Who We Are
Your Rights Shield is a proposed Charitable Incorporated Organisation in registration with the Charity Commission of England and Wales. Our purpose is to provide free, transparent legal information tools to people in England and Wales who cannot access or afford professional legal advice.
We are in the process of registering as a data controller with the Information Commissioner's Office (ICO). Our ICO registration number will be published here once confirmed.
Our principal contact for data protection matters is:
Your Rights Shield (Proposed CIO)
Email: mattf@yourrightsshield.org.uk
What We Collect and Why
2.1 — Tool Inputs
When you use one of our public legal information tools, you enter information about your situation — for example, your pay rate, tenancy type, or benefit claims. This information is processed entirely within your browser. It is not transmitted to or stored on our servers. We never see it. It exists only on your device for as long as the tool is open.
2.2 — Anonymous Analytics
When you complete a check using one of our tools, a minimal analytics record is sent to our servers. This record contains:
- Which tool was used (e.g. "Shift Shield")
- A category identifier (e.g. "care sector")
- Issue flags raised (e.g. "nmw_concern", "deposit_risk") — generic categories, not personal data
- An impact band (nil / under £2,000 / over £2,000) — a generalised indicator only
This record contains no IP address, no device identifier, no session cookie, and no user identifier of any kind. It cannot be linked to you. We use this data solely to understand aggregate patterns of legal need across the platform.
2.3 — Optional Contact Details
Some tools include an optional contact form allowing you to submit your name, email address, and optionally a phone number if you would like to be connected with an adviser. Submitting contact details is entirely voluntary — you receive your full result regardless of whether you submit contact information.
If you submit contact details, they are stored securely in our database for the purpose of adviser follow-up only. They are not used for marketing, shared with third parties for commercial purposes, or retained beyond the period set out in Section 6.
The contact form is currently hidden on all tools pending confirmation of partner adviser organisations. It will not be visible to users until that confirmation is in place.
What We Do Not Collect
- Your name, address, or any identifying information — unless you voluntarily submit it via the contact form
- IP addresses or device identifiers
- Advertising tracking pixels or third-party tracking cookies
- Browsing history or cross-site tracking data
- Location data
- Biometric data of any kind
No data is ever sold to third parties. No data is used for advertising purposes. We do not have commercial relationships with advertisers.
Lawful Basis for Processing
We process personal data only where we have a lawful basis to do so under the UK General Data Protection Regulation (UK GDPR).
| Processing Activity | Lawful Basis |
|---|---|
| Anonymous analytics | Legitimate interests (Article 6(1)(f)) — understanding aggregate legal need is necessary for our charitable purpose. No individual is identifiable from this data. |
| Optional contact submissions | Consent (Article 6(1)(a)) — you actively choose to submit your details and are informed how they will be used. Submission is optional and does not affect your result. |
| Adviser account data (Shield Engine) | Contract and legitimate interests (Article 6(1)(b)/(f)) — necessary to provide access to the adviser platform in connection with a partner organisation. |
| Case management records (Shield Engine) | Legitimate interests (Article 6(1)(f)) — necessary to enable advisers to manage and track cases in furtherance of our charitable purpose. |
Where our tools process information about health conditions, disability status, or financial vulnerability, we rely on the additional condition under Article 9(2)(g) — substantial public interest — as a charitable organisation providing support services to individuals in need.
Our Data Processors
We use a small number of carefully selected third-party processors to operate the platform. All processors are bound by data processing agreements and operate to appropriate security standards.
| Processor | Role | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication for Shield Engine and contact submissions | EU — Ireland (EU-West-1). SOC 2 Type II certified. |
| Netlify Inc. | Website hosting and serverless functions for analytics relay | EU-compliant hosting. DPA in place. |
| Anthropic PBC | AI processing for payslip analysis (Shift Shield only) | Data not retained for model training by default. API data processing agreement in place. |
We do not use Google Analytics, Meta Pixel, or any third-party advertising or behavioural tracking services.
How Long We Keep Data
| Data Category | Retention Period |
|---|---|
| Anonymous analytics records | 24 months, then deleted. Reviewed annually. |
| Optional contact submissions | 12 months from submission, or until the case is resolved — whichever is sooner. Deleted on request within 30 days. |
| Case management records (Shield Engine) | 3 years from case closure. Consistent with standard advice sector practice. |
| Audit log entries (Shield Engine) | 3 years. Governance and accountability requirement. |
| Adviser account data (Shield Engine) | Duration of the relationship plus 12 months. Deleted within 30 days of a deactivation request. |
How We Protect Your Data
We have implemented the following technical and organisational measures to protect personal data:
- All platform domains served over HTTPS with TLS encryption in transit
- Database hosted in the EU with encryption at rest
- Row-level security enforced at database level — no public read or write access without explicit permission
- Shield Engine access restricted to authenticated accounts with hashed password storage
- Serverless functions act as an intermediary layer — database credentials are never exposed in public-facing code
- No sensitive data stored in browser local storage or session storage
- Content Security Policy headers configured on Shield Engine
- Data processed on dedicated devices, separate from personal use
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with our obligations under UK GDPR.
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Right to be informed | You have the right to know what data we hold about you and how we use it. This policy fulfils that obligation. |
| Right of access | You can request a copy of any personal data we hold about you. We will respond within one month. |
| Right to erasure | You can ask us to delete your personal data. We will do so within 30 days subject to any legitimate grounds for retention. Anonymous analytics data cannot be erased as it cannot be linked to individuals. |
| Right to rectification | You can ask us to correct inaccurate data we hold about you. |
| Right to object | You can object to processing based on legitimate interests. Where your objection is upheld, we will stop processing and delete the data. |
| Right to data portability | Contact submissions can be provided to you in CSV format on request. Anonymous analytics data is not portable as it cannot be linked to individuals. |
To exercise any of these rights, contact us at mattf@yourrightsshield.org.uk. We will respond within one month. If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk/make-a-complaint.
Cookies
Our public tools do not use advertising cookies, tracking cookies, or third-party analytics cookies of any kind.
We may use strictly necessary session cookies required for the technical operation of the platform — for example, to maintain an authenticated session within Shield Engine. These are functional cookies only and do not track you across sites.
No cookie consent banner is currently displayed on the public tools because we do not set non-essential cookies. If this changes, this policy and the platform will be updated accordingly.
Changes to This Policy
This policy will be reviewed annually and updated whenever there is a material change in our processing activities, a new tool is launched, a new data processor is engaged, or there is a significant change in applicable legislation.
The version number and date at the top of this page will reflect the current version. We will not make material changes without updating the date.
Contact and Complaints
For any questions about this policy, to exercise your data rights, or to raise a concern about how we handle personal data, please contact us:
Email: mattf@yourrightsshield.org.uk
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
ico.org.uk/make-a-complaint
ICO Helpline: 0303 123 1113
We are committed to resolving any concerns promptly and transparently. We would always prefer the opportunity to address a concern directly before it reaches the ICO.