Privacy Policy
Your privacy matters to us. Learn how we protect and manage your personal data.
Last updated: 27 February 2026
Our Commitment to You
BlueLight Workforce is committed to protecting your personal data in accordance with UK GDPR and the Data Protection Act 2018. We only collect data necessary to provide our services and never sell your information to third parties.
1. Introduction
BlueLight Workforce ("we", "our", "us") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform.
We operate as a workforce management platform connecting healthcare clinicians, private ambulance providers, training instructors, and training providers within the UK healthcare sector.
This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.
2. Information We Collect
Personal Information:
- Full name, email address, and contact telephone number
- Professional qualifications and certifications (HCPC registration, FREC levels, etc.)
- Employment history and clinical experience
- DBS certificate details and verification status
- Driving license information
- Right to work documentation
- Professional indemnity insurance details
Account Information:
- Login credentials (passwords are securely hashed)
- Account preferences and settings
- Communication preferences
Compliance Documents:
- Uploaded certificates and credentials
- Document expiry dates
- Verification status and history
Usage Data:
- IP addresses and device information
- Browser type and version
- Pages visited and features used
- Session duration and timestamps
Professional Data:
- Availability schedules
- Shift applications and bookings
- Course enrollments and completions
- Performance reviews and feedback
3. How We Use Your Information
We use your personal data for the following purposes:
Platform Operations:
- Creating and managing your account
- Matching clinicians with suitable shifts and opportunities
- Processing shift applications and course bookings
- Facilitating communication between users
Compliance & Verification:
- Verifying professional qualifications and credentials
- Tracking document expiry dates and sending renewal reminders
- Maintaining compliance audit trails
- Conducting DBS and right to work checks
Communication:
- Sending account notifications and updates
- Alerting you to relevant opportunities
- Providing customer support
- Sending essential service announcements
Platform Improvement:
- Analysing usage patterns to improve our services
- Developing new features and functionality
- Ensuring platform security and preventing fraud
Legal Obligations:
- Complying with healthcare sector regulations
- Responding to lawful requests from authorities
- Maintaining required records for regulatory purposes
4. Legal Basis for Processing
We process your personal data under the following legal bases:
Contract Performance: Processing necessary to fulfil our contract with you, including account management, shift matching, and payment processing.
Legal Obligation: Processing required to comply with healthcare regulations, employment law, and tax requirements.
Legitimate Interests: Processing for our legitimate business interests, including platform security, fraud prevention, and service improvement, where these do not override your rights.
Consent: Where required, we obtain your explicit consent for specific processing activities, such as marketing communications. You may withdraw consent at any time.
5. Data Sharing
We may share your data with:
Healthcare Providers: When you apply for shifts, relevant information is shared with the provider to facilitate the booking.
Training Providers: Course enrollment details are shared with training providers to deliver their services.
Verification Services: We work with authorised third parties to verify DBS certificates, professional registrations, and right to work status.
Service Providers: We use trusted third-party services for:
- Cloud hosting and data storage (Vercel, Supabase)
- Payment processing (Stripe)
- Email communications
- Analytics and monitoring
Legal Requirements: We may disclose information when required by law, court order, or regulatory authority.
We never sell your personal data to third parties for marketing purposes.
6. International Transfers
Your data is primarily stored and processed within the UK and European Economic Area (EEA). Where we use service providers outside these regions, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses approved by the UK ICO
- Adequacy decisions by the UK government
- Binding Corporate Rules where applicable
We regularly review our data transfer mechanisms to ensure ongoing compliance with UK data protection law.
7. Data Retention
We retain your personal data for as long as necessary to:
- Provide our services to you
- Comply with legal obligations
- Resolve disputes and enforce agreements
Specific Retention Periods:
- Active account data: Duration of account plus 2 years
- Compliance documents: 7 years after document expiry
- Financial records: 7 years (legal requirement)
- Audit logs: 7 years
- Marketing preferences: Until withdrawn
You may request deletion of your account at any time. Some data may be retained in anonymised form for statistical purposes.
8. Your Rights
Under UK GDPR, you have the following rights:
Right of Access: Request a copy of your personal data we hold.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your data in certain circumstances ("right to be forgotten").
Right to Restriction: Request limited processing of your data.
Right to Data Portability: Receive your data in a structured, machine-readable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Rights Related to Automated Decision-Making: Request human review of automated decisions that significantly affect you.
To exercise these rights, contact us at privacy@bluelightworkforce.uk or submit a request through your account settings. We will respond within 30 days.
9. Security Measures
We implement robust security measures to protect your data:
Technical Measures:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure password hashing using bcrypt
- Regular security audits and penetration testing
- Multi-factor authentication options
- Automated security monitoring and alerting
Organisational Measures:
- Staff training on data protection
- Access controls and role-based permissions
- Incident response procedures
- Regular policy reviews
Document Security:
- Secure cloud storage for uploaded documents
- Access logging and audit trails
- Automatic expiry alerts for time-sensitive documents
In the event of a data breach, we will notify affected individuals and the ICO within 72 hours where required by law.
10. Contact & Complaints
Data Controller: BlueLight Workforce Ltd
Email: privacy@bluelightworkforce.uk
Data Protection Officer: For data protection queries, contact our DPO at dpo@bluelightworkforce.uk
Complaints: If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113
We encourage you to contact us first so we can address your concerns directly.
Policy Updates: This policy was last updated on 27 February 2026. We may update this policy periodically and will notify you of significant changes via email or platform notification.
Have Questions?
If you have any questions about this Privacy Policy or how we handle your data, please contact us.