Privacy Policy

Last updated: June 2025 · CJ Software Ltd · Co. No. 17249621

1. Who is the data controller?

CJ Software Ltd (trading as ClerkDesk), registered in England and Wales, Company No. 17249621, is the data controller for personal data processed through this website and service. Contact: [email protected]

This policy applies to clerkdesk.co.uk and the ClerkDesk software service. It is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What data we collect and why

Account registration

• What: Name, email address, council name, password (hashed, never stored in plain text)
• Why: To create and manage your account (contract performance)
• Kept for: Duration of your account, plus 30 days after deletion

Meeting audio and transcripts

• What: Audio files you upload, AssemblyAI transcripts, Claude-generated draft minutes
• Why: To provide the AI Minutes feature (contract performance)
• Kept for: As long as you keep the meeting record, or 30 days after account cancellation
• Third parties: Audio is sent to AssemblyAI (transcription) and Anthropic Claude (formatting). Both process data under data processing agreements. Audio is not retained by either party beyond the processing window.

Documents in the vault

• What: Files you upload (policies, contracts, AGARs, etc.). Credentials files are encrypted with AES-256 before storage.
• Why: To provide the Document Vault feature (contract performance)
• Kept for: As long as you keep the document, or 30 days after account cancellation
• Stored on: AWS S3 (eu-west-2, London region)

Compliance scan results

• What: The URL scanned, WCAG issue counts, your name and email if provided
• Why: To deliver results and, if you opt in, email you the evidence pack (legitimate interest / consent)
• Kept for: 12 months

Billing information

• What: Subscription status and Stripe customer ID. Card details are held by Stripe; we never see or store them.
• Why: To manage your subscription (contract performance / legal obligation)
• Kept for: 7 years (VAT/accounting obligations)

Usage and technical data

• What: Server logs (IP address, page requests, error logs). No third-party analytics scripts are loaded.
• Why: Security monitoring and debugging (legitimate interest)
• Kept for: 90 days

3. Who we share data with

We do not sell your data. We share it only with the sub-processors needed to run the Service:

• AssemblyAI: audio transcription (USA; EU SCCs in place)
• Anthropic: AI text processing (USA; EU SCCs in place)
• AWS: file storage, eu-west-2 region (London)
• Stripe: payment processing (USA; EU SCCs in place)
• Resend: transactional email (USA; EU SCCs in place)
• Vercel: frontend hosting (USA/EU edge; EU SCCs in place)

We may disclose data if required by law, court order, or to protect the rights and safety of others. We will notify you of any such disclosure unless prohibited from doing so.

4. International transfers

Some sub-processors listed above are based outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place (standard contractual clauses or an adequacy decision by the UK Secretary of State).

5. Your rights under UK GDPR

You have the right to:

• Access: request a copy of the personal data we hold about you
• Rectification: ask us to correct inaccurate data
• Erasure: ask us to delete your data (subject to legal retention obligations)
• Portability: receive your data in a machine-readable format
• Restriction: ask us to limit how we use your data while a dispute is resolved
• Object: object to processing based on legitimate interest
• Withdraw consent: where processing is based on consent, you can withdraw it at any time

To exercise any right, email [email protected]. We will respond within one calendar month.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113.

6. Cookies

ClerkDesk uses one strictly necessary session cookie to keep you logged in. No advertising, analytics, or tracking cookies are set. No consent banner is required for strictly necessary cookies under PECR.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 for credentials in the vault, AWS server-side encryption for all S3 objects). Access is restricted by role-based authentication. Passwords are hashed with bcrypt. We perform regular security reviews.

8. Children

ClerkDesk is intended for use by parish council clerks (adults in a professional capacity). We do not knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. Changes to this policy

We may update this policy. Material changes will be notified by email at least 30 days in advance. The "last updated" date at the top of this page always reflects the current version.

10. Contact

Data protection queries: [email protected]
CJ Software Ltd, Company No. 17249621, registered in England and Wales.