GDPR Compliance Statement

Effective Date: 24 November 2025

Last Updated: 24 November 2025

Welshdale Portal is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document outlines our data protection practices and your rights as a data subject.

Our Commitment: We take data protection seriously and have implemented comprehensive technical and organisational measures to ensure the security and privacy of your personal data.

1. Data Controller Information

Welshdale Portal is the data controller for the personal data we process through our platform.

Data Controller: Welshdale Portal

Contact Email: info@welshdale.co.uk

ICO Registration: Registered with the Information Commissioner's Office

Location: United Kingdom

2. Legal Basis for Processing

We process personal data under the following lawful bases as defined by UK GDPR:

Article 6(1)(b) - Contract Performance

Processing necessary to provide the case management platform and related services

Article 6(1)(c) - Legal Obligation

Processing required to comply with UK laws, regulations, and court orders

Article 6(1)(f) - Legitimate Interests

Processing for fraud prevention, security, and service improvement

Article 6(1)(a) - Consent

Processing for marketing communications (with explicit opt-in consent)

3. Categories of Personal Data Processed

3.1 Identity Data

  • Full name
  • Email address
  • Telephone number
  • Organisation/law firm name

3.2 Case Data

  • Case reference numbers
  • Case types and status
  • Case notes and updates
  • Client information related to legal cases

3.3 Document Data

  • Uploaded documents and files
  • Document metadata (file names, upload dates)

3.4 Technical Data

  • IP addresses
  • Browser type and version
  • Login timestamps
  • Usage patterns

3.5 Payment Data

  • Payment card information (processed by Stripe - we do not store card details)
  • Billing addresses
  • Transaction history

4. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access (Article 15)

Request a copy of the personal data we hold about you

Response time: Within 1 month

Right to Rectification (Article 16)

Correct inaccurate or incomplete personal data

Response time: Within 1 month

Right to Erasure / "Right to be Forgotten" (Article 17)

Request deletion of your personal data in certain circumstances

Response time: Within 1 month

Right to Restriction of Processing (Article 18)

Limit how we use your personal data

Response time: Within 1 month

Right to Data Portability (Article 20)

Receive your personal data in a machine-readable format

Response time: Within 1 month

Right to Object (Article 21)

Object to processing based on legitimate interests or for direct marketing

Response time: Within 1 month

Rights Related to Automated Decision Making (Article 22)

Not be subject to decisions based solely on automated processing

Note: We do not use automated decision-making

How to Exercise Your Rights:

Email us at info@welshdale.co.uk with your request

We will respond within 1 month (extendable by 2 months for complex requests)

5. Technical and Organisational Security Measures

5.1 Technical Security

  • Encryption in Transit: TLS 1.2+ encryption for all data transmission
  • Encryption at Rest: Database and file encryption for stored data
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Secure Authentication: JWT tokens with 30-minute expiry, bcrypt password hashing
  • Network Security: Firewalls, DDoS protection, intrusion detection systems
  • Regular Backups: Daily automated backups with encryption
  • Vulnerability Management: Regular security audits and penetration testing

5.2 Organisational Security

  • Data Minimisation: We collect only data necessary for our services
  • Purpose Limitation: Data used only for specified, legitimate purposes
  • Storage Limitation: Data retained only as long as necessary
  • Staff Training: Regular data protection training for all employees
  • Confidentiality Agreements: All staff bound by confidentiality obligations
  • Incident Response Plan: Documented procedures for data breach response
  • Data Protection Impact Assessments: Conducted for high-risk processing

5.3 Data Isolation

We implement multi-tenant architecture with complete data isolation:

  • Each organisation's data is completely isolated from others
  • Users can only access data within their own organisation
  • Database-level separation and access controls
  • No cross-organisation data sharing

6. Data Retention Policy

Data Type | Retention Period | Legal Basis
Account Data | Duration of account + 90 days | Contract performance
Case Data | Duration of account + 90 days | Contract performance
Financial Records | 6 years from transaction | Legal obligation (UK tax law)
Marketing Consent | Until consent withdrawn | Consent
Security Logs | 12 months | Legitimate interest

Upon account closure, we will delete or anonymise your data within 90 days unless we are legally required to retain it longer (e.g., for tax or legal compliance purposes).

7. International Data Transfers

Your data is primarily stored and processed in the United Kingdom. If we transfer data outside the UK or EEA, we ensure:

  • The destination country has adequate data protection laws (adequacy decision), OR
  • We use Standard Contractual Clauses approved by UK authorities, OR
  • We rely on other appropriate safeguards under UK GDPR

Third-Party Services: We use the following services that may involve data transfers:

  • Stripe (payment processing) - Adequate safeguards in place
  • Email service providers - UK/EEA based or with adequate safeguards

8. Data Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms:

  • ICO Notification: We will notify the Information Commissioner's Office within 72 hours
  • Individual Notification: If high risk, we will notify affected individuals without undue delay
  • Content of Notification: Nature of breach, likely consequences, measures taken
  • Documentation: All breaches are documented, regardless of whether notification is required

Our Commitment: We have comprehensive incident response procedures in place and conduct regular security drills to ensure rapid and effective breach response.

9. Data Protection Officer (DPO)

While not legally required to appoint a DPO, we have designated a data protection contact point:

Data Protection Contact: info@welshdale.co.uk

You can contact us with any data protection queries or concerns

10. Cookies and Tracking Technologies

We use only essential cookies necessary for the platform to function:

Cookie Name | Purpose | Duration
session_token | Authentication and session management | 30 minutes
csrf_token | Security (CSRF protection) | Session

No Tracking: We do not use advertising cookies, analytics cookies, or third-party tracking technologies.

11. How to Complain

If you have concerns about our data protection practices:

Step 1: Contact Us

Email: info@welshdale.co.uk

We will investigate and respond within 30 days

Step 2: Contact the ICO

You have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Telephone: 0303 123 1113

Live Chat: Available on ICO website

12. Updates to This Statement

We may update this GDPR Compliance Statement from time to time to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when this statement was last revised. We will notify you of material changes by email or through a notice on the platform.

13. Contact Information

For any GDPR-related questions or to exercise your rights:

Email: info@welshdale.co.uk

Website: welshdale.co.uk

Response time: Within 1 month of receiving your request

Our Commitment to Data Protection

Welshdale Portal is committed to maintaining the highest standards of data protection and privacy. We continually review and improve our practices to ensure compliance with UK GDPR and provide transparency about how we handle your personal data.

Your trust is important to us. If you have any questions or concerns about our data protection practices, please don't hesitate to contact us.