from your browser microphone (and, where you select it, the audio of a meeting tab you've shared). Audio is transmitted to our transcription provider (AssemblyAI) for speech-to-text conversion. We process audio in two ways:
- Batch: the full recording is uploaded after you stop, then transcribed.
- Live streaming: audio chunks are transmitted directly from your browser to AssemblyAI over an encrypted WebSocket, allowing real-time transcription. In this flow, audio does not transit CaseFlo's servers.
Audio is processed for transcription only and is not retained by AssemblyAI beyond the immediate processing window. CaseFlo retains the resulting transcript and any documents generated from it according to your organisation's instructions as Data Controller. Before recording, the social worker confirms in-product that they have informed meeting attendees the meeting is being recorded.
5. Why we process your data and our lawful basis
| Purpose | Lawful Basis |
|---|---|
| Providing and managing your CaseFlo account | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of a contract (Art. 6(1)(b)) |
| Sending service-related communications (e.g. security alerts, updates) | Legitimate interests (Art. 6(1)(f)) |
| Improving the platform through aggregated usage analytics | Legitimate interests (Art. 6(1)(f)) |
| Sending marketing communications about CaseFlo features and news | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Complying with legal obligations (e.g. financial records) | Legal obligation (Art. 6(1)(c)) |
| Processing fostering case data on behalf of your organisation | Contract with the Data Controller (Art. 6(1)(b)) + Art. 28 DPA |
6. How long we keep your data
| Data type | Retention period |
|---|---|
| Account data | Duration of subscription + 12 months after termination |
| Fostering assessment documents | As instructed by your organisation (Data Controller) |
| Payment records | 7 years (legal requirement) |
| Usage logs | 12 months rolling |
| Marketing preferences | Until you withdraw consent or request deletion |
| Correspondence with CaseFlo | 3 years |
7. Who we share your data with
We do not sell your data. We share it only with the following sub-processors who assist us in delivering the platform:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Workspace | Internal communication and document collaboration | USA (SCCs in place) |
| Vercel | Web hosting and deployment infrastructure | USA (SCCs in place) |
| Supabase | Database hosting and authentication | USA (SCCs in place) |
| Anthropic | AI language model for document generation | USA (SCCs in place) |
| AssemblyAI | Audio transcription (batch upload, live streaming, and short-form voice notes) | USA (SCCs in place) |
| Sentry | Error monitoring and platform reliability | USA (SCCs in place) |
| CloudConvert | Document export and file conversion | Germany (EU adequacy) |
8. International transfers
Some of our sub-processors operate outside the UK. Where data is transferred to countries that do not have an adequacy decision from the UK Information Commissioner's Office (ICO), we rely on Standard Contractual Clauses (SCCs) or other appropriate safeguards approved under UK GDPR.
9. How we protect your data
We use the following technical and organisational measures to protect personal data:
- Encryption in transit (TLS/HTTPS) and at rest
- Role-based access controls limiting data access to authorised personnel
- Regular security reviews and penetration testing
- Multi-factor authentication for platform access
- Contractual data protection obligations with all sub-processors
10. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Right of access — You may request a copy of the personal data we hold about you.
- Right to rectification — You may ask us to correct inaccurate or incomplete data.
- Right to erasure — You may ask us to delete your data in certain circumstances.
- Right to restriction — You may ask us to restrict processing of your data while a dispute is resolved.
- Right to data portability — You may request your data in a structured, machine-readable format.
- Right to object — You may object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
To exercise any right, email cheyenne@caseflo.co.uk. We will respond within one month.
11. Marketing communications
We will only send you marketing communications if you have opted in. You may unsubscribe at any time by clicking the unsubscribe link in any marketing email or emailing cheyenne@caseflo.co.uk.
12. Cookies
We use cookies to operate and improve the platform. For full details, see our Cookie Policy.
13. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email or an in-platform notice. Continued use of CaseFlo after the effective date of any change constitutes acceptance.
14. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF