Financial Records (invoices, bank statements, tax receipts)
Retention: 6 years after financial year end
Why: Required for HMRC tax audits and Companies Act 2006
Second Spring Companions Limited
Version 1.1 | Last reviewed: 26 April 2026
Non-CQC Regulated Social Companionship and Home Support Service
Social companionship only — not clinical or regulated care
Second Spring Companions provides non-regulated social companionship and home support. We do not provide nursing, medical, or clinical services, regulated personal care, or CQC-regulated activities. Information we hold supports safe matching, attendance, and welfare — not medical diagnosis or treatment.
This privacy notice tells you what to expect us to do with your personal information.
Email: info@secondspringcompanions.co.uk
We collect or use the following personal information to provide our companionship and home support services:
Note on photographs: Photographs are collected only with your explicit written consent and will not be shared with third parties without your further consent. You may withdraw this consent at any time by contacting us.
We also collect the following special category information to provide our services. This information is subject to additional protection due to its sensitive nature:
Article 9 condition (UK GDPR): We process special category data on the basis of substantial public interest for social care purposes (Schedule 1, Part 2, paragraph 18 of the Data Protection Act 2018), and where necessary to protect your vital interests.
We collect or use the following information for safeguarding or public protection reasons:
Special category data collected for this purpose: racial or ethnic origin; health information.
Article 9 condition (UK GDPR): Substantial public interest — safeguarding of children and individuals at risk (Schedule 1, Part 2, paragraph 18, DPA 2018), and vital interests where there is an urgent risk to life.
We collect or use the following personal information for crime prevention and detection purposes:
Special category data collected for this purpose: racial or ethnic origin; religious or philosophical beliefs; health information.
Article 9 condition (UK GDPR): Substantial public interest — prevention or detection of unlawful acts (Schedule 1, Part 2, paragraph 10, DPA 2018).
We collect or use the following personal information to comply with our legal obligations:
Special category data collected for this purpose: health information.
Article 9 condition (UK GDPR): Legal obligation / substantial public interest (Schedule 1, Part 2, paragraph 6, DPA 2018).
We collect or use the following personal information for recruitment of companions and staff:
Special category data collected for this purpose: racial or ethnic origin; religious or philosophical beliefs; health information.
Article 9 condition (UK GDPR): Explicit consent of the data subject, or substantial public interest for equality of opportunity monitoring (Schedule 1, Part 2, paragraph 8, DPA 2018).
We collect or use the following personal information to handle queries, complaints and legal claims:
Special category data collected for this purpose: racial or ethnic origin; health information.
Article 9 condition (UK GDPR): Legal claims / substantial public interest (Schedule 1, Part 2, paragraph 18, DPA 2018).
Under UK data protection law, we must have a lawful basis for collecting and using your personal information. You can find out more about lawful bases on the ICO's website at ico.org.uk.
Which lawful basis we rely on may affect your data protection rights, which are set out briefly below:
If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the details at the top of this notice.
Our legitimate interests are:
Ensuring the safety and wellbeing of elderly clients during visits; maintaining accurate attendance and geolocation logs to verify that companions have arrived and departed safely; retaining health and care need information to match clients with suitable companions and to respond appropriately in an emergency; and processing next of kin details to enable prompt family communication where a client's welfare is at risk.
Our legitimate interests are:
Identifying and responding to signs of abuse, neglect, or exploitation of vulnerable elderly clients; sharing relevant welfare concerns with local authority safeguarding teams, social workers, or emergency services where a client's safety is at serious risk; and maintaining records of safeguarding actions taken to demonstrate our duty of care.
Our legitimate interests are:
Protecting our business and clients from financial fraud, including verifying payment transactions and detecting unusual billing activity; safeguarding our staff and clients from potential abuse or exploitation; and maintaining records of incidents or concerns to support any future police or regulatory investigation.
Our legitimate interests are:
Maintaining accurate financial and operational records to meet HMRC obligations and Companies Act requirements; retaining contractual records to defend or pursue legal claims within the Limitation Act timeframe; and demonstrating compliance with data protection law through documented policies and procedures.
Our legitimate interests are:
Assessing the suitability of candidates to work with vulnerable elderly adults; verifying employment history and qualifications relevant to companionship and home support roles; and retaining records of recruitment decisions to respond to any employment or discrimination claims within the statutory limitation period.
Our legitimate interests are:
Investigating and resolving complaints about the quality or conduct of our services; maintaining correspondence records to provide continuity of care and accurate service history; and retaining evidence of decisions made in relation to client or family concerns to protect our business in the event of a legal claim.
We retain personal information only for as long as is necessary for the purposes set out in this notice, or as required by law. Our retention schedule is as follows:
| Category of data | Retention period | Why |
|---|---|---|
| Financial Records (invoices, bank statements, tax receipts) | 6 years after financial year end | Required for HMRC tax audits and Companies Act 2006 |
| Client Care Records (care plans, matching profiles, daily visit notes) | 6 years after service ends | Matches the Limitation Act 1980 for contract or negligence claims |
| Safeguarding Records (incident reports, welfare concerns) | 6 years from last contact | Recommended for adult social care to ensure evidence is available for inquiries |
| Recruitment Records (CVs and interview notes for unsuccessful candidates) | 6 months after decision | Allows time for potential discrimination claims |
| Employee Records (contracts, DBS check numbers, training logs) | 6 years after leaving employment | Necessary for references, pension queries, and PAYE compliance |
| Communication Logs (emails/messages with families and clients) | 3 years after query resolved | Kept for service quality and history of care provided |
Financial Records (invoices, bank statements, tax receipts)
Retention: 6 years after financial year end
Why: Required for HMRC tax audits and Companies Act 2006
Client Care Records (care plans, matching profiles, daily visit notes)
Retention: 6 years after service ends
Why: Matches the Limitation Act 1980 for contract or negligence claims
Safeguarding Records (incident reports, welfare concerns)
Retention: 6 years from last contact
Why: Recommended for adult social care to ensure evidence is available for inquiries
Recruitment Records (CVs and interview notes for unsuccessful candidates)
Retention: 6 months after decision
Why: Allows time for potential discrimination claims
Employee Records (contracts, DBS check numbers, training logs)
Retention: 6 years after leaving employment
Why: Necessary for references, pension queries, and PAYE compliance
Communication Logs (emails/messages with families and clients)
Retention: 3 years after query resolved
Why: Kept for service quality and history of care provided
For more information on how long we store your personal information, or to request details about the criteria we use to determine retention periods, please contact us using the details above.
We use the following organisations to process personal data on our behalf:
| Organisation | Purpose |
|---|---|
| Tally | Catching and filtering website form submissions. |
| Notion | Secure cloud storage of records and professional email communication. |
| Tide Platform | Managing our business banking and generating invoices for services rendered. |
| WhatsApp (Meta) | Encrypted, real-time operational communication between our staff and client families. |
Tally
Catching and filtering website form submissions.
Notion
Secure cloud storage of records and professional email communication.
Tide Platform
Managing our business banking and generating invoices for services rendered.
WhatsApp (Meta)
Encrypted, real-time operational communication between our staff and client families.
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information:
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you without undue delay. Where required, we will also report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. We maintain an internal record of all data breaches, including those that do not require notification.
We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you. All decisions relating to your care and service provision are made by our staff.
Our website (secondspringcompanions.co.uk) may use cookies or similar technologies. Where this is the case, we provide a separate Cookie Policy explaining what cookies we use, why we use them, and how you can manage your preferences. If you have questions about our website cookies, please contact us using the details above.
Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place. The table below summarises these transfers:
| Organisation | Category | Country | How transfer complies with UK law |
|---|---|---|---|
| Tally | Website Form & Data Collection Processor | European Union | UK Addendum to EU Standard Contractual Clauses (SCCs) |
| WhatsApp (Meta) | Encrypted Operational Communication Platform | United States & other countries | UK International Data Transfer Addendum (IDTA) to EU SCCs |
| Notion | Cloud Storage and Records Platform | United States | Standard Contractual Clauses (SCCs) / UK IDTA |
Tally
WhatsApp (Meta)
Notion
For further information or to obtain a copy of the appropriate safeguard for any of the above transfers, please contact us using the contact details provided above.
If you have any concerns about our use of your personal data, please raise them with us first using the contact details at the top of this notice. We will respond promptly and take your concerns seriously.
If you remain unhappy after raising a complaint with us, you can also complain to the ICO:
Information Commissioner's Office