Broxtowe+
Privacy Policy
This policy explains how we handle personal data in the Broxtowe+ neighbourhood service directory. Last updated: 16 June 2026.
Who we are
Broxtowe+ is a community service directory created and operated by Nottingham West Primary Care Network(“Nottingham West PCN”, “we”, “us”). For the personal data described in this policy, Nottingham West Primary Care Network is the data controller.
You can contact us about this policy or your personal data by email at pics.nwpcn@nhs.net or via nottinghamwestpcn.co.uk.
Who this policy applies to
You can browse the public directory and search for services without creating an account or giving us personal details. We only collect personal data about you when you register for a portal account (for example as a service owner or booker), submit a service listing, or request ownership of a service.
Information we collect
Depending on how you use Broxtowe+, we may collect:
- Account and registration details — your full name, email address, organisation, job title, the access level you request, and your account status (pending, approved, or rejected).
- Sign-in information — authentication is handled by our identity provider (Auth0 by Okta). They process your email address and password on our behalf; we do not store your password. We store an identifier that links your sign-in to your Broxtowe+ profile.
- Service and space listings — if you are a service owner or administrator, the information you add about services or spaces, which may include names, descriptions, addresses, postcodes, public contact details (phone, email, website), and booking or referral information.
- Ownership requests — when you ask to manage an existing service, we record your name, email, the service requested, and any message you include.
- Activity records — we keep audit logs of key actions (such as approvals, edits, and ownership decisions), including who performed them and when, to keep the directory secure and accountable.
- Technical information— basic information needed to operate the service, such as cookies and server logs (see “Cookies” below).
How we use your information and our legal basis
We use personal data to:
- create and manage portal accounts and review registrations;
- publish and maintain the community service directory;
- process and review ownership requests and send related notifications by email;
- keep the service secure and investigate misuse; and
- communicate with you about your account or listings.
Our lawful bases under the UK GDPR are our legitimate interests in running a useful and secure community directory and, where relevant, the performance of a task carried out in the public interest as part of our work supporting local health and wellbeing. Where we ask for your consent (for example to publish optional details), you may withdraw it at any time.
Who we share it with
We do not sell your personal data. We share it only with service providers who process data on our behalf, under appropriate contracts, including:
- Vercel — hosting the website and privacy-friendly, cookieless web analytics.
- Auth0 by Okta — secure sign-in and authentication.
- Google Firebase — database, hosting, and email-triggering functions.
- Resend — sending transactional emails (for example approval notices).
- ImgBB — hosting images uploaded for service listings.
- postcodes.io and OpenStreetMap — converting postcodes to map locations and displaying maps. Approximate location data is sent to these services to show services on a map.
We may also disclose information where we are required to do so by law, or to protect the rights, safety, and security of our users and the service.
Where your data is stored
Your data is stored using the providers above. Some of these providers may process data outside the UK. Where that happens, we rely on appropriate safeguards (such as UK adequacy regulations or standard contractual clauses) to protect your information.
How long we keep it
Broxtowe+ stores data in Google Firebase (Firestore). Firebase does not automatically delete data, so we keep your information only for as long as it is needed and then remove it manually:
- Account details — kept for as long as your account exists. If an administrator deletes your account, or you ask us to delete your data, your profile is permanently removed from our database.
- Service and space listings — kept while they are part of the directory. Listings can be archived (hidden from the public) and are permanently deleted when an administrator removes them.
- Ownership requests — kept as a record of the request and its outcome, and removed if the related account is deleted or on request.
- Audit logs — kept to maintain security and accountability for as long as we consider necessary for those purposes.
- Search logs — anonymous records of search terms (not linked to any person) kept to help us improve the directory, and removed once they are no longer useful for that purpose.
Because deletion is manual rather than automatic, you can ask us at any time to delete personal data we no longer need (see “Your rights”). When we delete data from Firebase, residual copies may remain in routine backups for a short period before they are overwritten.
Analytics
We use Vercel Web Analytics to understand how the directory is used — for example how many people visit, which pages and services are popular, and how visitors arrive. This helps us improve the service and report on its use.
This analytics is privacy-friendly and does not use cookies or track you across other websites. It collects aggregate, anonymised information only — we cannot use it to identify you, and we never send the words you type into the search box to Vercel or any other third party.
To understand what local people are looking for — and to spot services that may be missing — we keep an anonymous log of search terms entered into Broxtowe+ in our own database. These records contain only the words searched and whether any results were found. They are not linked to your identity, account, or device, and are never shared outside our team. Because these records are anonymous, no consent banner is required.
Cookies
We use a small number of cookies, only where needed to run the service:
- Sign-in cookies set by our authentication provider to keep you logged in securely.
- Registration cookies — short-lived cookies that temporarily remember the details you enter on the registration page (such as your name, organisation, job title, and requested access level) so your account can be set up correctly after sign-up. These expire within an hour.
We do not use advertising or third-party tracking cookies. Browsing the public directory does not require you to accept any non-essential cookies.
Your rights
Under UK data protection law you have the right to:
- ask for a copy of the personal data we hold about you;
- ask us to correct inaccurate or incomplete data;
- ask us to delete your data (the “right to erasure”);
- ask us to restrict or object to how we use your data;
- ask for your data in a portable format; and
- withdraw consent where we rely on it.
To exercise any of these rights, contact us at pics.nwpcn@nhs.net.
Keeping your data secure
We take appropriate technical and organisational measures to protect personal data, including secure authentication, role-based access controls so people only see what they need to, and restricting sensitive listing details to approved staff.
Children
Broxtowe+ is intended for use by adults working with or running community services. It is not directed at children, and we do not knowingly collect personal data from children.
Complaints
If you have a concern about how we handle your personal data, please contact us first so we can try to help. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority, at ico.org.uk.
Changes to this policy
We may update this policy from time to time. When we make significant changes, we will update the “last updated” date at the top of this page.