1. WHO IS COVERED BY THIS POLICY?

This privacy policy applies to:
– Children receiving care and support services.
– Parents or legal guardians of enrolled children.
– Employees, contractors, and partners of Rainbow Care&Coaching.

2. PURPOSES OF DATA PROCESSING

Rainbow Care&Coaching processes personal and sensitive data for the following purposes:
– Delivery of therapeutic, behavioral, and developmental services.
– Compliance with Dutch and EU laws (e.g., UAVG, GDPR).
– Internal recordkeeping and billing.
– Communication with parents or guardians.
– Safeguarding vulnerable children via supervised care and video monitoring (see Section 13).

3. LEGAL BASES FOR PROCESSING

Data is processed under the following GDPR legal bases:
– Consent (Art. 6(1)(a)): For social media use and collaboration with third parties.
– Contractual necessity (Art. 6(1)(b)): For providing agreed-upon care services.
– Legal obligation (Art. 6(1)(c)): Reporting to authorities or complying with audits.
– Legitimate interest (Art. 6(1)(f)): For safeguarding children, ensuring high-quality service delivery, and securing the care environment, including video surveillance where necessary.

4. SPECIAL CATEGORIES OF DATA

Rainbow may process medical or behavioral information where:
– Explicit consent has been obtained.
– It is necessary for the delivery of care by professionals bound to confidentiality.
– It supports therapeutic decision-making in a safe, evidence-based manner.

5. DATA RETENTION PERIODS

– General personal data: Retained for the duration of care plus any retention period required by law.
– Medical records: Retained for up to 15 years or until the child reaches adulthood, whichever is later (in accordance with Dutch law).
– Surveillance footage: Retained for a maximum of 30 days unless explicitly preserved for an ongoing safeguarding review or legal obligation, in which case separate retention controls and access restrictions apply.
– Anonymized data: May be retained for research, planning, or statistical purposes.

6. DATA SHARING WITH THIRD PARTIES

We may share data with:
– Care professionals, therapists, and behavior specialists.
– Educational institutions or governmental bodies (as necessary).
– IT providers under signed Data Processing Agreements (DPAs).
All third parties are bound by confidentiality and GDPR-compliant contracts.

7. DATA SECURITY MEASURES

– AES-encrypted local data storage only (no cloud storage used).
– Role-based access control and secure login procedures.
– Access logs are maintained and reviewed regularly, and in response to safeguarding or security events.
– Physical safeguards on devices storing sensitive data.

8. RIGHTS OF DATA SUBJECTS

As a parent or guardian (or data subject), you may:
– Request access to or correction of your data.
– Request deletion of non-essential data.
– Restrict certain processing activities.
– Object to processing where applicable.
– Lodge a complaint with the Dutch Data Protection Authority.
Please contact [email protected] to exercise your rights.

9. BREACH RESPONSE

In the event of a data breach, we will:
– Notify the Dutch DPA within 72 hours.
– Notify affected individuals if high risk is determined.
– Document the incident internally and retain breach logs.

10. CHILDREN’S DATA PROTECTION

Data about children under 16 is only collected and processed with parent/guardian consent.
Additional safeguards are applied to all children’s records, including limited access, encryption, and restricted usage.

11. CHANGES TO THIS POLICY

We reserve the right to update this policy to reflect operational, legal, or technical changes.
Changes will be posted and shared with enrolled families.

12. CONTACT

For questions, requests, or complaints:
Rainbow Care&Coaching
[email protected]

13. VIDEO SURVEILLANCE IN CARE SETTINGS

Rainbow Care&Coaching utilizes video surveillance in specific care-related environments:
– Therapy rooms
– Group rooms
– Hallways
– Child-accessible kitchen areas

Purpose: To uphold the safeguarding of vulnerable children (many of whom are non-verbal), allow for incident review, reinforce the four-eyes principle, and promote professional accountability.
 
Surveillance Policy Includes:
– No cameras are placed in private areas (bathrooms, changing areas).
– Video surveillance is operated with transparency and visible signage.
– Recordings are retained for a maximum of 30 days unless otherwise required for safeguarding or legal investigation.
– Review access is limited to the Director, Head of Clinical Treatment, and the Coordinator (if necessary and documented).
– All access to surveillance footage is logged and reviewed regularly or following incidents.
– Surveillance is not used for employee performance evaluation.
– A Data Protection Impact Assessment (DPIA) has been completed to assess and mitigate risks.
– Processing is justified under GDPR Article 6(1)(f) as a legitimate interest.