Privacy Policy

Last updated: 10 May 2026 · Governed by UK GDPR and the Data Protection Act 2018

1. Who we are

CivicSync Ltd (“CivicSync”, “we”, “us”, “our”) is the data controller for personal data processed through this platform.

We are registered with the Information Commissioner’s Office (ICO) under registration number [ICO Registration Number].

CivicSync is a civic engagement platform that enables UK residents to raise local issues, participate in public consultations, and communicate with their elected councillors and council officers.

2. What data we collect

Account data (all users)

  • Full name and email address
  • Hashed password (we never store plaintext passwords)
  • UK postcode (used to map your account to a ward)
  • Account creation date and last login
  • Role (Resident, Councillor, Council Officer, etc.)

Optional demographic data (residents only)

You may optionally provide your age band and gender. This data is used only in aggregated, anonymised analytics visible to your councillor (minimum 5 responses per group). We never display individual demographic data to officials. You control this via your privacy settings and can withdraw consent at any time.

Content you create

  • Issue reports (title, description, category, postcode, optional photo)
  • Consultation responses
  • Poll votes (stored anonymously; we cannot link a vote to your account after submission)
  • Community feed posts

Technical data

  • IP address (retained in server logs for up to 30 days for security purposes)
  • Device type and browser (from User-Agent header, not stored beyond the session)
  • Session tokens (stored as secure, HttpOnly cookies)

3. How we use your data

Purpose | Lawful basis
Creating and managing your account | Contract (Art 6(1)(b))
Routing issues to your ward councillor | Contract (Art 6(1)(b))
Sending issue status updates and notifications | Contract (Art 6(1)(b))
Verifying your postcode/ward assignment | Contract (Art 6(1)(b))
Aggregated ward analytics for officials | Legitimate interests (Art 6(1)(f))
AI sentiment analysis on issue text | Legitimate interests (Art 6(1)(f))
Demographic analytics (opt-in) | Consent (Art 6(1)(a))
Community digest emails (opt-in) | Consent (Art 6(1)(a))
Security, fraud prevention, abuse reporting | Legitimate interests (Art 6(1)(f))
Legal compliance and ICO obligations | Legal obligation (Art 6(1)(c))

4. Our lawful basis for processing

Under the UK GDPR (Article 6), we rely on the following lawful bases:

  • Contract: Processing necessary to provide the CivicSync service you have signed up for.
  • Legitimate interests: Analytics, security, and AI-assisted issue summarisation. We have conducted a Legitimate Interests Assessment (LIA) and determined that these activities do not override your rights, given the civic nature of the platform and the aggregation / anonymisation measures applied.
  • Consent: Optional demographic analytics and marketing emails. You can withdraw consent at any time from your profile settings without affecting your use of the platform.
  • Legal obligation: Compliance with applicable UK law, including the Data Protection Act 2018, PECR, and any lawful request from a supervisory authority.

5. Who we share your data with

We do not sell your personal data. We share data only with the following recipients:

Recipient | Purpose | Safeguards
Railway / AWS (hosting) | Cloud infrastructure for the app and database | UK/EEA-equivalent adequacy or Standard Contractual Clauses (SCCs)
Supabase (database) | PostgreSQL database hosting | GDPR-compliant DPA in place
Resend (email) | Transactional email delivery | GDPR DPA in place; UK data residency option available
OpenAI (optional) | AI text analysis if AI_PROVIDER=openai | Optional feature; only enabled by operator; OpenAI GDPR DPA available
Your councillor / council officer | Aggregated issue and consultation analytics for your ward | No individual personal data; aggregated only (n≥5)
ICO or law enforcement | If required by UK law or court order | Minimum data; documented request required

CivicSync is hosted on infrastructure within the UK or a country with an adequacy decision from the UK Government. Where transfers occur outside the UK, we use Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism.

6. How long we keep your data

Data type | Retention period
Active account data | For the duration of your account
Deleted account data | Anonymised immediately; email pseudonymised to deleted-{id}@civicsync.uk
Issue reports | 3 years after closure (civic record-keeping)
Consultation responses | 5 years after consultation closes (public interest)
Audit logs (admin actions) | 7 years (legal compliance)
Server access logs (IP addresses) | 30 days
Session tokens | 30 days (rolling)

7. Your rights under UK GDPR

You have the following rights. To exercise any of them, email privacy@civicsync.uk or use the self-service options in your profile settings. We will respond within 30 days as required by UK GDPR Article 12.

Right of access (Art 15)

Request a copy of all personal data we hold about you. Use the 'Download my data' button in your profile settings.

Right to rectification (Art 16)

Correct inaccurate data. Update your name, postcode and preferences directly in your profile.

Right to erasure (Art 17)

Delete your account and all personal data. Use 'Delete my account' in your profile. Note: anonymised/aggregated data is retained.

Right to data portability (Art 20)

Receive your data in a machine-readable JSON format. Use 'Download my data' in your profile.

Right to restrict processing (Art 18)

Ask us to pause processing your data whilst a dispute is resolved.

Right to object (Art 21)

Object to processing based on legitimate interests. We will stop unless we have compelling grounds.

Right to withdraw consent

Withdraw consent for demographics or marketing emails at any time from Privacy & Consent settings.

Right to lodge a complaint

Contact the ICO at ico.org.uk or call 0303 123 1113.

8. Cookies

We use only strictly necessary cookies to operate this service. We do not use advertising cookies, tracking pixels, or third-party analytics (e.g. Google Analytics). Under UK PECR, strictly necessary cookies do not require consent, but we disclose them here for transparency.

Cookie name | Purpose | Duration | Type
next-auth.session-token | Authenticates your session (HttpOnly, Secure, SameSite=Lax) | 30 days | Strictly necessary
next-auth.csrf-token | CSRF protection for form submissions (HttpOnly) | Session | Strictly necessary
next-auth.callback-url | Stores the post-login redirect URL | Session | Strictly necessary
civicsync-cookie-consent | Records your cookie consent choice | 1 year | Strictly necessary

You can manage cookies in your browser settings. Blocking session cookies will prevent you from logging in. See our Cookie Policy for more detail.

9. Security measures

We take appropriate technical and organisational measures to protect your data, including:

  • Passwords hashed using bcrypt (minimum cost factor 12)
  • All data in transit encrypted using TLS 1.2+ (HTTPS enforced)
  • Database connections over encrypted channels with SSL required
  • Session tokens stored as HttpOnly, Secure, SameSite=Lax cookies
  • Strict Content Security Policy and other security headers on all responses
  • Role-based access control — officials see only ward-level aggregates, never individual resident data without consent
  • Admin audit log for all privileged actions
  • Data hosted within the UK or a country with UK adequacy status

In the event of a data breach affecting your rights, we will notify the ICO within 72 hours and affected users without undue delay, as required by UK GDPR Article 33/34.

10. Children

CivicSync is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has registered, please contact us at privacy@civicsync.uk and we will delete the account promptly.

Users aged 13–17 may use the platform with parental knowledge. No special category data is collected from minors.

11. Changes to this policy

We will notify registered users of material changes to this policy by email at least 14 days before they take effect. The “Last updated” date at the top of this page will always reflect the current version. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact us

Data Controller: CivicSync Ltd

Privacy enquiries: privacy@civicsync.uk

Data Protection Officer: dpo@civicsync.uk

ICO registration: [ICO Registration Number]

If you are unhappy with how we handle your data, you have the right to complain to the ICO: ico.org.uk · 0303 123 1113