Privacy Policy

Last updated: April 15, 2026

1. Who We Are

Entity: Tarquin Barnsby trading as AgencySoftware.io

ICO Registration: ZC136598 (Information Commissioner's Office)

Address: Little Waterham Farm, Highstreet R, Faversham, Kent, ME13 9EJ

Role: FosterFlow acts as the Data Controller for independent Carers. For users managed by a Fostering Agency, FosterFlow acts as a Data Processor on behalf of that Agency (the Controller).

Contact: tarquin@tarquinbarnsby.com

2. Special Category Data

Under the UK General Data Protection Regulation (UK GDPR) Article 9, FosterFlow explicitly processes Special Category Data, specifically relating to the health, welfare, and social care of children in the fostering system. We treat all logged data with the absolute highest security constraints.

3. Lawful Basis for Processing

We process your data under the following UK GDPR bases:

  • Contract (Art. 6): To provide the software service you subscribed to.
  • Explicit Consent (Art. 9): For independent carers logging Special Category Data.
  • Substantial Public Interest / Statutory Duty (Art. 9): For Fostering Agencies fulfilling their Ofsted statutory recording obligations.

4. "Zero-Access" Support Protocol

FosterFlow administrators operate under a strict Zero-Access Protocol. We will NEVER access, read, or audit your encrypted or specialized care records unless you provide explicit, written consent via an active support ticket (e.g., to debug a specific missing log). You retain absolute sovereignty over your unshared data.

5. Artificial Intelligence Processing Guarantee

FosterFlow uses AI to transcribe and generate draft reports. We guarantee that ZERO Special Category Data processed by our platform is used by our AI providers (e.g., Google Gemini) to train, fine-tune, or improve their base foundational models. We use strict Enterprise-tier API agreements that enforce zero-data-retention for training purposes.

6. Sub-Processors & International Data Transfers

To provide our services, we use carefully vetted sub-processors. Whenever data is transferred outside the UK/EEA (such as to the United States), it is structurally protected by Standard Contractual Clauses (SCCs) or the UK Extension to the EU-US Data Privacy Framework.

  • Clerk: Authentication and Identity Management
  • Supabase: Primary Database Hosting
  • Cloudflare (R2): Encrypted Audio / Object Storage
  • Google Gemini: Zero-Retention AI Draft Processing
  • Stripe: Payment Processing
  • Mailgun: Transactional Email Delivery

7. Law Enforcement & Safeguarding Subpoenas

FosterFlow respects the absolute privacy of your records. We will only release a standalone Carer's data under a formal statutory warrant, court order, or subpoena issued by law enforcement, the Local Authority Designated Officer (LADO), or Ofsted. We will NOT release data based on informal agency requests or civil disputes without the Carer's explicit consent.

8. Data Retention & Right to be Forgotten

We retain your data for as long as your account is active. If your account becomes inactive and your subscription lapses, your data will be permanently wiped (Cascading Deletion) after 90 days.

Agency Override Rule: If your FosterFlow account is managed or paid for by a Fostering Agency, they are the Data Controller. Because Agencies have a statutory duty to retain records (often for 75 years), you cannot unilaterally delete your account or records from the platform. You must contact your Agency directly to manage your data rights.

9. Your Rights (UK GDPR)

You have the right to:

  • Access & Portability: You can download all your data instantly using the 1-Click DSAR Vault in your Settings.
  • Rectification: Correct inaccurate data via the app. For logs older than 24 hours (which are cryptographically sealed), you must append a formal Amendment.
  • Erasure: Request deletion (subject to the Agency Override Rule).
  • Complaint: Lodge a complaint with the ICO (ico.org.uk).

10. Contact Us

For any privacy questions or to exercise your rights, email tarquin@tarquinbarnsby.com.