Article 30 UK GDPR
Records of Processing Activities
CourtCraft Advocate Ltd — ICO Registration No. ZB812547
Version 1.0 | Prepared: May 2026 | Next Review: May 2027
Article 30 Obligation
Under Article 30 of the UK GDPR, controllers must maintain a record of all processing activities carried out under their responsibility. This record must be made available to the ICO on request. CourtCraft Advocate Ltd is required to maintain this RoPA because it processes special category personal data (Article 9) on a large scale.
10
Processing Activities
4 activities
Special Category
4 activities
High/Critical Risk
USA (SCCs)
Third Countries
Controller Details (Article 30(1)(a))
Data Controller
CourtCraft Advocate Ltd
ICO Registration
ZB812547
Contact
privacy@courtcraftadvocate.com
DPO Status
Appointment in progress — required before full commercial launch
Jurisdiction
England & Wales (UK GDPR / DPA 2018)
RoPA Version
1.0 — May 2026
User Account Registration & Authentication
Purpose of Processing (Art. 30(1)(b))
Creating and managing user accounts; authenticating users to the platform; maintaining account security
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance
Recipients (Art. 30(1)(d))
• Supabase Inc. (database/auth)
• Resend Inc. (verification emails)
Third Country Transfers (Art. 30(1)(e))
USA — Supabase (SCCs + UK Addendum), Resend (SCCs)
Retention Period (Art. 30(1)(f))
Duration of subscription + 12 months post-termination; then deleted
Security Measures (Art. 30(1)(g) / Art. 32)
AI-Assisted Legal Guidance (Chat)
Purpose of Processing (Art. 30(1)(b))
Providing AI-generated legal guidance on UK family law proceedings; answering procedural and substantive legal questions
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance; Article 6(1)(a) — Consent
Art. 9 Basis
Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims
Recipients (Art. 30(1)(d))
• Anthropic PBC (Claude AI)
• OpenAI LLC (GPT)
• Perplexity AI (legal research — PII-stripped)
• Supabase Inc. (storage)
Third Country Transfers (Art. 30(1)(e))
⚠️ USA — Anthropic (IDTA pending), OpenAI (IDTA pending), Perplexity (SCCs + PII-stripping), Supabase (SCCs + UK Addendum)
Retention Period (Art. 30(1)(f))
Chat history retained for duration of subscription + 12 months; then deleted
Security Measures (Art. 30(1)(g) / Art. 32)
DASH Domestic Abuse Risk Screening
Purpose of Processing (Art. 30(1)(b))
Screening all user inputs for domestic abuse indicators before AI processing; routing high-risk disclosures to crisis resources; maintaining audit log for regulatory compliance
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(c) — Legal obligation; Article 6(1)(f) — Legitimate interests (user safety)
Art. 9 Basis
Article 9(2)(g) — Substantial public interest (Domestic Abuse Act 2021, Schedule 1, para 18)
Recipients (Art. 30(1)(d))
• Supabase Inc. (anonymised audit log only)
Third Country Transfers (Art. 30(1)(e))
USA — Supabase (SCCs + UK Addendum) — anonymised data only
Retention Period (Art. 30(1)(f))
Anonymised DASH audit logs retained for 24 months for regulatory compliance; then deleted
Security Measures (Art. 30(1)(g) / Art. 32)
Case Data Storage & Management
Purpose of Processing (Art. 30(1)(b))
Storing and managing user case files, court dates, timeline events, documents, and case notes for family law proceedings
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance
Art. 9 Basis
Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims
Recipients (Art. 30(1)(d))
• Supabase Inc. (database and storage)
Third Country Transfers (Art. 30(1)(e))
USA — Supabase (SCCs + UK Addendum). NOTE: Region confirmation (eu-west-2) required before production data.
Retention Period (Art. 30(1)(f))
Duration of subscription + 12 months; then deleted. User may request earlier deletion via Article 17 erasure right.
Security Measures (Art. 30(1)(g) / Art. 32)
AI Document Generation
Purpose of Processing (Art. 30(1)(b))
Generating court documents (position statements, witness statements, chronologies, Scott schedules) based on user-provided case data
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance
Art. 9 Basis
Article 9(2)(a) — Explicit consent; Article 9(2)(f) — Legal claims
Recipients (Art. 30(1)(d))
• Anthropic PBC (Claude AI)
• OpenAI LLC (GPT)
• Supabase Inc. (storage)
Third Country Transfers (Art. 30(1)(e))
⚠️ USA — Anthropic (IDTA pending), OpenAI (IDTA pending), Supabase (SCCs + UK Addendum)
Retention Period (Art. 30(1)(f))
Generated documents retained for duration of subscription + 12 months
Security Measures (Art. 30(1)(g) / Art. 32)
McKenzie Friend Session Booking
Purpose of Processing (Art. 30(1)(b))
Processing bookings for paid McKenzie Friend support sessions; scheduling and payment processing
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance
Recipients (Art. 30(1)(d))
• Calendly LLC (scheduling)
• Stripe Inc. (payment processing)
Third Country Transfers (Art. 30(1)(e))
USA — Calendly (SCCs + UK Addendum), Stripe (SCCs — covered by Stripe Services Agreement)
Retention Period (Art. 30(1)(f))
Booking records retained for 7 years (HMRC financial records requirement)
Security Measures (Art. 30(1)(g) / Art. 32)
Payment Processing & Subscription Management
Purpose of Processing (Art. 30(1)(b))
Processing subscription payments; managing billing cycles; handling payment failures and refunds
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance; Article 6(1)(c) — Legal obligation (HMRC)
Recipients (Art. 30(1)(d))
• Stripe Inc. (payment processor)
• Supabase Inc. (subscription records)
Third Country Transfers (Art. 30(1)(e))
USA — Stripe (SCCs — covered by Stripe Services Agreement), Supabase (SCCs + UK Addendum)
Retention Period (Art. 30(1)(f))
Financial records retained for 7 years (HMRC requirement); subscription status retained for duration + 12 months
Security Measures (Art. 30(1)(g) / Art. 32)
Transactional Email Communications
Purpose of Processing (Art. 30(1)(b))
Sending account verification, GDPR confirmation, payment receipts, trial countdown, and service notification emails
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(b) — Contract performance; Article 6(1)(c) — Legal obligation (GDPR confirmation emails)
Recipients (Art. 30(1)(d))
• Resend Inc. (email delivery)
Third Country Transfers (Art. 30(1)(e))
USA — Resend (SCCs)
Retention Period (Art. 30(1)(f))
Email send logs retained for 12 months; then deleted
Security Measures (Art. 30(1)(g) / Art. 32)
Analytics & Platform Improvement
Purpose of Processing (Art. 30(1)(b))
Understanding how users interact with the platform; identifying bugs and performance issues; improving features
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(a) — Consent; Article 6(1)(f) — Legitimate interests
Recipients (Art. 30(1)(d))
• Google LLC (Google Analytics — where consent given)
Third Country Transfers (Art. 30(1)(e))
USA — Google (SCCs + UK Addendum)
Retention Period (Art. 30(1)(f))
Analytics data retained for 26 months (Google Analytics default); anonymised aggregate data retained indefinitely
Security Measures (Art. 30(1)(g) / Art. 32)
Security Logging & Incident Response
Purpose of Processing (Art. 30(1)(b))
Maintaining security audit logs; detecting unauthorised access; supporting incident response and ICO breach notification
Personal Data Categories (Art. 30(1)(c))
Special Category Data (Art. 9)
No special category data
Data Subjects (Art. 30(1)(c))
Legal Basis (Art. 30(1)(b))
Article 6(1)(c) — Legal obligation (UK GDPR Article 32 security requirement); Article 6(1)(f) — Legitimate interests
Recipients (Art. 30(1)(d))
• Supabase Inc. (log storage)
Third Country Transfers (Art. 30(1)(e))
USA — Supabase (SCCs + UK Addendum)
Retention Period (Art. 30(1)(f))
Security logs retained for 12 months; then deleted
Security Measures (Art. 30(1)(g) / Art. 32)
Retention Schedule
UK GDPR Article 5(1)(e) — Storage Limitation Principle
Under Article 5(1)(e) UK GDPR, personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed. The following retention periods apply:
| Data Category | Retention Period | Legal Basis | Deletion Method |
|---|---|---|---|
| Account data (name, email, subscription) | Duration of subscription + 12 months | Art. 6(1)(b) contract performance | Automated deletion on account termination + 12 months |
| Case data (court dates, timeline, notes) | Duration of subscription + 12 months | Art. 6(1)(b) contract performance | Automated deletion; user may request earlier deletion via Art. 17 |
| AI conversation history | 30 days | Art. 6(1)(f) legitimate interests | Automated rolling deletion after 30 days |
| Generated documents | Duration of subscription + 12 months | Art. 6(1)(b) contract performance | Deleted with account; user may request earlier deletion |
| DASH domestic abuse audit logs (anonymised) | 24 months | Art. 6(1)(c) legal obligation | Automated deletion after 24 months; no personal identifiers stored |
| Security logs (IP hashed, session events) | 12 months | Art. 6(1)(c) legal obligation | Automated deletion after 12 months |
| Payment records (invoices, Stripe records) | 7 years | Art. 6(1)(c) HMRC legal obligation | Deleted after 7 years per HMRC requirement |
| Breach incident log | 3 years minimum | Art. 6(1)(c) ICO requirement | Reviewed by DPO; deleted after 3 years unless ongoing proceedings |
| Email send logs | 12 months | Art. 6(1)(b) contract performance | Automated deletion after 12 months |
Document Control
Version
1.0
Prepared
May 2026
Next Review
May 2027
Prepared by
CourtCraft Advocate Ltd
DPO Sign-off
Pending — required before full commercial launch
ICO Available
Yes — available on request to ICO
⚠️ Outstanding Items
- Anthropic IDTA must be executed before PR-002 and PR-005 are fully compliant
- Supabase region must be confirmed as eu-west-2 before PR-004 is fully compliant
- DPO appointment required before this RoPA can be formally signed off
- TNA Computational Analysis Licence required before any RAG corpus construction
© 2024–2026 CourtCraft Advocate™ Ltd. All rights reserved.