Privacy Policy
ORVIA Healthcare Ltd — Company No. 16123685
Orvia Healthcare Ltd (“ORVIA”, “we”, “us”, “our”)
Last updated: 23 May 2026
1. Who We Are
ORVIA Healthcare is a human-centred safeguarding, governance and operational oversight organisation. We help families, professionals, care providers and commissioners understand concerns about care, safety, culture, accountability and operational reality.
We are not a consultancy. We are not a regulator, an emergency service, the police, CQC, a local authority safeguarding team, the NHS or a legal representative.
Data Controller: Orvia Healthcare Ltd
Company Registration: 16123685 (England and Wales)
Registered Address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE
ICO Registration: ZC152311
Data Protection Officer: john.mcgill@orviahealthcare.co.uk
2. What This Policy Covers
This policy explains how we collect, use, store and protect your personal information when you:
Visit our website
Contact us through our enquiry forms
Engage with our services
Subscribe to our communications
Interact with us by email, phone or other means
3. What Information We Collect
We may collect:
Contact information — your name, email address, phone number
Enquiry details — the reason you are contacting us (we ask you to share only what is needed at the initial stage)
Organisation details — if you contact us on behalf of a care provider, commissioner or professional body
Website usage data — how you use our website, which pages you visit, and technical information such as your browser type and IP address
Communication records — emails, messages and notes from our interactions with you
Important: We do not ask you to send detailed safeguarding records, medical information, evidence files or confidential case material through our website forms. If we need more detail, we will explain how to share it safely.
4. How We Use Your Information
We use your information to:
Respond to your enquiry
Provide our services (safeguarding reviews, governance reviews, operational oversight, family support)
Communicate with you about your engagement with us
Improve our website and services
Meet our legal and regulatory obligations
Protect the safety and wellbeing of people involved in our work
5. Our Lawful Basis for Processing
Under UK GDPR, we process your personal data on the following bases:
Consent — where you have given us clear permission (e.g. subscribing to communications)
Contract — where processing is necessary to fulfil a service agreement with you
Legitimate interest — where processing is necessary for our legitimate business purposes (e.g. responding to enquiries, improving our services), provided this does not override your rights
Legal obligation — where we are required by law to process your data (e.g. safeguarding duties, tax obligations)
Our lawful bases for processing include: legitimate interests (providing our services, responding to enquiries, improving our website), consent (marketing communications), and contract performance (service delivery). Where we process special category data, we do so on the basis of substantial public interest or explicit consent.
6. How We Store and Protect Your Information
We take the security of your information seriously. We use:
Microsoft 365 as our primary operating environment
SharePoint as our controlled document and evidence store
Encrypted email and secure communication channels
Access controls to limit who can see your information
Regular security reviews of our systems and processes
Our Microsoft 365 environment is configured within the UK/EEA region. Data processed through our systems is stored in accordance with Microsoft’s UK and European data centre commitments.
We conduct Data Protection Impact Assessments where required, particularly for activities involving sensitive personal data. Our approach to data protection is reviewed regularly to ensure it remains proportionate and effective.
7. How Long We Keep Your Information
We keep your information only for as long as we need it. Our general approach:
Website enquiries: retained for up to 12 months after your last contact, unless an engagement is agreed
Client engagement records: retained for the duration of the engagement plus a retention period appropriate to the nature of the work
Financial records: retained for 7 years in line with HMRC requirements
Safeguarding-related records: retained in line with professional safeguarding retention guidance
We retain personal data only for as long as necessary for the purpose it was collected. Enquiry data is retained for up to 12 months after our last contact. Service records are retained for the duration of the engagement plus 6 years. Marketing data is retained until you withdraw consent. We review retention regularly and delete data that is no longer required.
8. Who We Share Your Information With
We do not sell your personal information. We may share your information with:
Our team members — only those who need access to do their work
Service providers — such as our website hosting provider, email service, and IT support, under appropriate data processing agreements
Professional advisers — such as legal, accounting or insurance providers where necessary
Statutory bodies — where we are required by law or where there is a safeguarding duty to report (e.g. local authority safeguarding teams, police, CQC)
If we ever need to share your information for safeguarding reasons, we will do so in line with UK safeguarding legislation and guidance, and we will tell you unless doing so would put someone at risk.
9. Cookies
Our website uses cookies. Please see our Cookie Policy for full details of the cookies we use and how to manage your preferences.
10. Your Rights
Under UK data protection law, you have the right to:
Access — request a copy of the personal information we hold about you
Rectification — ask us to correct inaccurate information
Erasure — ask us to delete your information (subject to legal requirements)
Restriction — ask us to limit how we use your information
Data portability — receive your information in a structured format
Object — object to processing based on legitimate interest
Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at Hello@orviahealthcare.co.uk.
11. Children and Young People
We do not knowingly collect personal data from children under 13 through our website. If our work involves concerns about children or young people, we handle all information with the highest level of care and in line with safeguarding legislation.
12. International Transfers
We aim to keep your data within the UK and European Economic Area. If any of our service providers process data outside the UK, we ensure appropriate safeguards are in place in line with UK GDPR requirements.
We do not routinely transfer personal data outside the UK. Where any transfer is necessary (for example, through cloud-based services), we ensure appropriate safeguards are in place, including UK adequacy decisions or standard contractual clauses.
13. Automated Decision-Making
We do not use automated decision-making or profiling that has a legal or significant effect on you. Where we use AI tools to support our work, human judgement remains the final decision layer in all safeguarding, governance and oversight matters.
14. Changes to This Policy
We may update this policy from time to time. Any changes will be published on this page with an updated date. We encourage you to review this policy regularly.
15. Complaints
If you are unhappy with how we have handled your personal information, please contact us first at Hello@orviahealthcare.co.uk.
You also have the right to complain to the Information Commissioner’s Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
16. Contact Us
Orvia Healthcare Ltd
Email: Hello@orviahealthcare.co.uk
Phone: 0114 399 8231
Address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE