Data Protection — PinkWatch.org Community Safety Tracker

Our Commitment

PinkWatch.org is committed to protecting your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) 2003. This page provides detailed information about how we handle and protect your data.

1. Data Controller Details

Data Controller	PinkWatch.org
Contact Email	privacy@pinkwatch.org
ICO Registration	Registered with the Information Commissioner's Office (registration pending/in progress)
Applicable Law	UK GDPR, Data Protection Act 2018, PECR 2003

2. Data Processing Register

In accordance with UK GDPR Article 30, we maintain a record of our processing activities:

Data Category	Purpose	Lawful Basis	Retention
Full Name	Account identification, attribution of reports	Contract (Art. 6(1)(b))	Until account deletion + 30 days
Email Address	Authentication, account communications	Contract (Art. 6(1)(b))	Until account deletion + 30 days
Password	Authentication (stored as bcrypt hash only)	Contract (Art. 6(1)(b))	Until account deletion
Postcode	Optional — local area context	Consent (Art. 6(1)(a))	Until account deletion + 30 days
Property Addresses	Community safety map display	Legitimate Interest (Art. 6(1)(f))	Indefinitely unless removal requested
GPS Coordinates	Map pin placement	Legitimate Interest (Art. 6(1)(f))	Indefinitely unless removal requested
Report Descriptions	Community context and information	Consent (Art. 6(1)(a))	Indefinitely unless removal requested
IP Address	Security, abuse prevention	Legitimate Interest (Art. 6(1)(f))	12 months maximum
Browser/Device Info	Service compatibility, security	Legitimate Interest (Art. 6(1)(f))	12 months maximum

3. Data Protection Principles

We adhere to the seven key principles of UK GDPR (Article 5):

Lawfulness, Fairness, and Transparency: We process data lawfully and are transparent about how we use it.
Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only.
Data Minimisation: We collect only the minimum data necessary to provide the Service.
Accuracy: We take reasonable steps to ensure personal data is accurate and up to date. Users can correct their data at any time.
Storage Limitation: Personal data is retained only for as long as necessary for the purposes set out in this document.
Integrity and Confidentiality: We implement appropriate technical and organisational security measures.
Accountability: We are responsible for and can demonstrate compliance with these principles.

4. Technical Security Measures

We implement the following measures in compliance with UK GDPR Article 32:

4.1 Encryption

All data in transit is protected by TLS 1.2 or higher (HTTPS)
Passwords are hashed using the bcrypt algorithm with a work factor of 12 — plain text passwords are never stored or logged
Authentication tokens (JWT) are signed using HMAC-SHA256

4.2 Access Controls

Database access is restricted to the application service account only
Administrative access requires separate authentication
Users can only modify or delete their own submissions

4.3 Infrastructure

Hosted on UK-based servers
Regular software updates and security patches applied
SQL injection prevention through parameterised queries (prepared statements)
Cross-Site Scripting (XSS) prevention through output encoding
CORS headers configured to control cross-origin access

5. Data Protection Impact Assessment Summary

In accordance with UK GDPR Article 35, we have conducted a Data Protection Impact Assessment (DPIA) for the SafeGuard platform. Key findings:

DPIA Summary

Nature of Processing: Collection and public display of property location data submitted by registered community members.

Risk Assessment: The platform processes only property addresses (not personal addresses of individuals) and basic account information. No special category data is processed. The risk to data subjects is assessed as low to moderate.

Mitigating Measures:

Email addresses are never publicly displayed
Users can request removal of their reports at any time
Content moderation to prevent misuse
Robust technical security measures as described above
Clear community standards prohibiting harassment or discrimination

Conclusion: The processing is necessary and proportionate for the legitimate aim of community safety awareness. Adequate safeguards are in place to protect data subjects' rights.

6. Data Subject Rights Procedures

We have established procedures to handle data subject requests within the timeframes required by UK GDPR:

Right	How to Exercise	Response Time
Access (SAR)	Email privacy@pinkwatch.org with subject "Subject Access Request"	Within 1 calendar month
Rectification	Email with details of the data to be corrected	Within 1 calendar month
Erasure	Email requesting account and/or data deletion	Within 1 calendar month
Restriction	Email requesting restriction of specific processing	Within 1 calendar month
Portability	Email requesting data export (provided in JSON format)	Within 1 calendar month
Objection	Email stating grounds for objection	Within 1 calendar month

We may extend the response time by a further two months for complex requests, as permitted by UK GDPR Article 12(3). In such cases, we will notify you within the initial one-month period.

We will verify your identity before processing any data subject request. We will not charge a fee for handling requests unless the request is manifestly unfounded or excessive, in which case a reasonable fee may be charged as permitted by UK GDPR Article 12(5).

7. Data Breach Procedures

In compliance with UK GDPR Articles 33 and 34, we have procedures in place for data breaches:

Detection: We monitor our systems for unauthorised access or data breaches.
Assessment: Upon detection, we assess the nature, scope, and risk of the breach.
Notification to ICO: If the breach is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach.
Notification to Data Subjects: If the breach is likely to result in a high risk to individuals, we will notify affected users without undue delay.
Documentation: All breaches are documented regardless of whether they require notification.

8. Third-Party Data Processors

Processor	Purpose	Location	Safeguards
Web Hosting Provider	Server hosting, data storage	United Kingdom	Data Processing Agreement in place
OpenStreetMap Foundation	Map tile display (no personal data shared)	EU/UK	Open Database License; no personal data transferred

We do not use any third-party analytics, advertising, or social media tracking services.

9. Cookies and Local Storage

In compliance with the Privacy and Electronic Communications Regulations (PECR) 2003:

We use browser localStorage solely to maintain your authentication session (login token and user profile). This is strictly necessary for the Service to function and is exempt from consent requirements under PECR Regulation 6(4).
We do not use any tracking cookies, advertising cookies, or third-party analytics cookies.
No data is shared with advertisers or marketing platforms.

10. International Data Transfers

All personal data is stored and processed within the United Kingdom. We do not transfer personal data to countries outside the UK or EEA. Should this change in future, we will ensure appropriate safeguards are in place as required by UK GDPR Chapter V, such as Standard Contractual Clauses or an adequacy decision by the Secretary of State.

11. Staff Training and Awareness

All individuals with access to personal data are trained on data protection principles and their obligations under UK GDPR. Access to personal data is limited to those who require it to fulfil their role.

12. Complaints and Supervisory Authority

If you have concerns about how we process your data, please contact us first at privacy@pinkwatch.org. If you are not satisfied with our response, you have the right to complain to:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk/make-a-complaint

13. Review Schedule

This Data Protection documentation is reviewed at least annually, or sooner if there are significant changes to our processing activities, applicable legislation, or guidance from the ICO.

14. Contact

Data Protection Enquiries

PinkWatch.org
Email: privacy@pinkwatch.org
Please include "SafeGuard Data Protection" in the subject line.