Facebook Linkedin Instagram

Our Privacy Policy

Introduction
ZAV Group is committed to protecting the privacy and rights of individuals whose personal
data we collect and process. This Privacy Policy explains what personal data we collect, why
we collect it, how we use and store it, who we share it with, how long we keep it, and the
rights available to data subjects under UK GDPR and related laws.

Data controller and contact details

ZAV Group (ZAV GROUP LTD) is the data controller for personal data collected through our

websites, services and business operations.

  • Registered address: 33 Roebuck Road, Hainault Business Park, Ilford, IG6 3TZ.
  • General enquiries: info@zavgroup.co.uk.
  • Referrals: referrals@ZSTcare.co.uk.
  • Data protection officer or privacy contact: dataprotection@zavgroup.co.uk.

Personal data we collect

  • Personal identity and contact data: names, job titles, phone numbers, postal and email addresses for staff, partners, referrers, parents and carers.
  • Child and client data: child initials, date of birth, gender, health and medical history, care plans, risk assessments, behavioural records and safeguarding information submitted with referrals and during placements.
  • Recruitment and employment data: CVs, employment history, references, right to work documentation, DBS checks and training records for job applicants and staff.
  • Financial and transactional data: invoicing, payment records and bank details where required for suppliers or payroll.
    • Technical and usage data: IP addresses, device and browser information, cookie identifiers and analytics data collected when you visit our websites.
    • Communications data: content of emails, phone calls, and messages where required for service delivery, referrals, complaints and enquiries.

Sources of personal data

We collect data directly from individuals, from placing local authorities and professionals during the referral process, from job applicants and staff, and from third parties such as referral agencies, educational providers and external clinicians when necessary for care planning. We also collect technical data automatically via website analytics and cookies. We make clear what data we require to provide a service and what data is optional.

Lawful bases for processing personal data

We process personal data only where we have a lawful basis under UK GDPR. Common lawful bases we rely on include:

  • Legal obligations: to meet statutory obligations, regulatory requirements and safeguarding duties.
  • Contractual necessity: to deliver care services, training, software provisioning or employment contracts.
  • Vital interests: to protect the life or safety of a child or vulnerable person in emergency situations.
  • Legitimate interests: where processing is necessary for our organisational operations, service improvement, fraud prevention and business communications, provided those interests do not override individual rights.
  • Consent: where required, for specific marketing communications or non-essential processing, obtained freely and withdrawable at any time.

How we use personal data

We use personal data to:

  • Assess, match and manage referrals and placements, including risk assessments and care planning.
  • Provide and manage care services and training, including clinical and therapeutic interventions.
  • Administer payroll, recruitment, supplier payments and contractual obligations.
  • Operate, maintain and improve our software products and IT services.
  • Communicate with referrers, families, professionals, and staff about services, appointments and required actions.
  • Ensure safeguarding, compliance, and incident reporting duties are met.
  • Fulfil legal and regulatory reporting requirements.

Special category and sensitive data

We may process special category data (for example, health data, details of offences, and information relating to a child’s welfare or safeguarding) when necessary for the provision of social care, safeguarding and health services. Processing special category data is carried out only where we have an appropriate legal basis and additional safeguards in place, and only to the extent necessary to provide safe, effective care and to meet statutory duties.

Sharing personal data and third parties

We share personal data only as required and proportionate for service delivery, safeguarding and legal compliance. Typical recipients include:

  • Local authorities, placing social workers and commissioning bodies for placement management.
  • Healthcare professionals and specialist therapists are involved in a child’s care.
  • Education providers and alternative curriculum partners.
  • Our group companies (e.g., Logicode, InkitCare, TES London) where data sharing is necessary to deliver integrated services.
  • External auditors, regulators and law enforcement where required by law.
  • IT and cloud service providers who host or process data on our behalf under contract and appropriate security provisions.

All data sharing is governed by data processing agreements, and only when a lawful basis exists.

International transfers

Where we transfer personal data outside the UK, we do so only where adequate safeguards are in place, for example, by using UK-approved transfer mechanisms, standard contractual clauses or by ensuring the recipient is in a jurisdiction with an adequate level of protection.

Data retention and deletion

We retain personal data only for as long as necessary for the purposes for which it was collected, including any legal or regulatory retention periods. For children’s case records and care documentation, retention periods reflect statutory guidance and local authority requirements, and records are retained for an appropriate period after case closure. Where data is no longer required, we securely delete or anonymise it.

Security measures and data storage

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or misuse. Measures include encrypted storage, secure backups, role-based access controls, strong password policies, staff training, regular security reviews and incident response procedures. Our IT infrastructure and cloud providers are assessed for security and contractual protection before use.

Cookies and online tracking

We use cookies and similar technologies to improve website performance, functionality and analytics. We present clear, user-friendly cookie information and obtain consent where required for non-essential cookies. Users can control cookie settings through their browser and via any cookie banner controls on our site.

Data subject rights

Under UK GDPR, individuals have the right to:

  • Be informed about how their personal data is used.
  • Access their personal data and receive a copy (right of access).
  • Rectify inaccurate or incomplete data (right to recyification).
  • Request erasure of personal data in certain circumstances (right to erasure).
  • Request restriction of processing in certain circumstances (right to restriction).
  • Object to processing based on legitimate interests or direct marketing (right to object).
  • Request portability of data provided in a structured, commonly used and machine-readable format (right to data portability).
  • Withdraw consent where processing is based on consent.
  • Requests to exercise any of the above rights should be submitted to dataprotection@zavgroup.co.uk. We will respond to valid requests in line with statutory timescales and may require verification of identity. Where we cannot comply with a request, we will explain the reasons and options for review.

Complaints and supervisory authority

If you have concerns about how we process your personal data, please contact our data protection lead at dataprotection@zavgroup.co.uk so we can investigate and resolve your concern. You also have the right to complain to the Information Commissioner’s Office (ICO) about our processing of personal data.

Children and parental responsibility

When collecting data about children, we take extra care to ensure lawful processing and appropriate parental or guardian involvement where required. We only collect and process the minimum necessary personal data to deliver care and support.

Automated decision making and profiling

We do not generally make decisions based solely on automated processing that produces legal effects concerning individuals. If we introduce any automated decision-making or profiling that has a significant effect on individuals, we will notify affected people and provide meaningful information about the logic involved, the significance and the envisaged consequences.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in law, technology or our services. Material changes will be communicated via our website and, where appropriate, direct communications.

How to contact us

For questions about this Privacy Policy or to exercise your rights, Contact: dataprotection@zavgroup.co.uk or write to Data Protection Lead, ZAV Group, 33 Roebeck Road, Hainault Business Park, Ilford, IG6 3TZ.

Legal and regulatory notes

This policy is designed to meet UK GDPR and ICO guidance on privacy notices and required transparency about processing activities.

ZAV Group empowers communities through expertise in IT, training, care solutions, and child services.

Useful Links

Our Companies

Contact Us

33 Roebuck Road, Hainault Business Park, Ilford, England, IG6 3TZ

+44 20 8798 2579
+44 78 7713 1313

info@zavgroup.co.uk

Copyright 2025, ZAV Group. All Rights Reserved.

Scroll to Top