Civicore Logo Civicore
Purpose How It Works Benefits Testimonials Contact
Back to Civicore

Privacy Policy

Effective Date: 5 July 2026
Last Updated: 5 July 2026
Important: This Privacy Policy explains how Carderra Limited ("we," "us," or "our") collects, uses, and protects your personal information when you use the Civicore service. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Contents

  • 1. Introduction
  • 2. Data Controller and Data Processor
  • 3. Information We Collect
  • 4. Legal Basis for Processing (UK GDPR)
  • 5. How We Use Your Information
  • 6. How We Share Your Information
  • 7. International Data Transfers
  • 8. Data Security
  • 9. Data Retention
  • 10. Your Rights
  • 11. Data Protection Impact Assessment (DPIA)
  • 12. AI-Specific Transparency and Use
  • 13. Cookies and Tracking Technologies
  • 14. Children's Privacy
  • 15. Changes to This Privacy Policy
  • 16. Supervisory Authority (UK ICO)
  • 17. Contact Us

1. Introduction

Civicore (operated by Carderra Limited) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered service for councillors and Members of Parliament.

We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy applies to all users of the Civicore Service, including councillors, MPs, and authorised staff members.

2. Data Controller and Data Processor

Data Controller:
Carderra Limited
128 City Road, London, United Kingdom, EC1V 2NX
Company Registration Number: 14061262

Data Protection Officer (DPO):
You can contact our DPO at:
Email: dpo@civicore.co.uk
Phone: 0333 339 0043

Data Controller/Processor Relationship:

  • Carderra Limited acts as a Data Processor when processing personal data on behalf of our users (councillors, MPs, and local authorities) in the course of providing the Service.
  • Users of the Service (councillors and their employing local authorities) act as Data Controllers for the constituent inquiries and related personal data they submit to the Service.
  • We process personal data only on your instructions and in accordance with this Privacy Policy.

3. Information We Collect

3.1 Personal Information You Provide

We collect the following categories of personal information:

Account Information:

  • Full name
  • Email address
  • Phone number
  • Professional postal address (office address)
  • Username and password (encrypted)

Professional Information:

  • Job title and role (e.g., Councillor, MP)
  • Local authority or constituency details
  • Political party affiliation (optional)
  • Verification documents (if required)

Communication Data:

  • Messages, inquiries, and feedback submitted through our Service
  • Email correspondence with our support team
  • Survey responses and feedback forms

Constituent Inquiry Data (where processed on your behalf):

  • Anonymised or pseudonymised summaries of constituent inquiries
  • Categories of issues raised (housing, planning, benefits, etc.)
  • We strongly advise against submitting identifiable personal data of constituents (see Section 5 of our Terms, "Acceptable Use Policy")

3.2 Technical Information Automatically Collected

When you use the Service, we automatically collect:

Device and Usage Data:

  • IP address (anonymised where possible)
  • Browser type and version
  • Operating system and device information
  • Date and time of access
  • Pages viewed and features used
  • Session duration and interactions
  • Referring website or source

Cookies and Similar Technologies:

We use cookies and tracking technologies to enhance your experience, remember preferences, and analyse usage. For more details, see Section 13 (Cookies).

3.3 AI Training and Service Improvement Data

To improve our AI models and service quality, we may analyse:

  • Aggregated and anonymised usage patterns
  • Performance metrics of AI-generated responses
  • User feedback and correction data

Important: We do not use personal data (including constituent information) to train our AI models unless it has been fully anonymised and aggregated. Any such use will not identify any individual.

4. Legal Basis for Processing (UK GDPR)

We process your personal data based on the following legal grounds:

  • Contractual Necessity (Article 6(1)(b)): Providing the Service and fulfilling our contract with you.
  • Public Task (Article 6(1)(e)): Processing constituent inquiries on behalf of public officials, where the processing is necessary for the performance of a task carried out in the public interest.
  • Legitimate Interests (Article 6(1)(f)): Service improvement, security, and business operations.
  • Consent (Article 6(1)(a)): Marketing communications (you may withdraw consent at any time).
  • Legal Obligation (Article 6(1)(c)): Compliance with applicable legal requirements.

4.1 Special Category Data

We do not intentionally collect special category data (as defined under Article 9 of the UK GDPR). Should such data be inadvertently submitted, we will delete it promptly upon discovery. Users are expressly prohibited from submitting special category data (see Section 5 of our Terms).

5. How We Use Your Information

We use your personal information for the following purposes:

5.1 Service Provision

  • To create and manage your user account
  • To provide, maintain, and deliver the Civicore Service
  • To generate AI responses to constituent inquiries (as a draft tool)
  • To store and retrieve your inquiry history and preferences

5.2 Communication and Support

  • To respond to your inquiries and provide customer support
  • To send you Service-related notifications and updates
  • To inform you of changes to our Terms or Privacy Policy
  • To send you billing and subscription-related communications

5.3 Service Enhancement

  • To analyse usage patterns and improve the Service
  • To train and refine our AI algorithms (using anonymised data only)
  • To develop new features and functionality
  • To monitor and evaluate the performance of the Service

5.4 Security and Compliance

  • To protect against fraud, abuse, and security threats
  • To verify your identity and eligibility
  • To comply with applicable laws and regulations
  • To enforce our Terms and Conditions

6. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:

6.1 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service:

  • Stripe: Payment processing (we do not store full card details)
  • AWS/Azure: Cloud hosting and infrastructure (account data, usage data, AI processing)
  • SendGrid: Email delivery (email address)
  • Analytics Providers: Service analytics (anonymised usage data)
  • Support Tools: Customer support management (contact details and support tickets)

All service providers are contractually bound to process data only on our instructions and to maintain appropriate security measures.

6.2 Legal Requirements

We may disclose your information if required by:

  • Law, court order, or government regulation
  • Enforcement of our Terms and Conditions
  • Protection of our rights, property, or safety (or those of our users)

6.3 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of the business transaction. You will be notified of any such transfer.

6.4 With Your Consent

We may share your information with third parties if you explicitly consent to such sharing.

7. International Data Transfers

Your personal information may be transferred to and processed in countries outside the UK, including the United States and the European Economic Area (EEA).

Safeguards in Place:

  • We use Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office (ICO)
  • We ensure that all third-party processors comply with UK data protection standards
  • We conduct transfer impact assessments (TIAs) where required

For further information on our international data transfer safeguards, please contact our DPO.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal information:

8.1 Technical Measures

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Strict role-based access controls and authentication mechanisms
  • Security Testing: Regular vulnerability assessments, penetration testing, and security audits
  • Network Security: Firewalls, intrusion detection systems, and secure networks
  • Backup and Recovery: Regular encrypted backups with disaster recovery procedures

8.2 Organisational Measures

  • Staff Training: All employees receive regular data protection training
  • Confidentiality Agreements: Staff are bound by confidentiality obligations
  • Data Minimisation: We collect only the data necessary for the purposes described
  • Privacy by Design: Privacy considerations are integrated into service development

8.3 Data Breach Response

In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the ICO within 72 hours of becoming aware
  • Notify affected individuals without undue delay
  • Take immediate steps to contain and remediate the breach

9. Data Retention

We retain your personal information only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.

  • Account Information: Duration of active subscription + 24 months (to manage accounts and allow for re-activation)
  • Communication Data: Up to 6 years (legal and business record-keeping, compliance)
  • Technical Logs: Up to 12 months (security monitoring and service improvement)
  • Constituent Inquiry Data: Duration of your account + 30 days (to allow you to export or manage your data; anonymised thereafter)
  • AI Training Data: Anonymised data may be retained indefinitely (to improve Service performance; no personal data retained)
  • Billing Records: 7 years (tax and accounting compliance)

After the retention period, data is securely deleted or anonymised.

9.1 Deletion at Your Request

You may request deletion of your account and personal data at any time. We will delete your data within 30 days of your request, subject to legal retention obligations.

10. Your Rights

Under the UK GDPR, you have the following rights regarding your personal information:

  • Right of Access: Request a copy of the personal information we hold about you.
  • Right to Rectification: Request correction of inaccurate or incomplete information.
  • Right to Erasure (Right to be Forgotten): Request deletion of your personal information in certain circumstances (e.g., where it is no longer necessary, or where you withdraw consent).
  • Right to Restriction of Processing: Request limitation of processing in certain situations (e.g., while we verify accuracy).
  • Right to Data Portability: Request transfer of your data to another service provider in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests, or processing for direct marketing purposes.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) (see Section 16).

10.1 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: privacy@civicore.co.uk
Post: Data Protection Officer, Carderra Limited, 128 City Road, London, EC1V 2NX

We will respond to your request within 30 days (or sooner where possible). We may ask for verification of your identity before processing your request.

11. Data Protection Impact Assessment (DPIA)

In accordance with UK GDPR requirements, we have conducted a Data Protection Impact Assessment (DPIA) for the processing of personal data through our AI Service. This assessment identifies and mitigates risks associated with the use of AI, particularly regarding:

  • Automated decision-making and profiling
  • Processing of constituent data on behalf of public officials
  • The potential for bias or inaccuracies in AI-generated outputs

A summary of our DPIA is available upon request to our DPO.

12. AI-Specific Transparency and Use

12.1 AI-Generated Content

The Civicore Service uses artificial intelligence to generate draft responses to constituent inquiries. You should be aware that:

  • AI-generated content may contain errors or inaccuracies
  • The AI model may reflect biases present in its training data
  • Human oversight and review are essential before any official use

12.2 Automated Decision-Making

The Service does not engage in fully automated decision-making that has legal or similarly significant effects on individuals. Final decisions regarding constituent responses are made by human users (councillors/MPs).

12.3 Transparency

Where AI-generated content is used in official communications, you should consider declaring this fact in accordance with your local authority's policies on AI usage.

13. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience and analyse service usage.

13.1 Types of Cookies We Use

  • Essential: Required for basic functionality (login, session management) — Session duration
  • Preferences: Remember your settings and preferences — Up to 12 months
  • Analytics: Track usage patterns and improve the Service — Up to 24 months
  • Marketing: Personalise marketing communications (with consent) — Up to 12 months

13.2 Cookie Management

You can control cookie settings through your browser preferences. However, disabling essential cookies may affect Service functionality.

14. Children's Privacy

Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, please contact us, and we will delete it promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.

  • Material changes will be communicated by email (to the address associated with your account) and/or by a prominent notice on our website at least 30 days in advance.
  • The "Last Updated" date at the top of this page will be revised accordingly.

Your continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.

16. Supervisory Authority (UK ICO)

If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection matters.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Website: https://ico.org.uk
Phone: 0303 123 1113

17. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your rights, or have concerns about our data protection practices, please contact us:

Data Protection Officer
Carderra Limited
128 City Road
London, United Kingdom
EC1V 2NX

Email: privacy@civicore.co.uk
Phone: 0333 339 0043
Company Registration Number: 14061262