Privacy Policy

1. Introduction

Carradale Futures Horizon Limited, a company incorporated in the UK with company number 13099555 and registered office at Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN (“we”, “us”, “our”, “CF”) is the data controller and is committed to protecting and respecting your privacy. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. CF is certified to ISO/IEC 27001:2022 for its Information Security Management System and complies with the NHS Data Security and Protection Toolkit. We apply zero-trust security principles, encryption standards (AES-256 for data at rest, TLS 1.2 or higher for data in transit), and robust access controls.

This Privacy Policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us by individuals themselves or by others. CF may use personal data provided to us for any of the purposes described in this Privacy Policy or as otherwise stated at the point of collection.


Personal data means any information relating to an identified or identifiable natural person. CF processes personal data for a number of reasons, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each reason will differ.


Data Controller

Carradale Futures Horizon Limited (company number 13099555), registered at Camburgh House, 27 New Dover Road, Canterbury, Kent, CT1 3DN, is the data controller for personal data collected through our website, marketing activities and professional services engagements.

For personal data processed through the SOPHIA platform on behalf of our clients, Carradale Futures acts as a data processor. The client organisation deploying SOPHIA is the data controller. See the SOPHIA Platform section below for further detail.


ICO Registration

Carradale Futures Horizon Limited is registered with the Information Commissioner's Office (ICO) under registration number ZB268612.


Contact Information

If you have questions or comments about this Privacy Policy or how we handle personal data, please contact transformation@carradalefutures.com.


You may also contact the UK Information Commissioner’s Office at https://ico.org.uk/concerns/ to report concerns you may have about our data handling process.

2. Consent

By using our website, you hereby consent to our Privacy Policy and agree to its terms.

3. Information you provide to us

The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal information.

If you contact us directly, we may receive additional information about you such as your name, email address, phone number, the contents of the message and/or attachments you may send us, and any other information you may choose to provide.

When you register for an Account, we may ask for your contact information, including items such as name, company name, address, email address, and telephone number.

4. How we collect your personal data

Directly


Personal data is collected directly from individuals in various ways:


  • Submitted Information: Information that you share with us by filling in forms or sharing documents with us both digitally and in paper format.

  • Office Visits: Data collected during visits to our office.

  • Meeting Attendances: Information gathered during meetings.

  • Surveys: We may ask you to complete surveys for research purposes.

  • Job Applications: Information provided during job applications.

  • Business Relationships: Data collected when establishing a business relationship or performing professional services.


Indirectly


Personal data is collected indirectly from various sources:


  • Public Registers and Public Data

  • Framework Agreements

  • Internet Searches

  • News Articles

  • Business Clients: When our clients engage us to perform professional services, we may review workforce data that includes personal data.

5. Categories of personal data we collect

We may obtain the following two categories of personal data through either direct interactions, client engagements, suppliers, job applications or other situations including those described in this Policy.


Personal Data
Common personal data collected includes:


  • Workforce Personal Details: Job role, contact details, working hours, etc.

  • Aggregated Data: anonymised data derived from personal data and special categories of personal data, used for analysis purposes.


Special Categories of Personal Data
We usually do not collect special categories of personal data. If we do, it is with explicit consent unless obtained indirectly for legitimate purposes.

6. Lawful basis for processing

In order to process personal data, we must have a lawful basis for doing so.


The processing of personal data is permitted under the following UK GDPR condition:


  • UK GDPR Article 6(1)(f) – processing is necessary for our legitimate interests in being able to provide tools and services that will benefit healthcare organisations.


The processing of special categories of personal data is permitted under the following UK GDPR conditions:


  • UK GDPR Article 9(2)(h) – processing is necessary for medical or social care treatment or the management of health or social care systems and services.

  • UK GDPR Article 9(2)(j) – processing is necessary for reasons of public interest in the area of public health. We provide tools and services to public healthcare organisations that help them to monitor and improve the standards and quality of care that they offer. Our processing is thus designed to benefit patients and society as a whole by facilitating better healthcare in the UK.


Some of our NHS clients provide us with pseudonymised patient-level healthcare data that we use for our analyses; here we act as the data processor and our NHS client acts as the data controller who is acting in the public interest.


We may depend on the following lawful bases when collecting and using personal data to perform our business activities and provide our services:


  1. Legal obligations and public interests: we may process personal data to meet certain regulatory and public interest obligations or mandates.

  2. Legitimate interests: we may rely on legitimate interests based on our evaluation that the processing is fair, reasonable and balanced.

  3. Consent: we may rely on your freely given consent.

  4. Contract: we may process personal data in order to perform contractual obligations.

7. Why we need personal data

We will always endeavour to explain our rationale for collecting personal data and maintain transparency throughout. We process employee and patient data for the purpose of helping healthcare organisations to identify areas of opportunity in performance or efficiency and work with them to improve. Reasons can include:


  1. Providing professional advice and delivering reports related to our professional services

  2. Promoting our professional services to existing and prospective business clients

  3. Fulfilling employment or contractual obligations

  4. Providing business intelligence and analytical services to enable us to predict future trends and plan our services

  5. Benchmarking performance and spend against similar health systems in England

  6. Identifying improvements in operational efficiency and monitoring the impact of implemented changes

  7. Understanding the drivers of activity and spend in a system and using this to develop a forward plan

  8. Analysing patient outcomes, quality and activity metrics and using this to develop plans to improve

  9. Seeking qualified candidates

8. SOPHIA Platform: Product Privacy Notice

What is SOPHIA?

SOPHIA is a cloud-based governance, policy management and operational workflow platform developed and operated by Carradale Futures. It is used by organisations in healthcare, education and other regulated sectors to manage standard operating procedures (SOPs), policies, checklists and staff compliance records. SOPHIA is hosted on Microsoft Azure in the UK South region and is accessed by staff via a web browser or mobile device. It is not a clinical system and does not connect to electronic patient record systems, prescribing systems or any other health IT infrastructure in standard deployment.


Our Role: Data Controller or Data Processor

How we handle your personal data under SOPHIA depends on your relationship with the platform. If you are a member of staff at an organisation that has deployed SOPHIA — for example an NHS Trust, a hospital, a pharmacy group or a higher education institution — then your employer is the data controller and Carradale Futures acts as a data processor on their behalf. Our obligations in that context are set out in a Data Processing Agreement with your employer, and you should refer to your employer's own privacy notice for information about how your personal data is used. If you are a prospective customer, website visitor or general business contact, Carradale Futures acts as the data controller and this privacy policy applies in full. If you are a Carradale Futures employee or contractor, please refer to the employment section of this policy.


What Personal Data Does SOPHIA Collect and Process?

When SOPHIA is deployed by an organisation, it processes the following categories of personal data relating to the organisation's staff:


  • Staff identity data: names, work email addresses, job roles and site allocations, provided by the deploying organisation as part of platform setup. Lawful basis: contract, specifically the performance of our service agreement with the deploying organisation.

  • Authentication data: Microsoft account identity claims and session tokens for users who log in via Microsoft Single Sign-On; hashed passwords and login timestamps for users who authenticate with an email address and password. Lawful basis: contract.

  • Platform usage data: generated automatically when staff use the platform, including SOP completion records, policy acknowledgements, step-level progress, role selections and the timestamps of those actions. Lawful basis: legitimate interests, specifically maintaining an accurate governance audit trail for the deploying organisation.

  • Audit log data: generated automatically, recording all significant user actions such as document edits, approvals, logins and report exports. Lawful basis: legitimate interests in maintaining platform integrity, security monitoring and regulatory compliance.

  • Pseudonymous patient or case reference numbers: where a Team Lead has configured a particular SOP to require an identifier, Team Members may enter a pseudonymous patient or case reference number at the point of starting that SOP. This is a reference only, not a clinical record, and Carradale Futures processes it solely as a data processor on behalf of the deploying organisation, which determines the lawful basis for that processing.

  • Notification emails: staff work email addresses are used to send platform notifications, review reminders and account confirmation emails. Lawful basis: contract.


What SOPHIA Does Not Process

SOPHIA does not process patient clinical records, diagnoses, medications, test results, treatment plans or any other clinical data. It does not use NHS numbers for identification purposes. It does not connect to electronic patient record systems, patient administration systems or any other NHS clinical infrastructure in standard deployment. It does not process financial data relating to patients. The only patient-adjacent data element in SOPHIA is the optional pseudonymous identifier field described above, which holds a reference number only.


Where Your Data Is Stored

All SOPHIA platform data is stored within the United Kingdom on Microsoft Azure, UK South region. Data is encrypted at rest using AES-256 and encrypted in transit using TLS 1.2 or higher at all points. No platform data is stored outside the United Kingdom (see also Section 9, Sharing personal data with third parties).


Data We Receive About You From Your Employer

If your employer deploys SOPHIA, they may provide your name, work email address, job role and site allocation to Carradale Futures as part of the platform setup process. This constitutes indirect collection of personal data under UK GDPR Article 14. In this case your employer is the data controller for this information and Carradale Futures processes it solely for the purpose of operating SOPHIA on your employer's behalf. You should refer to your employer's privacy notice for information about how your employer uses your data. You may also contact our Data Protection Officer directly, using the contact details in Section 1, if you have questions about how Carradale Futures specifically handles it.

9. Sharing personal data with third parties

Sometimes we may share personal data with trusted third parties to help us deliver effective and quality services. These recipients are either already contractually bound to safeguard the data we entrust to them or will sign an agreement to ensure this is the case. Your personal data will be used only for specific client work and for research in the public interest. The data we share with our NHS clients will not be identifiable unless the data controller specifically requests identifiable data.


Recipients that we engage with can include:


  1. Parties that support us as we provide services (e.g. IT system support, providers of telecommunication systems, document production services and cloud-based software services)

  2. Sub-contractors and partner organisations involved in delivering our professional services

  3. Professional advisers such as lawyers and insurers

  4. Recruitment service providers

  5. Law enforcement and regulatory agencies

We do not share your personal information with marketing and advertising companies. We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

The SOPHIA platform stores and processes all data within the United Kingdom. Primary hosting is on Microsoft Azure, UK South region.

10. Cookies

Our website may use cookies. Where cookies are used, a statement will be sent to your internet browser explaining the use of cookies.

11. Your data protection rights

Your rights are outlined below. To submit a request, please email albavargas@carradalefutures.com


The right of access to personal data

  • You have the right to access your personal data held by us.


The right of rectification

  • You have the right to request the correction of personal data held by us to the extent that it is inaccurate or incomplete.

The right to data portability

  • You have the right (in certain circumstances) to obtain personal data in a format to allow you to transfer it to another organisation.

The right to withdraw consent

  • You have the right to withdraw consent at any time, and the process to withdraw consent will be as easy as the process to give consent.

The right to object

  • You have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling).

  • This right also applies to direct marketing and processing for purposes of scientific/historical research and statistics.

The right to restrict processing

  • You have the right (in certain circumstances) to “block” or suppress the processing of your personal data.

The right to object to automated decision making (including profiling)

  • You have the right (in certain circumstances) to object to automated decisions (including profiling) based upon the processing of personal data and request human involvement.

The right to erasure/to be forgotten

  • You have the right (in certain circumstances) to request the deletion of personal data where there is no compelling reason for its continued processing.

We may request specific information from you to help us confirm your identity and therefore ensure your rights. This will help us guarantee that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

12. Personal data security

The measures we use to ensure personal data security include:


  1. Putting in place policies and procedures to protect personal data from loss, misuse, alteration or destruction.

  2. Making sure that access to personal data is limited only to those who need access to it and that confidentiality is maintained.

  3. Applying pseudonymisation and anonymisation techniques to further protect the data.

Please be aware that the transmission of data via the Internet is not always completely secure. Whilst we will do our utmost to protect the security of your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk.


Caldicott Principles

Where SOPHIA is deployed in NHS or healthcare settings, Carradale Futures is committed to upholding the Caldicott Principles that govern the use of patient and service user information. In practice this means that service user information within the platform is only accessed for a justified purpose and that the minimum necessary personal data is processed. All Carradale Futures staff and contractors with access to data receive appropriate information governance and data protection training. Data is never used in ways that could identify individuals without clear justification and authorisation from the relevant data controller.


NHS Data Security Standards

Carradale Futures complies with the NHS Data Security and Protection Toolkit and the ten NHS Data Security Standards. We hold ISO/IEC 27001:2022 certification for our Information Security Management System. Our security posture is reviewed on an ongoing basis and our DSPT submission is maintained as current. We apply zero-trust security principles, enforce encryption of data at rest and in transit, and operate strict role-based access controls across all platform environments.


Data Protection Impact Assessments

Carradale Futures has completed a Data Protection Impact Assessment for the SOPHIA platform. Our DPIA framework is maintained and reviewed whenever significant changes are made to platform functionality, data flows or processing activities.

13. Retention periods

We retain personal data to:

  1. Provide our services

  2. Stay in contact with you

  3. Comply with applicable laws, regulations and professional obligations that we are subject to

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by applicable law, regulation or contract.

Our standard retention periods are:

  1. SOPHIA platform user accounts (staff names, email addresses and role assignments): the duration of the client contract with the deploying organisation plus twelve months following contract termination or account deactivation, unless the deploying organisation requests earlier deletion.

  2. SOP and policy completion records, policy acknowledgements, audit logs and pseudonymous patient or case identifiers: as directed by the deploying organisation as the data controller, in accordance with their own retention schedule. For NHS clients this will typically align to the NHS Records Management Code of Practice or equivalent sector standard.

  3. Website visitor data and general enquiry data: three years from the date of last interaction, unless a business relationship is established.

  4. Marketing and sales contact data: three years from the date of last interaction, or until consent is withdrawn, whichever is sooner.

  5. Contractual and professional services engagements: seven years from the end of the relevant contract, in accordance with our legal obligations.

  6. Unsuccessful job applicants: twelve months after the recruitment exercise is completed, after which the data is deleted.

  7. Employee data: the duration of employment and such further period as required by our retention schedule, after which it is deleted or anonymised.

Where Carradale Futures acts as a data processor for a deploying organisation, retention decisions are made by that organisation as the data controller. We will delete or return data upon contract termination in accordance with the terms of the relevant Data Processing Agreement.

Personal data is disposed of securely when retention periods expire. Where data is no longer required for its original purpose but must be held for legal or regulatory reasons, it is restricted so that it cannot be accessed for other purposes.

14. Job applicants, current and former employees

Personal details you provide in your application for a job opening at CF will be used by us to process your application in accordance with the UK GDPR and other applicable laws.


Third parties


We may also share your data with approved organisations for fraud prevention purposes or with other third-party suppliers working on our behalf, such as employment verification service providers.


Data retention


In all instances, we take steps to ensure that an adequate level of protection is given to your personal data. Any information provided will only be stored for the necessary amount of time required, after which it will be safely destroyed. By submitting your application you are agreeing to your data being processed in accordance with these terms.


Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.


Upon employment


Once a person has taken up employment with CF, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete or anonymise it. 

15. Visits to our websites

Standard internet log information and visitor behaviour patterns are collected. We do not identify individuals and do not associate data from the website with any personally identifying information.

16. External links

Our website (https://www.carradalefutures.com/) may contain links to other websites. This privacy notice does not cover those links. We encourage you to read the privacy statements of other websites you visit.


External links are selected and reviewed when the page is published. However, we are not responsible for the content of external websites we have no control over. The content on external websites can be changed without our knowledge or agreement.


Some of our external links may be to websites which also offer commercial services. The inclusion of a link to an external website from our website should not be understood to be an endorsement of that website or the site’s owners, their products or services.

17. Email communications

Emails sent to us, including attachments, may be monitored for security and compliance purposes. Ensure that any email you send to us is within the bounds of the law.

18. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office if you believe that Carradale Futures has not handled your personal data in accordance with data protection law. You do not need to contact us before raising a complaint with the ICO, though we would welcome the opportunity to address any concern you have directly and at the earliest opportunity.

The ICO can be contacted by telephone on 0303 123 1113, online at ico.org.uk/concerns, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

19. Changes to this privacy policy

Reviewed regularly and updated as needed.
Last updated: May 2026.