This privacy policy explains how personal data is collected, used, and protected when you use the Casework platform (“Casework”, “we”, “the platform”). Casework is a casework management service provided to local councillors and councils across the United Kingdom. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller and processor
The data controller for case data submitted through this platform is the councillor or council operating the site you are using. They determine the purposes and means of processing your personal data in relation to casework enquiries.
Casework (the platform operating company) acts as a data processor on behalf of the data controller. We process personal data only in accordance with the controller’s instructions and our data processing agreement.
Personal data we collect
We collect the following categories of personal data:
- Resident contact information — name, email address, phone number, address, and postcode, submitted via the contact or case submission form.
- Case details — the description and category of your enquiry, any correspondence, and status updates.
- Councillor profile data — name, biography, contact details, ward information, and party affiliation as provided by the councillor.
- Newsletter subscribers — email address provided when opting in to newsletter communications.
- Usage analytics — anonymous, aggregated page-view data collected via Plausible Analytics (no personal data is collected; see the Cookies section below).
Lawful basis for processing
We rely on the following lawful bases under Article 6(1) of the UK GDPR:
- Public task (Article 6(1)(e)) — processing of casework data is necessary for the performance of a task carried out in the public interest, namely the representation of constituents by their elected councillor.
- Consent — newsletter subscriptions are processed on the basis of your freely given consent, which you may withdraw at any time by unsubscribing.
- Legitimate interest — we use cookieless analytics (Plausible) to understand how the platform is used and to improve the service. This processing is minimal and does not impact your rights.
Data storage and security
Your personal data is stored in a PostgreSQL database hosted in the United Kingdom. All data is encrypted in transit using TLS. We implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, disclosure, or destruction.
Data retention periods
- Case data — retained for 12 months after case closure, then securely deleted.
- Newsletter subscriptions — retained until you unsubscribe, at which point your email address is removed.
- Audit logs — retained for 3 years for accountability and security purposes.
Third-party processors
We share personal data with the following third-party processors, each bound by data processing agreements:
- Resend — email delivery service used to send case notifications and newsletter communications.
- Plausible Analytics — privacy-focused, cookieless web analytics. Plausible does not collect any personal data or use cookies.
Your rights
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data where there is no compelling reason for its continued processing.
- Right to data portability — request your data in a structured, commonly used, machine-readable format.
- Right to object — object to processing based on public task or legitimate interest.
To request a copy of your personal data (right of access), you can use our Data Subject Access Request form. To exercise any other rights, please contact us. We will respond to your request within one month.
Cookies
This platform uses a minimal number of cookies:
- Essential: NextAuth session cookie — required for authentication when councillors or caseworkers log in. This cookie is strictly necessary for the platform to function and does not require consent.
- Non-essential: cw_ref (referral tracking) — used to track how visitors arrive at the platform. This cookie is set only when a referral parameter is present and you have accepted non-essential cookies via the consent banner. If you choose “Essential only”, this cookie is never set.
- Essential: cw_consent (cookie preference) — records your cookie consent choice (essential only or all). This cookie is strictly necessary to respect your preference and does not require separate consent.
Plausible Analytics is cookieless and does not set any cookies or store any personal data in your browser.
Complaints
If you are unhappy with how your personal data has been handled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ico.org.uk/make-a-complaint
Changes to this policy
We may update this privacy policy from time to time. Any changes will be posted on this page with the updated date shown above. We encourage you to review this policy periodically.