This Privacy Policy explains how CareTrack Oy (“CareTrack”, “we”, “us”) collects and uses personal data when you visit our website, create an account, or use the CareTrack platform. We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), the Finnish Data Protection Act (Tietosuojalaki 1050/2018), and other applicable European and Finnish legislation.
1. Data controller and contact
For personal data relating to our website, customer accounts, billing, and platform administration, the data controller is:
CareTrack Oy
Your address, Helsinki, Finland
Business ID (Y-tunnus): 1234567-8
For questions about this policy or to exercise your data protection rights, contact our Data Protection Officer (DPO) or privacy team:
privacy@caretrack.com
2. Controller and processor roles
CareTrack is typically used by social service organizations (“Customers”) to manage casework involving families and staff. In most cases:
- Your organization (Customer) is the data controller for personal data about families, case records, messages, documents, and staff that it enters or manages in CareTrack.
- CareTrack acts as a data processor on the Customer’s instructions when hosting and processing that casework data on their behalf, under a data processing agreement (DPA).
- CareTrack is the data controller for account registration data, authentication logs, marketing contact form submissions, and other data we collect directly from users for operating the service.
Finnish public-sector customers
Where a Finnish municipality or other public authority uses CareTrack, additional rules may apply under Finnish public administration information management legislation. The Customer remains responsible for the lawful basis and its documentation; we support compliance through contractual safeguards, security measures, and data subject request tooling.
3. Personal data we process
Depending on how you use CareTrack, we may process the following categories of personal data:
- Identity and contact data — name, email address, phone number, job title, organization name, postal address.
- Account and authentication data — username, password hash, OAuth identifiers (Google/Microsoft), login timestamps, IP address, session data.
- Professional and casework data — family member names, relationships, case notes, weekly plans, activity logs, visit records, documents, messages, and attachments uploaded by authorized staff or family portal users.
- Special category data — where permitted by law, social care and health-related information contained in case files (GDPR Article 9). Such data is processed only on documented instructions from the Customer as controller, or where another lawful basis applies.
- Technical and usage data — device type, browser, audit logs, error reports, and security event records.
- Communication data — content of support requests, contact form messages, and email correspondence with us.
4. Purposes and lawful bases
We process personal data only where we have a valid legal basis under GDPR Article 6 (and Article 9 where special categories apply). Typical purposes include:
- Providing the service (Art. 6(1)(b) contract) — creating accounts, delivering staff and family portals, messaging, case management, documents, and AI-assisted features configured by the Customer.
- Legitimate interests (Art. 6(1)(f)) — securing the platform, preventing abuse, improving reliability, and communicating essential service updates, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — retaining records where required by accounting, tax, or applicable Finnish or EU law.
- Consent (Art. 6(1)(a)) — where explicitly requested, e.g. optional marketing communications or non-essential cookies. You may withdraw consent at any time.
- Special category data in social care (Art. 9(2)(h) or national law) — processing necessary for social care, occupational health, or the provision of health or social care, subject to professional secrecy and appropriate safeguards as implemented by the Customer.
5. Finnish data protection law
In Finland, GDPR is supplemented by the Data Protection Act (1050/2018). Relevant aspects include:
- National provisions on the age of consent for information society services (generally 13 years in Finland).
- Rules on processing personal identity codes (henkilötunnus) — we do not require a Finnish personal identity code unless your organization chooses to store it as part of casework, in which case the Customer must ensure a lawful basis.
- The right to lodge a complaint with the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) if you believe your data has been processed unlawfully.
- Potential restrictions on data subject rights where Finnish law permits, e.g. for important public interest or legal claims — applied only where strictly necessary and documented.
Supervisory authority
Office of the Data Protection Ombudsman
Lintulahdenkuja 4, 00530 Helsinki, Finland
Website: https://tietosuoja.fi/en/
6. Recipients and subprocessors
We do not sell personal data. We share data only as necessary to operate CareTrack:
- Within your organization — according to roles and permissions set by your administrator.
- Infrastructure and hosting providers — EU/EEA-based or equivalent hosting where possible; subprocessors bound by GDPR-compliant agreements.
- Authentication providers — Google or Microsoft when you choose single sign-on (subject to their privacy policies).
- AI service providers — only when Professional AI features are enabled, under strict contractual controls and human review workflows; prompts may contain casework context only as configured by the Customer.
- Professional advisers — lawyers, auditors, or insurers under confidentiality obligations.
- Authorities — when required by binding law or court order.
7. International transfers
We aim to store and process personal data within the European Economic Area (EEA). If data is transferred outside the EEA (for example to a cloud subprocessor in the United States), we ensure appropriate safeguards under GDPR Chapter V, such as the European Commission’s Standard Contractual Clauses (SCCs) and supplementary technical and organizational measures.
8. Retention
We retain personal data only as long as necessary for the purposes described above:
- Account data — for the duration of the subscription and a reasonable period afterward for backups, billing, and dispute resolution.
- Casework data — according to the Customer’s retention policies and applicable Finnish archival or social care record-keeping requirements; the Customer may export or request deletion subject to legal minimum retention.
- Contact and marketing inquiries — typically up to 24 months unless a longer period is required.
- Security and audit logs — typically 12–24 months unless needed for incident investigation.
9. Your rights under GDPR
If we act as controller for your data, you have the following rights under GDPR Articles 15–22 (subject to limitations in Finnish law where applicable):
- Right of access — obtain confirmation and a copy of your personal data.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure (“right to be forgotten”) — in certain circumstances, e.g. data no longer necessary or consent withdrawn.
- Right to restriction — limit processing in defined situations.
- Right to data portability — receive data you provided in a structured, machine-readable format where processing is based on contract or consent.
- Right to object — to processing based on legitimate interests or direct marketing.
- Rights related to automated decision-making — CareTrack does not make solely automated decisions with legal or similarly significant effects without human oversight; AI outputs require staff review before affecting families.
Casework held by your agency
If your personal data is processed in a family file or case managed by a social service organization, please contact that organization first as data controller. They may use CareTrack tools (including family data deletion requests) to handle your request. You may also contact us at privacy@caretrack.com and we will assist the controller where appropriate.
Response times
We respond to valid requests without undue delay and within one month as required by GDPR Article 12, which may be extended by two further months for complex requests. We may request proof of identity where necessary to protect data subjects.
10. Security measures
We implement appropriate technical and organizational measures under GDPR Article 32, including encryption in transit (TLS), access controls, role-based permissions, audit logging, secure development practices, and staff confidentiality training. See our Security page for an overview.
11. Cookies and similar technologies
We use essential cookies for authentication, session management, security, and locale preferences. Non-essential analytics or marketing cookies, if introduced, will be offered only with your consent in line with the ePrivacy Directive and Finnish national implementation. See our Cookie Policy for details. You can control cookies through your browser settings.
12. Children and vulnerable data subjects
CareTrack may process information about children and vulnerable adults as part of social care casework on instructions from the Customer. Such processing demands heightened care, a lawful basis under Article 9, and professional secrecy. Family portal access for minors is managed by the Customer. We do not knowingly offer direct self-registration to children under 13 for staff accounts.
13. Personal data breaches
We maintain procedures to detect, report, and investigate personal data breaches. Where we act as processor, we notify the Customer without undue delay. Where we act as controller, we notify the Finnish Data Protection Ombudsman within 72 hours when required under GDPR Article 33, and affected individuals when required under Article 34.
14. Changes to this policy
We may update this Privacy Policy to reflect legal, technical, or business changes. We will post the revised version on this page and update the “Last updated” date. Material changes affecting processing as controller will be communicated to account holders where appropriate.