0333 004 0177
Submit Referral
Lamora Healthcare Ltd is committed to protecting and respecting your privacy. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law.
Last reviewed: March 2025 | Version: 2.0 | Controller: Lamora Healthcare Ltd, The Gatehouse, Gatehouse Way, Aylesbury, Buckinghamshire, HP19 8DB | Contact: enquiries@lamorahealthcare.co.uk
Lamora Healthcare Ltd (“Lamora Healthcare”, “we”, “us”, “our”) is a health and social care organisation registered in England and Wales. We are the data controller for the personal data we process in connection with our services, website, and employment activities.
We are registered with the Care Quality Commission (CQC) for the regulated activity of Personal Care. Our registered office address is The Gatehouse, Gatehouse Way, Aylesbury, Buckinghamshire, HP19 8DB.
If you have any questions about how we handle your personal data, or wish to exercise any of your rights, please contact us at:
We collect personal data across several distinct activities.
2.1 Website Visitors
When you visit our website we may collect: IP address, browser type and version, pages visited, time and date of visit, and time spent on pages. This data is collected automatically through server logs and is used solely to monitor the security and performance of our website. It is not linked to any personally identifiable information.
2.2 General Enquiries and Contact Forms
When you submit a general enquiry via our website or contact us by telephone or email, we collect your name, email address, telephone number, and the content of your message. We use this information solely to respond to your enquiry. We do not use it for marketing purposes without your explicit consent.
2.3 Professional Referrals
When a professional makes a referral on behalf of an individual requiring care, we collect the referrer’s name, job title, organisation, and contact details; and the referred individual’s name, date of birth, address, NHS number (where provided), care needs summary, relevant health and risk information, funding source, and next of kin details. This information is necessary to assess and arrange appropriate care. We process this data under Articles 6(1)(b), 6(1)(c), and 9(2)(h) UK GDPR.
2.4 Service User and Care Data
For individuals who receive care from Lamora Healthcare, we collect and process detailed personal and health data including: full name and contact details; date of birth and NHS number; medical history, diagnoses, medication, and clinical assessments; mental capacity assessments and deprivation of liberty documentation where relevant; care plans, risk assessments, and daily care records; incident reports and safeguarding documentation; next of kin and emergency contact details; financial information relating to care funding; and consent records. This data is necessary to provide safe, lawful, and effective care services.
2.5 Family Members and Next of Kin
Where family members or next of kin contact us or are involved in care planning, we collect their name, relationship to the service user, contact details, and any information they share during those interactions. We use this information to facilitate communication and involve families in care as appropriate and with the service user’s consent.
2.6 Job Applicants and Employees
During recruitment we collect: name and contact details; employment history and references; qualifications and training records; right to work documentation; Disclosure and Barring Service (DBS) application information and certificate details; health information relevant to the role where applicable; and equal opportunities monitoring data (optional). For successful applicants, this data forms the basis of an employment record. We process recruitment data under Article 6(1)(b) UK GDPR and, where special category data is involved, under Article 9(2)(b) and the Data Protection Act 2018 Schedule 1 conditions.
2.7 Commissioners, Contractors, and Business Contacts
We collect and retain contact details and relevant professional information for commissioners, NHS teams, local authority contacts, contractors, and other business partners. We process this data under Articles 6(1)(b) and 6(1)(f) UK GDPR.
UK GDPR requires us to have a lawful basis for processing personal data. We rely on the following bases depending on context:
Much of the personal data we process in connection with our care services is “special category data” under UK GDPR — specifically health data, data concerning disability, and in some cases data about criminal convictions in relation to DBS checks. We process special category data under the following conditions:
We use personal data only for the purposes for which it was collected or purposes that are compatible with those original purposes. Specifically:
We do not use personal data for automated decision-making or profiling, and we do not sell personal data to any third party under any circumstances.
We share personal data only where there is a lawful basis or legal duty to do so. Recipients may include:
We do not share personal data with any third party for marketing or commercial purposes. Where we engage data processors, we ensure appropriate contractual protections are in place in accordance with Article 28 UK GDPR.
We do not routinely transfer personal data outside the United Kingdom. Where any transfer to a country outside the UK occurs — for example, through the use of cloud-based software services — we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, such as use of the UK International Data Transfer Agreement (IDTA) or equivalent adequacy mechanisms.
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law or regulatory guidance.
| Type of Data | Retention Period |
|---|---|
| Care records (adult) | Minimum 8 years from last contact, per NHS Records Management Code of Practice |
| Care records (young person under 18 at time of care) | Until age 25, or 8 years from last contact, whichever is longer |
| Employee records (active) | Duration of employment |
| Employee records (former) | 7 years from end of employment |
| Unsuccessful job applications | 6 months from date of decision |
| DBS certificate records | 6 months from date of check (date, level, and outcome only) |
| Safeguarding records | Minimum 10 years, or until subject reaches age 25 if a child — whichever is longer |
| Incident and accident reports | Minimum 10 years from date of incident |
| Website enquiries and contact form submissions | 12 months from date of submission |
| Financial and invoicing records | 7 years from end of the relevant financial year (HMRC requirement) |
| Website server logs | 90 days |
At the end of the applicable retention period, personal data is securely destroyed or anonymised in accordance with our Records Management Policy.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, or disclosure. Our security measures include:
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) within 72 hours as required by Article 33 UK GDPR. Where the breach is likely to result in high risk to you personally, we will also notify you directly without undue delay.
Our website uses cookies. A cookie is a small text file placed on your device when you visit a website. We use the following categories of cookies:
We do not use advertising cookies, social media tracking cookies, or cookies that share your data with third parties for commercial purposes. You can control cookies through your browser settings at any time.
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions, particularly where we process data in connection with regulated care activities or legal obligations.
To exercise any of these rights, contact us at enquiries@lamorahealthcare.co.uk or by post. We may verify your identity before processing a request. We will respond within one calendar month, or notify you if an extension of up to two further months is required.
Lamora Healthcare provides supported accommodation for young people aged 16 to 25, some of whom may be under 18 at the time of placement. Where we process personal data relating to individuals under the age of 18, we apply additional care and safeguards in line with our safeguarding obligations and the requirements of the Children Act 1989, Children and Families Act 2014, and relevant statutory guidance.
Our website is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 through our website. If you believe a child under 16 has submitted personal data through our website without appropriate consent, please contact us immediately at enquiries@lamorahealthcare.co.uk.
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK supervisory authority for data protection:
We would appreciate the opportunity to address your concerns before you approach the ICO. Please contact us in the first instance at enquiries@lamorahealthcare.co.uk.
We review this Privacy Policy at least annually and whenever there is a material change to how we process personal data. The current version is always published on this page. Where changes are significant, we will take reasonable steps to notify affected individuals.
This policy was last reviewed and updated in March 2025 (Version 2.0).