Privacy Notice
Last updated: 29 Jan 20261. Who we are
CllrWay (“we”, “us”, “our”) is the data controller for personal data collected through the CllrWay platform. Our registered office is 1, That London. You can reach our data protection contact at george@cllrway.com.
2. Personal data we collect
We collect and process the following categories of personal data:
Account data — name, email address, council/ward affiliation, role and login timestamps.
Resident register data — names, addresses, postcodes, electoral roll identifiers and contact details uploaded by councillors from public electoral roll sources.
Casework data — correspondence, issue descriptions and contact information relating to residents who contact their councillor.
Canvassing data — doorstep visit outcomes, household intentions and canvassing notes recorded during local political activity.
Survey data — responses submitted via public survey links (hashed IP address and session token only; no direct identifiers unless voluntarily provided).
Technical data — IP addresses, browser/device information and activity logs collected automatically for security and service stability.
Communications — emails sent or received through the platform’s integrated email features.
3. Lawful basis for processing
We process personal data on the following UK GDPR lawful bases:
| Purpose | Lawful basis |
|---|---|
| Providing and managing the platform service | Contract (Art 6(1)(b)) |
| Account security, audit logging and fraud prevention | Legitimate interests (Art 6(1)(f)) |
| Resident register management by councillors | Legitimate interests / Public task (Art 6(1)(e)/(f)) |
| Casework processing on behalf of residents | Legitimate interests / Consent (Art 6(1)(a)/(f)) |
| Canvassing activity (political) | Legitimate interests in democratic engagement (Art 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art 6(1)(c)) |
| Responding to subject access or erasure requests | Legal obligation (Art 6(1)(c)) |
4. How we use your data
We use personal data to operate and improve the CllrWay service, authenticate users, generate correspondence and PDF letters, facilitate canvassing activity, provide analytical tools to councillors, and comply with our legal obligations. We do not sell personal data to third parties, use it for advertising, or process it for automated profiling that produces legal or similarly significant effects.
5. Who we share data with
We share personal data only with carefully selected sub-processors necessary to deliver the service:
Microsoft Azure — cloud infrastructure, database hosting and blob storage (EEA/UK data centres).
Microsoft Entra ID — authentication and identity management.
Stripe — payment processing for subscriptions (card data never touches our servers).
SMTP provider — outbound email delivery.
All sub-processors are contractually bound to process data only on our instructions and in compliance with UK GDPR. We do not transfer personal data outside the UK/EEA without appropriate safeguards (Standard Contractual Clauses or equivalent).
6. How long we keep your data
Account data — retained for the lifetime of your account and anonymised within 30 days of account erasure.
Dataset / resident data — retained until you delete the dataset. Soft-deleted datasets are permanently purged after 30 days.
Audit logs — retained for 12 months for security and accountability purposes.
Billing records — retained for 7 years to comply with financial regulations.
7. Your rights
Under UK GDPR you have the right to:
Access — request a copy of personal data we hold about you (DSAR). You can download your data directly from your Profile → My Data tab.
Rectification — correct inaccurate personal data via your profile settings.
Erasure — request deletion of your account and associated personal data. Use Profile → My Data → Delete my account or contact us.
Restriction — ask us to restrict processing in certain circumstances.
Portability — receive your data in a structured, machine-readable format (see the Download my data feature).
Object — object to processing based on legitimate interests.
Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any right, contact us at george@cllrway.com. We will respond within one calendar month. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
8. Cookies and tracking
We use strictly necessary session cookies to authenticate users and maintain secure connections. We do not use advertising, tracking or analytics cookies.
9. Security
We implement technical and organisational measures proportionate to the risk, including: TLS encryption in transit; encryption at rest for database and blob storage; role-based access control; audit logging of sensitive operations; and persisted, encrypted Data Protection key management.
10. Changes to this notice
We may update this notice periodically. Material changes will be communicated via an in-app notification or email. The “last updated” date at the top of this page reflects the most recent revision.
Questions about this notice? Contact us at george@cllrway.com