Privacy Policy

For volunteers using the PVG Pal app
Last updated: April 2026  |  Version 1.0 (Draft)

The short version

PVG Pal helps you and your safeguarding coordinator keep track of your PVG (Protecting Vulnerable Groups) scheme membership.

We store your name, email, phone number, and PVG membership details so your coordinator can see that your checks are up to date.

We never store your disclosure certificate, any conviction information, your ID documents, or the contents of your self-declaration form.

Your data is stored securely on servers in the European Union. You can delete your account and all your data at any time from the app settings.

If you have any questions, email privacy@pvgpal.app and we will respond within 30 days.

1. Who we are

PVG Pal is operated by Hugh Mackenzie, trading as PVG Pal, based in Aberdeenshire, Scotland. For the purposes of data protection law, Hugh Mackenzie is the data controller — the person responsible for deciding how your personal data is used.

Data controller: Hugh Mackenzie
Email: privacy@pvgpal.app
Website: www.pvgpal.app

When your safeguarding coordinator uses PVG Pal to manage volunteers, the organisation they represent (for example, your church or sports club) is a joint controller of the data they can access about you. They have their own obligations under data protection law, and we require them to sign a Data Processing Agreement before they can invite any volunteers.

2. What data we collect and why

We only collect what is needed to track your PVG compliance status. Here is exactly what we hold, why we hold it, and what gives us the legal right to do so.

| What we collect | Why we need it | Legal basis |
| --- | --- | --- |
| Your name | So your coordinator can identify you on their dashboard and compliance register | Legitimate interest — your organisation has a legal obligation to track PVG status |
| Your email address | To create your account, send you important updates (like deadline reminders), and forward emails from Disclosure Scotland to your real inbox | Legitimate interest / Contract |
| Your phone number | So your coordinator can send you deadline reminders by WhatsApp or SMS if you have given your consent for this | Consent — you tick a box at registration and can withdraw consent at any time in settings |
| Your PVG membership number | To confirm your PVG scheme membership and enable your coordinator to record it on the compliance register (such as the Church of Scotland SG07) | Legitimate interest — authorised under DPA 2018, Schedule 1, Part 2 (safeguarding of children and individuals at risk) |
| Your PVG type (children, adults, or both) | To check that your PVG membership covers the type of work you do | Legitimate interest |
| PVG application status and dates (application submitted, DS link received, certificate issued, certificate shared) | To track where you are in the PVG process and send timely reminders about deadlines | Legitimate interest |
| Which organisations you are linked to | So each coordinator can see only the volunteers in their own organisation | Legitimate interest |
| Your passthrough email address (e.g. yourname-abc123@pvgpal.app) | This is the address used on PVG forms so we can automatically track status changes — see section 3 below | Legitimate interest |
| Email event log (sender address, date/time, subject line only — never the email body) | To detect when Disclosure Scotland or the Safeguarding Service has sent you something, so we can update your status and start any deadline countdowns automatically | Legitimate interest |
| Consent records (what you agreed to, when, and which version of this policy) | To prove that we asked for your permission properly, as the law requires | Legal obligation (UK GDPR accountability) |
| Training completion dates (e.g. safeguarding training, first aid) | To track whether training requirements are up to date — we link to your training provider's platform, we do not deliver training ourselves | Legitimate interest |

3. How the passthrough email works

When you register, PVG Pal creates a unique email address for you — something like yourname-abc123@pvgpal.app. This is your "passthrough" address.

Why we do this

This passthrough address goes on your PVG application forms instead of your real email. When Disclosure Scotland or the Safeguarding Service sends you an email (for example, your application link or your certificate), it arrives at your passthrough address first.

What happens when an email arrives

Our system reads only three things from the email: who sent it, when they sent it, and the subject line. This is enough for us to detect what stage your application has reached and start any deadline countdowns automatically.

We then immediately forward the complete email to your real email address. You receive the full email exactly as it was sent, and you can open links, download attachments, and reply as normal.

What we never do: We never read, store, or analyse the body of the email. We never open any attachments. We never extract information from your disclosure certificate. The email content passes through our system and goes straight to your inbox.

The privacy benefit

Because the passthrough address is used on all forms, your real email address is never shared with the Church of Scotland Safeguarding Service, Volunteer Scotland Disclosure Services (VSDS), or Disclosure Scotland. Disclosure Scotland will only have your real email if you provide it directly when creating your ScotAccount — PVG Pal is not involved in that exchange.

4. Who can see your data

| Who | What they can see | Why |
| --- | --- | --- |
| You | Everything about your own account — your PVG wallet, status, deadlines, linked organisations, and settings | It is your data |
| Your safeguarding coordinator(s) | Your name, PVG status, compliance traffic-light status, deadlines, and whether you have shared your certificate. They can only see volunteers in their own organisation — not volunteers at other organisations you may belong to. | They need this to fulfil their legal safeguarding duties |
| Auditors (e.g. presbytery inspectors) | A read-only compliance summary. They see traffic-light status and whether requirements are met — not your PVG membership number or personal contact details. | Regulatory inspection. Access is time-limited (72 hours) and read-only. |
| PVG Pal admin (Hugh Mackenzie) | All data, for the purposes of support, troubleshooting, and responding to data requests. All admin access is logged in an audit trail that cannot be edited or deleted. | To run and maintain the service |

We never sell, rent, or share your personal data with advertisers, marketers, or any third party for their own purposes.

5. Where your data is stored

All your personal data is stored on Cloudflare's servers within the European Union. We use Cloudflare's D1 database with an EU jurisdiction setting, which means your data is guaranteed to stay within the EU — it is never stored on servers in the United States or elsewhere outside the EU.

All data is encrypted when it is stored (encryption at rest) and when it moves between your device and our servers (encryption in transit using HTTPS/TLS 1.3).

6. How long we keep your data

We do not keep your data forever. Here are the specific retention periods:

| Data | How long we keep it |
| --- | --- |
| Your account and PVG details | 12 months after your last active role ends (i.e. 12 months after you are no longer linked to any organisation as an active volunteer) |
| Email event log (metadata only) | 12 months after last active role |
| Consent records (proof of your agreement at registration) | Duration of your account plus 12 months |
| Audit log entries related to your data | 7 years (regulatory best practice for safeguarding records) |

After these periods, your data is automatically deleted. You can also delete your account at any time — see section 8 below.

7. Data we never store

PVG Pal will never, under any circumstances, store the following:

Your disclosure certificate contents — we never see, read, or store any conviction information or the details on your PVG certificate.

Your ID documents — we never ask you to upload a scan or photo of your passport, driving licence, or any other identity document.

Your self-declaration form (SG03) contents — this is between you and the Safeguarding Service. We never see what you have disclosed.

Vetting information or reasons for barring — this information is restricted to Disclosure Scotland and is never available to PVG Pal.

The body of any email sent to your passthrough address — only the sender, date, and subject line are logged. The full email is forwarded to you and not stored.

Payment card details — volunteers do not pay for PVG Pal (your organisation pays). Even for organisations, all payment is handled by Stripe and we never see or store card numbers.

8. Your rights

Under UK data protection law, you have the following rights. You do not need to pay anything to exercise them.

See your data (right of access)

You can ask us for a copy of all the personal data we hold about you. We will respond within 30 days. Email privacy@pvgpal.app with the subject line "Subject Access Request".

Correct your data (right to rectification)

You can update your name, email, phone number, and PVG details at any time in the app. If something is wrong and you cannot fix it yourself, contact us and we will correct it.

Delete your data (right to erasure)

You can delete your account from the Settings screen in the app. This permanently removes all your personal data from our systems — your name, email, phone number, PVG details, organisation links, email event log, and passthrough email address. The only thing that remains is a record in the audit log that a deletion took place (but not what was deleted).

If you cannot access the app, email privacy@pvgpal.app and we will delete your account within 30 days.

Restrict how we use your data

You can unlink yourself from an organisation without deleting your account. This means that coordinator will no longer be able to see your data. You can do this from the My Organisations screen.

Get a copy of your data to take elsewhere (data portability)

You can export your PVG wallet data from the app at any time.

Object to how we use your data

If you believe we do not have a good reason to process your data, you can object. Email privacy@pvgpal.app and we will consider your objection within 30 days.

Withdraw consent for reminders

If you agreed to receive WhatsApp or SMS reminders from your coordinator, you can withdraw this consent at any time in the app Settings. This does not affect anything else about your account.

9. Third parties who help us run PVG Pal

We use a small number of trusted companies to help us run the service. Each one has signed a data processing agreement with us. None of them use your data for their own marketing or other purposes.

| Company | What they do for us | Where your data is processed |
| --- | --- | --- |
| Cloudflare | Hosts our database, runs our server code, handles the passthrough email system, and hosts the web dashboard | European Union — database is locked to EU jurisdiction. Cloudflare is ISO 27001 and SOC 2 certified. |
| Apple / Google | Distributes the app via the App Store and Google Play. Sends push notifications to your device. | Global. Push notifications contain no personal details — they say things like "You have an update" rather than specific PVG information. |
| Anthropic (Claude Haiku) | Powers the AI assistant that answers general PVG process questions (see section 11) | United States — but no personal data is ever sent to Anthropic. The AI only receives your question, not your name, PVG number, or any other personal information. |

10. Push notifications and reminders

PVG Pal sends push notifications to your phone to remind you about important deadlines — for example, when your Disclosure Scotland application link arrives, or when your 14-day certificate sharing deadline is approaching.

These notifications are designed to help you, not nag you. You can control them in your phone's notification settings. Turning off notifications does not affect your account or your data.

If you gave consent for your coordinator to send you reminders by WhatsApp or SMS, those messages come from your coordinator directly (via a pre-written message in the app). You can withdraw this consent at any time in Settings.

11. The AI assistant

PVG Pal includes an AI assistant that can answer general questions about the PVG process — things like "Do I need a PVG check for this role?" or "How long does the application take?"

The AI assistant never sees your personal data. When you ask a question, only the question itself is sent to the AI service (provided by Anthropic). Your name, PVG number, email address, and organisation details are never included. The AI does not remember previous conversations.

12. Children's data

PVG Pal is designed for adult volunteers. You must be 16 or older to create an account. We do not knowingly collect data from anyone under 16.

The parent/guardian consent features in PVG Pal (for activity permissions like photography consent) are managed by the safeguarding coordinator, and the parents/guardians interact via email or SMS — they do not need the app and do not create accounts.

13. Changes to this policy

If we make significant changes to how we use your data, we will notify you by push notification and email before the changes take effect. We will not reduce your rights under this policy without your explicit consent.

Minor wording changes (like correcting a typo or updating a company address) may be made without notification, but the updated policy will always be available in the app and on our website.

The date at the top of this policy shows when it was last updated.

14. How to contact us or make a complaint

Contact us

Email: privacy@pvgpal.app
Subject line for data requests: "Subject Access Request" or "Data Deletion Request"
Response time: Within 30 days

Make a complaint

If you are unhappy with how we have handled your data, you have the right to complain to the UK's data protection regulator:

Information Commissioner's Office (ICO)
Website: ico.org.uk/make-a-complaint
Helpline: 0303 123 1113 (Monday to Friday, 9am to 5pm)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the chance to address your concerns before you contact the ICO, but you are not required to come to us first.

Accessible from: Registration (V1b), Settings (V10), and pvgpal.app