Privacy Policy

1. Overview

Astra Homes Ltd is a company registered in England and Wales (Company Number 04660818), with its registered office at 21 Mount Ephraim Lane, London, England, SW16 1JF (“the Company” or “Astra Homes”). The Company operates the website www.astra-homes.co.uk (the “Website”).

The Company takes the security and privacy of personal data seriously and is committed to complying with its legal obligations under the Data Protection Act 2018 (the “2018 Act”), the Data (Use and Access) Act 2025 (the “DUAA”), the UK GDPR, and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). We respect your personal data, and our use of your personal data is subject to the relevant legislation.

2. Who this notice is for

This privacy notice applies to all users of the Website, including: visitors who simply browse the Website; enquirers who submit an enquiry form, request a brochure or other information, or arrange a visit; and current and prospective residents (and their representatives) who use any forms available on the Website to provide information to us in connection with their care.

Where you submit information to us through the Website in connection with your care as a resident (or as a prospective resident), the way in which we then handle that information is also governed by our Privacy Notice — Residents, which provides more detailed information about how we use information about residents. This Website Privacy Notice and the Residents Privacy Notice work together: this notice tells you what happens when you interact with the Website; the Residents Privacy Notice tells you what then happens once we hold that information about you in connection with your care.

3. Controller

The Company is the data controller in respect of personal data submitted through the Website. This means that the Company is responsible for deciding how it holds and uses personal information about you. The Company is registered with the Information Commissioner’s Office (“ICO”). The Company’s registration number is Z8457189.

4. Cookies

The Website uses cookies and similar technologies to operate, to improve the user experience, and (where you have given your consent) for analytics and functional purposes. The use of cookies on the Website is governed by a separate Cookies Policy, which can be accessed from the footer of every page of the Website.

The Cookies Policy explains in detail: what cookies are; what cookies the Website sets and what each category of cookie does; the consent framework operated by the cookie banner displayed when you first visit the Website; how you may withdraw your consent or change your preferences; and the relationship between the cookies framework and this Privacy Notice.

Where the Website processes personal data through cookies on the basis of your consent (for example, analytics cookies), you may withdraw your consent at any time by using the cookie preferences controls available in the footer of the Website. The withdrawal of consent does not affect the lawfulness of any processing carried out before the consent was withdrawn.

5. What data we collect when you use the Website

Depending on how you interact with the Website, we may collect the following categories of personal data:

Technical Data — your IP address, browser type and version, operating system and platform, time zone setting, the pages of the Website you visit, the time and duration of your visit, and the website you came from (the “referring page”). This information is collected automatically through the Website’s server logs and (where you have consented) through cookies. Further information about the use of cookies is set out in our Cookies Policy.

Enquiry Data — where you submit an enquiry through the Website (for example, by completing an enquiry form, requesting a brochure, asking us to call you back, or arranging a visit to the home), we will collect the personal data you provide in connection with that enquiry. This will typically include your name, contact details (telephone number, email address, and postal address), the relationship of the person you are enquiring on behalf of to you, and any information about the prospective resident’s needs and circumstances that you choose to provide to us.

Resident Form Data — where you (as a current resident, prospective resident, or representative of either) complete any form on the Website connected with your care or admission, we will collect the personal data you provide through that form. This may include: identity and contact data, family and representative data, financial or funding-related information, information about your or the resident’s health needs, capacity, mobility, dietary requirements, religion and beliefs, and other information necessary for us to provide care safely and appropriately. Some of this data falls within the definition of “Special Categories of Personal Data” (special category data) under Article 9(1) UK GDPR.

Correspondence Data — if you contact us through the Website by email, through a contact form, or by any other route, we will collect and retain a record of that correspondence and our response.

Feedback Data — if you provide feedback to us through the Website (whether about the Website itself or about the service we provide), we will collect the information you provide.

Recruitment Data — if you apply for a position with the Company through the Website, we will collect the recruitment data submitted. Further information about how we process recruitment data is set out in our Privacy Notice — Candidates.

Marketing Data — if you opt in to receive marketing communications from us (for example, a newsletter or updates about our service), we will collect the information necessary to deliver those communications and to record your consent. You may withdraw your consent at any time using the unsubscribe link in any communication, or by contacting us using the details in section 14.

6. Lawful bases for processing your data

We process the personal data set out in section 5 above on the following lawful bases:

Performance of a contract or taking steps prior to entering into a contract — where you are a prospective or current resident (or their representative) and are submitting information through the Website in connection with the contract for the resident’s care.

Legitimate interests — where we use Technical Data to ensure the security and proper functioning of the Website, to investigate suspected misuse of the Website, and to improve the service we provide. Our legitimate interests in this processing are limited to what is necessary for those purposes, and we take into account the interests, rights and freedoms of the individuals concerned.

Consent — where you have voluntarily provided information through the Website for a specific purpose (for example, by opting in to receive marketing communications, or by consenting to the use of non-essential cookies). Where we rely on your consent to process your data, you may withdraw that consent at any time.

Compliance with legal obligations — where we are required to process data to comply with our legal or regulatory obligations (for example, in response to a properly served legal request, or to comply with our obligations under the Health and Social Care Act 2008).

Where we collect special category data through Website forms (in particular, health data submitted by or in respect of a prospective or current resident), we will rely on one or more of the following additional lawful bases under Article 9 UK GDPR: Article 9(2)(h) (the processing is necessary for the provision of health or social care) — this is the principal basis on which we process health data submitted through resident-facing forms; Article 9(2)(a) (explicit consent); and where engaged, Article 9(2)(c) (vital interests) and Article 9(2)(f) (legal claims).

7. Why we use your personal data

We use the personal data collected through the Website for the following purposes:

  • to operate, secure and maintain the Website;
  • to respond to your enquiries about our care home, our services, or any other matter you raise with us through the Website;
  • to provide you (or your representative) with information about the home (for example, brochures, fee information, visit arrangements);
  • to process information you submit through resident-facing forms (whether at the point of enquiry, prior to admission, during admission, or during the course of your stay);
  • to communicate with you about your enquiry, your application, your admission, or your care;
  • to process any recruitment applications you submit through the Website;
  • to send you marketing communications you have opted in to receive;
  • to monitor and improve the Website and to understand how it is being used;
  • to investigate and prevent any misuse of the Website;
  • to comply with our legal, regulatory and contractual obligations;
  • to establish, exercise or defend legal claims; and
  • for any other lawful purpose disclosed to you at the point at which we collect the relevant data.

8. Who we share information with

We share personal data collected through the Website only where it is necessary to do so for the purposes described in this notice, and only with parties who themselves have a proper basis to receive the data. The principal categories of recipient are:

Our staff — the relevant members of our staff (in particular, the staff handling enquiries, admissions and care delivery) who need access to the data in order to perform their roles.

Our service providers — the providers of the technical infrastructure that supports the Website (including web hosting, email infrastructure, content management systems, and form-processing services). Where these providers process personal data on our behalf, they do so as processors under written agreements which require them to comply with the UK GDPR.

Our professional advisers — including our solicitors, accountants, auditors and insurers, where their involvement is necessary in connection with the operation of the Company or with a specific enquiry or matter.

Healthcare and social care professionals — where you have submitted information about a current or prospective resident through resident-facing forms, we may share that information (to the extent appropriate) with the healthcare professionals and local authority teams involved in the resident’s care.

Regulators — the CQC, the local authority, the Information Commissioner’s Office, and any other regulator or statutory body where we are required to share information by law or where it is in the substantial public interest to do so.

Law enforcement — where we are required to disclose personal data in connection with a properly served legal request, or where disclosure is necessary to investigate, prevent or take action regarding suspected unlawful activity.

In the event of a sale, transfer or restructuring of the Company — we may share data with prospective purchasers or transferees. Any recipient would be bound by confidentiality obligations before any data is shared.

We do not sell your personal data to any third party, and we do not share personal data collected through the Website with any third party for that third party’s own marketing purposes without your explicit consent.

9. International transfers

The Website and the systems supporting it are operated primarily in the United Kingdom, and the personal data collected through the Website is stored on servers located in the United Kingdom or the European Economic Area. In limited circumstances, personal data may be processed, stored or accessed from outside the UK (for example, where a service provider has operations or support teams located overseas, or where data is hosted in data centres outside the UK).

Where we transfer personal data outside the UK, we will only do so where we are satisfied that appropriate protections are in place and the transfer is lawful under the UK GDPR. This will include one or more of the following:

Adequacy regulations: transfers may be made to countries or territories that the UK has determined provide an adequate level of protection for personal data (including, where applicable, EEA countries and other countries recognised as adequate under UK law).

UK–US Data Bridge: where we transfer personal data to the United States, we may do so to organisations that are certified under the UK Extension to the EU–US Data Privacy Framework (the UK–US Data Bridge), where applicable.

Appropriate safeguards: where adequacy does not apply, we will use appropriate safeguards, such as the UK Information Commissioner’s International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable), together with any additional measures required.

Derogations: in rare cases, we may rely on a limited statutory exception (derogation) permitted by the UK GDPR (for example, where the transfer is necessary to protect vital interests).

We will take a risk-based approach and, where required, conduct and document a transfer risk assessment and implement supplementary measures (such as encryption and access controls) to protect your personal data. If you would like further information about the safeguards used for particular transfers, please contact the DPO.

10. Data security

We have put in place appropriate technical and organisational measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:

  • the use of secure (HTTPS) connections across the Website;
  • encryption of personal data in transit and (where appropriate) at rest;
  • limited access to personal data on a need-to-know basis, supported by user authentication and role-based access controls;
  • the use of vetted service providers who themselves operate appropriate security measures;
  • ongoing review of our security framework, supported by our wider Data Security Policy.

We have put in place procedures to deal with any suspected data security breach. Where we are legally required to do so, we will notify you, the Information Commissioner’s Office, and any other applicable regulator (including, where engaged, the CQC) of a suspected breach.

Despite these measures, the transmission of information through the internet is not entirely secure. We cannot guarantee the security of personal data transmitted to or through the Website, and any transmission is at your own risk to that extent. Once we have received your information, we apply the security measures described above.

11. Data retention

We will not retain your personal data for longer than necessary for the purposes set out in this notice. Different retention periods apply to different categories of data. In summary:

  • Technical Data is retained for the period necessary to operate and secure the Website, typically a limited period of months.
  • Enquiry Data is retained for the duration of the enquiry and for a reasonable period thereafter, to enable us to respond to any follow-up questions.
  • Resident Form Data is then folded into the resident’s care records and is retained for the periods set out in our Privacy Notice — Residents and our Data Retention Policy. For adult social care records, the baseline retention period is at least 8 years from the date the person ceases to be a resident, or from the date of their death, in line with the Records Management Code of Practice for Health and Social Care.
  • Recruitment Data is retained for the period set out in our Privacy Notice — Candidates.
  • Marketing Data is retained for as long as you remain opted in to receive marketing communications, plus a limited period thereafter to record your withdrawal of consent.
  • Correspondence Data is retained for the period set out in our Data Retention Policy.

Details of the specific retention periods that apply to particular categories of data are available in our Data Retention Policy, which is available from the DPO. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.

12. Your rights

Under the UK GDPR (as amended by the Data (Use and Access) Act 2025), you have a number of rights in respect of the personal information we hold about you.

Right to be informed about the collection and use of your personal data. This Privacy Notice, together with the documents referred to in it, provides you with this information.

Right to access (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. You will not have to pay a fee, unless your request is unfounded, repetitive or excessive. We try to respond to all legitimate requests within one month; occasionally it may take us longer if your request is particularly complex or you have made a number of requests. Please note that we may need to stop the clock while we are awaiting ID or clarification needed to locate the data.

Right to request correction of the personal information that we hold about you, where it is incomplete or inaccurate.

Right to request erasure of your personal information. In certain circumstances you have the right to ask for some (but not all) of the information we hold and process to be erased. The right to erasure may not apply where we are required by law to retain the data (in particular, for resident care records).

Right to object to processing of your personal information where we are relying on a legitimate interest. You also have the right to object where we are processing your personal information for direct marketing purposes.

Right to request restriction of processing of your personal information in certain circumstances, for example if you want us to establish its accuracy.

Right to request the transfer of your personal information to another party in certain circumstances.

Right to withdraw consent at any time, where we are processing your personal data on the basis of your consent. The withdrawal of consent does not affect the lawfulness of any processing carried out before the consent was withdrawn.

Rights in relation to automated decision-making and profiling — you will not be subject to decisions that have a significant impact on you based solely on automated decision-making.

If you want to exercise any of these rights, please contact the DPO using the details set out in section 14. We will respond to your request within one calendar month.

13. Children

The Website is not directed at children. The Company is a care provider for older adults and does not knowingly collect personal data about children through the Website. If you become aware that a child has provided personal data to us through the Website, please contact us using the details in section 14 and we will take steps to remove the data.

14. Your queries and complaints

Our Data Protection Officer, James Freeman, is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, or wish to exercise any of your rights set out above, please contact him by emailing james@astra-homes.co.uk, by calling the home, or by writing to 21 Mount Ephraim Lane, London, England, SW16 1JF.

If you have any concerns about how your data is being processed, or in relation to any of your rights, you may raise a data protection concern or complaint with us by contacting James Freeman. We will acknowledge your concern or complaint within 30 days and respond without undue delay.

We hope that our DPO can resolve any query or concern you raise about our use of your information. However, if you feel that we have failed to address your concerns appropriately, you can contact the Information Commissioner at ico.org.uk/concerns/ or by telephone on 0303 123 1113 for further information about your rights and how to make a formal complaint.

15. Changes to this notice

We will review and update this notice regularly in accordance with our data protection and regulatory obligations. The current version of this notice is always available on the Website. The date on which this notice came into force is shown in the document footer.

Schedule

| Information we collect | How we collect it | Why we collect it | How we use or share it |
| --- | --- | --- | --- |
| Technical Data (IP address, browser type, operating system, pages visited, time and duration of visit, referring page) | Automatically through Website server logs and (where consented) cookies | Legitimate interests: to operate and secure the Website; to investigate misuse; to understand how the Website is used. | Used internally to operate and improve the Website. Shared with our hosting and analytics service providers (as processors). See the Cookies Policy for further detail. |
| Enquiry Data (name, contact details, relationship, information about the prospective resident) | From you, when you submit an enquiry through the Website | Performance of a contract or taking steps prior to entering into a contract. Legitimate interests in responding to enquiries. | Used to respond to your enquiry, to provide you with information about the home, and (where applicable) to progress an admission. Shared internally with the admissions team and (where applicable) the relevant care staff. |
| Resident Form Data (identity, contact, family, financial, health, capacity, mobility, dietary, religion and beliefs, and other care-related information) | From you (or the resident, or the resident’s representative), through forms made available on the Website | Performance of the contract for care; Article 9(2)(h) UK GDPR (provision of health or social care) and (where engaged) Article 9(2)(a), 9(2)(c) and 9(2)(f). | Folded into the resident’s care records and used to inform the resident’s care plan. See the Privacy Notice — Residents for further detail. |
| Correspondence Data (records of emails, contact form submissions and other communications with us) | From you, through the Website | Legitimate interests: to maintain a record of communications. Performance of a contract or taking steps prior to a contract. | Retained as part of the relevant matter file. Shared internally with the staff handling the relevant matter. |
| Feedback Data | From you, through any feedback function on the Website | Legitimate interests: to improve the Website and the service we provide. | Used to inform improvements. Anonymised where possible before being shared more widely. |
| Recruitment Data (CV, application form, cover letter and supporting information) | From you, through any recruitment function on the Website | Taking steps prior to entering into an employment contract. Legitimate interests. | See the Privacy Notice — Candidates for further detail. |
| Marketing Data (email address and consent records) | From you, when you opt in to receive marketing communications | Consent. | Used to send you the communications you have opted in to receive. May be shared with our email-marketing service provider (as a processor). |