Legal

Privacy Notice

How TIFA Life processes personal data — for visitors, for referrers, and for the young people referred to us for placement.

Last updated:

Some details below — ICO registration number, postal correspondence address, and the formally appointed Data Protection Officer — are pending finalisation and will be updated in this notice as they are confirmed.

Section 1

Who we are

This privacy notice is published by TIFA Life Ltd, a company registered in England and Wales. References to “TIFA Life”, “we”, “our” and “us” in this notice mean TIFA Life Ltd.

  • Registered office: registered in England and Wales. Registered office address available on request — please email hello@tifa.co.uk.
  • ICO registration number: registration in progress at the time of publication. The registration number will be added here once issued.
  • Data Protection contact: hello@tifa.co.uk (interim arrangement; fractional Data Protection Officer appointment is in progress).

For the purposes of UK GDPR, TIFA Life Ltd is the data controller for personal data we collect through our website and the referral process described below.

Section 2

What this notice covers

This notice applies to:

  • All visitors to life.tifa.co.uk.
  • All people whose data is submitted via our online referral form.
  • Personal data we receive about referrers (typically Local Authority staff making referrals on behalf of a young person).
  • Personal data we receive about young people who are the subject of those referrals.

It does not cover personal data we hold about TIFA Life staff, or about young people who are already living in placement with us — those are covered by separate notices provided directly to those individuals.

Section 3

What data we collect

From referrers (Local Authority staff)

  • Name, job title and the Local Authority you work for.
  • Direct contact details — phone number and email address.
  • Source-attribution data: how you heard about TIFA Life, and the page on our website you arrived from (where available).
  • Technical metadata: your IP address and browser user-agent string at the moment you submit the referral form (used as an audit trail and to help us detect form abuse).

From referrers about young people

When a referral is submitted, we collect the following information about the young person — provided by the referrer in their professional capacity:

  • Initials only (we do not collect full name at referral stage — this is a deliberate data-minimisation choice).
  • Date of birth and gender.
  • Care status (e.g. Looked After, Care Leaver, UASC, Section 17).
  • A brief description of the presenting situation.
  • Any known risks or considerations the referrer chooses to share.
  • Which statutory documents (Care Plan, PEP, Health Assessment, Pathway Plan, Risk Assessment) are available.
  • Preferred location/area for placement and placement urgency.

Some of this information is special category data under UK GDPR Article 9 (e.g. data concerning health, or revealing information about a child’s welfare). We treat it accordingly — see Section 4.

From all visitors

  • Standard server logs — IP address, timestamp, page URL, response status, and user-agent string. Generated automatically by our hosting platform when you load any page. Retained for 30 days.
  • No cookies are set by TIFA Life. The site does not use first-party analytics, advertising pixels, or tracking cookies of any kind. Browsers may make standard requests to our hosting and CDN providers when loading pages and images — see Section 5.
  • The site uses Google Fonts to render typography. When your browser loads a font file, your IP address is necessarily visible to Google as part of that HTTP request. We do not pass any other data to Google.

Section 4

Why we collect this data and our lawful bases

Referrer data

Purpose: to operate the referral process — to acknowledge a referral, ask follow-up questions, return a written suitability decision, and (where applicable) progress to placement.

  • Article 6(1)(f) — legitimate interests: running a referral process is a core part of how we deliver our service to commissioning Local Authorities. We have considered the impact on referrers and judged the processing to be proportionate (referrers are operating in their professional capacity and are providing data they expect us to act on).
  • Article 6(1)(a) — consent: for the source-attribution fields (“How did you hear about TIFA Life?”, hidden referring-page metadata). You can choose not to answer the source-attribution question; it is not required to progress a referral. Your consent can be withdrawn at any time by emailing us.

Young person’s data submitted via referrals

Purpose: to assess placement suitability, plan the placement and (where the placement proceeds) deliver supported accommodation under appropriate safeguards.

  • Article 6(1)(e) — public task: the processing is necessary in connection with the official authority of the placing Local Authority, on whose behalf the referrer is acting.
  • Article 9(2)(b) — social protection: for special category data, our condition for processing is the provision of supported accommodation under statutory frameworks (Social Services and Well-being (Wales) Act 2014 and equivalents).
  • We rely on the referrer’s explicit confirmation, given via the form’s consent checkbox, that they are authorised to share this information for the stated purpose. If you submit a referral and do not have that authorisation, please do not complete the form.

Visitor server logs

Article 6(1)(f) — legitimate interests: needed to operate, secure and maintain the website (e.g. troubleshooting outages, identifying abusive traffic).

Section 5

Who we share data with

We share referral data only with the people and organisations needed to act on the referral:

  • TIFA Life staff with assessed need — typically the safeguarding lead, allocated keyworker, and service manager for the area. Access is limited to those who need the data to do their role.
  • The placing Local Authority and other statutory partners (e.g. allocated social worker, leaving-care team, designated safeguarding lead) — who already hold the underlying records and are part of the young person’s care planning.
  • Sub-processors we use to operate the website and the referral form (see below). These organisations process data only on our written instructions, under signed data-processing agreements.

We do not share referral data with marketing, advertising, analytics, or data-broker third parties of any kind. We do not sell personal data.

Sub-processors

Provider | Purpose | Region
Resend | Email delivery — sends the internal referral notification and the confirmation email to the referrer. | Configured for UK / EU delivery infrastructure.
Vercel | Hosting and serverless function execution for the website and the referral API endpoint. | London region (Vercel lhr1).

Both providers act as data processors under signed processor agreements, with appropriate safeguards under UK GDPR. We will update this notice if we add or change sub-processors.

Section 6

How long we keep it

We hold personal data for no longer than is needed for the purpose it was collected for.

Data type | Retention period
Referrer contact data (where no ongoing engagement) | 12 months from last contact
Referral data where no placement progresses | 12 months
Referral data where a placement progresses | Duration of the placement, plus 7 years (statutory retention for safeguarding records)
Standard website server logs | 30 days

After these periods, data is deleted or fully anonymised. Anonymised data may be retained indefinitely for service-improvement and reporting purposes.

Section 7

Where data is stored

All personal data we process is stored within the UK or the European Economic Area (EEA).

  • Email infrastructure (Resend): configured for UK / EU delivery.
  • Hosting (Vercel): London region (lhr1) — referral form serverless functions execute in the UK.
  • Internal records: stored on UK-based or EEA-based business systems used by TIFA Life staff.

If, in future, we need to transfer personal data outside the UK and EEA, we will only do so with appropriate safeguards under UK GDPR (e.g. the UK’s International Data Transfer Agreement, or an adequacy decision) and we will update this notice before doing so.

Section 8

Your rights

Under UK GDPR you have the following rights in relation to personal data we hold about you:

  • Access — to ask for a copy of the personal data we hold about you.
  • Rectification — to ask us to correct inaccurate or incomplete data.
  • Erasure — to ask us to delete data, where the lawful basis for keeping it no longer applies. (Note: where we hold data under a statutory retention requirement, the right to erasure may be limited.)
  • Restriction — to ask us to limit how we use your data while a query is being resolved.
  • Portability — to receive your data in a portable, machine-readable format (where the processing is carried out by automated means and is based on consent or contract).
  • Objection — to object to processing based on legitimate interests, including direct marketing (we do not use your data for direct marketing).
  • Consent withdrawal — to withdraw consent at any time, where consent is the lawful basis (e.g. for the source-attribution fields).

To exercise any of these rights, email hello@tifa.co.uk. We will respond within 30 days; if your request is complex we may extend this by up to a further two months and will tell you why.

Right to complain to the regulator

If you are unhappy with how we have handled your personal data, you have the right to complain to the UK’s Information Commissioner’s Office (ICO):

We’d encourage you to come to us first so we have a chance to put things right — but the ICO route is always available to you.

Section 9

Changes to this notice

We will update this notice as our practices change — for example, when we add or change sub-processors, or when we add new ways of collecting data on the website.

Material changes (changes that affect your rights or expand the data we collect) will be flagged on the homepage for 30 days from the date of the change, and the “Last updated” date at the top of this page will be revised. Non-material edits (typo corrections, link updates) may be made without a homepage notice.

Section 10

Contact

  • For any privacy questions or to exercise your rights: hello@tifa.co.uk.
  • For DPO-level escalation: a fractional Data Protection Officer is in the process of being appointed. In the interim, please contact us at hello@tifa.co.uk and your enquiry will be handled by the senior team.
  • By post: please email us in the first instance and we will provide the relevant postal address for any correspondence that needs to be sent in writing.

This notice is published under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, in particular Article 13 (information to be provided to data subjects).