Privacy Notice

Introduction 

Citizens Advice Edinburgh is a registered Data Controller with the Information Commissioner’s Office (ICO). Our registration number is ZA304430. 

This Privacy Notice describes how we collect and process the personal data of people who engage with our services. It also explains people’s rights and how to contact us.  

If you have any questions about how we use personal information, please ask your adviser, or ask to speak to the Duty Manager.  If you still have questions, you can email dataprotection@cabedinburgh.org.uk  

About Us 

Citizens Advice Bureaux (CAB) are the largest independent advice network in Scotland. We are independent, registered and regulated charities, operating throughout Scotland. Our advice is available to everyone and is free, independent, confidential and impartial. We also advocate for changes to legislation and social policy that will improve people’s circumstances locally and across Scotland.

Citizens Advice Edinburgh is a member of the Scottish Association of Citizens Advice Bureaux (operating as Citizens Advice Scotland or CAS), a network of 59 individual Citizens Advice Organisations. We use a case management system called CASTLE and are Joint Controllers for the personal data held on systems managed by CAS. You can find more information in the CAS Privacy Notice.

Information we collect about you 

Personal data is any information that identifies or relates to a specific person. This may include: 

 

  • Personal details such as name, contact information, and date of birth 

  • Details about your enquiry 

  • Information about your circumstances such as financial circumstances, benefits you receive, employment and housing status 

  • Demographics data that you provide us with 

  • If you have agreed to be contacted for feedback or communications 

  • Personal data of people in your household, for example, if you have children or are a carer 

  • If someone is seeking advice on your behalf, we may collect their details too 

  • Details of your donation, if you donate to us 

 

We may also collect special category data or other sensitive information when necessary: 

 

  • information that may inform the advice we provide, such as health conditions  

  • Demographics data that you provide us with 

  • criminal activity data that may inform the advice and support we provide 

 If you do not want us to keep a record of the advice we provide, we can help you as best we can, but advice will be limited and general rather than specific to your circumstances. 

How we collect your information 

 We may collect your information: 

 

  • When you contact us including in person, by phone, videocall, webchat, email, letter or through our website 

  • From systems we use to support our work, such as appointment booking systems 

  • When you, or a third party, provide us with documentation

  • From an organisation that referred you 

  • From someone acting on your behalf 

  • When you complete a survey or provide us feedback 

  • On CCTV when you attend our premises 

  • Via cookies on our website 

  • When you make a donation to us, including through fundraising sites. We collect donations through the Charities Aid Foundation

 

We have a ChatBot available on our website to support with initial signposting and to contact an adviser. There is a supplementary Privacy Notice for this. 

 

We use social media to raise awareness of our services and promote our impact, and we are occasionally contacted this way with queries. To protect your personal information, we encourage you to contact us via other methods and we will seek agreement from you to transfer your personal information from social media to our systems. 

 How we use your information 

 We may use your information to: 

 

  • Contact you to support with your enquiry and explain how we can help 

  • Keep a record of our conversations and actions to inform your advice and support needs 

  • Support you in accessing our services, such as through British Sign Language or interpretation services 

  • Keep records for audit, standards, and insurance purposes 

  • Share information with other organisations, such as for referrals 

  • Report statistics or anonymised case studies to funders 

  • Develop and improve our services 

  • Manage donations 

  • Send communications  

  • Ask for your feedback on our services 

 

We may also use your data to monitor the issues that are impacting the people we help. This informs our work advocating for changes to legislation and social policy. We do this through data analysis; however, we may use your experiences to inform our case studies. These will be anonymised. Occasionally we may ask to share your story to bring awareness to an issue. We will only do this when you have given consent.

 Our lawful basis for using your information 

 We only process your personal data when there is a lawful basis for us doing so. We may rely upon: 

 

  • legitimate interests, such as for maintaining records of advice and support, to defend legal claims, and to maintain a high-quality service 

  • public task, when we are delivering a statutory service 

  • legal obligation, when we need to process your data to meet a legal obligation 

  • your consent, such as when we contact you for feedback or refer you to another support organisation 

 

Where we process special category data (such as health information), we may rely upon: 

 

  • substantial public interest conditions 

  • defence of legal claims  

  • archiving, research and statistics 

  • your explicit consent 

 

When relying on substantial public interest conditions in Schedule 1 Part 2 of the DPA 2018 we are required to have an Appropriate Policy Document in place. 

 Who we share your information with 

 We only share your personal data when necessary and in line with data protection laws. 

 

  • if we need to share your information with CAS or other Bureaux 

  • with professional advisors such as insurers and legal professionals 

  • with auditors to maintain standards, such as for CAS Membership Standards audits, or with the Scottish Legal Aid Board (SLAB) for Scottish National Standards accreditation  

  • with funders as part of audit and compliance, or for research and reporting purposes. We anonymise this where possible 

  • to meet any legal and regulatory obligations 

  • If we use external service providers, we put in place contracts to ensure they follow data protection rules 

 

We may share information with the following, only when you have consented: 

 

  • If we refer you to another organisation for support 

  • If someone is acting on your behalf, we may share your information with them when necessary 

  • If we engage with an organisation on your behalf, we may have to share information with them 

  • with funding partners to obtain feedback on our service provision 

  • with HMRC if you make a Gift Aid declaration as part of your donation 

 

In exceptional circumstances, where there is a high risk of harm to an individual, information may be shared with third parties. We have strict Safeguarding procedures in place for when this may occur. 

 Will we share your information outside of the UK? 

 We only store personal data in the UK or the EU.  

 However, some of our suppliers may be based in other countries. If we need to share your data with these companies, we take steps to make sure your data is protected. 

How long we keep your information 

We will only keep your data for as long as is necessary. For most people we keep your data for a maximum of seven years. This is from the point of last contact. We keep recordings of phone calls for two years. 

In certain circumstances we are required to keep records for longer, for example, if you have arranged a debt remedy solution, your records are kept for the duration this is active. 

In rare cases, we might keep your data for longer if there is a legal reason, such as an on-going complaint or legal case.  

National Projects 

National Projects are projects delivered by Bureaux across the Citizens Advice Network and managed by CAS. Where you seek support from one of these projects, you may receive advice from an adviser based in a Bureau somewhere else in Scotland. Some projects have a Privacy Notice which supplements this one; these are linked below:

Your rights 

You have rights over your personal data. Your query may be passed to the CAS Data Protection Team to resolve. 

You can: 

  • Request a copy of your personal information 

  • Ask us to update anything that’s no longer accurate 

  • Request that we delete your personal data. There are some exceptions, and we may need to keep some of your data, for example to defend legal claims 

  • Object to how we use data in some situations 

  • Withdraw your consent 

We do not use any automation or profiling to make decisions. 

If you’re unhappy with how we have handled your data, you can complain to the Information Commissioner’s Office at ico.org.uk

Last updated: June 2025 

Chatbot Privacy Notice

Who We Are and Important Information

Citizens Advice Edinburgh is the controller and is responsible for your personal data. It is a member of the Scottish Association of Citizens Advice Bureaux (“CAS”), details of which can be found on its website privacy policy (collectively referred to as "we", "our", "us" or "Cab"). This Privacy Notice sets out the type of personal information we collect about you, why we collect it, and how we use it when you use our chatbot service.

It is important that you read this Privacy Notice together with our website privacy policy which contains more detailed information about our data processing and can be accessed here or you can request a copy from us. 

If you have any queries about our privacy practices or about this Privacy Notice contact us:

Address: 23 Dalment Street, Edinburgh EH6 8PG 

Email: websitecontact@cabedinburgh.org.uk


What Personal Data we collect and how this is collected

We collect personal data such as:

  • your phone number 

  • information you provide to us in the free text facility within the chat

  • the transcript of the chat

Purposes of using your Personal Data and lawful basis we rely on

We use your personal data to: 

  • provide you with the chatbot service  

  • learn from and improve the service

  • share the data with CAS and our third party chatbot supplier to facilitate improvement of services and wider development of services for fellow members of shared services

  • manage our relationship with you e.g. to contact you where you request this 

  • meet our regulatory requirements or legal responsibilities, as required.

We will only use your personal data when the law allows us to. Our lawful basis to process your personal data is in our legitimate interests. It is in our legitimate interest to respond to enquiries, requests, and information received to ensure we provide you with the relevant support, improve the service and share personal data with our third party chatbot supplier which helps us to provide and improve the service.   

Who do you share my information with?

We may share your personal data with CAS, our third-party supplier who helps us develop, improve and supply the chatbot service, and other local Citizens Advice Bureaux to provide you with the correct advice and/or support. We also share this data with Google Cloud, insurers, and regulators.

Personal Data Transfers

We transfer personal data to and from the EEA and UK based on the adequacy decisions for the UK and EU. Please see our website privacy policy.

How long do we keep records for?

We will only keep your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including to satisfy any legal, insurance, regulatory, tax, accounting, or reporting requirements or if there’s a complaint or if we reasonably believe there is a prospect of litigation. 

If you choose not to get in touch with us after the chat has ended, we’ll keep the data from the chat for 3 months. Where you get in touch with us we keep this for 7 years and for certain complex cases we keep this data for 16 years.

We may keep data longer than these periods if necessary. Examples of where records need to be kept beyond the retention periods include records of advice and support around statutory debt options and building works over a certain value.

Your Legal Rights

Under certain circumstances, you have rights under data protection laws concerning your personal data including the right to receive a copy of the personal data we hold about you, the right to rectification, restriction, erasure, objection, as well as the right to portability. You also have the right to make a complaint at any time to a supervisory authority which is the Information Commissioner's Office in the UK and is the regulator for data protection issues (www.ico.org.uk). 

Our full Data Protection Policy and Procedure can be found here:

Citizens Advice Edinburgh Data Protection Policy and Procedures