Privacy policy

Effective date: 9 May 2026 · Last updated: 9 May 2026

1. About this policy

This privacy policy explains how the Taylormade Care platform ("the Platform", "we", "us") collects, uses, and protects personal data. It applies to childminders, nursery staff, and parents who use the Platform at app.taylormade-care.co.uk.

2. Who we are

The Platform is operated by Robert Taylor, a sole trader, who is the data controller under the UK General Data Protection Regulation (UK GDPR) for personal data processed about Platform account holders.

For data-protection enquiries, contact us at privacy@taylormade-care.co.uk.

ICO (Information Commissioner's Office) registration is currently pending and will be linked here once issued.

3. The Platform's role

The Platform provides multi-tenant childcare-management software. Each childminder or nursery using the Platform is the data controller for the children, parents, and staff they manage in the Platform; we act as their data processor for that information. We are the data controller only for the childminder's own account information (name, login email, business contact details, configuration settings).

4. Information we collect

From childminder account holders

• Name, email address, and a hashed password (we never store passwords in plain text)
• Business name, address, phone, registration / Ofsted URN if provided
• Bank details if entered for invoicing
• Any other settings and content the childminder enters into their account

From parents of children in care

Where a parent uses a magic-link to view their child's record, we record the timestamp of any acknowledgement they make (e.g. "Sign as read" on accident or medical notes) and the IP address from which they signed for audit purposes.

About children in care (entered by the childminder)

• Name, date of birth, photo, allergies, medical notes, parent contact details
• Day-to-day records: diary entries, observations, attendance, accidents, medical notes, milestones

This information is entered by the childminder for the purpose of running their childcare service and is held by the Platform on the childminder's behalf.

From third-party sign-in (Google/Microsoft)

If a childminder chooses to connect a Gmail or Outlook account so that parent emails are sent from their real address, we receive from Google or Microsoft only:

• The email address of the connected account
• An OAuth refresh token and short-lived access token (used solely to send emails on the childminder's behalf)

We do not read incoming mail, the connected mailbox's contents, contacts, calendar, or any other data. The OAuth scopes we request are listed in section 9.

5. How we use information

• To provide the Platform's features (record-keeping, parent communication, invoicing, etc.)
• To send transactional emails (e.g. accident-record notifications) on a childminder's behalf via their connected Gmail or Outlook account, or via SMTP fallback
• To secure accounts and detect misuse
• To respond to support enquiries

We do not sell personal data, share it for advertising, or use it to train machine-learning models.

6. Lawful bases (UK GDPR Article 6)

• Contract — to provide the Platform to childminders who have signed up
• Legitimate interest — to keep the Platform secure and to improve it
• Consent — for Gmail/Outlook integration (you can disconnect at any time in Settings)
• Legal obligation — where required by law (e.g. to retain financial records)

7. Sub-processors and third parties

We use a small number of trusted sub-processors to operate the Platform:

• Hetzner Online GmbH (Germany) — server hosting and automated backups
• Google LLC — only when a childminder connects their Gmail account; used to send mail on their behalf
• Microsoft Corporation — only when a childminder connects their Outlook account; used to send mail on their behalf
• Porkbun LLC — domain registration and DNS

We do not use third-party advertising or analytics services on the Platform.

8. Data retention

• Childminder account data is retained while the account is active and for up to 30 days after account closure, after which it is deleted from active systems and from backups within a further 90 days.
• Children's records are retained while the childminder's account is active. Childminders are responsible for retention obligations under their Ofsted/regulatory duties.
• OAuth refresh tokens are deleted immediately when the childminder clicks "Disconnect" or revokes access from their Google / Microsoft account.
• Server access logs are retained for up to 30 days.

9. Use of Google and Microsoft user data (for OAuth)

When a childminder connects Gmail, we request the OAuth scopes https://www.googleapis.com/auth/gmail.send, openid, email, and profile. These let us send mail strictly on the connected user's behalf and identify which account is connected. We do not read inbox content.

When a childminder connects Outlook, we request the Microsoft Graph delegated permissions Mail.Send, offline_access, openid, email, profile, and User.Read. These let us send mail strictly on the connected user's behalf and identify which account is connected. We do not read inbox content.

The Platform's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not transfer this data to third parties, do not use it for advertising, and humans do not read this data except (a) with the user's explicit consent, (b) for security investigations, or (c) to comply with applicable law.

10. Sharing and disclosure

We do not share personal data with any party other than the sub-processors listed in section 7, except where required by law (court order, regulator, etc.). We will notify affected users of any such disclosure where we are legally permitted to do so.

11. Your rights

Under UK GDPR you have the right to:

• access a copy of your personal data;
• have inaccurate data corrected;
• have your data erased ("right to be forgotten") subject to legal exceptions;
• restrict or object to processing;
• data portability;
• withdraw consent at any time (e.g. by disconnecting Gmail/Outlook in Settings).

To exercise any of these rights, email privacy@taylormade-care.co.uk. We will respond within one calendar month.

12. Children's data

The Platform records personal data about minors in the care of the connected childminder, including names, dates of birth, photos, allergies, and medical information. This data is entered by the childminder, who is the data controller and is responsible for obtaining the relevant consent from parents/carers under UK GDPR (Articles 7 and 8). The Platform processes this data only to provide the Platform's features.

13. Cookies

The Platform uses a single technical cookie (ld_session) that holds a signed identifier so you stay logged in. We do not use cookies for tracking, analytics, or advertising.

14. Security

Passwords are hashed with bcrypt. All traffic is served over HTTPS with auto-renewing certificates. Backups are encrypted at rest. Access to the underlying server is restricted to the operator using SSH key-based authentication.

15. International transfers

Personal data is stored on servers in the European Union (Germany). Where data is transferred to Google or Microsoft (e.g. when a childminder uses their Gmail/Outlook account), Google and Microsoft are subject to UK adequacy decisions and Standard Contractual Clauses where applicable.

16. Changes to this policy

If we make material changes to this policy, we will notify Platform account holders by email. The latest version is always available at app.taylormade-care.co.uk/privacy.

17. Complaints

If you have a complaint we have not been able to resolve, you have the right to lodge it with the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

18. Contact

Robert Taylor (sole trader) · privacy@taylormade-care.co.uk