1. Introduction
Flexero Ltd ("we", "us", "our") operates the NurseFlex platform. We are committed to protecting your personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we collect, use, store, and share your information.
Data Controller: Flexero Ltd, London, United Kingdom
Contact: privacy@nurseflex.co.uk
2. Data We Collect
| Category | Data Types | Purpose |
|---|---|---|
| Identity | Full name, date of birth, NMC/HCPC PIN | Account creation, compliance verification |
| Contact | Email, phone number, address | Communications, shift notifications |
| Professional | Qualifications, DBS certificate, training records, work history | Compliance management, shift matching |
| Financial | Bank details, national insurance number | Payment processing, tax compliance |
| Usage | Login times, pages visited, device information | Platform improvement, security |
| Location | Postcode, GPS (clock-in only, with consent) | Shift matching, timesheet verification |
3. Legal Basis for Processing
We process your data under the following lawful bases:
- Contract: Processing necessary to provide our services (shift matching, payments, timesheets)
- Legal Obligation: Compliance with employment law, CQC regulations, HMRC requirements
- Legitimate Interest: Platform security, fraud prevention, service improvement
- Consent: Marketing communications, non-essential cookies, GPS location tracking
4. How We Use Your Data
We use your personal data to:
- Provide and improve NurseFlex services
- Match you with appropriate shifts or professionals
- Verify compliance documents
- Process payments and generate invoices
- Send shift notifications and platform updates
- Comply with healthcare regulations and employment law
- Prevent fraud and maintain platform security
5. Data Sharing
We share data only with the following parties and only as necessary:
- Healthcare organisations: Professional profiles and compliance status for shift bookings
- Payment processors: Financial data for secure payment processing
- Regulatory bodies: NMC, CQC, or HMRC when required by law
- Cloud providers: Encrypted data stored on Cloudflare infrastructure (EU/UK data centres)
We never sell your personal data to third parties.
6. Data Retention
Active account data is retained for the duration of your account plus 6 years (in line with HMRC requirements). Compliance documents are retained for 3 years after expiry. Financial records are retained for 7 years as required by UK tax law. Inactive accounts are anonymised after 24 months of inactivity following notification.
7. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Rectify inaccurate personal data
- Erase your data ("right to be forgotten"), subject to legal retention requirements
- Restrict processing of your data
- Receive your data in a structured, machine-readable format (data portability)
- Object to processing based on legitimate interest
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, email privacy@nurseflex.co.uk. We will respond within 30 days.
8. Cookies
NurseFlex uses essential cookies for authentication, security, and platform functionality. With your consent, we also use analytics cookies to understand how users interact with the platform. You can manage your preferences via the cookie banner displayed on your first visit. For more information, see our cookie settings.
9. Security
We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest, role-based access controls, regular security audits, and compliance with NHS Digital security standards. Despite these measures, no internet transmission is 100% secure. We encourage users to protect their login credentials.
10. International Transfers
Your data is primarily stored in UK and EEA data centres. Where data is processed outside the UK, we ensure adequate safeguards are in place, including Standard Contractual Clauses approved by the ICO.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email and platform notification. The "last updated" date at the top of this page indicates when the policy was last revised.
12. Complaints
If you believe we have not handled your data appropriately, please contact us at privacy@nurseflex.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.