Features Pricing Login Start free trial

Privacy Policy

Last updated: 7 April 2026

1. Introduction

This Privacy Policy explains how Purinode ("we", "us", "our") collects, uses, stores, and protects your personal data when you use Trine, our CQC compliance tracking platform for UK care providers.

Trine is designed to help regulated care providers manage compliance actions, evidence, inspection readiness, and staff accountability across single services and multi-site groups.

We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data controller

The data controller responsible for your personal data is:

Purinode
Email: privacy@trine.uk

If you have any questions about this policy or how we handle your data, please contact us using the details above.

3. What personal data we collect

We collect data that you provide directly, data generated through your use of the platform, and limited technical data collected automatically.

3.1 Account and identity data

  • Full name
  • Email address
  • Password (stored as a one-way cryptographic hash — we never store plaintext passwords)
  • Role and permissions within your organisation (e.g., company admin, care home manager, staff, viewer)

3.2 Organisation and care home data

  • Company name, address, and CQC provider ID
  • Care home names, addresses (line 1, line 2, city, postcode), phone numbers, and email addresses
  • CQC location IDs
  • Membership and role assignments (which users belong to which company and care home)

3.3 Compliance and operational data

  • Compliance actions (titles, descriptions, owners, statuses, due dates, categories, domains, regulations)
  • Evidence files and metadata (filenames, document dates, expiry dates, evidence types, storage locations, notes)
  • Evidence register entries linking files to regulations and controls
  • System control completions and action history audit trails
  • Inspection readiness scores, readiness snapshots, and trend data
  • Evidence expiry automation run history

3.4 Technical and usage data

  • IP address and browser user agent (collected in server logs)
  • Authentication tokens and session identifiers (stored in your browser's local storage)
  • Timestamps of account creation, login, and data modifications
  • Dashboard scope selections and navigation state (stored in your browser's session storage for continuity)

4. How we use your data

We use your personal data for the following purposes:

4.1 Service delivery

  • Authenticating your identity and managing secure access to your account
  • Providing the Trine platform, including all compliance tracking, evidence management, and readiness scoring features
  • Scoping data access to your company and care home(s) using our multi-tenant access control model
  • Generating compliance readiness scores, evidence health summaries, weekly readiness trend snapshots, and "what changed" delta reports
  • Running evidence expiry automation to create follow-up actions for expired or expiring evidence

4.2 Communications

  • Sending transactional emails (password resets, account verification)
  • Notifying you of material changes to our terms or this privacy policy

4.3 Security and integrity

  • Detecting and preventing unauthorised access, fraud, and abuse
  • Maintaining audit trails of compliance actions and evidence changes
  • Enforcing role-based access controls and tenant data isolation

4.4 Product improvement

  • Analysing aggregated, anonymised usage patterns to improve platform features
  • Diagnosing technical issues and improving performance

5. Legal basis for processing

We process your personal data on the following legal bases under UK GDPR:

Legal basis Applies to
Performance of a contract (Art. 6(1)(b)) Providing the Trine service, managing your account, processing your compliance data
Legitimate interest (Art. 6(1)(f)) Improving our product, ensuring platform security, preventing fraud, maintaining audit trails
Legal obligation (Art. 6(1)(c)) Complying with applicable laws, responding to lawful requests from authorities
Consent (Art. 6(1)(a)) Optional marketing communications (where applicable — you may withdraw consent at any time)

6. Data sharing and third parties

We do not sell, rent, or trade your personal data.

We may share your data with the following categories of third parties, strictly for the purposes described in this policy:

  • Cloud infrastructure providers — for hosting, database services, and file storage. All providers are bound by data processing agreements and process data on our behalf only.
  • Email service providers — for sending transactional emails (password resets, notifications).
  • Professional advisors — legal, accounting, or compliance advisors where necessary.
  • Law enforcement and regulators — where we are legally required to disclose data, or to protect our rights, safety, or property.

We ensure that all third-party processors provide sufficient guarantees regarding data protection and are compliant with UK GDPR requirements.

7. International data transfers

Where your data is transferred outside the United Kingdom, we ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the ICO
  • Adequacy decisions by the UK government
  • Other legally recognised transfer mechanisms

8. Data retention

We retain your personal data for as long as necessary to fulfil the purposes described in this policy:

  • Active accounts — data is retained for the duration of your subscription and active use of the platform.
  • Closed accounts — upon account closure or deletion request, we will delete or anonymise your personal data within 90 days.
  • Compliance records — action history, evidence audit trails, and readiness snapshots may be retained for up to 7 years after account closure to support regulatory compliance obligations of care providers.
  • Server logs — technical logs are retained for up to 12 months for security and diagnostic purposes.
  • Legal holds — if we are subject to a legal obligation or dispute, relevant data may be retained for the duration of that obligation.

9. Your rights under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
  • Right to restrict processing (Art. 18) — request that we limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20) — receive your data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21) — object to processing based on legitimate interests or direct marketing.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Rights related to automated decision-making (Art. 22) — Trine does not currently make decisions based solely on automated processing that produce legal or similarly significant effects on you.

To exercise any of these rights, please contact us at privacy@trine.uk. We will respond within one month, as required by UK GDPR.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113

10. Data security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit — all connections use HTTPS/TLS encryption.
  • Password hashing — passwords are stored using industry-standard one-way hashing algorithms (bcrypt). We never store or transmit plaintext passwords.
  • Role-based access control — users can only access data within their assigned company and care home scope. Super-admin, company admin, care home manager, staff, and viewer roles enforce the principle of least privilege.
  • Multi-tenant data isolation — each company's and care home's data is logically isolated using tenant-scoped queries and access guards throughout the application.
  • Bearer token authentication — secure JWT-based authentication with token expiry and session management.
  • Audit trails — key actions (evidence uploads, replacements, control completions) are logged with timestamps for accountability.
  • Regular backups — database backups are performed regularly and stored securely.

While we take all reasonable steps to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any breach in accordance with our legal obligations.

11. Data breach notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Art. 33.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
  • Document the breach, its effects, and the remedial actions taken.

12. Cookies and local storage

Trine uses the following browser storage mechanisms:

Type Purpose Duration
Local storage (auth token) Authenticating your session Until logout or token expiry
Session storage (dashboard state) Preserving your navigation context (scope, filters) across page refreshes Browser session only
Local storage (UI preferences) Remembering sidebar collapse state and nav group preferences Persistent until cleared

We may introduce optional analytics and functional cookies in the future. If we do, we will request your explicit consent via the cookie preferences banner before enabling them. We do not use third-party advertising cookies, tracking pixels, or cross-site tracking. We do not participate in ad networks.

13. Children's privacy

Trine is a business-to-business platform designed for use by care provider organisations and their staff. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will take steps to delete it promptly.

14. Data Protection Impact Assessments

Where required by UK GDPR Art. 35, we conduct Data Protection Impact Assessments (DPIAs) before implementing new processing activities that are likely to result in high risk to individuals' rights and freedoms. This includes assessments for new features involving sensitive compliance data or changes to our data processing architecture.

15. Changes to this privacy policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or platform features. When we make material changes:

  • We will update the "Last updated" date at the top of this page.
  • We will notify registered users via email or an in-app notification.
  • Where required by law, we will seek your renewed consent before applying changes that affect how we process your data.

We encourage you to review this policy periodically.

16. Contact us

If you have any questions, concerns, or requests regarding this privacy policy or our data practices, please contact us:

Purinode
Email: privacy@trine.uk

For data protection enquiries, you can also contact our Data Protection Lead at the same email address.