Evalucom Consulting Ltd Privacy and Cookies Policy
1. Introduction
We are committed to safeguarding the privacy of our website visitors and CarePulse platform users. In this Privacy and Cookies Policy (“Policy”), “Evalucom” or “we” or “us” or “our” refers to Evalucom Consulting Ltd. For the purpose of the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018, where we act as a data controller, the data controller is Evalucom Consulting Ltd.
Our Policy explains:
What information we collect and why we collect it;
How we use that information;
The options you have over the way we use information; and
The cookies we use when you access our website and platform (see Cookies section below).
Please read this Policy carefully.
2. What information we collect
We collect and process the information set out in this section in the course of your use of:
(a) our website - https://www.evalucom.co.uk/ as a visitor; or
(b) our platform – CarePulse as a registered user (the “Services”):
(a) If you are a visitor on our website, we collect:
Enquiry data – name, email address and any other additional details provided by you when you make an enquiry either through our website form or via email. The lawful basis for this processing is our legitimate interests, namely the proper administration of our business and Services.
Recruitment data – your CV, cover letter and any other additional information provided by you when you apply for our job opportunities. Recruitment data is processed for the purposes of processing your application if you apply for a job with us. The legal basis for this processing is our legitimate interests, namely to grow our business.
(b) If you are a registered CarePulse user, and / or if we provide you and your organisation with our Services, we collect:
Contact information – your name, email address, telephone number, job title and organisation. We may also receive this information from other persons in your organisation who are authorised to provide these details on your behalf. Please note that your organisation’s privacy policy should set out the way your personal data is handled by your organisation. The lawful bases for this processing are: (i) performance of contract with your organisation in order to contact you, provide our Services and to register you as a user of CarePulse and/or CarePulse eProcurement; and/or (ii) our legitimate interests, namely the proper administration of our business and Services when you use CarePulse.
Usage data – information about your IP address, geographical location, as well as information about the timing, frequency and pattern of your Service use. The lawful basis for this processing is our legitimate interests, namely monitoring and improving our Services.
(c) For all users:
Where we rely on legitimate interests as our lawful basis for processing your data, we have carefully assessed these interests against your privacy rights, ensuring our processing is proportionate and necessary.
Our website and platform are not intended for children, and we do not knowingly collect data relating to children.
We do not collect any special categories of data about you (i.e. information about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
3. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
4. Providing your personal data to others
Health and social care providers (including care homes and domiciliary care providers) using CarePulse
We regularly share contact information of data subjects identified as the point of contact with NHS organisations and local authorities so that they can contact your organisation regarding the services you deliver.
All Service users
We may also disclose your personal data to third parties:
in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets; or
if we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets; or
if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or
to protect our rights, property, or safety or that of our affiliated entities and our users and any third party we interact with to provide the Services.
Other than as set out above and save insofar as is necessary in order for us to carry out our obligations arising from any contracts entered into between your organisation and us, we will not share your data with third parties unless we have procured your express consent to do so.
All third-party recipients of your data are required to respect the security of your personal data and to treat it in accordance with applicable laws.
5. Our sub-processors
In order to provide our Services, we have engaged sub-processors. Additional details in relation to our obligations as a data processor are set out in the data processing agreement between us and your organisation.
Our sub-processors are:
Name | Purpose | Contact details |
Amazon Web Services | To store data when you use our CarePulse platform | |
PostHog Cloud | Product analytics and session recording for the CarePulse platform, Cost Model and eProcurement modules. Processes user email, role, organisational affiliations, and behavioural data including clicks, navigation, and session recordings (with form inputs masked). Data hosted on PostHog European Cloud servers. | |
SendGrid | Email delivery | |
Heroku | Hosting | |
Vercel | Hosting | |
OpenAI, L.L.C. | AI processing and analytics to support CarePulse product features and related consulting services. Data is not used to train OpenAI’s models. | |
Anthropic | AI processing and analytics to support CarePulse product features and related consulting services. Data is not used to train Anthropic’s models. | |
Microsoft Corporation | Cloud infrastructure and productivity services (Azure, Microsoft 365) used to store CarePulse data. | |
Dropbox Sign | eSignature implementation | |
ClickUp (Mango Technologies, Inc.) | Project and task-management platform used by Evalucom teams to coordinate service delivery. | |
Supabase | Data storage | |
Functional Software, Inc. (Also known as Sentry) | Error monitoring | |
Convex Systems, Inc. (“Convex”) | Cloud backend platform used to operate and support the CarePulse service (including application backend processing and data storage/management) | |
WorkOS | Authentication management for CarePulse eProcurement | |
6. How we protect your information
We believe that it is important for the personal information you provide to be used responsibly. As such, we have internal policies in place to protect your personal information from accidental loss, use or access in an unauthorised way, misuse, alteration or unintentional destruction. Employees within our organisation who have access to your information have been trained to maintain the confidentiality of such information and access to your personal data is limited to those who have a genuine business need to know it. We adopt industry-recognised security standards and measures (including Cyber Essentials accreditation) to protect your data.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the website or platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
7. Keeping your personal data up to date
If your personal details change you may update them by accessing the relevant page on CarePulse or by contacting us using the details below. We will endeavour to update your personal data within 14 working days of any new or updated personal data being provided to us, in order to ensure that the personal data we hold about you is as accurate and up to date as possible.
8. Where we store your personal data
Your information is securely stored in the cloud, hosted by Microsoft 365 and Amazon Web Services. The servers are located in the UK and the Republic of Ireland.
We aim to store and process personal data within the UK and/or the European Economic Area (EEA) where possible. However, some of our service providers (including Convex and WorkOS) may process and/or store personal data in other countries, including the United States, in order to provide the Services and related support.
Where we transfer personal data outside the UK and/or the EEA to a country that is not subject to an adequacy decision, we ensure that appropriate safeguards are in place. These safeguards may include the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, and/or other lawful transfer mechanisms recognised under applicable data protection laws, together with appropriate risk assessments and due diligence.
If you would like further information about where your personal data is stored or the safeguards used for international transfers, please contact us using the details below.
9. Your rights
In this section we have summarised the rights that you have under the UK GDPR in relation to the personal data that we collect from you.
You may exercise any of your rights in relation to your personal data by contacting us using the contact details at the bottom of this page.
In summary, your principal rights include:
access to your personal data and to certain other supplementary information that this Policy is already designed to address;
require us to correct any mistakes in your information which we hold;
require the erasure of personal data concerning you in certain situations;
receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
object at any time to processing of personal data concerning you for direct marketing;
object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
object in certain other situations to our continued processing of your personal data;
otherwise restrict our processing of your personal data in certain circumstances;
claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation. If you would like to exercise any of those rights, please:
email us at info@evalucom.co.uk;
let us have enough information to identify you (e.g. registration details);
let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility bill or bank statement); and
let us know the information to which your request relates.
You will not have to pay a fee to access your personal data or to exercise any of your other rights. We may charge a reasonable fee, or refuse to comply, if your request is clearly unfounded, repetitive or excessive. Our response will be based on a search of our records that is reasonable and proportionate to the request. We will respond to a valid request within one calendar month, starting from the date we receive enough information to identify you and to action your request. If we ask you for further information or proof of identity, the response period will not start until you have provided this. If your request is particularly complex, or if you have made several requests, we may extend the response period by up to a further two months and will tell you in writing.
10. Data retention
Your personal data is stored only as long as is necessary for us to carry out the above purposes.
The length of time we keep your personal data depends on what it is and whether we have an ongoing need to keep it. When there is no longer a need to keep the data, we will delete or anonymise the data in accordance with our data retention policies and practice.
If your data is stored in relation to a contract between you and a public authority (including NHS Integrated Care Boards), we will hold a record of that information for 6 years following expiry of the contract.
CarePulse user accounts
Your data will be retained while you have an active CarePulse account. You can close your CarePulse user account at any time through your account page or by contacting us at CarePulse@CarePulse.co.uk. We will retain your personal data for 30 days following closure of your account.
Where you have created an account on CarePulse but it is not being used, we will close your account automatically after 3 years of inactivity.
CarePulse eProcurement user details
If your data is collected in relation to the CarePulse eProcurement system, then if the outcome of your application is successful and you subsequently enter into a contract, we will hold a record of your information for 6 years following expiry of the contract.
If your application is not successful, or you are successful but do not enter into a contract, or you do not submit your application, we will hold a record of your professional contact information for up to 3 years following the application deadline.
Enquiry data
If you contact us to enquire about our Services, we will hold your information for a period of 1 year from the date of the enquiry unless you register for our Services, in which case we will hold your data in accordance with the retention periods set out above.
Recruitment data
If you apply for a job opportunity with us, we will hold your information for a period of 1 year from the date of your application unless you are employed by us, in which case we will continue to hold your information as part of your employment record.
11. Cookies
We use only cookies that are strictly necessary for the operation of our website and the CarePulse platform (including the Cost Model and eProcurement modules). These cookies are exempt from the consent requirement under the Privacy and Electronic Communications Regulations because they are essential for the services to function. We do not set any cookies for advertising, marketing, third-party profiling, or cross-site tracking on your device.
The strictly necessary cookies we use are listed in the table below.
You may block these cookies by adjusting your browser settings. If you do, parts of our website, CarePulse, the Cost Model or the eProcurement module may not function correctly, including the ability to log in and stay logged in.
Cookie type | Cookie details | Website and/or CarePulse |
Necessary | csrftoken: A randomly generated passphrase that acts as security protection to prevent other sites from making requests on your behalf. Expiry period: 1 year | Main CarePulse |
Necessary | sessionid: A Django-generated identifier that links your browser to your server-side session. It keeps you signed in and maintains session state as you move between pages. Expiry period: 1 month | Main CarePulse |
Necessary | __Host-__convexAuthJWT: Authentication token that keeps you logged in. Expiry period: session | Cost Model |
Necessary | __Host-__convexAuthRefreshToken: Refresh token used to maintain your authenticated session. Expiry period: session | Cost Model |
Necessary | wos-session: Authentication session cookie that keeps you logged in. Expiry period: session | eProcurement |
12. Product analytics and session recording
We use PostHog to understand how our platform is used and to investigate and resolve issues. PostHog acts as our data processor and stores the data on its European Cloud servers. PostHog does not set any cookies or other persistent identifiers on your device; the analytics tool runs in your browser memory only and is cleared when you close your browser tab.
For each visit, PostHog captures aggregate usage data (which pages are visited and in what order), individual click and navigation events, errors generated by the platform, and session recordings of how you interact with the platform. Form input contents (anything you type into a text field, dropdown or similar) are masked before the recording leaves your browser. Session recordings are retained for 90 days and then deleted automatically.
Together with these events, we send PostHog the following identifiers so that we can associate analytics data with your user account: your email address, your role on the platform and the organisations you are associated with.
The lawful basis for this processing is our legitimate interests in monitoring and improving the platform, investigating and resolving issues experienced by users, and maintaining a stable and secure service. We have carried out a legitimate interests assessment to balance this against your privacy rights and consider the processing to be proportionate, given the masking of form inputs, the limited retention period, the absence of any third-party use of the data, and the professional context in which the platform is used.
You can object to this processing at any time by contacting us using the details below. If you object, we will exclude your account from session recording and behavioural event capture.
13. Use of Artificial Intelligence (AI) in Our Services
As part of our ongoing commitment to efficiency and innovation, we may use AI systems to support the delivery of our services. These systems may assist with tasks such as data analysis, communication drafting, or customer support.
All AI tools we use are subject to robust oversight and are deployed in accordance with applicable data protection laws, including the UK GDPR and the Data Protection Act 2018. We ensure that any personal data processed by AI is handled lawfully, fairly, and transparently, with appropriate safeguards in place.
Where AI is used in a way that materially influences decisions or communications affecting you, we retain human oversight and are happy to explain how the technology supports our work.
We do not currently use AI to make solely automated decisions that produce legal effects or similarly significant effects on you. Where AI assists with tasks such as drafting, classification or analysis, a member of our team reviews the output before it is acted on. If we introduce features that involve solely automated decision-making with legal or similarly significant effects, we will tell you in advance, explain in plain language how the system works and what data it uses, and give you the right to request human review and to contest the decision.
14. Changes to this Policy
This Policy may be changed from time to time. We will post any changes and you will be notified of such change to this Policy on our website. Your continued use of our Services shall be deemed as your acceptance of the varied Policy.
15. Contact us
If you have questions or comments about our administration of your personal information, please contact us at info@evalucom.co.uk. You may also use this address to communicate any concerns you may have regarding our compliance with this Policy.
Evalucom Consulting Ltd. VAT Registration No.: 899541850 Company number: 6195102 Registered Address: 20-22, Wenlock Road, London, England, N1 7GU
16. How to complain to us
If you are unhappy with how we have handled your personal data, you can complain to us. To complain to us, please email us at info@evalucom.co.uk with the subject line "Data protection complaint".
We will acknowledge your complaint within 30 days of receiving it and respond without undue delay. We aim to resolve most complaints within one month of receipt. If your complaint is particularly complex, or if we need more information from you, we will let you know and explain how long we expect to take.
Our complaints process is operated in line with our duties under section 103 of the Data (Use and Access) Act 2025. If you remain dissatisfied with our response, or if we have not responded to your complaint within a reasonable time, you can complain to the Information Commissioner’s Office, whose details are set out below.
Address: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Helpline number: 0303 123 1113 ICO website: https://www.ico.org.uk
This Policy was last updated on: 15 June 2026.