Client Portal Privacy Policy

Last updated: November 2025

Portal-Specific Policy

This privacy policy is specific to this Client Portal application only. For our complete privacy policy covering all Bywater Kent services, please visit: Main Privacy Policy

1. About This Portal

Bywater Kent Support Services Ltd ("we", "our", or "us") operates this Client Portal to provide secure access to HR and GDPR documents for our clients in the educational sector.

This privacy policy is specific to the Client Portal application and explains how we handle your data when you use this portal to access documents.

📱 Alternative Portal Access

This portal is an alternative access method for clients experiencing login issues with the portal on our main website. Both portals access the same service but are separate applications, and this privacy notice applies to this portal only.

2. Information We Collect

2.1 Account Information

When you create or are assigned an account, we collect:

  • Email address - Used for login and account identification
  • Full name - To identify you within the portal
  • School name (optional) - To associate you with your institution
  • Password - Stored as a securely hashed value (SHA-256), never in plain text
  • Role and permissions - To control access to HR and GDPR portals

2.2 Usage Information

  • Login timestamps - Last login date for security purposes
  • Session data - Temporary session tokens for maintaining your login state
  • Document access - Records of which documents you've accessed (for security and auditing)

2.3 Cookies

We use one essential cookie:

  • session_token - A secure, HTTP-only session cookie that keeps you logged in
  • Duration: 7 days (or until you log out)
  • Purpose: Authentication only - no tracking or advertising
  • Security: HttpOnly, Secure, SameSite=Strict

We do not use: Analytics cookies, advertising cookies, social media tracking pixels, or any third-party tracking technologies.

3. How We Use Your Information

We use your information solely to:

  • Provide access to the Client Portal and documents
  • Authenticate your identity and maintain secure sessions
  • Manage user accounts and permissions
  • Ensure system security and prevent unauthorized access
  • Comply with legal obligations and service agreements
  • Communicate about service updates (if necessary)

We do not: Sell your data, use it for marketing, share it with third parties for their purposes, or track your behavior across other websites.

4. How We Store and Protect Your Data

4.1 Storage Location

  • User data: Stored in Cloudflare D1 database (distributed globally)
  • Documents: Stored in Cloudflare R2 storage (encrypted at rest)
  • Infrastructure: Hosted on Cloudflare Pages (enterprise-grade security)

4.2 Security Measures

  • Encryption: All data transmitted over HTTPS (TLS/SSL)
  • Password security: SHA-256 hashing - we cannot see your password
  • Secure cookies: HttpOnly, Secure, and SameSite protection
  • Access control: Role-based permissions and authentication
  • Regular updates: Security patches and monitoring

5. Data Retention

  • Active accounts: Data retained while your account is active
  • Deleted accounts: All personal data removed within 30 days of deletion
  • Documents: Retained as per service agreement with your institution
  • Session data: Automatically expires after 7 days or logout

6. Your Rights Under GDPR/UK GDPR

You have the following rights regarding your personal data:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to Restriction: Request limitation of processing your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing of your data in certain circumstances
  • Right to Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise any of these rights, please contact us using the details in Section 10.

7. Data Sharing and Disclosure

We do not sell, trade, or rent your personal data. We may share data only in these limited circumstances:

  • Service providers: Cloudflare (hosting and infrastructure) - subject to strict data processing agreements
  • Legal requirements: If required by law, court order, or government request
  • Your institution: Admin users at your school may view your account details

We do not use third-party analytics, advertising networks, or social media tracking services.

8. Children's Privacy

This service is intended for educational institution staff and administrators. We do not knowingly collect information from children under 13. If you believe we have collected data from a child under 13, please contact us immediately.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. You are advised to review this Privacy Policy periodically for any changes.

10. Contact Us & Data Protection Officer

If you have questions about this Privacy Policy, wish to exercise your rights, or have concerns about how we handle your data, please contact our Data Protection Officer:

Data Protection Officer

Richard Lewis-Ogden

Bywater Kent Support Services Ltd

7 Crompton Drive, Morley, Leeds, LS27 9TJ

Email: dpo@bywaterkent.co.uk

Website: www.bywaterkent.co.uk

We will respond to your request within 30 days as required by UK GDPR. For general enquiries about our services, please visit our main website.

11. Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contract: Processing necessary to perform our service agreement with your institution
  • Legitimate interests: Maintaining system security and preventing fraud
  • Legal obligation: Compliance with applicable laws and regulations