Privacy Notice
This is Epona's privacy notice
Introduction
This document explains how we collect, handle and use the personal data you enter onto our platform. It tells you how we use it responsibly, and how we keep it safe and secure.
There are a few things that we have to tell you to comply with data protection legislation (the UK GDPR and Data Protection Act 2018, and the EU GDPR).
Who are we?
We are My Epona Limited (‘Epona’) a privately owned company registered in England. We provide a software platform that is downloaded to the operating system of your mobile phone, tablet or desk device. It is designed to promote independence, dignity and safety through a Positive Behaviour Support (‘PBS’) evidence-based model.
We have to tell you who the Controller of the data is, so that is Epona. We are not required to have a specific Data Protection Officer but we do have support and training for data protection. You can contact us at fran@eponacares.com.
What data we need
We collect, store and use personal data and information that you provide to us including the following:
The person being cared for.
- Name;
- Address and contact details;
- Date of Birth;
- Relatives / Family details;
- Behavioural observations;
- Support plans and risk assessments;
- Staff entered notes and incident reports about you;
- Sensitive medical or psychological information including your health data;
- Racial or ethnic data if this is required for case context;
Carers and staff.
- Name;
- Details such as employee or employee number;
- Training and qualification records;
- Work location;
- Biometric or audio data where carers and care partners use file uploads for notes or observations.
General
- Your voice or that of relatives / Family or Carers when they use the Voicenote facility.
- Location data from mobile devices, or GPS data if tagged on images;
- Login credentials of staff using the platform;
- Enquiry data such as name and contact number/email.
- We collect information from the payment system for any licence fees.
If you subscribe to our marketing, newsletter or mailing lists, we will collect and use your name, email address and preferences.
We will operate a waiting list and for this we will need to collect name and contact details.
How we get the data and information, and why we have it.
The majority of data and information we process about you is provided by you, a family member or by a carer when:
- They register you on Epona.
- They make observations or reports and enter these on Epona.
- You subscribe to our mailing lists and/or marketing.
- You contact us to make an enquiry.
When a family member uses the system they will be providing their data and information.
When a carer uses the system they will input data about you, your relatives or family members and themselves where this is relevant to the uploaded information or task completed.
We use this personal data and information to provide and maintain the service that our platform provides to support your care and generation of reports or similar.
The data will also be used by AI to analyse behaviour, quality of life and context in order to assist in generating personalised PBS plans, identify early signs of risk or deterioration, provide quality assurance against best-practice PBS frameworks and provide evidence for inspections or commissioning obligations. A person always checks these outputs before they are used elsewhere.
Why we need it – our legal or lawful bases
Data Protection legislation requires us to identify a legal basis to process your personal data. We have identified the following that apply to personal data and the use of Epona.
- CONSENT
  - Where you or your family provide personal data or information this is with Consent.
  - Where you, your family or the carer / care partner have subscribed to our mailing list, newsletter or marketing. In this instance you are able to withdraw or remove your consent at any time by contacting us at fran@eponacares.com
- PUBLIC TASK and PROVIDING HEALTH OR SOCIAL CARE
  - When used in a health or care setting it will be to support the processing that is necessary for a Public Task (delivery of health or care services); and
  - Necessary to support the provision of a health or social care service.
- LEGAL OBLIGATION
  - Where we have to collect certain information such as payment details, as we have to comply with financial regulations and legislation, e.g. HMRC for tax purposes.
- LEGITIMATE INTEREST
  - To enable us to provide secure and unique logins for carers and staff.
  - To enable us to operate and administer our business, and to ensure that we can business plan effectively, we have a Legitimate Interest in processing some limited personal information. This helps us to remain accountable.
Children’s data
Although our platform is not meant for a child to access it, we acknowledge that this could happen, especially where a child is older. Therefore we take into account the Age-Appropriate Design Code (‘Children’s Code’) from the Information Commissioner’s Office. This means that we will not profile children who use our platform and we will keep any data collected from a child to a minimum. We will ensure that we have appropriate technical and organisational measures in place to protect the child.
Where a child is 13 years or over, under the UK GDPR they will generally be able to give their own consent to the processing of their personal data.
Where a child is under 13 years of age, we will seek parental consent from someone who has Parental Responsibility for that child.
Where the data collected relates to the child as a person being cared for, for the special category (health and care type data) we will rely on the lawful basis of provision of Health and social care (article 9(2)(h) of GDPR).
How we store your data
Keeping your personal data safe and secure, and building your trust when using the service is important to us and we have policies and procedures to do this. We implement all appropriate and reasonable technical and organisational measures to protect your personal data and prevent unauthorised access or disclosure.
For example, we use a world-renowned cloud-based storage service that has very high levels of security and confidentiality. We aim to use the UK service, but this may be based in the EU, so we have undertaken all necessary checks and ensure that we have a contract in place.
We have undertaken considerable due diligence around the use of AI and use a local LLM (Large Language Model).
Any devices that we use are protected and all software including antivirus/firewall is kept up to date. For added assurance, we have contracts in place for any external service providers.
Sharing your data
We will share your data with those caring for you and your relatives / family where this is indicated as this will enable them to complete the observations and reports, and to provide you with a good service. We may be required to share your data with other organisations such as a local council, or with a care organisation, but we will ensure that suitable agreements are in place and this is discussed with you or your nominated representative.
We do not allow any other third parties to have access to your personal data unless we are required to share your data with them by law or we are ordered to do so by a Court.
We do not
We do not sell, rent or trade your personal data.
We do not knowingly undertake any International Transfers of your data to countries outside the UK and EU/EEA.
Automated Decisions making and profiling
We do use your personal data for automated decision-making as defined in the data protection legislation, using AI to assist in generating reports and plans. However, a person always checks these before they are used.
The AI will also perform structured profiling of individuals, but only for the purposes of delivering Positive Behaviour Support (PBS) and Quality of Life (QoL) monitoring within a regulated care context.
How long we keep it
We have a retention schedule which details how long we keep data for.
We will keep your personal data described in line with the NHS Records Management retention obligations for health-related data. Where the platform is not used for health services, we will keep the data for the length of the contract with you or the care provider.
We will also keep certain data for a period that is required by law; for example, financial records or HMRC records will be kept for 6 years. We may keep personal data for longer if you have consented to us keeping it or you have asked us to keep it.
When we no longer need to keep your personal data, or you choose to delete your account, we will then dispose of it by secure and permanent deletion (electronic records).
What are your rights?
You have a number of rights relating to the processing of your personal data. Importantly, this Privacy Notice meets the first right – the right to be informed.
You can ask to see the personal data that we hold about you (known as a Subject Access Request), or even ask us to correct it or have it deleted (known as the right to erasure or to be forgotten). There are other rights such as restricting processing, data portability, objecting to processing, or rights linked to automated decision making.
You are not required to pay any fee for exercising your rights or making a request. If you do wish to do this, we usually have one month to respond to you. Please contact us at fran@eponacares.com
Where you have provided personal data with consent, you can withdraw this consent at any time. You can do this by clicking the ‘opt out’ link in any emails we send to you, or by sending an email to fran@eponacares.com with the subject “withdraw consent”. We must tell you that when you opt out of us using your data for your account, we will not be able to continue to provide the Epona platform to you and this may impact your care.
More information on your rights can be found on the Information Commissioner’s website at https://ico.org.uk/
Complaints
If you wish to raise a complaint on how we have handled your personal data, you can contact us and we will investigate the matter as we would like the opportunity to resolve this with you. In line with the obligations of the Data (Use and Access) Act 2025, we will have up to one month in which to respond to a complaint.
If you are not satisfied with our response or believe we are processing your personal data in a way that is not in accordance with the law you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate) or via their website at https://ico.org.uk/
Date published: September 2025 Version: 1.0