
Legal

Privacy Notice

Hysbysiad Preifatrwydd

This notice explains what personal data CardiffPal collects, why we collect it, how long we keep it, and the rights you have over it. It is provided under Articles 13 and 14 of the UK GDPR and the Data Protection Act 2018.

Last reviewed: June 2026

Who we are

CardiffPal is a free, independent civic information platform for Cardiff. It is not affiliated with, endorsed by, or operated by Cardiff Council or any other public authority.

CardiffPal is built and operated by Code2Box, an AI solutions agency based in Cardiff. For the purposes of UK data protection law, Code2Box is the data controller responsible for the personal data described in this notice.

Data controller

Code2Box (Cardiff, United Kingdom)

  • [registered company details: to be confirmed]
  • [ICO registration number: to be confirmed]

Contact for data protection enquiries: hello@code2box.com

What data we collect and why

We only collect the data you choose to give us through our forms, plus the minimum needed to keep the service secure and remember your language. We do not require you to create an account.

Report a problem form

When you submit a report, we store:

  • the category of the issue (for example pothole, fly-tipping, street light)
  • the location you provide
  • your description of the problem
  • the urgency you select
  • an optional email address, only if you choose to provide one
  • a one-way hashed and truncated version of your IP address; this cannot be reversed to identify you and is used solely to prevent abuse and spam

Purpose: to record and triage the civic issue you are reporting, and to keep the form free from abuse.

Government / organisation enquiry form

When you contact us through the enquiry form, we store:

  • your name
  • your organisation
  • your email address
  • your message

Purpose: to read and respond to your enquiry.

Language preference cookie

We store your language choice (English or Welsh) in a single functional cookie named cardiffpal_lang, which lasts about one year. This cookie does not track you and is not used for advertising or analytics. It simply remembers whether you want the site in Welsh or English.

We do not currently run any third-party advertising or analytics tracking on CardiffPal.

Our lawful bases

Under the UK GDPR we must have a lawful basis for using your personal data. We rely on the following:

  • Legitimate interests: for handling and triaging reports and enquiries, and for preventing abuse, spam and misuse of our forms (this is the basis for the hashed, truncated IP address).
  • Consent: for the optional contact email address on the report form. You only provide it if you want us to be able to reach you, and you can ask us to remove it at any time.
  • Legitimate interests: for storing your language preference cookie, so the site works the way you expect on your next visit.

How long we keep your data

We keep personal data only for as long as it is needed for the purpose it was collected for, and then delete or anonymise it.

  • Reports and enquiries are kept for as long as needed to handle the issue and for a reasonable period afterwards for record-keeping, then removed.
  • The hashed, truncated IP value is short-lived and used only for abuse prevention.
  • The cardiffpal_lang cookie expires after about one year, or sooner if you clear your browser cookies.

Who we share your data with

We do not sell your personal data. We do not share it with advertisers, and we do not use it for advertising.

We may use trusted service providers (for example secure hosting) to run the platform on our behalf. Any such providers act only on our instructions and under appropriate agreements. We may also disclose data if we are legally required to do so.

Your data is held in the United Kingdom.

Your rights

Under the UK GDPR you have the following rights over your personal data:

  • Access: ask for a copy of the personal data we hold about you.
  • Rectification: ask us to correct data that is wrong or incomplete.
  • Erasure: ask us to delete your personal data.
  • Restriction: ask us to limit how we use your data.
  • Objection: object to us using your data on the basis of legitimate interests.
  • Portability: ask to receive certain data in a portable, machine-readable format.

To exercise any of these rights, email us at hello@code2box.com. We will respond within the time limits set by law. Where we rely on consent (the optional report email), you can withdraw that consent at any time.

Complaints

If you have a concern about how we handle your personal data, please contact us first at hello@code2box.com so we can try to put it right.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator. ico.org.uk

Changes to this notice

We may update this notice from time to time. The date at the top shows when it was last reviewed. Please check back occasionally to stay informed.
