Privacy Policy for Advisers

This privacy policy applies to advisers and staff who use the PalmFlow dashboard. If you are a client completing a PIP form through PalmFlow, a separate privacy notice will be shown to you before you begin.

PalmFlow provides a secure platform for advisory organisations to assist clients with Personal Independence Payment (PIP) applications. This policy explains how we handle information about advisers who use our service.

1. Who We Are

PalmFlow is operated by Digital Palm Ltd.

For adviser accounts: PalmFlow acts as Data Controller for information about advisers (your account, login details, usage).

For client data: Your organisation (Citizens Advice bureau, local council, NHS body, or other advisory service) is the Data Controller. PalmFlow acts only as Data Processor, providing the technical platform on your organisation's behalf.

2. Information We Collect About Advisers

Account Information

• Full name
• Work email address
• Organisation name and identifier
• Role/job title (if provided by your organisation)
• Account creation date

Authentication Data

• Password (encrypted - we never see your actual password)
• Multi-factor authentication settings (if enabled)
• Session tokens and login status
• Failed login attempts

Usage Data

• Login times and session duration
• Number of client sessions you've created
• Which features you use (dashboard views, summaries generated)
• Actions taken (creating sessions, reviewing summaries, transferring cases)

Technical Data

• IP address (for security monitoring)
• Browser type and version
• Device type (desktop/mobile/tablet)
• Operating system
• Error logs and performance data

What We Do NOT Collect

We do not collect or store the actual health information that clients provide in their PIP forms when viewing it through the dashboard. Client health data is stored separately and controlled by your organisation.

3. How We Use Adviser Information

Legal Basis

We process adviser information under GDPR Article 6(1)(b) - Contract (necessary to provide the service to your organisation) and Article 6(1)(f) - Legitimate Interests (maintaining system security and improving our service).

Purposes

• Account Management: Creating and maintaining your adviser account
• Authentication: Verifying your identity when you log in
• Access Control: Ensuring you only see your organisation's data
• Service Delivery: Enabling you to create client sessions and review AI summaries
• Security: Detecting unauthorised access attempts and preventing fraud
• Support: Responding to your queries and technical issues
• Improvement: Understanding how advisers use the platform to improve features
• Compliance: Meeting legal and regulatory obligations
• Communication: Sending service updates, security alerts, and policy changes

4. Information Sharing

Within Your Organisation

Your organisation's administrators can view:

• Your account details (name, email, role)
• Your usage statistics (sessions created, login frequency)
• Client sessions assigned to you

Sub-Processors (Third Parties)

We use the following sub-processors to deliver our service:

Supabase (Database & Authentication)

• Service: PostgreSQL database, user authentication
• Data location: AWS London region (United Kingdom)
• What they process: All adviser account data and client health data
• Security: AES-256 encryption at rest, TLS 1.3 in transit
• DPA: Data Processing Agreement in place

Vercel (Application Hosting)

• Service: Web application hosting and content delivery
• Data location: London, United Kingdom
• What they process: Frontend application only (no data storage)
• Security: WAF protection, DDoS mitigation, TLS 1.3
• DPA: Data Processing Agreement in place

Azure OpenAI (Primary AI Processor)

• Service: AI chat guidance and summary generation for client PIP forms
• Data location: UK region (Microsoft Azure)
• What they process: Client health information only (transient processing)
• Retention: Zero - no persistent storage
• DPA: Microsoft Data Processing Agreement in place
• Note: Does NOT process adviser account information

OpenAI (Fallback AI Processor)

• Service: AI processing when Azure OpenAI UK is unavailable
• Data location: United States
• What they process: Client health information only (transient processing)
• Retention: 30 days maximum (per OpenAI API terms)
• DPA: Data Processing Agreement with Standard Contractual Clauses
• Note: Does NOT process adviser account information
• Disclosure: Clients are informed of potential US processing before starting their session

Legal Obligations

We may disclose information if required by law, court order, or regulatory authority, including:

• Responding to lawful requests from law enforcement
• Complying with Information Commissioner's Office (ICO) investigations
• Protecting against legal liability or fraud

Business Transfers

If PalmFlow is acquired or merged with another company, adviser information may be transferred to the new entity. We will notify you at least 30 days in advance and provide options to delete your account if you object.

What We Never Do

We do not and will never:

• Sell your information to third parties
• Use your information for marketing purposes
• Share your information with advertisers
• Process your information outside our disclosed sub-processors

5. Data Security

We implement comprehensive security measures to protect adviser accounts and client data:

Technical Controls

• Encryption: AES-256 at rest, TLS 1.3 in transit
• Authentication: Secure password hashing (bcrypt), optional MFA
• Access Control: Role-based permissions, row-level security policies
• Session Management: 8-hour automatic timeout, secure token handling
• Network Security: Web Application Firewall (WAF), DDoS protection
• Monitoring: Automated security alerts, failed login tracking

Organisational Controls

• Background-checked staff with security training
• Principle of least privilege (staff access only what they need)
• Audit logging of all sensitive operations
• Regular security assessments and penetration testing
• Incident response plan with 24-hour breach notification

Data Segregation

• Organisation-level data isolation (you cannot see other organisations' data)
• Database-level row security enforced automatically
• No cross-organisation data sharing

6. Data Retention

Adviser Accounts

Active accounts: Retained while you remain employed at your organisation and use the service.

Deactivated accounts: When you leave your organisation, your account is deactivated. Your historical records (session creation history, audit logs) are retained for 2 years for accountability purposes, then permanently deleted.

Organisation cancellation: If your organisation cancels PalmFlow service, all adviser accounts are deactivated immediately. Data is retained for 30 days to allow data export, then permanently deleted.

Client Health Data

Your organisation controls retention of client PIP form data based on their regulatory requirements and internal policies:

• Default policy: 2 years from last activity
• Configurable range: 1-7 years
• Examples: Citizens Advice may retain 2 years per their service standards; NHS bodies may retain 7 years per NHS records guidance

Deletion is automated and includes:

• Soft delete with 90-day recovery window
• Permanent deletion from all systems including backups
• Audit log maintained (metadata only, not health content)

7. Your Rights as an Adviser

Under UK GDPR, you have the following rights regarding your adviser account information:

Right of Access

Request a copy of all information we hold about you as an adviser (Subject Access Request).

Right to Rectification

Correct inaccurate or incomplete account information (name, email, role).

Right to Erasure

Request deletion of your account when you leave your organisation. Note: Some records may be retained for legal compliance (e.g., audit logs for accountability).

Right to Restrict Processing

Request we limit how we use your information while a dispute is resolved.

Right to Data Portability

Receive your account information in a machine-readable format (JSON export).

Right to Object

Object to processing based on legitimate interests (e.g., analytics). We will stop unless we have compelling legal grounds.

How to Exercise Your Rights

Contact your organisation's PalmFlow administrator, or email us directly at policy@digitalpalm.co.uk. We will respond within 30 days (1 month).

Right to Complain

If you're unhappy with how we handle your information, you can complain to:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

8. Client Data (Brief Summary)

This section is a brief summary only. Clients see a separate, detailed privacy notice before providing health information.

Your organisation is the Data Controller for all client PIP form data. PalmFlow acts only as Data Processor, providing the technical platform.

What clients provide: Health condition information, daily living limitations, mobility restrictions (no names, addresses, or contact details by design).

How it's processed:

• Client completes AI-guided chat (Azure OpenAI UK or OpenAI US)
• AI generates summaries for adviser review
• Adviser edits and uses summaries to complete official DWP form
• Data stored in UK (Supabase, AWS London)

Legal basis: GDPR Article 9(2)(h) - provision of health and social care services (PIP assistance constitutes social care).

Client rights: Clients exercise data subject rights (access, deletion, rectification) through your organisation as Data Controller.

9. International Data Transfers

Default: UK Processing Only

Adviser account information and client health data are processed and stored in the United Kingdom by default:

• Database: Supabase (AWS London region, UK)
• Hosting: Vercel (London, UK)
• AI (primary): Azure OpenAI (UK region)

Exception: OpenAI US (Fallback for Client Data Only)

When Azure OpenAI UK is unavailable, client health information (not adviser accounts) may be processed via OpenAI's US servers. This constitutes an international transfer to a third country.

Safeguards:

• Standard Contractual Clauses (SCCs) in place with OpenAI
• No personal identifiers sent (health information only)
• 30-day maximum retention by OpenAI
• Clients informed before session begins
• Clients can decline if US processing unacceptable

Your adviser account information never leaves the UK.

10. Cookies and Tracking

We use essential cookies only:

Strictly Necessary Cookies

• Session cookie: Maintains your login state (8-hour expiry)
• Authentication token: Verifies your identity on each request
• CSRF token: Prevents cross-site request forgery attacks

We do not use:

• Analytics cookies (Google Analytics, etc.)
• Marketing cookies
• Social media tracking pixels
• Third-party advertising cookies

You can disable cookies in your browser, but this will prevent you from logging in to PalmFlow.

11. Automated Decision-Making

PalmFlow does not make automated decisions about advisers or clients.

AI is used to generate draft summaries of client responses, but:

• Advisers review all AI output before use
• Advisers decide what to include in final PIP submissions
• No automated eligibility assessments
• No automated decisions affecting client benefits

12. Children's Privacy

PalmFlow is not intended for use by children under 16. Adviser accounts should only be created for employed or contracted staff members. If we become aware that an account was created for a child under 16, we will delete it immediately.

Clients completing PIP forms may be under 16 (accompanied by a parent/guardian). The client privacy notice addresses this scenario separately.

13. Changes to This Privacy Policy

We may update this policy to reflect changes in our practices, legal requirements, or service features.

How we notify you:

• Email to all active adviser accounts
• Prominent banner in PalmFlow dashboard
• Updated "Last Updated" date at top of this policy

Material changes (affecting your rights or how we use data) will be notified at least 30 days in advance. Your continued use of PalmFlow after the effective date constitutes acceptance of the updated policy.

If you disagree with changes, you may request account deletion by contacting your organisation administrator or emailing us directly.

14. Data Protection Officer

For organisations processing large volumes of sensitive data, we recommend appointing a Data Protection Officer (DPO). If your organisation has a DPO, please inform us so we can coordinate on data protection matters.

PalmFlow does not currently have a formal DPO as we process data solely on behalf of Controller organisations. However, data protection queries should be directed to the contact details below.