Privacy policy
Who we are
Bristol City Council is the data controller for all personal information collected through the Can Do Bristol platform. This means the Council determines how and why your data is used, in line with its statutory duties and data protection obligations.
Can Do Bristol is powered by Made Open Communications Ltd, who act as a data processor on behalf of the Council. Made Open provides the platform software, hosting, and technical support. Bristol City Council is responsible for administration, moderation, and overall data governance.
Our commitments to you:
- We collect personal information only to support civic participation, volunteering, and community action.
- We request and record your consent before sending optional communications, such as newsletters.
- We never sell your personal data to third parties.
- We clearly explain the purpose of collecting personal information, unless it is self-evident.
- We safeguard and securely store your data using UK-based, accredited hosting providers.
- We respect your preferences and rights regarding data use and storage.
- We send only relevant emails related to your platform usage.
- We obtain your consent before sending any marketing-related emails.
Contact details:
- Bristol City Council (Data Controller)
Email: communities@bristol.gov.uk
Address: City Hall, College Green, Bristol, BS1 5TR - Made Open Communications Ltd (Data Processor)
Registered in England and Wales (Company No. 4309700)
ICO Registration No: Z2818556
Address: Unit FF26, Health and Wellbeing Innovation Centre, Truro, Cornwall, TR1 3FF
All data is securely stored by Cloud Above Ltd, a UK-based ISO 27001 and ISO 9001 accredited hosting provider: Unit 1, 1 King Mark House, Tregunnel Hill, Newquay, Cornwall, TR7 1GF
What personal data we collect
All the personal data we collect is outlined in the table below:
| Data type | What this means |
| Identity data |
|
| Contact data |
|
| Location data | Your region and the organisation you work for (optional) |
| Financial data | None |
| Marketing data | None |
| Activity data |
Date:
General interactions:
|
| Technical data |
|
Aggregated data
We gather, use and share "aggregated data" like statistics or demographics. This type of data, while derived from personal data, doesn't reveal your identity and doesn't fall under GDPR's definition of personal data. Any information that can identify you directly or indirectly will be treated as personal data and handled according to our Privacy Policy.
No special categories of personal data
We don't gather any sensitive personal information about you such as race, religion, health details or criminal history. However, if you choose to include such information in your biography, you are providing it voluntarily and it will be visible on your profile.
How we use your personal data
The platform exists to support the Council’s public function of enabling civic participation, supporting community action, and promoting volunteering. We follow the UK General Data Protection Regulation (UK GDPR), which requires a legal basis for using your data.
Our legal basis for processing Can Do Bristol data is:
- Public task (UK GDPR Article 6(1)(e)) – Most data is processed to help deliver the Council’s public functions. This is supported by the following legal gateways:
- Local Government Act 1972 – General powers to promote the interests and wellbeing of communities.
- Localism Act 2011 – Powers to support community-led initiatives and civic participation.
- Care Act 2014 – Duties to promote wellbeing, prevent needs for care and support, and encourage community-based approaches.
- Consent (UK GDPR Article 6(1)(a)) – We rely on your consent for optional communications, such as newsletters. You can withdraw your consent at any time by unsubscribing.
Who we share your personal data with
We only share your personal data where necessary, and always in line with UK GDPR and Bristol City Council’s data protection standards. We do not sell your data to third parties.
Your data may be shared with the following organisations to support the operation of the Can Do Bristol platform:
| Who we share data with | What we share | Why we access it |
| Made Open Communications Ltd | All data | Made Open is the software provider and data processor acting on behalf of Bristol City Council. |
| Bristol City Council | All data | As the data controller, the Council manages platform administration, moderation, and communications. |
| Cloud Above Ltd | Technical data | UK-based hosting provider used by Made Open to securely store platform data. |
| Mailgun | Email metadata | Sends system notifications (e.g. registration confirmations, connection alerts). Mailgun temporarily stores delivery logs for up to 15 days to monitor delivery performance and troubleshoot issues. |
| Emailblaster | Name and email address | Sends newsletters and updates to subscribed users. You can unsubscribe at any time. |
| Google Analytics | Technical data | Helps us understand platform usage and improve user experience. No personal identifiers are stored. |
How we secure your personal data
We take the security of your personal information extremely seriously and apply multiple layers of protection to keep it safe.
The Can Do Bristol platform and its core databases are securely hosted on UK-based servers managed by our accredited hosting partner, within ISO 27001 certified data centres. These facilities are protected by 24/7 on-site security, access controls and continuous environmental monitoring.
The platform and supporting infrastructure use industry-standard technical and organisational measures to maintain the confidentiality, integrity and availability of your information. These include:
- Secure network architecture with firewalls and intrusion prevention controls.
- Encryption of all data in transit using current security protocols (e.g. TLS 1.2 or higher).
- Secure password management and authentication mechanisms, with optional multi-factor authentication (MFA) for user accounts.
- Regular system updates and vulnerability management to address emerging threats.
- Independent penetration testing is conducted annually to identify and remediate potential weaknesses.
- All staff receive regular information-security and data-protection training and access to systems is controlled through individual accounts, least-privilege permissions and MFA enabled on all admin accounts.
While we apply robust safeguards, no method of online transmission or electronic storage is entirely risk-free. We therefore encourage you to use a strong, unique password and to keep your login details confidential. We recommend that all accounts enable Multifactor authentication to protect their accounts.
How long we store your personal data for
We'll keep your personal data only until:
- You delete your account.
- You exercise your right to be forgotten.
- You haven't logged into your account for 3 years.
- The website is shut down.
Unless the law requires a longer retention period.
Your personal data rights
You have the right to:
- Access your personal data, getting a copy and ensuring lawful processing.
- Correct any incomplete or inaccurate personal data we hold about you.
- Request the erasure of your data if there's no good reason for us to process it.
- Object to the processing carried out as part of the Council's public tasks.
- Ask for the suspension of processing if you question accuracy or purpose.
- Receive your personal data in a machine-readable format or transfer it to a third party.
- Withdraw consent, impacting certain platform functionalities, if we rely on your consent for processing. We'll inform you if this affects your access when you withdraw consent.
Things to be mindful of
Our children policy:
This platform is meant for users aged 16 and above; we don't knowingly collect data from those under 16.
Third-party personal data:
We don't currently collect personal data from third-parties.
Third-party links:
Our platform may have links to third-party sites. Clicking on them may allow third parties to collect or share your data. We're not responsible for their privacy policies, so check them when you leave our platform.
Data requirements:
If we need more personal data to comply with the law or our terms, and you don't provide it when requested, we may have to limit your platform use. We'll inform you if this happens.
Marketing preferences:
We don't send marketing messages from third parties. You can adjust your marketing preferences anytime on the platform or through opt-out links in marketing messages. Opting out won't affect personal data provided through platform use.
How to exercise your rights
To use any of the rights mentioned earlier, please email: communities@bristol.gov.uk.
Accessing your personal data or exercising other rights usually doesn't require a fee. However, if your request is unfounded, repetitive or excessive, we might charge a reasonable fee or refuse to comply. To confirm your identity, we may ask for specific information, ensuring your data is protected. We aim to respond within a month, but if it's complex or we receive multiple requests, it may take longer. We'll keep you informed in such cases.
Making a complaint
If you want to complain about this Privacy Policy or how we handle your personal data, please email: communities@bristol.gov.uk
You can exercise any of these rights, ask questions about how we use your personal data or complain by contacting Bristol City Council at data.protection@bristol.gov.uk or by writing to our data protection officer at:
Data Protection Officer Information Governance Bristol City Council City Hall College Green Bristol BS1 5TR
If you think we have dealt with your information inappropriately or unlawfully, you have the right to complain to the ICO at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Website: https://ico.org.uk/
You can access BCC Can Do Bristol privacy notice in a downloadable format here: Can Do Bristol Privacy Notice