DOVEVA PRIVACY POLICY
Effective date: 9 February, 2026
This Privacy Policy explains how Doveva Ltd (“Doveva”, “we”, “us”, “our”) collects, uses, shares and protects personal data when you use our website, apps and services, and what controls you have over your personal information.
1) Who we are (Data Controller)
Doveva is the data controller for the personal data described in this Privacy Policy, unless we tell you otherwise.
Company name: Doveva Ltd
Email: Info@doveva.co.uk
Phone: 07502359849
ICO Registration reference: ZC089449
If you have questions about this policy or your data, contact us using the details above.
2) The laws we follow
We process personal data in line with the UK GDPR and the Data Protection Act 2018.
3) What this policy covers
This policy applies when you:
- visit our website;
- create an account;
- use the Platform to find, book, deliver, manage, or pay for care;
- message or communicate with other users through the Platform (including community features);
- contact our support team; or
- interact with our marketing, ads, or events.
It does not cover third-party websites/apps you reach via links from our Platform.
4) The types of personal data we collect
We collect different data depending on whether you are a care recipient, family, care provider/organisation, or care professional.
Data you give us directly
This may include:
- Identity & contact details: name, date of birth (where required), email, phone, address, profile photo.
- Account details: login credentials, preferences, settings, verification status.
- Care needs information (care seekers/recipients): schedule needs, care requirements, risk notes, routines, preferences, accessibility needs, location for visits.
- Professional profile data (care professionals): qualifications, training, experience, availability, references, DBS-related information, work history, right to work details (where required), profile bio and documents you upload.
- Organisation data (providers): business name, role/title, staff who administer the account, site addresses, booking requirements, invoicing contacts.
- Communications and content: messages, emails, support tickets, complaints, safeguarding reports, community posts, and reviews.
- Payments & billing: billing address, invoices, payout details (we do not store full card details – see Section 8).
Data we collect automatically
When you use the Platform, we may collect:
- Device and technical data: IP address, device identifiers, operating system, app version, browser type, crash logs.
- Usage data: pages viewed, features used, searches, booking actions, timestamps, referral URLs.
- Location data: approximate location from IP; precise location only if you enable it in your device/app settings.
Data we receive from others
We may receive data from:
- a family member, attorney, or organisation arranging care for someone else;
- referees, training providers, or verification services;
- payment and payout providers;
- fraud prevention and security services; and/or
- public sources where lawful and relevant.
5) Special category data and criminal offence data (important)
Special category data
This can include health-related information about a care recipient (and sometimes a care professional), for example mobility needs, medication support requirements, disabilities, or safeguarding notes.
We only process special category data where a valid legal basis applies, such as:
- it is necessary for care arrangements you request;
- it is needed for safeguarding and safety; and/or
- you (or an authorised person) have provided it, and it is necessary to deliver the service.
Criminal offence data
Where required for trust and safety, we may process criminal offence data relating to checks such as DBS-related information and/or verification outcomes. We handle this with strict access controls and only where lawful.
6) How we use your data (purposes)
We use personal data to:
Core Platform operations
- create and administer accounts;
- match individuals/families/providers with suitable care professionals;
- facilitate bookings, schedules, changes, cancellations and continuity;
- enable messaging, community participation, reviews, and service coordination;
- provide customer support.
Trust, safety, compliance and safeguarding
- verify identity and eligibility (including right to work where applicable);
- support background checks and validation processes using standard verification providers;
- detect, prevent and investigate fraud, abuse, policy breaches, and off-platform payment attempts;
- manage complaints, incidents, disputes, and safeguarding concerns;
- comply with legal obligations and respond to lawful requests.
Payments and business administration
- process payments and payouts via payment technology providers (for example Stripe);
- manage invoices, fees, refunds (where applicable), and chargebacks;
- keep accounting and tax records.
Improving the Platform
- maintain, troubleshoot, test and improve performance and features;
- analyse usage to make the Platform easier and safer to use.
Marketing (where permitted)
- send service updates and onboarding messages;
- send marketing communications where you’ve opted in or where we can rely on legitimate interests (and you can opt out at any time);
- measure the effectiveness of ads and campaigns (see cookies and analytics below).
7) Our lawful bases for processing
Under UK GDPR we must have a lawful basis. Depending on the context, we rely on:
- Contract: to provide the Platform and related services you request (e.g., account, matching, bookings, payments).
- Legal obligation: to meet legal, regulatory, tax, and safeguarding requirements.
- Legitimate interests: to run and improve our business responsibly (e.g., preventing fraud, securing systems, improving user experience). We balance this against your rights.
- Consent: for certain activities (e.g., some marketing, optional location permissions, certain cookies). You can withdraw consent at any time.
- Vital interests / public interest (where applicable): where necessary to protect someone’s life, or for safeguarding-related needs in line with law.
8) Payments and financial data
Payments and payouts are typically handled by third-party payment providers (for example Stripe or similar providers we may use). These providers process payment details in line with their own privacy notices.
We generally store only what we need for billing and reconciliation (e.g., last 4 digits, payment status, transaction IDs, invoices), never full card details.
9) Who we share data with
We may share personal data where necessary to run the Platform, including with:
- Other users (as part of the service):
  - care seekers/providers may see a care professional’s profile, availability, and relevant verification status;
  - care professionals may see booking details needed to deliver care (e.g., location, schedule, care notes that are necessary and appropriate).
- Service providers (“processors”): hosting, cloud infrastructure, analytics, communications tools, customer support systems, identity verification and background check providers, fraud detection, insurance/claims administration (where relevant), and payment providers.
- Professional advisers: lawyers, auditors, insurers, and consultants where needed.
- Authorities and regulators: where required by law or where necessary for safeguarding, fraud prevention, or public safety. This may include cooperating with the Information Commissioner’s Office and, where relevant, care regulators.
- Business transfers: if Doveva is involved in a merger, acquisition, reorganisation, or sale of assets, data may be shared as part of that process (with appropriate protections).
We restrict access to personal data to people who need it to do their job, and we use contracts and due diligence to enforce confidentiality and security.
10) Data sharing, supply, and commercial use of data
Doveva may use data to operate, improve, and grow the Platform and its services.
- Anonymised / aggregated data: Doveva may create and share or supply anonymised and/or aggregated data (where individuals are not identifiable) for analytics, research, benchmarking, product development, commercial partnerships, and business purposes.
- Identifiable personal data: Doveva will only share, supply, or otherwise commercialise identifiable personal data where lawful, which may include where:
  - you have provided valid consent (where required); and/or
  - there is another lawful basis under UK GDPR that applies and the sharing is consistent with this Privacy Policy and applicable law.
Where required by law, Doveva will provide appropriate transparency and controls.
11) International transfers
We aim to store and process data in the UK. Some suppliers may process data outside the UK.
Where personal data is transferred internationally, we use appropriate safeguards, such as adequacy regulations and/or UK-approved contractual protections (such as the UK International Data Transfer Agreement or UK Addendum).
12) Data security
We use organisational and technical measures designed to keep your data secure, including access controls, least-privilege permissions, secure hosting, monitoring, and incident response processes.
No system is 100% secure. If we identify a personal data breach that creates a risk to your rights and freedoms, we will notify affected individuals and/or regulators where legally required.
13) How long we keep your data (retention)
We keep personal data only for as long as necessary for the purposes described in this policy, including legal, accounting, dispute resolution, and safeguarding needs.
Typical examples:
- Account and Platform records: while your account is active, and for a reasonable period after closure.
- Messages, community content, reviews, and booking records: retained to support continuity, safety, moderation, and dispute handling.
- Financial records (invoices, payments): commonly retained for up to 6 years (and sometimes longer where required by law).
- Verification records: retained while needed to support trust and compliance, then deleted or anonymised where appropriate.
You can request deletion, but we may need to keep certain data where we have a legal obligation or a legitimate reason.
14) Your rights
You have rights under data protection law, including:
- access to your data;
- rectification;
- erasure (in certain cases);
- restriction of processing;
- data portability (in certain cases);
- objection (including to direct marketing);
- withdrawal of consent (where processing is based on consent); and
- rights related to automated decision-making (see Section 15).
To exercise your rights, contact us using the details in Section 1. We may need to verify your identity before acting on a request.
15) Automated decision-making and matching
Doveva may use automated tools to support matching, ranking, fraud prevention, and operational efficiency (for example, suggesting suitable care professionals based on availability, location, skills and preferences).
Where a decision has a significant effect on you and is made solely by automated means, you can request:
- a human review,
- an explanation, and
- the ability to contest it.
16) Marketing preferences
You can opt out of marketing at any time by using the unsubscribe link in our emails and/or contacting us.
Service/transactional messages (e.g., booking confirmations, safety updates) are not marketing and may still be sent.
17) Cookies, analytics and advertising
We use cookies and similar technologies to:
- make the website work properly,
- remember preferences,
- understand site usage, and
- measure marketing performance.
Where required, we will ask for your consent before placing non-essential cookies. You can manage cookies via our cookie banner/settings and your browser controls.
18) Children
The Platform is intended for adults. If care is being arranged for a person under 18, an adult with appropriate authority must manage the account and provide necessary consents.
If you believe a child has provided personal data to us without proper authority, contact us so we can investigate and take appropriate action.
19) Third-party links
Our Platform may link to external sites. We are not responsible for their privacy practices. Review their policies before providing personal data.
20) How to complain
If you’re unhappy with how we handle your data, contact us first and we’ll take it seriously.
You also have the right to complain to the UK data protection regulator: Information Commissioner’s Office.
21) Changes to this policy
We may update this Privacy Policy to reflect changes to the Platform, legal requirements, or how we process data. We’ll post the updated version on our website and app. Where changes are significant, we may provide additional notice.
