When you use PVG Pal to manage your volunteers' PVG compliance, your organisation and PVG Pal both handle personal data about those volunteers. UK data protection law requires us to have a written agreement setting out who is responsible for what.
In short: your organisation decides why volunteer data is processed (to fulfil your safeguarding obligations). PVG Pal provides the platform that stores and processes the data on your behalf, following your instructions and the rules in this agreement.
This agreement is required by GDPR Article 28. You accept it during onboarding, before you invite your first volunteer.
1.1 "The Organisation" means the entity you represent — your church, sports club, charity, or other voluntary organisation — identified by the name and type you entered during PVG Pal onboarding. The Organisation acts as a controller of volunteer personal data.
1.2 "PVG Pal" means Hugh Mackenzie, trading as PVG Pal, based in Aberdeenshire, Scotland. PVG Pal acts as a processor of volunteer personal data on behalf of the Organisation, and as a joint controller for data necessary to operate the platform (account management, billing, service communications).
1.3 This Agreement is governed by UK GDPR Article 28 and the Data Protection Act 2018.
2.1 PVG Pal processes personal data solely for the purpose of providing PVG compliance tracking and safeguarding administration services to the Organisation, as described in the PVG Pal Terms of Service.
2.2 The categories of personal data processed, the data subjects concerned, and the retention periods are set out in the Schedule below.
2.3 PVG Pal will not process personal data for any purpose other than delivering the service, unless required by law. If a law enforcement request is received, PVG Pal will notify the Organisation before complying, unless legally prohibited from doing so.
3.1 PVG Pal will process personal data only on the documented instructions of the Organisation, which are defined by the Organisation's use of the platform features (adding volunteers, sending nudges, generating reports, etc.).
3.2 PVG Pal will ensure that all persons authorised to process personal data are bound by obligations of confidentiality. At launch, the sole person with admin access is Hugh Mackenzie. Any future team members will be required to sign confidentiality agreements before being granted access.
3.3 PVG Pal will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
| Measure | Implementation |
|---|---|
| Encryption at rest | Cloudflare D1 — AES-256 encryption |
| Encryption in transit | HTTPS / TLS 1.3 for all communications |
| EU data residency | Cloudflare D1 with `--jurisdiction eu` — data guaranteed to remain within the EU |
| Organisation-scoped access | Every database query is scoped to the Organisation's own data. Coordinators cannot access data from other organisations. |
| Authentication | Email+password or magic link, with biometric/passkey after first login |
| Audit logging | Append-only log of all data access and modifications. Cannot be edited or deleted. |
| Passthrough email — metadata only | Only sender, timestamp, and subject line logged. Email body never stored. |
| Automated deletion | 12-month retention purge after last active role. Cascading deletion on account deletion. |
3.4 PVG Pal will assist the Organisation, insofar as is possible, in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection) under UK GDPR Articles 15–22.
3.5 PVG Pal will assist the Organisation in ensuring compliance with its obligations under UK GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to PVG Pal.
3.6 On termination of the service agreement (subscription cancellation or account closure), PVG Pal will, at the Organisation's choice, return all personal data to the Organisation (via SG07 export or SAR export) and/or delete all personal data, unless EU or UK law requires continued storage. Deletion will be completed within 30 days of the request, with confirmation provided by email.
3.7 PVG Pal will make available to the Organisation all information necessary to demonstrate compliance with this Agreement. The Organisation may request a written summary of PVG Pal's security measures at any time by emailing privacy@pvgpal.app.
4.1 The Organisation warrants that it has a lawful basis for processing volunteer personal data through PVG Pal — specifically, legitimate interest under UK GDPR Article 6(1)(f), arising from its legal obligation to ensure PVG compliance for individuals in regulated roles under the PVG (Scotland) Act 2007.
4.2 The Organisation will inform volunteers that their data is managed through PVG Pal. PVG Pal's volunteer privacy policy is presented to every volunteer at registration; however, the Organisation remains responsible for its own transparency obligations.
4.3 The Organisation will use volunteer data accessed through PVG Pal solely for safeguarding and PVG compliance purposes. The Organisation will not use volunteer data for marketing, fundraising, or any purpose unrelated to safeguarding.
4.4 The Organisation will keep coordinator account credentials secure and will promptly transfer the coordinator role to a successor if the current coordinator leaves the role.
4.5 The Organisation will handle any exported data (SG07 register, audit reports, CSV exports) in accordance with its own data protection policies and will not transmit such data insecurely (e.g. unencrypted email).
5.1 The Organisation provides general written authorisation for PVG Pal to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Database hosting (D1), serverless compute (Workers), web hosting (Pages), email routing | EU (D1 jurisdiction: EU) |
| Stripe, Inc. | Subscription payment processing | EU processing available. PCI DSS Level 1. |
| Anthropic | AI assistant for generic PVG process questions. No personal data transmitted. | US — no personal data transferred |
| Apple / Google | App distribution and push notifications. No personal data in notification content. | Global |
5.2 PVG Pal will inform the Organisation of any intended changes to sub-processors by email at least 30 days before the change takes effect. The Organisation may object to a new sub-processor by contacting privacy@pvgpal.app within 14 days of notification. If the objection cannot be resolved, the Organisation may terminate the service without penalty.
5.3 PVG Pal will ensure that each sub-processor is bound by data protection obligations no less protective than those in this Agreement.
6.1 PVG Pal will notify the Organisation without undue delay — and in any event within 24 hours — after becoming aware of a personal data breach affecting the Organisation's volunteer data.
6.2 The notification will include, to the extent known at the time:
(a) a description of the nature of the breach, including the categories and approximate number of data subjects affected;
(b) the name and contact details of the point of contact at PVG Pal;
(c) a description of the likely consequences of the breach;
(d) a description of the measures taken or proposed to address the breach.
6.3 The Organisation remains responsible for determining whether the breach meets the threshold for notification to the ICO (within 72 hours under UK GDPR Article 33) and/or to affected data subjects (under Article 34). PVG Pal will assist the Organisation in fulfilling these obligations.
7.1 All volunteer personal data is stored within the European Union (Cloudflare D1 with EU jurisdiction constraint). No volunteer personal data is transferred to countries outside the EU/UK.
7.2 The AI assistant (Anthropic, US-based) receives no personal data — only generic PVG process questions. This does not constitute an international transfer of personal data.
7.3 Push notification tokens are processed by Apple and Google globally. These are device identifiers only, and notification content contains no personal data.
7.4 If any future change to the service would require transferring personal data outside the EU/UK, PVG Pal will notify the Organisation in advance and implement appropriate safeguards (such as UK International Data Transfer Agreements) before any transfer occurs.
8.1 PVG Pal will make available to the Organisation, on request, a written summary of its security measures and compliance practices. Requests should be made to privacy@pvgpal.app.
8.2 The Organisation (or a third-party auditor appointed by the Organisation) may, with reasonable notice (at least 30 days), request an audit of PVG Pal's data processing practices as they relate to the Organisation's data. PVG Pal will cooperate with such audits, provided they do not compromise the security of other customers' data or PVG Pal's proprietary systems.
8.3 Audits will be conducted at the Organisation's expense, unless the audit reveals a material breach of this Agreement by PVG Pal.
9.1 This Agreement comes into effect when the Organisation accepts it during PVG Pal onboarding and remains in effect for the duration of the Organisation's PVG Pal subscription.
9.2 On termination of the subscription (whether by cancellation, non-payment, or mutual agreement):
(a) The Organisation may export all volunteer data via the SG07 register export or request a full data export by emailing privacy@pvgpal.app.
(b) PVG Pal will retain data for the period specified in the retention schedule (12 months after last active role for volunteer data; subscription duration plus 12 months for organisation data).
(c) After the retention period, all personal data will be automatically and permanently deleted.
(d) The Organisation may request immediate deletion of all data at any time by contacting privacy@pvgpal.app. PVG Pal will confirm deletion within 30 days.
9.3 Clauses 6 (data breach), 7 (international transfers), and 8 (audit rights) survive termination of this Agreement.
10.1 Each party is liable for damage caused by processing that infringes the UK GDPR, in accordance with UK GDPR Article 82.
10.2 PVG Pal's total liability under this Agreement is limited to the fees paid by the Organisation in the 12 months preceding the event giving rise to the claim, except where liability arises from PVG Pal's wilful misconduct or gross negligence.
10.3 PVG Pal is not liable for any loss or damage arising from the Organisation's failure to comply with its own obligations under this Agreement or under applicable data protection law.
Volunteers in regulated roles registered through the Organisation's PVG Pal account. Parents/guardians of children participating in the Organisation's activities (consent records only).
| Category | Examples |
|---|---|
| Identity data | Name |
| Contact data | Email address, phone number |
| PVG scheme data | PVG membership number, PVG type (children/adults/both), application status, dates, certificate sharing status |
| Organisation linkage | Which organisations the volunteer is connected to and their role within each |
| Email event metadata | Sender address, timestamp, subject line of emails received at the volunteer's passthrough address (body content never stored) |
| Training metadata | Completion dates and expiry dates for safeguarding training (linked to external training providers — PVG Pal does not deliver training) |
| Consent records | Parent/guardian consent responses (photography, trips, medical, etc.) with timestamps |
PVG membership numbers relate to criminal records checks under the PVG (Scotland) Act 2007. Processing is authorised under DPA 2018, Schedule 1, Part 2 (safeguarding of children and individuals at risk). No conviction data, certificate content, or self-declaration content is processed or stored.
| Data | Retention |
|---|---|
| Volunteer personal data | 12 months after last active role |
| Parent/guardian consent records | 1 year after consent period ends |
| Audit reports | 7 years |
| Audit log | 7 years (append-only, immutable) |
| DPA acceptance record | Subscription duration + 7 years |
Disclosure certificate contents, conviction information, ID document scans, self-declaration form contents, vetting information, reasons for barring, email body content, payment card numbers.
PVG Pal — Data Processing Agreement
Version 1.0 (Draft) — April 2026
Accepted during coordinator onboarding (C1-DPA). Accessible from C14 Settings and pvgpal.app.