Redbox privacy policy
This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the UK General Data Protection Regulation (UK GDPR).
Data Controller
The Department for Science and Innovation (DSIT) is the controller and is responsible for the processing of your Personal Data as described in this Privacy Policy.
Your data
Purpose
The purposes for which we are processing your personal data are:
- Enabling login to the platform
- Information will be aggregated and used for anonymous further analysis
- To contact you to take part in research into how to improve the service if you have opted in to research in the Redbox Terms and Conditions
- To contact you when maintenance, changes to terms or other changes are being made that may affect your use of Redbox
The data
Personal data you provide
We will process the following personal data:
-
Information gathered at Signup
- work email address
- grade
- profession
- business unit
- department
- As stipulated in the Terms and Conditions the use of personal data is not permitted as part of any user input into Redbox, either in content loaded or through chat. However; there is no way with current technology to prevent if personal data is inputted into Redbox through content or chat (this is further laid out in the Retention section of this Policy, it will be deleted after 30 days.)
- The Content (both Inputs and Outputs) may be referred to for research purposes
Personal Data We Receive from Your Use of the Services
When you visit, use, or interact with the Services, we receive the following information about your visit, use, or interactions:
Via Plausible Analytics the following information is gathered:
- Browser type and settings
- Device information
- Page URL
- HTTP Referrer
- Operating system
- Country, region
- Internet Protocol (IP) address
Plausible Analytics collects anonymous analytics data about user use of Redbox. IP address is collected but mixed with other data to disguise individual identity. Analytics data is wiped at the end of each day so no history is retained about an individual’s use of Redbox. You can view more information on how Plausible uses this data.
“Essential cookies” are captured as they are required for essential functionality and security. Please read our cookies notice for further information
If you change role or department you can tell the product team for your details to be changed to keep them up to date.
Legal basis of processing
The legal basis for processing your personal data is:
- Public task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller, to provide appropriate tools and systems to support civil servants to summarise documents and develop briefings.
Recipients
Your personal data will be shared by us with analysts/researchers within the DSIT Incubator for Artificial Intelligence (i.AI) if you have opted to take part in research.
As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email and document management and storage services. As part of the existing contracts with the Large Language Model (LLM) they will not use any data inputted to train the models. These LLMs are treated as Third Party services and as such their respective Terms of Use and Terms of Conditions, found on their websites, will apply.
Retention
Your personal data will be retained for 12 months after account inactivity. At that point we will delete your email address, depersonalising the data we hold.
Redbox stores your content for 30 days. Content that you delete is archived but accessible for Freedom of Information requests (FOIs) for 30 days.
Documents will automatically be deleted when a chat is deleted.
All data is stored in Cabinet Office AWS and Elastic.
Your rights
- You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
- You have the right to request that any inaccuracies in your personal data are rectified without delay.
- You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
- You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
- You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
- You have the right to object to the processing of your personal data where it is processed for direct marketing purposes.
- You have the right to withdraw consent to the processing of your personal data at any time.
You will be asked to re-accept Terms and Conditions every 1 year as well as every time the Terms and Conditions are updated.
International transfers
Redbox personal data is stored on our IT infrastructure in the UK. However, Redbox chat data is processed where it is subject to equivalent legal protection as the UK through an adequacy decision.
Contact details
The data controller for your personal data is DSIT. The contact details for the data controller are: DSIT Data Protection Officer, Department for Science, Innovation & Technology, 22-26 Whitehall, London, SW1A 2EG, Email dataprotection@dsit.gov.uk.
If you are unhappy with the way we have handled your personal data, please write to the department’s Data Protection Officer in the first instance using the contact details above.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, or 0303 123 1113, or icocasework@ico.org.uk.
Changes to this notice
We may change this privacy notice. When we make changes to this notice, the "last updated" date at the bottom of this page will also change. Any changes to this privacy notice will apply to you and your data immediately. If these changes affect how your personal data is processed, DSIT will take reasonable steps to make you aware of the changes.
Last updated: 13th February 2025