Privacy Notice
Last updated: 13 June 2026
Who controls your data
Common Wealth Common Ground, Charitable Incorporated Organisation, registered in England and Wales.
Charity Commission number: [ADD WHEN REGISTERED]
Data controller contact: privacy@commonwealth-common-ground.world
ICO registration number: [ADD WHEN REGISTERED]
What data we collect and why
| Data | Purpose | Lawful basis | Optional? |
|---|---|---|---|
| First name | Display on profile | Contract | No |
| Last name | Identity record, legal use only | Contract | No |
| Face photo | Community recognition, safety | Contract | No |
| Email address | Account access, notifications | Contract | No |
| Mobile number | SMS verification, safety alerts | Contract | No |
| Full home address | Safety record, legal/police use only | Legitimate interests | No |
| Date of birth | Age verification (18+ gate) | Contract | No |
| Town/region | Local area matching | Contract | No |
| Kindness balance | Exchange tracking | Contract | No |
| Exchange history | Record of completed exchanges | Contract | No |
| Messages | Private communication between members | Contract | No |
| Job record photos | Evidence of exchange completion | Legitimate interests | Yes (remote jobs exempt) |
| Trusted contact details | Safety check-in feature | Consent | Yes |
| Optional ID verification | High-trust exchange types only | Consent | Yes |
| Profile interests/bio | Community matching | Contract | No |
| Trust tier | Access control, community safety | Legitimate interests | No |
| Location lock data | Preventing area-gaming abuse | Legitimate interests | No |
Special category data
Members may disclose health conditions, disabilities, religious beliefs or other sensitive information in their profiles or posts. We do not ask for this. If you share it voluntarily, it is processed under your explicit consent (by choosing to post it publicly) or under substantial public interest (for safeguarding purposes). You can remove it at any time.
Who we share your data with
- Other CommonGround members: first name, photo, town/region, trust tier, exchange history and interests only.
- Stripe: payment processing — a data processor under contract with us.
- Twilio: SMS delivery — a data processor under contract with us.
- Supabase: database and storage hosting — a data processor under contract with us.
- UK Police or law enforcement: only in response to a valid legal request (production order, court order, or s.29 DPA request). We log every such request and notify you when legally permitted.
- We never sell your data. Ever.
Our processors
Stripe — Payment processor
Data may be transferred outside the UK — covered by Standard Contractual Clauses.
Twilio — SMS delivery
Data may be transferred outside the UK — covered by Standard Contractual Clauses.
Supabase — Database & storage hosting
EU/EEA hosting with Row Level Security enabled on all tables.
How long we keep your data
| Data type | Retention period |
|---|---|
| Active account data | While membership active + 2 years after lapse |
| Messages | 2 years from last message |
| Exchange records | 2 years from completion |
| Job photos (not flagged) | 14 days from exchange completion |
| Job photos (safety flagged) | Duration of safety case + 1 year |
| Safety reports | 5 years |
| Evidence PDFs | 5 years |
| Payment records | 7 years (legal/tax obligation) |
| Audit logs (admin access) | 5 years |
| Deleted account data | Anonymised after 90 days |
| Offline pack data | Regenerated monthly — previous pack deleted |
Your rights
You have the right to:
- Access your personal data (Subject Access Request).
- Correct inaccurate data.
- Delete your data (some data must be kept for legal reasons).
- Object to certain processing.
- Restrict processing in some circumstances.
- Portability — receive your data in a machine-readable format.
- Withdraw consent at any time for consent-based processing.
To exercise any right, use our Your Rights form or email rights@commonwealth-common-ground.world. We respond within 30 days and verify your identity before acting on any request.
Complaints
You can complain to the ICO at ico.org.uk or 0303 123 1113.
International transfers
Supabase may store data in the EU/EEA. Twilio and Stripe operate globally. All transfers are covered by appropriate safeguards (Standard Contractual Clauses or equivalent). Details available on request.
Automated decision-making
Trust tiers involve automated calculation but with human oversight. No purely automated decision significantly affecting you is made without human review and an appeals route.
Changes to this notice
We will notify you by email of material changes 30 days before they take effect.