Legal

GDPR Statement

How Brolly meets its obligations under UK GDPR and the Data Protection Act 2018.

Last updated: January 2025

1. Our role

Brolly Technologies Ltd acts as a data processor for personal data that customers handle through the Brolly platform, and as a data controller for information you submit to our website or our sales team.

2. Customer data (we are the processor)

When a care provider uses Brolly to document care plans, medication, incidents and so on, the provider remains the data controller. Brolly only processes that data on their documented instructions, as set out in our Data Processing Agreement (DPA). We don't use customer data for marketing, training third-party AI models, or anything outside the contracted purpose.

3. Security measures

  • All data encrypted in transit (TLS 1.2+) and at rest.
  • Role-based access control with audit logs covering every write operation.
  • Hosted in UK data centres with ISO 27001 certification.
  • Regular backups and a tested disaster recovery plan.
  • Staff access granted on least-privilege basis and reviewed quarterly.

4. Sub-processors

We use a small number of sub-processors for hosting, email and transactional services. The current list is available to customers on request. We notify customers in advance of any change and give them an opportunity to object.

5. International transfers

Personal data is stored and processed in the United Kingdom. Where a sub-processor operates outside the UK/EEA, transfers are covered by the UK International Data Transfer Agreement or equivalent safeguards.

6. Data subject rights

When Brolly is the processor, data subject requests should be directed to the provider (the controller). For requests relating to information Brolly holds directly — your enquiry, your demo booking — email hello@brolly.co.uk and we'll respond within one month.

7. Breach notification

In the unlikely event of a personal data breach, we will notify affected customers without undue delay and within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals, as required by Article 33.

8. Data Protection Officer

Contact our data protection lead at hello@brolly.co.uk or in writing at Brolly Technologies Ltd, Leeds, United Kingdom.

See also: Privacy Policy ยท Terms of Service