Client Review Platform — Privacy Notice (Working Draft v0.1)
Status: working draft for data-protection review. This is the Privacy Notice referenced by clause B9 of the Terms of Use. It is structural drafting to take to a data-protection adviser, not final text and not legal advice. The items marked (adviser to finalise) are genuine decisions that need professional sign-off: the controller details, the lawful-basis assessments, retention periods, and whether ICO registration or a DPO is required. I am not a lawyer.
1. Who we are
[Platform operating company name], registered in England and Wales, company number [number], registered address [address], is the data controller for the personal data described in this notice.
For any data-protection matter, contact: [privacy contact / email]. (Adviser to confirm whether a DPO is required and, if so, name them here.)
2. Who this notice covers
The platform processes the personal data of three main groups, with a different basis for each:
- Members — the agencies, consultants and freelancers who hold accounts and write reviews.
- Client points of contact — the individual a member supplies at a reviewed company so we can verify the engagement and serve notice of a review. If you are a client point of contact, we collect this data from the member, not from you directly (see §6).
- Representatives of reviewed companies — people who claim a company profile, reply to a review, or raise a challenge.
It also covers ordinary website visitors in the limited way described in §9.
3. The personal data we process
| Group | Data we process |
|---|---|
| Members | Name, business name and type, work email, account credentials, verification information, contribution and activity history, and subscription or payment details |
| Client points of contact | Name, job role and work email, linked to the engagement and review they relate to |
| Verification documents | A redacted contract or invoice for engagements of £2,500 or more, which may contain personal data even after redaction. Held only transiently (see §11) |
| Reviewed-company representatives | Name, role and contact details connected to a profile claim, reply or challenge |
| Reviews themselves | Reviews are about companies, not individuals. For a sole trader or one-person company, a review may indirectly relate to an identifiable person, which is why those reviews are handled more strictly (see the Terms and the platform spec) |
We do not set out to collect special category data (such as health, race or political opinion). Members and reviewers are told not to include it (see §7).
4. Why we process it, and our lawful basis
| Purpose | Lawful basis (adviser to confirm) |
|---|---|
| Providing the platform to members (accounts, reading, contributing) | Performance of a contract with the member |
| Verifying that an engagement really happened | Legitimate interests — maintaining the integrity and accuracy of the platform |
| Holding and notifying the client point of contact | Legitimate interests — operating a fair notice-and-reply process that is also the platform's defamation safeguard |
| Moderating reviews before publication | Legitimate interests — legal safety and content quality |
| Hosting reviews and replies | Legitimate interests — running a service that lets members make informed onboarding decisions |
| Security, fraud prevention and enforcing our Terms | Legitimate interests |
| Taking subscription payments | Performance of a contract and legal obligation (financial records) |
| Any marketing to members | Consent, which you can withdraw at any time |
Where we rely on legitimate interests, we have weighed our interest against your rights and concluded the processing is necessary and proportionate. (Adviser to finalise the legitimate interests assessments, especially for the client-contact data, the verification documents, and the hosting of reviews against an objection.) You can object to legitimate-interests processing at any time (see §12).
5. (Reserved)
6. Where we get client-contact data from
If you are a client point of contact, we did not collect your details from you. A member you or your company worked with supplied them to us so that we could verify the engagement and notify you that a review has been submitted.
In the notification we send you (see Appendix A), we tell you this, what we hold, why we hold it, and what your rights are, in line with our transparency obligations for data not collected directly from the individual. (Adviser to confirm the Article 14 timing and content.)
7. Special category data
We do not intend to process special category data. Members and reviewers are instructed to keep reviews factual, businesslike and about company conduct, and not to include sensitive personal information. Our moderation process removes such content where it appears.
8. Moderation and automated processing
Every review passes through an automated sense-check before publication, which flags and proposes edits to problematic content. This is not a solely automated decision with legal or similarly significant effect: a human moderator makes the final decision on anything the check flags, on every member's first review, and on every review of a sole trader or one-person company. You can ask for human review of any moderation outcome that affects you. (Adviser to confirm this keeps us outside Article 22.)
9. Who we share data with
- Service providers (processors) acting on our instructions, such as hosting, email delivery and payment processing. They are bound by contract to protect the data.
- A reviewed company, which sees the client point of contact's details only as part of the notice that a review concerns it, and sees reviews about it within the gated record. Reviewer identities are not disclosed to reviewed companies.
- Authorities or advisers where we are required by law, or to establish or defend legal claims.
We do not sell personal data. The platform is members-only and is not published to the open web.
10. International transfers
We aim to keep personal data within the UK. Where a processor is outside the UK, we put an approved safeguard in place (such as the UK International Data Transfer Agreement or addendum). (Adviser to confirm once the processor list is fixed, and to advise if the platform later serves non-UK members.)
11. How long we keep it
- Verification documents (redacted contract or invoice) are held only for as long as needed to verify the engagement, then destroyed. We keep a record that verification took place and when the document was destroyed, but not the document itself.
- Member account data is kept for the life of the membership and a limited period afterwards. (Adviser to set the period.)
- Client-contact details are kept while the related review is live, so the notice, reply and challenge process can operate and so we can evidence that a fair process was followed. (Adviser to set the period and the position once a review is withdrawn.)
- Reviews and replies are kept for as long as the platform operates them, subject to the rights below.
- Payment records are kept as long as the law requires.
12. Your rights
Subject to the conditions in UK data-protection law, you have the right to: access your data; have it corrected; ask for erasure; restrict or object to processing; and request portability. Where we rely on consent, you can withdraw it at any time.
For reviewed companies and their contacts specifically:
- A factual error in a review will be corrected or the review removed.
- Disagreement with an opinion does not remove a review; your reply is attached to it instead.
- An objection or erasure request is weighed against our legitimate interest in operating a fair, accurate platform and against our process safeguards. We will explain the outcome.
To exercise any right, contact [privacy contact / email]. We respond within one month.
13. Complaints
If you are unhappy with how we handle your data, please contact us first. You also have the right to complain to the Information Commissioner's Office (ICO), ico.org.uk. (Adviser to confirm whether we must pay the ICO data protection fee and register.)
14. How we keep data secure
We use appropriate technical and organisational measures, including access controls, encryption in transit, gated membership, and prompt destruction of verification documents once used. Access to personal data is limited to staff who need it.
15. Changes to this notice
We may update this notice and will tell members of any material change.
16. Contact
[Platform operating company name], [address]. Data-protection contact: [email].
Appendix A — Client-contact notification wording (discharges the §6 transparency duty)
This is the message sent to a client point of contact when a member submits a review. It both starts the holding period and informs the contact of how their data is used. (Adviser to finalise.)
Subject: A review has been submitted about [Company name]
Hello [Contact name],
[Member-side, shown as the platform, not the named reviewer:] A service provider that worked with [Company name] has submitted a review of the company on [Platform name], a members-only platform where providers review the companies they work with. You have been listed as the point of contact for this engagement.
Why you are hearing from us. We were given your name, role and work email by the provider so we could verify the engagement and let you know about the review before it goes live. We hold this information to operate a fair notice and reply process. You can read how we handle your data in our Privacy Notice at [link], and you have the right to access, correct or object to it.
What happens next. The review will become visible to our members in [7 / 14] days unless [Company name] responds. You can:
- Reply to the review, which is attached to it, or
- Challenge it if you believe it contains a factual error.
The review concerns the company's conduct and working relationship only. It does not name individuals. Reviews are the opinions of the providers who write them.
To reply, challenge, or claim [Company name]'s profile, use [link].
[Platform name]
End of working draft. Do not publish without data-protection adviser sign-off. Pairs with the Terms of Use & Review Guidelines, the solicitor briefing, the spec v0.2, and the moderation agent contract.