Privacy Policy
Effective date: 1 April 2026
1. Who we are
Caio (“we”, “us”, “our”) provides compliance infrastructure for recruitment agencies operating in education, healthcare, and social care. This privacy policy explains how we collect, use, store, and protect personal data when you visit our website, use our platform, or otherwise interact with us.
Our registered address is in the United Kingdom. For data protection purposes, Caio is the data controller.
2. What data we collect
We collect different types of personal data depending on how you interact with us:
Website visitors
- Technical data: IP address, browser type, device information, pages visited, and referring URL
- Cookie data: preferences and analytics cookies (see Section 8)
Contact form submissions
- Name, email address, company name, sector, and message content
- Enquiry type (demo request, register interest, general enquiry, partnership)
Platform users (agency staff)
- Account credentials and contact details
- Usage data and activity logs within the platform
Candidate data (processed on behalf of agencies)
- Identity documents, DBS certificates, Right to Work evidence, references, training certificates, and health clearances
- Compliance check results and status records
When processing candidate data, we act as a data processor on behalf of the recruitment agency (the data controller). Our processing is governed by a Data Processing Agreement with each agency client.
3. How we use your data
We use personal data for the following purposes:
- To provide our services: executing compliance checks, managing candidate records, and generating audit trails
- To respond to enquiries: processing contact form submissions and demo requests
- To improve our website: analysing visitor behaviour to improve content and user experience
- To comply with legal obligations: maintaining records as required by applicable regulations
- To communicate with you: sending service-related updates and, where you have opted in, marketing communications
4. Legal basis for processing
We process personal data under the following legal bases as defined by UK GDPR:
- Contract: where processing is necessary to perform our contract with you or your organisation
- Legitimate interests: where processing is necessary for our legitimate business interests, such as improving our services and ensuring platform security, provided these do not override your rights
- Consent: where you have given specific consent, such as for marketing communications
- Legal obligation: where processing is required to comply with applicable law
5. Data sharing
We do not sell personal data. We share data only in the following circumstances:
- Service providers: we use trusted third-party providers for hosting, email delivery, and analytics. These providers process data on our behalf under contractual obligations
- Regulatory bodies: where required by law, we may disclose data to regulatory authorities
- Agency clients: compliance outcomes and candidate data are shared with the agency that submitted the candidate, in accordance with our Data Processing Agreement
We do not transfer personal data outside the United Kingdom unless adequate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.
6. Data retention
We retain personal data only for as long as necessary for the purpose for which it was collected:
- Contact form submissions: retained for up to 24 months unless you request earlier deletion
- Platform user accounts: retained for the duration of the client relationship and for 12 months thereafter
- Candidate compliance data: retained in accordance with the Data Processing Agreement with the relevant agency. We follow sector-specific retention guidelines, including not retaining DBS certificate copies for longer than 6 months
- Website analytics data: retained for up to 26 months
7. Your rights
Under UK GDPR, you have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate data
- Erasure: request deletion of your data where there is no compelling reason for continued processing
- Restriction: request restriction of processing in certain circumstances
- Portability: request your data in a structured, commonly used format
- Objection: object to processing based on legitimate interests or for direct marketing purposes
- Withdraw consent: where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at privacy@usecaio.com. We will respond within 30 days.
8. Cookies
Our website uses cookies to improve functionality and analyse usage. We use the following types of cookies:
- Strictly necessary cookies: required for the website to function. These cannot be disabled
- Analytics cookies: help us understand how visitors use the website. We use privacy-respecting analytics that do not track individuals across sites
- Preference cookies: remember your settings and preferences
You can manage cookie preferences through your browser settings.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit and at rest
- Role-based access controls
- Regular security assessments
- Incident response procedures
10. Changes to this policy
We may update this privacy policy from time to time. Significant changes will be communicated via our website. The effective date at the top of this page indicates when the policy was last updated.
11. Contact us
If you have questions about this privacy policy or how we handle your data, contact us at:
- Email: privacy@usecaio.com
- General enquiries: hello@usecaio.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.