Privacy Policy
[ ] are placeholders to be confirmed on incorporation of the Community Interest Company. This policy explains how the Interoperability Assurance Platform (“the Platform”, “we”) processes personal data, and your rights under the UK GDPR and the Data Protection Act 2018.
1. Who we are
The data controller for your account data is [Interoperability Assurance CIC] (a Community Interest Company in formation), [registered address]. ICO registration: [to be confirmed]. Data-protection contact: [email protected] (interim, pending appointment of a Data Protection Officer / adviser).
For Section 19 report content that a flood authority uploads, that authority is the controller and we act as its processor under a written data-processing agreement. We only process that content on the authority’s documented instructions.
2. The personal data we process
| Category | What | Why |
|---|---|---|
| Account & identity | Work email (for the magic-link sign-in), your role and the authority (tenant) you belong to. | To authenticate you and enforce tenant isolation. |
| Section 19 report content | Flood investigation reports you upload, which may contain personal data about residents, landowners and responders. | To tag interoperability evidence and generate the assurance annex, on the authority’s behalf. |
| Operational records | Tags, decisions, coordination messages, exercise records — attributed to the acting user and tenant. | To provide the modules and keep an accountable, tamper-evident record. |
| Technical & security | Server logs, IP address, and error/diagnostic data (only if you allow analytics). | Security, reliability and abuse-prevention. |
On-device demo: if you use the Platform without signing in, uploaded reports are parsed entirely in your browser and never sent to our servers. Only signed-in, tenant-backed use persists data.
Special-category data: report content may incidentally include special-category or sensitive data (for example health or vulnerability information about affected residents). We minimise and restrict such processing and never publish it; it stays inside the security boundary described in section 5.
3. Lawful bases
- Account & authentication — performance of a contract with your organisation, and our legitimate interest in operating a secure service.
- Report content — processed on behalf of the controlling authority, whose lawful basis is typically the performance of a public task (its statutory Section 19 duty under the Flood and Water Management Act 2010).
- Analytics & error monitoring — your consent (which you can withdraw at any time via “Cookie settings”). See our Cookie Policy.
- Security logs — our legitimate interest in protecting the service and its users.
4. AI-assisted tagging & automated decisions
The Platform does not make decisions that produce legal or similarly significant effects about you. Optional AI tag-suggestion, where enabled, is assistive only: every suggestion is reviewed and approved by a person, and inference runs on an in-boundary model endpoint — report content is never sent to a consumer AI service.
5. Where your data is processed (and transfers)
We host data in the UK / EEA. Our processors:
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, serverless functions | London (eu-west-2) |
| Vercel | Application hosting / CDN | London (lhr1) |
| Resend | Transactional sign-in emails | [EU/US — safeguards below] |
| Sentry | Error monitoring (only with your consent) | [EU — safeguards below] |
Where a processor transfers personal data outside the UK, that transfer relies on an adequacy decision or appropriate safeguards (UK IDTA / Standard Contractual Clauses). No report content is placed with a processor without a data-processing agreement.
6. How long we keep it
- Account data — for as long as your organisation uses the Platform, then deleted within [30 days].
- Report content — per the controlling authority’s retention schedule and DPIA.
- Audit & assurance records — these are append-only and tamper-evident by design; they are retained for accountability for [the statutory record period] and cannot be silently altered or removed.
- Backups — expire on the backup rotation cycle.
7. Your rights
Under the UK GDPR you have the right to access, rectify, erase, restrict or object to our processing, to data portability, and to withdraw consent at any time.
- Access / portability: when signed in, you can download the personal data we hold about your account at /api/account/export (JSON). For a full subject-access request covering report content, contact us.
- Withdraw analytics consent: use “Cookie settings” in the footer.
- Erasure: we will erase your data unless we must retain it — for example where it forms part of an authority’s statutory record or the tamper-evident audit trail. We will tell you which applies.
To exercise any right, email [email protected]. We respond within one month.
8. Security
Tenant data is isolated at the database level (row-level security, tested), access is authenticated and role-scoped, traffic is encrypted in transit and data at rest, and administrative access is minimised and logged. See the security overview in our documentation.
9. Cookies
We use strictly-necessary cookies plus optional analytics with your consent. See the Cookie Policy.
10. Complaints
You can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk, or 0303 123 1113. We’d appreciate the chance to help first.
11. Changes
We’ll update this policy as the service and our processors change, and revise the “last updated” date above.
