Article 30 UK GDPR

Records of Processing Activities

CourtCraft Advocate Ltd — ICO Registration No. ZB812547

Version 1.0 | Prepared: May 2026 | Next Review: May 2027

Article 30 Obligation

Under Article 30 of the UK GDPR, controllers must maintain a record of all processing activities carried out under their responsibility. This record must be made available to the ICO on request. CourtCraft Advocate Ltd is required to maintain this RoPA because it processes special category personal data (Article 9) on a large scale.

10

Processing Activities

4 activities

Special Category

4 activities

High/Critical Risk

USA (SCCs)

Third Countries

Controller Details (Article 30(1)(a))

Data Controller

CourtCraft Advocate Ltd

ICO Registration

ZB812547

Contact

privacy@courtcraftadvocate.com

DPO Status

Appointment in progress — required before full commercial launch

Jurisdiction

England & Wales (UK GDPR / DPA 2018)

RoPA Version

1.0 — May 2026

PR-001

User Account Registration & Authentication

Low Risk

Purpose of Processing (Art. 30(1)(b))

Creating and managing user accounts; authenticating users to the platform; maintaining account security

Personal Data Categories (Art. 30(1)(c))

Full nameEmail addressCountryPassword (hashed)Account creation dateLast login timestamp

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

Registered usersTrial users

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance

Recipients (Art. 30(1)(d))

Supabase Inc. (database/auth)

Resend Inc. (verification emails)

Third Country Transfers (Art. 30(1)(e))

USA — Supabase (SCCs + UK Addendum), Resend (SCCs)

Retention Period (Art. 30(1)(f))

Duration of subscription + 12 months post-termination; then deleted

Security Measures (Art. 30(1)(g) / Art. 32)

AES-256 encryption at restTLS 1.3 in transitRow-level security (RLS)Bcrypt password hashingSession fingerprinting
PR-002

AI-Assisted Legal Guidance (Chat)

High Risk

Purpose of Processing (Art. 30(1)(b))

Providing AI-generated legal guidance on UK family law proceedings; answering procedural and substantive legal questions

Personal Data Categories (Art. 30(1)(c))

Chat messagesLegal queriesSession identifiersTimestamps

Special Category Data (Art. 9)

Family law proceedings dataDomestic abuse disclosures (screened by DASH gate)Health information (where disclosed)Financial vulnerability indicators

Data Subjects (Art. 30(1)(c))

Registered usersTrial users

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance; Article 6(1)(a) — Consent

Art. 9 Basis

Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims

Recipients (Art. 30(1)(d))

Anthropic PBC (Claude AI)

OpenAI LLC (GPT)

Perplexity AI (legal research — PII-stripped)

Supabase Inc. (storage)

Third Country Transfers (Art. 30(1)(e))

⚠️ USA — Anthropic (IDTA pending), OpenAI (IDTA pending), Perplexity (SCCs + PII-stripping), Supabase (SCCs + UK Addendum)

Retention Period (Art. 30(1)(f))

Chat history retained for duration of subscription + 12 months; then deleted

Security Measures (Art. 30(1)(g) / Art. 32)

DASH domestic abuse gate (pre-AI screening)PII-stripping before Perplexity callsAES-256 encryptionRLS access controlsNo AI training on user data
PR-003

DASH Domestic Abuse Risk Screening

Critical Risk

Purpose of Processing (Art. 30(1)(b))

Screening all user inputs for domestic abuse indicators before AI processing; routing high-risk disclosures to crisis resources; maintaining audit log for regulatory compliance

Personal Data Categories (Art. 30(1)(c))

Anonymised screening event logsRisk tier classificationTimestampSession identifier (no user ID in log)

Special Category Data (Art. 9)

Domestic abuse indicators (anonymised — no personal identifiers stored in DASH log)

Data Subjects (Art. 30(1)(c))

All platform users (screened on every query)

Legal Basis (Art. 30(1)(b))

Article 6(1)(c) — Legal obligation; Article 6(1)(f) — Legitimate interests (user safety)

Art. 9 Basis

Article 9(2)(g) — Substantial public interest (Domestic Abuse Act 2021, Schedule 1, para 18)

Recipients (Art. 30(1)(d))

Supabase Inc. (anonymised audit log only)

Third Country Transfers (Art. 30(1)(e))

USA — Supabase (SCCs + UK Addendum) — anonymised data only

Retention Period (Art. 30(1)(f))

Anonymised DASH audit logs retained for 24 months for regulatory compliance; then deleted

Security Measures (Art. 30(1)(g) / Art. 32)

Deterministic (non-AI) pattern matching onlyNo personal identifiers in DASH logNon-dismissible crisis modal for CRITICAL tierNSPCC (0808 800 5000) and Samaritans (116 123) displayed
PR-004

Case Data Storage & Management

High Risk

Purpose of Processing (Art. 30(1)(b))

Storing and managing user case files, court dates, timeline events, documents, and case notes for family law proceedings

Personal Data Categories (Art. 30(1)(c))

Case detailsCourt dates and hearing informationTimeline eventsCase notesParty names (user-entered)Document metadata

Special Category Data (Art. 9)

Family law proceedings dataChild welfare informationFinancial vulnerability dataDomestic abuse case details (where applicable)

Data Subjects (Art. 30(1)(c))

Registered usersThird parties named in case files (user-entered)

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance

Art. 9 Basis

Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims

Recipients (Art. 30(1)(d))

Supabase Inc. (database and storage)

Third Country Transfers (Art. 30(1)(e))

USA — Supabase (SCCs + UK Addendum). NOTE: Region confirmation (eu-west-2) required before production data.

Retention Period (Art. 30(1)(f))

Duration of subscription + 12 months; then deleted. User may request earlier deletion via Article 17 erasure right.

Security Measures (Art. 30(1)(g) / Art. 32)

AES-256 encryption at restTLS 1.3 in transitRow-level security — user can only access own dataNo cross-user data access
PR-005

AI Document Generation

High Risk

Purpose of Processing (Art. 30(1)(b))

Generating court documents (position statements, witness statements, chronologies, Scott schedules) based on user-provided case data

Personal Data Categories (Art. 30(1)(c))

Case data (as per PR-004)Generated document contentDocument version history

Special Category Data (Art. 9)

All special category data present in case files (as per PR-004)

Data Subjects (Art. 30(1)(c))

Registered usersThird parties named in generated documents

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance

Art. 9 Basis

Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims

Recipients (Art. 30(1)(d))

Anthropic PBC (Claude AI)

OpenAI LLC (GPT)

Supabase Inc. (storage)

Third Country Transfers (Art. 30(1)(e))

⚠️ USA — Anthropic (IDTA pending), OpenAI (IDTA pending), Supabase (SCCs + UK Addendum)

Retention Period (Art. 30(1)(f))

Generated documents retained for duration of subscription + 12 months

Security Measures (Art. 30(1)(g) / Art. 32)

AI-generated label on all outputsMandatory human review before court submissionCourt of Protection hard blockPublic law PLO detection gate
PR-006

McKenzie Friend Session Booking

Low Risk

Purpose of Processing (Art. 30(1)(b))

Processing bookings for paid McKenzie Friend support sessions; scheduling and payment processing

Personal Data Categories (Art. 30(1)(c))

Full nameEmail addressSession typeBooking date/timePayment reference

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

Registered users booking McKenzie Friend sessions

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance

Recipients (Art. 30(1)(d))

Calendly LLC (scheduling)

Stripe Inc. (payment processing)

Third Country Transfers (Art. 30(1)(e))

USA — Calendly (SCCs + UK Addendum), Stripe (SCCs — covered by Stripe Services Agreement)

Retention Period (Art. 30(1)(f))

Booking records retained for 7 years (HMRC financial records requirement)

Security Measures (Art. 30(1)(g) / Art. 32)

PCI DSS compliance via StripeNo card data stored by CourtCraftEncrypted booking data
PR-007

Payment Processing & Subscription Management

Low Risk

Purpose of Processing (Art. 30(1)(b))

Processing subscription payments; managing billing cycles; handling payment failures and refunds

Personal Data Categories (Art. 30(1)(c))

Email addressSubscription tierPayment statusStripe customer IDInvoice records

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

Paying subscribers

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance; Article 6(1)(c) — Legal obligation (HMRC)

Recipients (Art. 30(1)(d))

Stripe Inc. (payment processor)

Supabase Inc. (subscription records)

Third Country Transfers (Art. 30(1)(e))

USA — Stripe (SCCs — covered by Stripe Services Agreement), Supabase (SCCs + UK Addendum)

Retention Period (Art. 30(1)(f))

Financial records retained for 7 years (HMRC requirement); subscription status retained for duration + 12 months

Security Measures (Art. 30(1)(g) / Art. 32)

PCI DSS compliance via StripeNo card data stored by CourtCraftWebhook signature verification
PR-008

Transactional Email Communications

Low Risk

Purpose of Processing (Art. 30(1)(b))

Sending account verification, GDPR confirmation, payment receipts, trial countdown, and service notification emails

Personal Data Categories (Art. 30(1)(c))

Email addressFull nameEmail typeSend timestamp

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

All registered users

Legal Basis (Art. 30(1)(b))

Article 6(1)(b) — Contract performance; Article 6(1)(c) — Legal obligation (GDPR confirmation emails)

Recipients (Art. 30(1)(d))

Resend Inc. (email delivery)

Third Country Transfers (Art. 30(1)(e))

USA — Resend (SCCs)

Retention Period (Art. 30(1)(f))

Email send logs retained for 12 months; then deleted

Security Measures (Art. 30(1)(g) / Art. 32)

TLS encryption in transitNo email content stored by CourtCraftUnsubscribe mechanism for marketing
PR-009

Analytics & Platform Improvement

Low Risk

Purpose of Processing (Art. 30(1)(b))

Understanding how users interact with the platform; identifying bugs and performance issues; improving features

Personal Data Categories (Art. 30(1)(c))

Anonymised usage eventsPage viewsFeature interactionsSession durationBrowser/device type

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

All users who have given analytics consent

Legal Basis (Art. 30(1)(b))

Article 6(1)(a) — Consent; Article 6(1)(f) — Legitimate interests

Recipients (Art. 30(1)(d))

Google LLC (Google Analytics — where consent given)

Third Country Transfers (Art. 30(1)(e))

USA — Google (SCCs + UK Addendum)

Retention Period (Art. 30(1)(f))

Analytics data retained for 26 months (Google Analytics default); anonymised aggregate data retained indefinitely

Security Measures (Art. 30(1)(g) / Art. 32)

IP anonymisation enabledAnalytics only active with explicit consentNo cross-site tracking
PR-010

Security Logging & Incident Response

Low Risk

Purpose of Processing (Art. 30(1)(b))

Maintaining security audit logs; detecting unauthorised access; supporting incident response and ICO breach notification

Personal Data Categories (Art. 30(1)(c))

Login timestampsIP addresses (hashed)Session identifiersSecurity event typesFailed authentication attempts

Special Category Data (Art. 9)

No special category data

Data Subjects (Art. 30(1)(c))

All users

Legal Basis (Art. 30(1)(b))

Article 6(1)(c) — Legal obligation (UK GDPR Article 32 security requirement); Article 6(1)(f) — Legitimate interests

Recipients (Art. 30(1)(d))

Supabase Inc. (log storage)

Third Country Transfers (Art. 30(1)(e))

USA — Supabase (SCCs + UK Addendum)

Retention Period (Art. 30(1)(f))

Security logs retained for 12 months; then deleted

Security Measures (Art. 30(1)(g) / Art. 32)

IP addresses hashed before storageAccess restricted to data controller onlyLogs used only for security purposes

Retention Schedule

UK GDPR Article 5(1)(e) — Storage Limitation Principle

Under Article 5(1)(e) UK GDPR, personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. The following retention periods apply:

Data CategoryRetention PeriodLegal BasisDeletion Method
Account data (name, email, subscription)Duration of subscription + 12 monthsArt. 6(1)(b) contract performanceAutomated deletion on account termination + 12 months
Case data (court dates, timeline, notes)Duration of subscription + 12 monthsArt. 6(1)(b) contract performanceAutomated deletion; user may request earlier deletion via Art. 17
AI conversation history30 daysArt. 6(1)(f) legitimate interestsAutomated rolling deletion after 30 days
Generated documentsDuration of subscription + 12 monthsArt. 6(1)(b) contract performanceDeleted with account; user may request earlier deletion
DASH domestic abuse audit logs (anonymised)24 monthsArt. 6(1)(c) legal obligationAutomated deletion after 24 months; no personal identifiers stored
Security logs (IP hashed, session events)12 monthsArt. 6(1)(c) legal obligationAutomated deletion after 12 months
Payment records (invoices, Stripe records)7 yearsArt. 6(1)(c) HMRC legal obligationDeleted after 7 years per HMRC requirement
Breach incident log3 years minimumArt. 6(1)(c) ICO requirementReviewed by DPO; deleted after 3 years unless ongoing proceedings
Email send logs12 monthsArt. 6(1)(b) contract performanceAutomated deletion after 12 months

Document Control

Version

1.0

Prepared

May 2026

Next Review

May 2027

Prepared by

CourtCraft Advocate Ltd

DPO Sign-off

Pending — required before full commercial launch

ICO Available

Yes — available on request to ICO

⚠️ Outstanding Items

  • Anthropic IDTA must be executed before PR-002 and PR-005 are fully compliant
  • Supabase region must be confirmed as eu-west-2 before PR-004 is fully compliant
  • DPO appointment required before this RoPA can be formally signed off
  • TNA Computational Analysis Licence required before any RAG corpus construction

© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.