Quick Summary
- We collect: Your professional nursing information, job preferences, contact details, CV, and self-attested pre-employment checks
- We use it to: Match you with suitable jobs and facilitate recruitment
- We share it with: Employers (progressively: Stage 1 = semi-anonymous, Stage 2 = name/email/CV/check summaries, Stage 3 = full history/references with your consent)
- We protect it with: Encryption, access controls, and security measures
- You control: Your profile, consent to share details, phone number sharing, and account deletion
- Your rights: Access, correct, delete, port, and object to processing
- Questions? Contact hello@roamnurses.co.uk
1. Overview
Roam Nurses Limited ("we," "us," or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our platform that connects UK-qualified nurses with NHS trusts, private hospitals, care homes, and other healthcare employers.
This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using our services, you acknowledge that you have read and understood this Privacy Policy.
Note on Optional Information: Some information we collect is optional (marked below). We collect this optional information to provide better matching between nurses and suitable job opportunities. The more complete your profile, the more accurately we can match you with relevant positions and employers. When you provide your NMC PIN (optional), we verify it against the NMC register for platform quality purposes - however, employers remain responsible for conducting their own verification checks for employment.
2. Data Controller Information
Data Controller: Roam Nurses Limited (product of Roam Health Ltd)
Registered Office: London, United Kingdom
Contact Email: hello@roamnurses.co.uk
Data Protection Officer: hello@roamnurses.co.uk
ICO Registration: Roam Health Ltd is registered with the Information Commissioner's Office as a data controller
As the data controller, we determine the purposes and means of processing your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us using the details above.
3. Information We Collect
3.1 Nurse Personal Information
Basic Profile Data:
- Full name (first name and last name) - Required
- Email address - Required
- Phone number - Optional
- Profile photograph - Optional (but improves visibility to employers)
- Location (postcode and city) - Required
- Willingness to relocate - Optional
Professional Registration:
- NMC PIN (Nursing and Midwifery Council registration number) - Optional (but we verify this for platform matching purposes if provided)
- NMC register part (Adult, Mental Health, Learning Disability, Children, Midwifery, SCPHN) - Required for matching
- NMC registration date - Optional
- NMC verification status - We verify NMC PIN against NMC register if you provide it (for platform quality and smart matching only)
NMC Verification: When you provide your NMC PIN, we verify it against the NMC register to ensure platform quality and improve matching accuracy. However, employers remain fully responsible for conducting their own NMC verification checks for employment purposes.
Professional Experience:
- Years of experience in nursing - Optional (improves job matching)
- Current NHS band (e.g., Band 5, Band 6, Band 7) - Optional (helps match with appropriate level positions)
- Specialties and years of experience in each specialty (e.g., A&E, ICU, Theatre) - Optional (critical for accurate job matching)
- Previous employment history (employer names, job titles, start/end dates) - Optional (shared with employers only with your explicit consent)
- Employment gap explanations (if provided) - Optional
- Hospital experience in last year - Optional
Why we collect employment history: This optional information helps us match you with suitable positions and allows employers (with your consent) to verify your experience. You control when and if this is shared.
Education & Qualifications:
- Highest education level (Diploma, BSc, MSc, PhD) - Optional (improves matching accuracy)
- Professional certifications (BLS, ILS, ALS, Mentorship, Prescribing, etc.) - Optional (helps match with roles requiring specific qualifications)
- Certification dates and expiry dates - Optional
Job Preferences:
- Preferred contract types (Permanent, Fixed-term, Bank) - Required for matching
- Preferred shift patterns (Days, Nights, Long days, Rotation, Flexible) - Required for matching
- Preferred care settings (NHS Acute, NHS Community, Private Hospital, Care Homes, GP Surgery) - Required for matching
- Preferred work locations (cities/postcodes) - Optional (improves location-based matching)
- Job search priority (Career advancement, Compensation, Work-life balance) - Optional
Supporting Documentation:
- CV/Resume (uploaded PDF or Word document) - Optional (but strongly recommended - nurses with CVs are 3x more likely to receive interview requests)
- Professional references (name, contact details, occupation, relationship, workplace) - Optional (shared with employers only with your explicit consent)
Why we collect CVs and references: These optional documents significantly improve your chances of securing interviews and allow employers (with your consent) to conduct thorough vetting during the hiring process.
Pre-Employment Checks (Self-Attested):
⚠️ Important: Self-Attested Information (Not Verified)
These are self-declarations by nurses and are NOT verified by us. We verify NMC registration status separately (see above), but all other pre-employment information is self-attested only.
Employers are solely responsible for conducting their own comprehensive verification checks for employment purposes.
We collect:
- Right to work in the UK: Yes/No (self-attested)
- UK trained nurse: Yes/No (whether qualified in UK vs overseas)
- British or Irish passport holder: Yes/No (indicates right to work without visa sponsorship)
- DBS online update service subscriber: Yes/No (allows employers to check DBS status with nurse consent)
- Employment history provided: Yes/No (whether nurse has completed employment history section)
- Professional references provided: Yes/No (whether nurse has added references)
3.2 Employer Personal Information
- Organisation name, type, and logo
- CQC rating (for UK healthcare providers)
- Contact person details (name, job title, phone, email)
- Location information (headquarters and multiple sites)
- Recruitment information (annual hires, vacancies, agency spend)
- Job postings (titles, descriptions, requirements, salary, benefits)
3.3 Technical Information
- IP address, browser type, device information
- Pages visited and time spent on platform
- Cookies and tracking technologies
- Session identifiers and usage analytics
4. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Contract (Article 6(1)(b)): Providing matching services, managing accounts, facilitating interviews
- Legitimate Interests (Article 6(1)(f)): Platform improvement, fraud prevention, analytics, marketing to existing users
- Consent (Article 6(1)(a)): Marketing to prospective users, optional data collection for enhanced matching, sharing pre-employment details with employers
- Special Category Data (Article 9(2)(a)): Health-related professional information (nursing specialties, NMC registration) based on your explicit consent
Note: When you provide optional information (such as NMC PIN, employment history, CV, or references), you consent to us using this data to improve job matching and, where you explicitly agree, sharing it with employers to facilitate the recruitment process.
5. How We Use Your Data
We use your personal data for:
- Creating and managing profiles
- Matching nurses with suitable job opportunities - optional information like specialties, experience, qualifications, and CV significantly improves matching accuracy
- Verifying NMC registration status - when you provide your NMC PIN, we verify it against the NMC register to ensure platform quality and accurate matching (employers must still conduct their own verification for employment purposes)
- Facilitating interview requests and scheduling
- Processing communications between nurses and employers
- Improving our matching algorithms and platform features
- Providing customer support
- Sending relevant notifications and updates
- Preventing fraud and ensuring platform security
- Complying with legal obligations
Why we ask for optional information: While you can create a basic profile with just required fields, providing optional information (such as your NMC PIN, employment history, CV, specialties, and certifications) enables us to match you more accurately with relevant job opportunities and helps employers assess your suitability for specific roles.
6. Progressive Data Disclosure System
🔒 How We Protect Nurse Privacy
We implement a progressive disclosure system to protect nurse privacy while facilitating genuine recruitment interest. Data is revealed in stages based on interview progress and nurse consent.
Stage 1: Browsing/Searching (Before Interview Request)
Employers CAN see:
- First name and last initial only (e.g., "Sarah J." not "Sarah Johnson")
- Profile photograph
- City and postcode (general location)
- Specialties and years of experience
- Education level and certifications
- Current NHS band
- NMC register part and verified status
- Job preferences (shifts, care settings, contract types)
- Match score for specific jobs
Employers CANNOT see:
- Full last name
- Email address or phone number
- CV/Resume
- Employment history
- References
- NMC PIN
- Pre-employment check details
Stage 2: After Nurse Accepts Interview Request
Additionally visible to employer:
- Full name (first name and last name)
- Email address for direct contact
- CV/Resume (full document download)
- Self-attested pre-employment check summaries (Yes/No indicators only):
  - Right to work in UK: Yes/No (self-attested, not verified)
  - Employment history provided: Yes/No (NOT the actual history)
  - References provided: Yes/No
  - UK trained: Yes/No
  - DBS online subscribed: Yes/No
  - British/Irish passport: Yes/No
Still NOT visible:
- Phone number (shared only when nurse manually inputs it for direct contact)
- Full employment history details (employer names, dates, positions)
- Professional references (names, contact details)
- NMC PIN number
Stage 3: After Nurse Provides Explicit Consent
When a nurse checks the consent box: "If I am successful with this interview, I am happy to share my references, employment history and NMC pin with the employer (if provided)"
Additionally visible to employer:
- Full employment history details (employer names, job titles, start/end dates, gap explanations)
- Professional references (names, contact details, relationships, workplaces)
- NMC PIN number (for employer verification)
All consent actions are logged with timestamps for accountability.
What We Do NOT Do
- ❌ We do NOT sell nurse or employer personal data to third parties
- ❌ We do NOT share full nurse name or email before interview acceptance
- ❌ We do NOT share nurse phone numbers (nurses manually input these only when choosing direct contact)
- ❌ We do NOT share full employment history details or references without explicit consent
- ❌ We do NOT allow unverified employers to access nurse data
- ❌ We do NOT verify pre-employment checks (except NMC status for platform purposes only - employers must conduct comprehensive verification for employment)
- ❌ We do NOT share optional information (employment history, references, NMC PIN) without your explicit consent
- ❌ We do NOT use your data for purposes unrelated to recruitment
- ❌ We do NOT replace employer responsibility for conducting proper pre-employment verification checks
7. Third-Party Service Providers
We share personal data with third-party service providers who process data on our behalf:
- Supabase (Database and Hosting): All personal data stored on Supabase cloud infrastructure (UK/EU data centers, GDPR compliant)
- NMC (Nursing and Midwifery Council): We verify NMC PINs against the NMC register to validate registration status for platform quality and matching purposes only
- Onfido (Identity Verification): Optional identity verification service (document images and biometric data processed by Onfido)
- Email Service Providers: For sending transactional emails (interview notifications, platform updates)
- Analytics Providers: Anonymised usage data for platform improvement
- Payment Processors: For employer billing (no nurse payment data)
All service providers are bound by data processing agreements and only process data according to our instructions.
8. International Data Transfers
We primarily store and process your data within the United Kingdom. Where we use service providers located outside the UK/EEA, we ensure appropriate safeguards are in place:
- Adequacy decisions recognized by the UK Information Commissioner's Office (ICO)
- Standard Contractual Clauses approved for international transfers
- Binding Corporate Rules for multinational service providers
Specific transfers: Supabase (UK/EU data centers), Onfido (GDPR compliant with appropriate safeguards)
9. Data Retention
| Data Type | Retention Period |
|---|---|
| Profile data (active accounts) | While account remains active |
| CVs and documents | 3 years after last login or until deletion |
| Employment history & references | Until account deletion or manual removal |
| Interview requests | 14 days (expires if no response) |
| Message history | 2 years for quality assurance |
| Job postings | 1 year after expiry |
| Billing records (employers) | 7 years (UK tax law requirement) |
| Inactive accounts | Auto-delete after 2 years + 30-day notice |
| Employer deletion requests | Review process: max 1 month (fraud prevention & contractual compliance check) |
Employer Account Deletion Process
When an employer requests account deletion, we conduct an administrative review (maximum 1 month) to:
- Verify all financial obligations are settled
- Ensure no outstanding payments for interview requests or successful hires
- Check for suspicious activity (e.g., collecting nurse data to circumvent platform fees)
- Confirm all active interview requests have documented outcomes
Expedited deletion: If you're compliant with all checks, we can facilitate faster removal. Contact us at hello@roamnurses.co.uk to request expedited processing.
Legal basis: This review process is permitted under GDPR Article 17(3) for legal compliance (contractual obligations, tax law) and legitimate interests (fraud prevention, protecting platform integrity).
10. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
Right of Access (Article 15)
Request a copy of the personal data we hold about you, including categories of data, purposes of processing, recipients, and retention periods.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data. Most information can be updated directly in your profile settings. You can also add or remove optional information at any time.
Right to Erasure / "Right to be Forgotten" (Article 17)
Request deletion of your personal data where it's no longer necessary, you withdraw consent, or you object to processing.
For Nurses: Use the "Delete Account" option in settings or contact us. Your data will be permanently deleted within 30 days.
For Employers: Employer account deletion requests go through an administrative review process to ensure:
- All contractual and financial obligations are settled
- No outstanding payments for interview requests or hires
- No suspicious activity (e.g., gathering nurse data to circumvent payment)
- All active interview requests have documented outcomes
This review process takes a maximum of 1 month from your deletion request. If you require faster deletion and are compliant with all checks, we can facilitate expedited removal. This delay is permitted under GDPR Article 17(3) for legal compliance and fraud prevention purposes.
Note: Certain records (billing, payment history) will be retained for 7 years as required by UK tax law, even after account deletion. These records are anonymised where possible.
Right to Restrict Processing (Article 18)
Request limitation of processing while we verify accuracy or assess your objection.
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format (CSV, JSON) to transfer to another service.
Right to Object (Article 21)
Object to processing based on legitimate interests or direct marketing. Use unsubscribe links in emails or contact us.
Right to Withdraw Consent
Where processing is based on consent (e.g., sharing pre-employment information, identity verification), you can withdraw consent at any time.
How to Exercise Your Rights:
Contact us at hello@roamnurses.co.uk with your request. We will respond within one month.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data:
Technical Measures:
- Encryption: TLS/SSL for data in transit, AES-256 for data at rest
- Authentication: Supabase Authentication with secure session management
- Access Control: Row-Level Security (RLS) policies ensure users can only access their own data
- File Storage: Signed URLs with 60-second expiry for CV downloads
- Infrastructure: Hosting on Supabase (SOC 2 Type II certified), regular backups, DDoS protection
Organisational Measures:
- Staff training on data protection and security
- Access controls (need-to-know basis only)
- Data processing agreements with all third-party providers
- Incident response procedures for data breaches
Your Role in Security:
- Use a strong, unique password
- Don't share login credentials
- Log out on shared devices
- Report suspicious activity immediately
Despite these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but commit to notifying you and relevant authorities of any data breaches as required by law.
12. Cookies and Tracking Technologies
Types of Cookies:
- Essential Cookies: Authentication, session management, security (cannot be disabled)
- Functional Cookies: Remember preferences, settings, language (1 year)
- Analytics Cookies: Usage analytics, performance monitoring - internal only, NO third-party analytics (1 year)
You can control cookies through browser settings. We respect "Do Not Track" (DNT) browser settings.
13. Marketing Communications
We may send you:
- Job opportunities matching your profile
- Platform updates and new features
- Career guidance and industry insights
- Invitations to relevant events
Legal Basis: Legitimate interest for existing users (with easy opt-out), explicit consent for prospective users.
How to Opt Out: Click "unsubscribe" in emails, update notification preferences in account settings, or contact us. You'll still receive essential service-related communications (interview notifications, account security alerts).
14. Children's Privacy
Our platform is intended for professional healthcare workers and is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. Student nurses who are 18 or older may use the platform.
15. Fraud Prevention and Platform Integrity
We take platform integrity seriously and have measures in place to prevent abuse, including:
- Employer verification: Employers must be verified before accessing nurse data
- Payment enforcement: Employers must settle all financial obligations before account deletion
- Activity monitoring: We monitor for suspicious patterns (e.g., excessive candidate viewing without legitimate hiring activity)
- Data access logging: All access to nurse data by employers is logged for audit purposes
Why this matters: These measures protect nurses from employers who might attempt to collect candidate data without fair compensation or bypass platform fees. This is a legitimate interest under GDPR Article 6(1)(f).
16. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in practices, technology, or legal requirements. We will notify you of material changes by:
- Email notification (sent 30 days before changes take effect)
- Prominent notice on our platform
- In-app notification when you next log in
Changes take effect 30 days after notification, unless immediate changes are required for legal compliance or security. Continued use after the effective date constitutes acceptance.
17. Contact Us & Complaints
For any questions about this Privacy Policy or to exercise your rights:
Email: hello@roamnurses.co.uk
Data Protection Officer: hello@roamnurses.co.uk
We aim to respond within 5 business days. For requests to exercise your data rights, we will respond within one month as required by UK GDPR.
Right to Lodge a Complaint
If you believe we have not handled your personal data appropriately, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Website: www.ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first so we can address your concerns directly, but you have the right to contact the ICO at any time.
⚠️ Important Disclaimers
NMC Verification (Platform Purposes Only)
When you provide your NMC PIN, we verify it against the NMC register to ensure platform quality and facilitate accurate matching. However, this verification is for platform purposes only. Employers remain fully responsible for conducting their own NMC verification checks for employment purposes.
Other Pre-Employment Checks (Self-Attested Only)
We collect self-attested Yes/No responses from nurses about right to work, DBS status, UK training, etc. We do NOT verify this information. Employers are solely responsible for verifying all pre-employment information in accordance with UK employment law before making any hiring decisions. Our platform facilitates information sharing but does not replace legal verification requirements.
Optional Information
Much of the information we collect (including NMC PIN, employment history, CV, references, and detailed experience) is optional. We collect this to improve job matching accuracy and help employers assess your suitability. You control what optional information you provide and when it's shared with employers.
Privacy Policy Version: 1.0
Effective Date: 9 December 2025
Last Updated: 9 December 2025
Next Review Date: 9 June 2026
This Privacy Policy is specific to Roam Nurses (product of Roam Health Ltd) and accurately reflects our platform's progressive data disclosure system, consent mechanisms, and data handling practices as implemented in our codebase.