Privacy Policy

Last updated: 24 May 2026

CivicBot Ltd ("CivicBot", "we", "us" or "our") is committed to protecting your privacy and handling your personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

This Privacy Policy explains what personal data we collect, how we use it, who we share it with, how long we keep it, and the rights available to you. By using our website civicbot.co.uk or any related services, you confirm that you have read and understood this Policy.

UK data residency: Because CivicBot is built to serve UK local authorities, all personal data we control is stored and processed within the United Kingdom. We do not transfer council or resident personal data outside the UK. See Section 5 for the limited exceptions and safeguards that apply.

1. Data Controller

CivicBot Ltd is the data controller responsible for your personal data. You can contact us at info@civicbot.co.uk for any privacy-related queries, including to exercise your rights under UK data protection law.

2. Personal Data We Collect

We may collect and process the following categories of personal data:

  • Identity & contact data: email address, role indicator (resident, council, curious).
  • Location data: UK postcode you provide, and the council/area we derive from it.
  • Communications data: messages you send via our AI chatbot, support emails, and any feedback you share.
  • Technical data: IP address, browser type, device information, pages visited, and timestamps, collected automatically via standard server logs.
  • Cookies: see our Cookie Policy for full details.

We do not knowingly collect data from children under 13. If you believe a child has provided personal data, contact us and we will delete it.

3. How and Why We Use Your Data

Under UK GDPR we must have a lawful basis to process your personal data. The lawful bases we rely on are:

  • Consent (Art. 6(1)(a) UK GDPR): when you join our waitlist, opt in to receive updates, or interact with the AI chatbot.
  • Legitimate interests (Art. 6(1)(f)): to operate, secure and improve our website and services, prevent fraud, and conduct internal analytics.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable UK laws, regulator requests, and court orders.

Specifically, we use your data to:

  • Add you to the CivicBot pre-launch waitlist and confirm sign-up via email.
  • Match your postcode to your local council so we can notify you when CivicBot launches in your ward.
  • Send transactional emails (e.g. confirmation, launch notice) via our processor ZeptoMail.
  • Respond to your queries and improve our AI chatbot (powered by Google Gemini).
  • Detect, prevent and respond to fraud, abuse or security incidents.

4. Sharing Your Data

We do not sell your personal data. We only share it with the following categories of recipients, under written contracts requiring UK GDPR-equivalent safeguards. Every processor listed below has been selected on the basis that personal data is stored within the United Kingdom:

  • Hosting & database: UK-based cloud infrastructure (data centres located in England). All production databases and backups are held within the UK.
  • Email service provider: ZeptoMail (Zoho) — configured to use UK/EU data residency for transactional email delivery.
  • Postcode lookup: postcodes.io — a UK-based, open-data service operated in the UK.
  • AI chatbot provider: Google Gemini API. The chatbot is used for general queries only and we do not send identifiable resident or council records to it. See Section 5 for the safeguards that apply.
  • Local councils: only once you actively engage with CivicBot post-launch and consent to share data to resolve a specific civic issue. Data shared with councils remains in the UK.
  • Professional advisers & regulators: where legally required (e.g. ICO, HMRC, courts) within the UK.

5. UK Data Residency & International Transfers

UK-only by design. All personal data that CivicBot controls — including waitlist records, council data, resident contact details and case information — is stored and processed exclusively within the United Kingdom. Our primary databases, backups, application servers and logs are hosted in UK data centres.

No routine overseas transfer. We do not routinely transfer personal data outside the UK. Where a sub-processor offers UK or EEA data residency, we always select the UK region. Council data is never transferred outside the UK.

Limited exception — AI chatbot. Our customer-facing AI chatbot is powered by the Google Gemini API, which may process the content of your chat messages on infrastructure outside the UK. To mitigate this:

  • The chatbot is used for general public enquiries only — we do not send council case files, resident records or personal identifiers to it.
  • You are not required to enter personal data to use the chatbot.
  • Any transfer relies on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with Google's published technical and organisational measures.
  • We will replace this provider with a UK-resident alternative as soon as a commercially viable one is available, and we will update this Policy accordingly.

If you would prefer not to use the AI chatbot, you can contact us directly at info@civicbot.co.uk.

6. How Long We Keep Data

We retain waitlist data until launch in your area plus a maximum of 24 months after you unsubscribe or after our services close, whichever is sooner. Chatbot interactions are retained for up to 12 months for service improvement. Server logs are kept for up to 90 days. We may retain anonymised data indefinitely for analytics.

7. Your Rights

Under UK GDPR and the Data Protection Act 2018 you have the right to:

  • Access the personal data we hold about you.
  • Request rectification of inaccurate data.
  • Request erasure ("the right to be forgotten") where lawful.
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.

To exercise any right, email info@civicbot.co.uk. We will respond within one month as required by UK GDPR.

8. Security

We use industry-standard technical and organisational measures including HTTPS/TLS encryption in transit, access controls, hashing of credentials, and encryption at rest for our databases. All production systems and backups are hosted in UK data centres in line with our UK data residency commitment (see Section 5). While no online service can be 100% secure, we work to minimise risk and will notify you and the ICO of a personal data breach in line with our statutory obligations under Articles 33–34 UK GDPR.

9. Marketing and Direct Communications

We will only send you marketing emails about CivicBot's launch progress where you have opted in (under PECR Reg. 22). Every email contains a one-click unsubscribe link. You can also email us to unsubscribe at any time.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be notified by email or a prominent notice on our website.

11. Contact

CivicBot Ltd — Data Protection

info@civicbot.co.uk

© 2026 CivicBot Ltd. All rights reserved.