Privacy policies

Please use the below links to view the relevant privacy notice to you

• Website privacy notice
• Candidate privacy notice
• Patient privacy notice

Website Privacy Notice 

This Privacy Notice explains how   

• ICS Operations Limited (trading as Xyla),   
• Pulse Healthcare Limited (trading as Xyla and Pulse Nursing at Home),   
• Pulse Heathcare Limited (trading as Ellea),  
• Carehome Selection Limited (trading as Xyla),   
• Independent Clinical Services Limited (trading as Thornbury community Services) and   
• CHS Healthcare Software Limited (trading as Xyla),   

collect, use, store, and share personal data when we act as:  

• A Data Controller – when we determine the purpose and means of processing personal data, such as when we provide direct services to individuals. 
• A Data Processor – when we process personal data on behalf of and under the instructions of another organisation (such as the NHS, local authorities, Care Commissioning Groups or other clients).

1. Information We Collect 

We may collect the following categories of personal data through your use of our website: 

• Contact information (e.g., name, email address, phone number) 
• Technical data (e.g., IP address, browser type, operating system, and browsing behaviour) 
• Information you provide through forms (e.g., inquiry forms, subscription requests) 

We may also use cookies and similar tracking technologies. Cookies are small files that are sent to your device when you visit a website or app. They stay on your device and are sent back to the website or app they came from when you visit it again. For more information about cookies please visit www.allaboutcookies.org. You can control and delete cookies through your browser settings for more information on how to do this please visit www.allaboutcookies.org/manage-cookies. 

We use the following Cookies on our website: 

Type of Cookie	Definition	How we use that Cookie
Session Cookies	A Cookie that will only be stored on a device’s memory during the current browser session. Once the session has been closed the Cookie will be deleted	These Cookies will allow a more streamlined use of our website. You will be able to navigate around our website and we’ll remember the pages you visited so you can easily find and reach them again
Permanent Cookies	A Cookie that will be permanently stored on your device’s and will remember information each time you revisit a website	These Cookies will allow you to save login details for your next visit. These cookies are enabled through your web browser, not our website. You can view your Permanent Cookies within your web browser settings
Targeted Advertising Cookies	A Cookie that will remember the things you’re interested in on our website and remind you of these things through targeted adverts, sent via third-party platforms	After you have visited our website we may send you personalised adverts via third-party platforms such as Facebook, Google or LinkedIn. These adverts are delivered to you so we can continue to engage with you and display new opportunities that may be of interest
Site Analytical Cookies	A Cookie that will allow an anonymised analysis of how visitors navigate and use a website	We use Google Analytics to receive anonymised reports on how long visitors stay on our website, whether they apply for jobs and which of our jobs and web pages are getting the most views and interactions. This information allows us to improve user experience and make sure the content is relevant and interesting
Third-Party Cookies	A Cookie that will appear in third-party embedded content on a website, enabling the third-party to monitor engagement with that content	We may embed third-party content onto our websites if we believe it is of interest to our website visitors or to improve their experience. This third-party content will carry a Cookie so that the content owner can measure how many people are engaging with that piece of content. We don’t control the settings of these Cookies. We recommend you check the third-party websites for more information about their cookies policy and how to manage them

2. How We Use Your Information 

We use your personal data to: 

• Respond to inquiries and provide customer support 
• Improve our website and services 
• Comply with legal obligations 

3. Sharing of Information 

We may share your personal data: 

• With service providers that support our website operations 
• If required by law or to protect our rights 

We do not sell or rent your personal data to third parties. 

4. Data Security 

We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, use, or disclosure. 

5. Your Rights 

Depending on your location, you may have rights to access, correct, delete, or restrict the use of your personal data. To exercise any of these rights, please contact us at dpo@acaciumgroup.com. 

6. Third-Party Links 

Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of such sites. 

7. Additional Notices 

We maintain specific privacy notices for different categories of individuals. If you are: 

• A patient, please read our Patient’s Privacy Notice. 
• A job applicant or candidate, please read our  Candidate’s Privacy Notice. 

8. Contact Us 

If you have any questions or concerns about this notice, please contact: 
Data Protection Officer 
Acacium Group  
9 Appold Street  
London  
EC2A 2AP  

Email: dpo@acaciumgroup.com  

Candidate privacy notice

1. Introduction  

We are committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws.  

This Privacy Notice explains how   

• Pulse Healthcare Limited (trading as Xyla and Pulse Nursing at Home),   
• ICS Operations Limited (trading as Xyla),   
• Carehome Selection Limited (trading as Xyla),   
• Pulse Heathcare Limited (trading as Ellea),  
• Independent Clinical Services Limited (trading as Thornbury community Services) and   
• CHS Healthcare Software Limited (trading as Xyla),   

collect, use, store, and share personal data when we act as:  

• A Data Controller – when we determine the purpose and means of processing personal data, such as when we provide direct services to individuals. .  
• A Data Processor – when we process personal data on behalf of and under the instructions of another organisation (such as the NHS, local authorities, Care Commissioning Groups or other clients).  

2. What Personal Data We Collect and Process  

Depending on our role as a data controller or processor, we may process the following types of personal data:  

a) When Acting as a Data Controller  

When using AI for these purposes, we may process the following categories of personal data: 

• Personal Identifiers: Name, email address, phone number, location (city, region) 
• Professional Information: Job titles, work history, skills, certifications, industry experience, achievements, employment preferences 
• Job Preferences: Desired salary, preferred roles or sectors, location preferences, availability 
• Uploaded Documents: CVs, resumes, cover letters, and any additional documents you provide 
• Educational Background: Degrees, diplomas, institutions attended, grades, certifications 
• Metadata from CVs: Extracted keywords, formatting attributes, structure of experience and qualifications 
• Occupational Health Data 

b) When Acting as a Data Processor  

In some cases, we act as a data processor on behalf of third-party organisations—such as NHS Trusts, local authorities, or care providers—who are the data controllers. This means that we process your personal data strictly under their instructions and in line with a formal data processing agreement. 

What This Means for You: 

• We Do Not Decide How Your Data Is Used: 
  The third-party organisation (the data controller) decides why and how your personal data is collected and processed. We only carry out processing activities as directed by them. 
• What Data Is Involved: 
  The types of personal data we process may include your CV, qualifications, employment history, references, and diversity information, depending on the instructions of the data controller. 
• Why We Process Your Data: 
  We process your data to support recruitment and placement activities on behalf of the organisation you are applying to, or being considered by. We do not use your data for our own independent purposes. 
• How Your Data Is Shared: 
  We only share your personal data with the data controller and, where necessary, their authorised third parties. We do not share your data for marketing or any unrelated purposes. 
• Data Retention: 
  We retain your personal data only for as long as instructed by the data controller. Once the processing is complete or our agreement with the controller ends, we will either return or delete your data as directed—unless we are legally required to keep it for a specific period. 

For information on who your data controller is, please contact dpo@acaciumgroup.com.  

3. Lawful Basis for Processing  

We process personal data under one or more of the following lawful bases, depending on our role:  

a) When Acting as a Data Controller 

We process personal data in connection with our AI recruitment tools under the following lawful bases: 

• Article 6(1)(f) – Legitimate Interests: To improve the recruitment experience through efficiency and accuracy, provided such interests are not overridden by your rights and freedoms. 
• Article 6(1)(b) – Contractual Obligation: When processing is necessary for taking steps prior to entering into a contract with you (e.g. submitting your application to a client). 
• Article 9(2)(b) – Employment: which allows processing necessary for employment, social security, and social protection purposes, as authorised by law. 
• Article 6(1)(a) – Consent: In specific cases, particularly for the use of automated formatting or enhancements, we may seek your consent. 

b) When Acting as a Data Processor  

We process data based on the lawful basis provided by the data controller and under their instructions. We do not determine the purpose or legal basis for processing in this capacity, this information can be found on the data controller’s privacy notice, if you need help to locate this please contact dpo@acaciumgroup.com. 

   

4. How We Use Personal Data  

As part of our recruitment and placement services, we utilise Artificial Intelligence (AI) technologies to support candidate-job matching and CV reformatting. These tools are used to enhance efficiency, fairness, and quality in how we assess applications and present candidate profiles to potential employers. 

Purpose of Processing Using AI 

• AI-Powered Job Matching – To match candidates with appropriate roles based on qualifications, experience, job preferences, and employer criteria. 
• CV Reformatter – To restructure CVs for clarity, consistency, and presentation in line with industry standards, improving the likelihood of successful job placement. 

Safeguards and Human Oversight 

• No Solely Automated Decision-Making: AI decisions are reviewed by recruitment professionals; no final decisions are made by the system alone. 
• Fairness and Non-Discrimination: AI tools are evaluated regularly to ensure they operate fairly and are not biased or discriminatory. 
• Transparency: You may request an explanation of how the AI system works or ask for human review of a decision made using AI. 
• Security Measures: Data processed through AI tools is protected by access controls, encryption, and secure infrastructure. 

5. How We Keep Data Secure  

We take appropriate technical and organisational measures to protect personal data, including:  

• Access Controls: Limiting access to authorised personnel only.  
• Regular Security Audits: Monitoring and improving data protection measures.  
• Encryption: Protecting data in storage and transmission.  
• Data Minimisation: Collecting only the necessary information for specific purposes.  
• Secure Disposal: Ensuring data is safely destroyed when no longer needed.  

6. Who We Share Data With  

In the course of providing recruitment and placement services, we may share your personal data with third parties where it is necessary for progressing your application, securing employment, or meeting legal obligations. These include: 

• Clients and Prospective Employers: We may share your CV, professional history, and relevant details with organisations that are seeking to fill positions that match your profile. 
• Recruitment Platforms and Job Boards: Where appropriate and with your consent, we may upload anonymised or reformatted versions of your CV to recruitment platforms or job boards to increase your visibility and access to opportunities. 
• Technology Partners: Providers of applicant tracking systems (ATS), CV parsing tools, and AI-based job matching services that support our recruitment operations. 
• Employment Screening Providers: Third parties who assist with background checks, reference checks, right-to-work verification, or credential validation. 
• Payroll and Umbrella Companies: Where applicable, your information may be shared with trusted partners for payroll administration or contractor engagement purposes. 
• Legal, Regulatory and Compliance Bodies: Such as the HMRC, or other authorities when required by law, or in response to legal processes, safeguarding investigations, etc. 
• Group Companies: Other entities within our corporate group for the purpose of providing you with alternative or extended career opportunities, operational efficiency, or to meet compliance requirements. 

We may also share personal data between entities within our corporate group for several legitimate reasons, including:  

• Service Delivery & Operational Efficiency – Ensuring smooth operations by sharing data for administrative, HR, IT, finance or customer service purposes.  
• Security & Fraud Prevention – Protecting against security threats, cyber risks, and fraud by implementing centralised monitoring and threat detection.  
• Regulatory Compliance & Risk Management – Meeting legal obligations, conducting internal audits, and managing risks across the organisation.  
• Research & Analytics – Using aggregated or pseudonymised data to improve products, services, and customer experiences.  

To ensure that intra-group data sharing is lawful, transparent, and secure, we implement the following safeguards:  

• Data Sharing Agreements (DSAs) – We establish formal agreements between group entities that define the purpose, scope, and legal basis for data sharing.  
• Lawful Basis for Processing – Data is shared only where there is a valid legal basis.  
• Purpose Limitation – Personal data is only used for the intended and disclosed purposes, preventing unauthorised or excessive use.  
• Cross-Border Transfers – If data is transferred between group entities in different countries, we ensure compliance with international data protection laws through mechanisms such as International Data Transfer Agreement (IDTA).  
• Access Controls – Only authorised personnel with a legitimate need can access shared data, following strict role-based access policies.  

Any third parties that process data on our behalf must comply with strict data protection requirements.  

7. International Data Transfers  

We may share personal information to third parties outside of the United Kingdom (UK). Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws.   

Where personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:  

• Standard Contractual Clauses plus International Data Transfer Addendum  
• An exception as defined in Article 49 of the UK GDPR  
• International Data Transfer Agreement  

8. How Long We Keep Personal Data  

We retain personal data in accordance with our data retention schedule and other relevant guidelines. Retention periods vary depending on the type of record and legal requirements. Once retention periods expire, data is securely deleted or anonymised. 

9. Your Data Protection Rights  

Under data protection laws, you have rights regarding your personal data, including:  

• Right to Access: You can request a copy of your personal data.  
• Right to Rectification: You can ask us to correct inaccurate or incomplete data.  
• Right to Erasure: You can request deletion of your data where appropriate.  
• Right to Restrict Processing: You can ask us to limit processing in certain circumstances.  
• Right to Data Portability: You can request a transfer of your data to another provider.  
• Right to Object: You can object to processing based on legitimate interests.  

If we are acting as a data processor, you should contact the data controller (e.g., NHS Trust, local authority) to exercise these rights.  

10. Data Breaches and Incident Reporting  

We have procedures in place to manage data breaches. If a data breach occurs:  

• We will assess the impact and take action to contain the breach.  
• If acting as a data processor, we will notify the data controller without undue delay.  
• If required, we will report the breach to the Information Commissioner’s Office (ICO) and affected individuals.  

  11. How to Complain  

If you have any concerns about our use of your personal data, you can make a complaint to us using our contact details below.  

If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO here.  

12. Contact Information  

If you have questions about this Privacy Notice or wish to exercise your data rights, please contact:  

Data Protection Officer (DPO)  
Acacium Group  
9 Appold Street  
London  
EC2A 2AP  

Email: dpo@acaciumgroup.com  

13. Policy Review and Amendments  

We keep this Policy under regular review. This Policy was last updated on 25/04/25  

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.  

Patient privacy notice

1. Introduction

We are committed to protecting the privacy and security of personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable laws. This Privacy Notice explains how

• ICS Operations Limited (trading as Xyla),
• Pulse Healthcare Limited (trading as Xyla and Pulse Nursing at Home),
• Carehome Selection Limited (trading as Xyla),
• Independent Clinical Services Limited (trading as Thornbury community Services) and
• CHS Healthcare Software Limited (trading as Xyla),

collect, use, store, and share personal data when we act as:

• A Data Controller – when we determine the purpose and means of processing personal data, such as when we provide direct services to individuals.
• A Joint Data Controller – when we, in conjunction with another party, determine the purpose and means of processing personal data.
• A Data Processor – when we process personal data on behalf of and under the instructions of another organisation (such as the NHS, local authorities, or care commissioning groups).

2. What Personal Data We Collect and Process

Depending on our role as a data controller or processor, we may process the following types of personal data:

a) When Acting as a Data Controller/Joint Data Controller

We process personal data to provide health and social care services; manage patient records; recruit healthcare professionals; and meet legal obligations. This may include:

• Personal Identifiers: Name, date of birth, gender, address, contact details, photos, account user information, NHS number.
• Health and Medical Information: Diagnosis, treatment history, prescriptions, weight, height, blood pressure, resting heart rate, care plans, test results etc.
• Social Care Data: Support plans, safeguarding information, social worker reports.
• Next of Kin & Emergency Contact Details.
• Financial Information: Billing details, funding arrangements.

b) When Acting as a Data Processor

We process personal data on behalf of third-party organisations (such as NHS Trusts, local authorities, or care providers) under a formal data processing agreement. In these cases, we process data, including diversity and inclusion data, strictly according to their instructions and do not determine the purpose of processing.

• Purpose of Processing: We do not determine why or how the data is collected or used; we only carry out processing activities as directed by the data controller.
• Scope of Processing: The type of personal data we process, the categories of individuals it relates to, and the specific ways in which it is used are all defined by the data controller.
• Limited Use: We do not use the personal data for any purpose other than fulfilling the controller’s instructions, and we do not share it with third parties except under the instructions of the data controller.
• Retention and Deletion: We only retain personal data for as long as required by the data controller’s instructions and delete or return it upon their request or at the end of our agreement. However, in certain circumstances, we may hold personal data in fulfilment of our legal obligation.

For information on who your data controller is, please contact dpo@acaciumgroup.com.

3. Lawful Basis for Processing

We process personal data under one or more of the following lawful bases, depending on our role:

a) When Acting as a Data Controller/Joint Data Controller

• Article 6(1)(c) (Legal Obligation): When required to comply with legal or regulatory obligations.
• Article 6(1)(b) (Contractual Obligation): When providing care or recruitment services under a contract or in order to take steps prior to entering into a contract with you.
• Article 6(1)(f) (Legitimate Interest): When it is necessary for the purposes of the interests pursued by us.
• Article 6(1)(a) (Consent): when you have given consent for one or more specific purposes.
• Article 9(2)(h) (Provision of Health and Social Care): When processing special category data for the management of healthcare and social care services.

b) When Acting as a Data Processor

We process data based on the lawful basis provided by the data controller and under their instructions. We do not determine the purpose or legal basis for processing in this capacity, this information can be found on the data controller’s privacy notice, if you need help to locate this please contact dpo@acaciumgroup.com

4. How We Use Personal Data

We use personal data for purposes including, but not limited to:

• Delivering healthcare and social care services.
• Managing patient and service user records.
• Coordinating care with other health and social care providers.
• Processing referrals and funding requests.
• Processing job applications.
• Continuous reviews, e.g. service reviews, surveys and feedback
• Meeting legal and regulatory requirements.
• Investigating complaints or safeguarding concerns.

5. How We Keep Data Secure

We take appropriate technical and organisational measures to protect personal data, including:

• Access Controls: Limiting access to authorised personnel only.
• Encryption: Protecting data in storage and transmission.
• Regular Security Audits: Monitoring and improving data protection measures.
• Data Minimisation: Collecting only the necessary information for specific purposes.
• Secure Disposal: Ensuring data is safely destroyed when no longer needed.

6. Who We Share Data With

We may share personal data where necessary for the provision of care, legal compliance, or safeguarding purposes. This may include:

• NHS Trusts, GPs, and Healthcare Providers (to ensure continuity of care).
• Local Authorities and Social Care Services (for care assessments and safeguarding).
• Regulatory Bodies (such as the Care Quality Commission, NHS Digital).
• Other providers and suppliers that support the services we offer.
• Commissioning Bodies (for funding and service management).
• Educational settings you attend.
• IT and Cloud Service Providers (for secure data storage and management).

We may also share personal data between entities within our corporate group for several legitimate reasons, including:

• Service Delivery & Operational Efficiency – Ensuring smooth operations by sharing data for administrative, HR, IT, finance or customer service purposes.
• Regulatory Compliance & Risk Management – Meeting legal obligations, conducting internal audits, and managing risks across the organisation.
• Security & Fraud Prevention – Protecting against security threats, cyber risks, and fraud by implementing centralised monitoring and threat detection.
• Research & Analytics – Using aggregated or pseudonymised data to improve products, services, and customer experiences.

To ensure that intra-group data sharing is lawful, transparent, and secure, we implement the following safeguards:

• Data Sharing Agreements (DSAs) – We establish formal agreements between group entities that define the purpose, scope, and legal basis for data sharing.
• Lawful Basis for Processing – Data is shared only where there is a valid legal basis.
• Purpose Limitation – Personal data is only used for the intended and disclosed purposes, preventing unauthorised or excessive use.
• Access Controls – Only authorised personnel with a legitimate need can access shared data, following strict role-based access policies.
• Cross-Border Transfers – If data is transferred between group entities in different countries, we ensure compliance with international data protection laws through mechanisms such as International Data Transfer Agreement (IDTA).

Any third parties that process data on our behalf must comply with strict data protection requirements.

7. International Data Transfers

We may share personal information to third parties outside of the United Kingdom (UK). Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws. 

Where personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:

• Standard Contractual Clauses plus International Data Transfer Addendum
• International Data Transfer Agreement
• An exception as defined in Article 49 of the UK GDPR

8. How Long We Keep Personal Data

We retain personal data in accordance with the NHS Records Management Code of Practice and other relevant guidelines. Retention periods vary depending on the type of record and legal requirements. Once retention periods expire, data is securely deleted or anonymised.

9. Your Data Protection Rights

Under data protection laws, you have rights regarding your personal data, including:

• Right to Access: You can request a copy of your personal data.
• Right to Rectification: You can ask us to correct inaccurate or incomplete data.
• Right to Erasure: You can request deletion of your data where appropriate.
• Right to Restrict Processing: You can ask us to limit processing in certain circumstances.
• Right to Data Portability: You can request a transfer of your data to another provider.
• Right to Object: You can object to processing based on legitimate interests.

If we are acting as a data processor, you should contact the data controller (e.g., NHS Trust, local authority) to exercise these rights.

10. Data Breaches and Incident Reporting

We have procedures in place to manage data breaches. If a data breach occurs:

• We will assess the impact and take action to contain the breach.
• If acting as a data processor, we will notify the data controller without undue delay.
• If required, we will report the breach to the Information Commissioner’s Office (ICO) and affected individuals.

11. How to Complain

If you have any concerns about our use of your personal data, you can make a complaint to us using our contact details below.

If you remain unhappy with how we have used your data after raising a complaint with us, you can also complain to the ICO here.

12. Contact Information

If you have questions about this Privacy Notice or wish to exercise your data rights, please contact:

Data Protection Officer (DPO)
Acacium Group
9 Appold Street
London
EC2A 2AP

Email: dpo@acaciumgroup.com

If you are below 13 years, your parent or carer would need to do this.  

13. Policy Review and Amendments

We keep this Policy under regular review. This Policy was last updated on 25/03/25

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.