Legal

Privacy notice

Last updated 2 June 2026. How I collect, use, store and protect your personal data when you use this site or get in touch.

1. Who I am and how to contact me

I, Matthew Winfield, am the data controller for personal data submitted through this website (cllrmatthewwinfield.com) under the UK GDPR and the Data Protection Act 2018. I act in my capacity as the elected Reform UK Councillor for the Bretforton and Offenham ward.

You can contact me about anything in this notice by email at Winfieldreformuk@gmail.com or by post at Reform UK, 21-24 Millbank, London, SW1P 4QP. Mark data-protection enquiries “Data request” in the subject line so I can route them quickly.

2. Information Commissioner’s Office registration

The Data Protection (Charges and Information) Regulations 2018 require most data controllers in the UK to pay a data protection fee and be listed on the ICO’s public register of controllers. My personal data-controller registration is in progress. Once issued, the registration number will be published here. The public register is searchable at ico.org.uk/ESDWebPages/Search.

3. Nature of this website and capacity in which I act

This is my personal political website, operated by me in my individual capacity as an elected Reform UK councillor and as a Reform UK political campaigner. It is not an official Wychavon District Council publication, and no part of it is funded, hosted or controlled by the council.

I keep the line between my official council role and my political activity clean. Casework I take through council channels uses my official council email and the council’s own information systems, under Wychavon District Council’s separate privacy notice. Anything submitted through this website is processed separately under this notice and never on council infrastructure.

This separation is required by the Code of Recommended Practice on Local Authority Publicity (DCLG, 2011) and by the publicity rules of the Local Government Act 1986. I follow it strictly: council resources are not used to produce or promote this site, and this site does not claim to speak for the council.

All campaign material published here carries the electoral imprint required by Part 6 of the Political Parties, Elections and Referendums Act 2000 (as amended by the Elections Act 2022) and the digital imprint rules in force from 1 November 2023: “Promoted by Matthew Winfield on behalf of Matthew Winfield, Reform UK, 21-24 Millbank, London, SW1P 4QP.”

4. What personal data I collect

You only give me personal data if you choose to. I collect the minimum needed for each purpose (the “data minimisation” principle in UK GDPR Article 5(1)(c)).

4.1 Community feedback form

  • Your chosen contact method, and your email or phone if you provide one.
  • Whether you are a resident of Bretforton, Offenham, or elsewhere.
  • The type and details of your submission, including any photos you attach.
  • Whether you would like a follow-up reply.
  • Optional newsletter consent and email, optional issue category, and an optional rating of local maintenance.

4.2 Newsletter contribution form

  • Your name and email, and optionally a phone number.
  • The type of contribution, your proposed title, and the body of your submission, including any files.
  • Confirmation that you grant permission to publish and that the content is original.
  • Whether you would like your name withheld if the piece is published.
  • Optional feedback on the existing newsletter format.

4.3 Newsletter subscribers

Your email address and the date you subscribed. Nothing else.

4.4 Contact form

  • Your name and email address.
  • An optional phone number.
  • The category of enquiry and the content of your message.

4.5 Surgery bookings

  • Your name, email and optional phone number.
  • A short summary of the issue you want to discuss.
  • The slot you have chosen.

4.6 Information collected automatically

My hosting provider records basic technical information so the site can serve pages and stay secure: a short-lived record of the request, the page visited, your approximate location at country level, and a generic device or browser type.

With your express opt-in via the cookie banner, the site also loads Google Analytics 4 for aggregate visitor statistics. GA4 is disabled by default under Google Consent Mode v2 and only activates after you click Accept all. IP addresses are anonymised before processing. I run GA4 in measurement-only mode (no advertising features, no Google Signals, no remarketing). See the cookies policy for the full list of cookies and their lifetimes.

5. Purposes and lawful bases (UK GDPR Article 6)

Every processing activity I undertake is matched to a specific purpose and a lawful basis. The list below sets out each one.

  • To respond to enquiries, casework and feedback. Lawful basis: public task (UK GDPR Art 6(1)(e)), the exercise of my official authority as an elected councillor, recognised under the Local Government Act 2000 and the Localism Act 2011.
  • To send the monthly newsletter and other marketing emails. Lawful basis: consent (UK GDPR Art 6(1)(a)) and the consent requirements of the Privacy and Electronic Communications Regulations 2003 (PECR). You give consent on the subscribe form and can withdraw it at any time by clicking the unsubscribe link in any email.
  • To consider your submission for publication in the newsletter. Lawful basis: consent (UK GDPR Art 6(1)(a)) given in the publication agreement on the contribution form.
  • To organise and run an online surgery slot you booked. Lawful basis: contract / pre-contractual steps (UK GDPR Art 6(1)(b)), performing what you asked for, combined with public task (Art 6(1)(e)) as your councillor.
  • To keep the site running, secure, and free of abuse. Lawful basis: legitimate interests (UK GDPR Art 6(1)(f)) in running a working, safe website. The processing is minimal, anonymous where possible, and reasonably expected by visitors.
  • To comply with my own legal obligations, for example responding to a subject access request, retaining records to meet audit duties, or complying with a lawful order. Lawful basis: legal obligation (UK GDPR Art 6(1)(c)).

6. Special category data (UK GDPR Article 9)

Some of the things you might tell me through the forms could reveal information about your political opinions, your health, your race or ethnic origin, your sex life or sexual orientation, your religious beliefs, or trade-union membership. UK GDPR Article 9 calls these special category data and requires an additional condition in Schedule 1 of the Data Protection Act 2018.

Where you have voluntarily disclosed special category data to me as your elected representative (for example, telling me about a health issue you need help with), I rely on the condition in Schedule 1, Part 2, paragraph 23 of the Data Protection Act 2018: elected representative responding to a constituent. Where that condition does not apply, I rely on your explicit consent (UK GDPR Art 9(2)(a)).

I do not collect special category data unless you choose to share it with me, and I never use it for any purpose beyond the one you shared it for.

7. Source of your data

All personal data I hold about you was given to me directly by you, through the forms on this site or by replying to one of my emails. I do not buy contact lists, scrape personal data from third parties, or use data brokers.

8. Recipients (who I share your data with)

I use a small number of suppliers (data processors) to keep the site and database running. They are bound by written data-processing agreements that meet UK GDPR Article 28 and cannot use your data for their own purposes.

  • Supabase: stores form submissions, newsletter subscribers, contact messages, and uploaded files. Hosted in the European Union (London region).
  • Vercel: hosts the website. Pages are served from a global edge network which may include locations outside the UK and EEA.
  • Resend: sends transactional emails (confirmations, login codes, newsletters). Hosted in the European Union.
  • Google Ireland Limited: processes aggregate visitor analytics through Google Analytics 4, but only after you give cookie consent. IPs are anonymised before processing.

Where it is necessary to progress a piece of casework on your behalf, I may share the minimum necessary information with the relevant local authority, public body or public official (for example, a council officer responsible for a particular service, an MP, the police, a housing association, the NHS, or a regulator). I will not pass your details to anyone else without your permission unless I am legally required to do so.

9. International transfers

Where personal data is transferred outside the United Kingdom (for example to United States data centres operated by Vercel or Google), the transfer is protected by one of the safeguards permitted under UK GDPR Chapter V. In practice this is the UK extension to the EU-US Data Privacy Framework where the receiving organisation is certified, or the UK International Data Transfer Agreement (or the EU Standard Contractual Clauses with the UK Addendum) where it is not. A copy of the relevant safeguard is available on request.

10. How long I keep your data (retention)

  • Casework and feedback: for the duration of the current council term and up to six years after, to allow for follow-up enquiries and audit. Then permanently deleted.
  • Newsletter contributions: kept for as long as you remain happy for the piece to be considered. If you withdraw consent, the contribution and your contact details are deleted within one month.
  • Newsletter subscribers: kept until you unsubscribe. Once you unsubscribe the record is removed within one month, unless I need to retain it to honour your own wishes (for example to avoid re-adding you).
  • Contact messages: kept for up to three years from the date of last contact, then permanently deleted.
  • Surgery bookings: kept for one council year, then deleted.
  • Server access logs and security records: kept by the hosting provider for up to 30 days.
  • Google Analytics 4 data: retained by Google for 14 months at the property level, then automatically deleted.

11. Whether you have to provide your data

You are never required to give me personal data. If you choose not to provide some or all of the information a form asks for, I may not be able to respond to your enquiry or add you to the newsletter, but there are no other consequences.

12. Automated decision-making and profiling

I do not use automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you (UK GDPR Article 22). Every reply, casework decision and publication choice is made by me personally or by a human staff member acting on my instructions.

13. Your rights under the UK GDPR

You have the following rights in relation to your personal data:

  • Right to be informed (Articles 13-14): what this notice is for.
  • Right of access (Article 15): ask for a copy of the personal data I hold about you.
  • Right to rectification (Article 16): ask me to correct anything inaccurate.
  • Right to erasure (Article 17): ask me to delete your data where one of the grounds applies (commonly known as the “right to be forgotten”).
  • Right to restrict processing (Article 18): ask me to pause processing while a query is resolved.
  • Right to data portability (Article 20): for data processed on the basis of consent or contract, ask for a structured, machine-readable copy.
  • Right to object (Article 21): object to processing carried out for public task or legitimate interests. For direct-marketing processing the right is absolute and I will stop straight away.
  • Right to withdraw consent (Article 7(3)): where I rely on consent (for example to send you the newsletter), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing already carried out.
  • Right not to be subject to automated decision-making (Article 22), see section 11. I do not use any.
  • Right to complain to a supervisory authority (Article 77), see section 13.

To exercise any of these rights, email Winfieldreformuk@gmail.com with the subject line “Data request”. I will respond within one calendar month from receipt. The response is free of charge unless your request is manifestly unfounded or excessive, in which case I may charge a reasonable fee or refuse to act, as UK GDPR Article 12(5) allows.

14. Complaints to the Information Commissioner

If you are unhappy with how I have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office. I would appreciate the chance to put things right first, so please consider contacting me before approaching the ICO.

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15. Security and data breaches

I take appropriate technical and organisational measures to keep your personal data secure, including HTTPS encryption on every page, access controls and unique admin accounts, encrypted database storage at rest, two-factor authentication on supplier accounts where supported, and regular review of who can access what.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, I will notify the Information Commissioner’s Office within 72 hours of becoming aware of it, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to your rights and freedoms, I will also notify you directly, without undue delay (Article 34).

16. Children

This site is intended for adults and the forms here are aimed at adult residents. If you are under 13, please ask a parent or guardian to use the forms on your behalf. The newsletter and electronic communications services are not knowingly offered to children under 13 (UK GDPR Article 8 / Information Society Services consent threshold).

17. Changes to this notice

I may update this notice from time to time to reflect changes in how the site is used or to keep it aligned with the law. The latest version will always be at this URL, and the “last updated” date at the top of the page will tell you when it was last revised. Material changes will be flagged in the next newsletter and on the home page for at least 30 days.