Home About Services How It Works Find a Carer Join Us Community Understanding Care FAQ Contact
For providers Log in Get started
Legal

Privacy Notice

This notice explains how Hibant Care collects, uses and protects your personal information under UK data protection law.

Last updated: 19 May 2026

This Privacy Notice explains how Hibant Care looks after your personal information, what we collect, why, who we share it with, how long we keep it, and the rights you have. We have written it in plain English, because we think you should be able to understand what happens to your information without needing a lawyer to read it for you.

Caring for someone, or working as a carer, means trusting other people with sensitive things. We take that trust seriously, and protecting your information is part of how we honour it.

1. Who we are

Hibant Care is operated by Hibant Care Ltd, a company registered in England and Wales with company number 17180137. For the information described in this notice, Hibant Care Ltd is the data controller, the organisation responsible for deciding how and why your information is used.

You can reach us about anything in this notice at:

Hibant Care Ltd Email: hello@hibantcare.com Phone: 020 7870 1352

2. What this notice covers

This notice covers the personal information we handle through our website at hibantcare.com, our mobile app, our online portal and our community board (together, the "Platform").

It applies to:

  • families and individuals who use the Platform to arrange care (we call them "Account Holders");
  • carers: the independent, self-employed carers who use the Platform to find work;
  • care recipients: the people who receive care, where information about them is provided to us;
  • community board users; and
  • visitors to our website.

A note on roles. Hibant is an introductory agency. When a carer provides care, the carer keeps their own records about that care (such as care notes). For those care records, the carer is the data controller, not Hibant. The carer is responsible for them, and we do not routinely access them. This notice is about the information Hibant controls.

3. The information we collect

If you are an Account Holder (a family member or someone arranging care), we may collect:

  • your name, contact details (address, email, phone) and date of birth;
  • account login details and your settings and preferences;
  • information you give us about the care being arranged, and about the care recipient, which may include health and care-needs information (see section 6);
  • your messages and communications with carers and with us through the Platform;
  • booking details and payment-related information (note that card and bank details are handled by Stripe, not by us; see section 9); and
  • information about how you use the Platform (see section 14 on cookies).

If you are a carer, we may collect:

  • your name, home address, contact details and date of birth;
  • account login details, and the profile content you choose to upload (your photo, biography, experience, qualifications and rates);
  • verification information: the outcome of identity and right-to-work checks, your Enhanced DBS information, references, Care Certificate or equivalent training, and proof of professional insurance (section 8 explains how we handle this, and what we deliberately do not collect);
  • your self-employment declaration and your Unique Taxpayer Reference (UTR), where provided;
  • your messages and communications through the Platform;
  • booking and payout-related information; and
  • information about how you use the Platform.

If you are a care recipient, we may hold the information an Account Holder provides about you in order to arrange suitable care, which may include health and care-needs information. We only hold what is provided to us for that purpose.

If you use the community board, we collect your posts and contributions and the information you choose to include in them.

If you are a website visitor, we collect limited technical and usage information through cookies and similar technologies, as described in section 14.

4. Where we get your information from

Most of the information we hold comes directly from you, when you register, build a profile, make an enquiry, arrange a booking, post on the community board, or contact us.

We also receive some information from other sources:

  • from referees, when we take up a carer's references;
  • from identity and background-check providers and the DBS Update Service, when verifying a carer;
  • from Stripe, our payment provider, in connection with payments and payouts;
  • from an Account Holder, where they give us information about a care recipient; and
  • automatically, from your device and browser, when you use the Platform.

5. How and why we use your information

We only use your information where the law allows us to. The table below sets out what we use information for, and the legal basis ("lawful basis") for each use.

What we use information forLawful basis
Creating and running your account; providing the introductory service; enabling searches, messaging and bookingsPerformance of our contract with you
Verifying carers: identity, right to work, Enhanced DBS, references, training and insuranceCompliance with our legal obligations and our legitimate interest in a safe, trustworthy platform
Processing payments, and keeping tax, accounting and transaction recordsCompliance with our legal obligations
Keeping the Platform and its users safe: fraud prevention, security, investigating concernsOur legitimate interest in protecting users and the Platform
Safeguarding: acting on, recording and escalating concerns about a person at risk of harmCompliance with legal obligations and our legitimate interest in protecting people; for health or safeguarding information, see section 6
Responding to your enquiries and providing supportPerformance of our contract, and our legitimate interest in helping you
Improving the Platform and our services, and understanding how the Platform is usedOur legitimate interest in developing and improving what we offer
Sending you service messages you need (for example, about a booking or a change to our terms)Performance of our contract, and compliance with legal obligations
Sending you marketing about Hibant, where appropriateYour consent, or our legitimate interest in keeping existing users informed; you can opt out at any time

Where we rely on legitimate interests, we have considered whether our interest is fair to you, and we will not use your information in a way that overrides your rights. You can ask us about this at any time.

6. Health information and the Care Information Organiser

Arranging care sometimes means telling us about a person's health or care needs, for example, a condition, mobility needs, or the kind of support required. Information about health is special category data under data protection law, and it gets extra protection.

We only collect health information that you choose to give us so that we can help arrange suitable care, or where it is needed for a safeguarding concern. We ask you not to share more health detail than is needed for that purpose.

When we handle health information, we do so:

  • with your explicit consent, where you provide health information to help us arrange a suitable introduction; and
  • where it is necessary in the substantial public interest of safeguarding, where a concern about a person at risk arises.

The Care Information Organiser. The Platform may offer a tool called the Care Information Organiser. This is simply a structured way for a family to organise the information they choose to provide about the care they are arranging. It is created and owned by the family. It is not a clinical assessment, a care plan, a risk assessment or medical advice, and Hibant does not write, approve, monitor or update it. We provide the structure; the family provides and controls the content.

Visit records and photos. When a carer records what they did during a visit, for example a care note, an observation about something they noticed, or a photo taken with the person's consent, that record is the carer's own contemporaneous account of the care provided, and the carer is its data controller (see the note on roles in section 2). The Platform stores it securely, shows it to you in your portal, and keeps it for the period set out in section 11. Because a visit record is a point-in-time account of what actually happened, it is kept as it was written: if you later change or remove a medicine from your own list, an earlier signed visit record that referred to it is not rewritten, so the record of what was done that day stays accurate and complete. Any photos are held in a private store, are never made public, and are removed automatically once the record they belong to is deleted.

7. Criminal records and DBS information

To help keep care recipients safe, we verify that carers hold a valid Enhanced DBS check (with a barred-list check where the role allows). DBS information is criminal-records information, which has special protection under data protection law.

We handle this information solely for the purpose of safeguarding people at risk of harm, which is the basis on which we are permitted to process criminal-records information. We treat it as strictly confidential, hold only what we need, and keep it only for as long as section 11 allows.

8. Carer verification and background checks

When we onboard a carer, we verify a defined set of things. It is worth being clear about how we do this, because we have designed it to hold as little sensitive information as possible.

  • Identity is checked by reviewing the carer's identity document. We record the outcome of that check: that identity was verified, when, and the type of document seen. We do not need, and do not keep, long-term copies of identity documents.
  • Right to work is checked and the outcome recorded.
  • The carer's Enhanced DBS is verified, wherever possible through the DBS Update Service, which lets a current certificate be confirmed online. We record the DBS outcome (the certificate number, its date, the type of check and the result). We do not retain a copy of the DBS certificate itself; where we ever see one, it is not kept beyond the short period allowed by the DBS Code of Practice.
  • References, training (the Care Certificate or equivalent) and professional insurance are checked, and we keep a record that they were satisfactory.
  • The carer provides a self-employment declaration and their UTR.

What we deliberately do not collect. We do not routinely ask carers for utility bills or bank statements, and we do not collect proof-of-address documents as a standing requirement. Modern verification does not need them, and holding them would mean holding sensitive documents we do not need. We hold the carer's home address as part of their profile and contact information, but not the underlying documents.

Stripe's separate checks. Because carer payments run through Stripe, Stripe independently carries out its own identity and address verification of carers as part of its regulated payment process. Any documents Stripe asks for are provided directly to Stripe, stay within Stripe's systems, and are never held by Hibant. Stripe acts as a separate data controller for that verification (see section 9).

9. Who we share your information with

We do not sell your personal information, and we share it only where we need to. We may share information with:

  • Carers and Account Holders: to make an introduction work, the relevant information is shared between the family and the carer they choose to engage. We share what is needed for that purpose.
  • Stripe, our payment provider, which processes payments and carer payouts and carries out its own identity and address verification. Stripe is a separate data controller for the information it collects and verifies for those purposes; its own privacy policy applies to that processing.
  • Identity, background-check and DBS verification providers, which help us verify carers.
  • Service providers who help us run the Platform (for example, secure hosting, IT, communications and analytics providers), who act on our instructions and may only use the information to provide their service to us.
  • The emergency services, local authorities, the police, regulators or other authorities, where we need to share information to deal with a safeguarding concern, to protect someone, to comply with the law, or to respond to a lawful request.
  • Our professional advisers, such as lawyers and accountants, where needed.
  • A buyer or successor, if our business is reorganised, sold or transferred, in which case information would be handled in line with this notice.

We never share more than is needed, and we never use card or bank details to do anything you have not asked for; those are held by Stripe, not by us.

10. Where your information is held

We aim to keep personal information within the UK or the European Economic Area wherever we can. Some of our service providers (for example, certain technology providers) may process information outside the UK. Where that happens, we make sure an appropriate safeguard recognised by UK data protection law is in place, such as a UK adequacy decision, or the UK's International Data Transfer Agreement or Addendum, so that your information stays protected to UK standards.

11. How long we keep your information

We keep personal information only for as long as we need it for the purpose we collected it for, or for as long as the law requires. The table below sets out our standard retention periods. Where a period runs from the end of your "membership", that means from when your account is closed.

InformationHow long we keep it
Account and profile information (Account Holders and carers)Duration of membership, then up to 6 years
Care records and visit notes held in the Platform, including any photos (the carer is the data controller; see sections 2 and 6)While the care arrangement is active, then up to 8 years, to support safeguarding and to keep an accurate record of the care provided
Carer identity verification (outcome record)Duration of membership, then a reasonable period
Carer identity document copies (where any copy is taken at all)Deleted within 3 months of verification being completed
Right-to-work check recordsDuration of membership, then 2 years
DBS outcome record (certificate number, date, type, result)Duration of membership, then up to 6 years, to support safeguarding
DBS certificate copy (where ever held)Destroyed within 6 months, in line with the DBS Code of Practice; we keep only the outcome record
References, training and qualification recordsDuration of membership, then a reasonable period
Insurance recordsDuration of membership, then a reasonable period; refreshed as policies renew
Self-employment declaration and UTRDuration of membership, then up to 6 years
Booking, payment, invoice and tax records6 years, as required for tax and accounting
Messages and communications through the PlatformWith the related booking records; otherwise a reasonable period
Enquiries from people who do not go on to registerUp to 12 months
Unsuccessful carer applicationsUp to 6 months
Community board postsWhile your account is active; removed posts are deleted within a reasonable period afterwards
Marketing preferences and marketing listsUntil you unsubscribe, or after 24 months of inactivity
Website analytics and cookie informationUp to 26 months
Anonymised and aggregated informationIndefinitely; once information is anonymised it is no longer personal information (see section 12)

When we no longer need information, we securely delete or anonymise it.

12. Anonymised and aggregated information

We may turn personal information into anonymised and aggregated information, meaning information from which no individual can be identified. Once information has been genuinely anonymised in this way, it is no longer personal information, and data protection law no longer applies to it.

We may use, share and sell anonymised and aggregated information to responsible third parties, such as research, academic and public-health partners, for purposes including research, analysis and improving care services. Where we do this:

  • it is only ever done with information that has been genuinely anonymised, so that no individual (no family, no carer and no care recipient) can be identified or singled out;
  • we apply the Information Commissioner's Office's approach to anonymisation in deciding whether information truly meets that standard; and
  • we require anyone who receives it to commit, by contract, not to attempt to re-identify anyone.

We never share or sell information that still identifies you. If you would prefer that even your anonymised information is not used in this way, you can tell us at and we will do our best to honour that.

A note for review. This section has been drafted to permit the sharing and sale of genuinely anonymised data, as instructed, but scoped tightly: anonymised-only, with a contractual no-re-identification commitment and an opt-out. If you would prefer a more conservative version (for example, "share with research partners" without the word "sell", which sits more softly alongside Hibant's warm, family-trust brand), that is a one-line change; just say the word.

13. Your rights

Data protection law gives you rights over your personal information. You can ask us to:

  • give you access to the information we hold about you;
  • correct information that is wrong or incomplete;
  • delete information, in certain circumstances;
  • restrict or object to how we use information, in certain circumstances;
  • transfer certain information to you or another organisation ("data portability"); and
  • withdraw consent at any time, where we are relying on your consent (this does not affect anything done before you withdrew it).

These rights have some limits, for example, we may need to keep certain information to meet a legal obligation or to deal with a safeguarding matter. We will always explain our reasoning if we cannot fully meet a request.

To exercise any of these rights, contact us at hello@hibantcare.com. We will respond within one month, and we will not charge you for a normal request.

14. Cookies and analytics

Our website uses cookies and similar technologies, small files placed on your device, to make the website work, to keep it secure, and to understand how it is used so we can improve it.

Some cookies are strictly necessary for the website to function, and these are always on. Others, such as analytics cookies, are not necessary, and we will only use them if you agree. When you first visit, you will see a cookie banner that lets you accept or reject non-essential cookies with equal ease, and you can change your choice at any time.

We use analytics tools to produce statistics about how the website is used. You can also control cookies through your browser settings, though turning off some cookies may affect how the website works.

15. Keeping your information secure

We use appropriate technical and organisational measures to protect personal information against loss, misuse and unauthorised access, including access controls, encryption in transit, and confidentiality obligations on our staff and providers. No system can be guaranteed completely secure, but we take security seriously and keep our measures under review. If a serious data breach ever occurs, we will act on it promptly and tell you and the regulator where the law requires.

16. Children

The Platform is intended for adults (18 and over) and is not designed for use by children. We do not knowingly collect information directly from children. Care is sometimes arranged for adults of any age; this notice concerns the adults who use the Platform.

17. Changes to this notice

We may update this notice from time to time, for example, to reflect changes to the Platform or to the law. When we do, we will post the updated version here with a new "last updated" date, and where the change is significant we will let you know directly. Please check back from time to time.

18. How to contact us, and how to complain

If you have any question about this notice, or about how we handle your information, please contact us first. We would genuinely like the chance to help:

Hibant Care Ltd Email: hello@hibantcare.com Phone: 020 7870 1352

If you are not satisfied with how we have handled your information, you have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO):

  • Online: ico.org.uk/concerns
  • Helpline: 0303 123 1113

We would, though, always appreciate the opportunity to put things right ourselves before you approach the ICO.