Privacy Statement

All data/information obtained, stored and processed by the organisation is covered by the above policies and procedures. 

Citizens Advice Edinburgh recognises that the handling of identifiable, personal and sensitive information may be necessary for the effective functioning of the organisation and the services we provide. This may include information obtained from a third party. Information may be held about individuals using and providing the organisation's services and about individuals in organisations we work in partnership with.

We all have a responsibility to protect the data we hold about people, whether they are citizens, volunteers, employees or partners, including how we process that data. Our reputation as an organisation people can trust also depends on our ability to uphold and maintain data protection standards, in accordance with the law and best practice.

The main aims of this policy are to:  

  • Ensure that the organisation complies with the Data Protection Act 2018 and the associated Codes of Practice and Regulations (including the General Data Protection Regulation (GDPR)).

  • Ensure that information given in trust by users of the organisation's services, our employees and volunteers, or information that is held by the organisation for any other reason, is treated in compliance with the law and associated regulations.

  • Ensure that information is protected in terms of how it is stored, processed and shared in compliance with the law and associated regulations. 

  • Ensure that the boundaries of confidentiality and individuals' rights in relation to data protection are clear and understood by users of our service, our employees and our volunteers and that we are therefore confident that they are able to provide informed consent.

  • Ensure users are aware of the organisation's responsibilities to protect, control, process and store their information, including requests for access.  

  • Make explicit the responsibilities of employees and volunteers concerning data protection, confidentiality and management of a Data Breach. 

  • Ensure that we remain compliant with Data Protection, including maintaining an up-to-date Data Asset Register, carrying out regular Data Protection Audits, providing continuing professional development for employees and volunteers and applying a Data Protection Impact Assessment to any new services or processes we undertake.  

Responsibility for the control of personal data: 

The organisation’s Data Protection Officer and Senior Information Risk Owner is the Chief Executive, who is responsible for ensuring all data is controlled in compliance with the Data Protection Act 2018 and associated Codes of Practice and Regulations.  In accordance with our Data Protection Authorisation, the Scottish Association of Citizens Advice Bureau (Citizens Advice Scotland) is a Joint Data Controller.  More information about their Data Protection Policies and Procedures can be found at www.cas.org.uk  

Chatbot Privacy Notice

Who We Are and Important Information

Citizens Advice Edinburgh is the controller and is responsible for your personal data, and it is a member of the Scottish Association of Citizens Advice Bureau (“CAS”), details of which can be found on its website privacy policy (collectively referred to as "we", "our", "us" or "Cab"). This Privacy Notice sets out the type of personal information we collect about you, why we collect it, and how we use it when you use our chatbot service.

It is important that you read this Privacy Notice together with our website privacy policy which contains more detailed information about our data processing and can be accessed here or you can request a copy from us. 

If you have any queries about our privacy practices or about this Privacy Notice contact us:

Address: 23 Dalment Street, Edinburgh EH6 8PG 

Email: websitecontact@cabedinburgh.org.uk


What Personal Data we collect and how this is collected

We collect personal data such as:

  • your phone number 

  • information you provide to us in the free text facility within the chat

  • the transcript of the chat

Purposes of using your Personal Data and lawful basis we rely on

We use your personal data to: 

  • provide you with the chatbot service  

  • learn from and improve the service

  • share the data with CAS and our third party chatbot supplier to facilitate improvement of services and wider development of services for fellow members of shared services

  • manage our relationship with you e.g. to contact you where you request this 

  • meet our regulatory requirements or legal responsibilities, as required.

We will only use your personal data when the law allows us to. Our lawful basis to process your personal data is in our legitimate interests. It is in our legitimate interest to respond to enquiries, requests, and information received to ensure we provide you with the relevant support, improve the service and share personal data with our third party chatbot supplier which helps us to provide and improve the service.   

Who do you share my information with?

We may share your personal data with CAS, our third-party supplier who helps us develop, improve and supply the chatbot service, and other local Citizens Advice Bureaus to provide you with the correct advice and/or support. We also share this data with Google Cloud, insurers, and regulators.

Personal Data Transfers

We transfer personal data to and from the EEA and UK based on the adequacy decisions for the UK and EU. Please see our website privacy policy.

How long do we keep records for?

We will only keep your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including to satisfy any legal, insurance, regulatory, tax, accounting, or reporting requirements or if there’s a complaint or if we reasonably believe there is a prospect of litigation. 

If you choose not to get in touch with us after the chat has ended, we’ll keep the data from the chat for 3 months. Where you get in touch with us we keep this for 7 years and for certain complex cases we keep this data for 16 years.

We may keep data longer than these periods if necessary. Examples of where records need to be kept beyond the retention periods include records of advice and support around statutory debt options and building works over a certain value.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws concerning your personal data including the right to receive a copy of the personal data we hold about you, the right to rectification, restriction, erasure, objection, as well as the right to portability. You also have the right to make a complaint at any time to a supervisory authority which is the Information Commissioner's Office in the UK and is the regulator for data protection issues (www.ico.org.uk). 

Our full Data Protection Policy and Procedure can be found here:

Citizens Advice Edinburgh Data Protection Policy and Procedures