Privacy Policy

This Privacy Policy explains how Defence Legal Services Ltd (trading as Police Station Agent, "we", "us", "our"), the provider of the Custody Note desktop software ("Custody Note", "the Software"), collects, uses, stores and protects personal data in connection with the website custodynote.com ("the Site") and the related licensing, support and optional cloud services we offer. It is written for users in the United Kingdom and reflects the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It should be read alongside our Cookie Policy, Security page and Terms & Conditions.

1. Who we are and how to contact us

The data controller for personal data processed through this Site and for account, licensing and support enquiries is Defence Legal Services Ltd. You can reach us at robertcashman@defencelegalservices.com (Outlook Web) or via our contact page. We have not appointed a statutory Data Protection Officer, but the contact above is responsible for data protection queries.

Important distinction. The case and client data you enter into the Software on your own devices is processed by you or your firm as the data controller for your professional activities. We do not act as controller for that content. Where you enable optional cloud backup or sync, we act as your data processor for the encrypted data only, as described in section 5.

2. The categories of personal data we process

Through the Site, licensing and support, we may process:

• Contact and enquiry data — your name, email address, firm or organisation, and the content of messages when you email us, use a form, request support, or register interest in a product.
• Licensing and transaction data — information needed to issue, validate and renew licence keys and subscriptions, including order references and the plan you hold. Card payments are handled by our payment provider; we do not store full card numbers.
• Support data — diagnostic details you choose to share (for example app version, operating system, and a description of the issue) so we can help you.
• Technical and security data — standard server and security logs that our hosting and CDN providers generate (for example IP address, browser/user-agent, and date/time of requests). Retention and detail depend on the hosting configuration and are used for security, abuse prevention and reliability.
• Analytics data — where the Site uses privacy-focused, first-party analytics (see our Cookie Policy), aggregated page-view and performance metrics that are not used to build advertising profiles.

3. Data we deliberately do not collect

We do not sell personal data. We do not use third-party advertising trackers or cross-site advertising networks on this Site. We do not collect the content of your attendance notes through the website, and we do not train artificial intelligence models on your case records.

4. The Custody Note application — local storage and encryption

Custody Note is designed so that attendance records and related professional content are stored primarily on your device (a Windows PC or a Mac) in an encrypted local database using AES-256 (or equivalent industry-standard encryption as implemented in the product). We do not have routine access to the plaintext content of your case files on your machine.

On macOS, the app may use the system Keychain to store encryption-related credentials securely. On Windows, equivalent operating system secure-storage mechanisms are used where applicable.

You are responsible for device security, passwords, recovery credentials, backups, and compliance with your firm's policies and your professional obligations.

5. Optional cloud backup and sync (AWS London)

If you enable optional features that back up or synchronise data with cloud services, that data is processed in infrastructure located in AWS London (eu-west-2) or as otherwise disclosed in the product. Data is encrypted on your device before transmission and stored in encrypted form; decryption keys remain under controls tied to your account and the product design. We hold encrypted data we cannot read.

For this processing we act as your processor and process the data only to provide the backup/sync feature, to maintain security, and as required by law. We will support your obligations as controller, including providing appropriate processing terms where required and assisting with security and breach-handling within our role.

6. How and why we use personal data (purposes)

We use personal data to:

• provide, activate, and support the Software and your licence;
• respond to enquiries, support requests and feedback;
• operate, secure and improve the Site and the product;
• manage trials, subscriptions, billing and renewals;
• prevent, detect and investigate fraud, abuse and security incidents;
• comply with legal, regulatory and accounting obligations.

7. Legal bases (UK GDPR Article 6)

Depending on the activity, we rely on:

• Contract — to provide the Software, licence, optional cloud features, and the support you request.
• Legitimate interests — operating a secure website, understanding aggregate usage, improving the product, and preventing abuse, balanced against your rights and freedoms.
• Legal obligation — where we must comply with law, regulation, or a binding request.
• Consent — where required, for example certain non-essential cookies or optional marketing; you can withdraw consent at any time.

8. Sharing and sub-processors

We share personal data only where necessary and under appropriate safeguards. Categories of recipients include:

• Hosting and content delivery — our website host/CDN (which processes server logs to serve and secure the Site).
• Cloud infrastructure — Amazon Web Services (AWS), eu-west-2 London, for optional encrypted backup/sync.
• Software distribution — installers may be delivered via third-party infrastructure such as GitHub Releases.
• Payment processing — our payment provider handles card transactions under its own controls and privacy notice.
• Professional advisers and authorities — where required by law, to establish or defend legal claims, or in connection with a business reorganisation.

We require processors to act only on our instructions and to maintain appropriate security. We do not sell or rent personal data to third parties.

9. Retention

We keep enquiry, account, licensing and transaction data only for as long as necessary for the purposes above, including legal, regulatory, tax, and complaint-handling requirements (for example, financial records are typically retained for six years). Security and server logs are retained for a limited period as configured by our hosting providers. Local data on your device, and any encrypted cloud backup you enable, are retained and deleted according to your own settings and choices.

10. Security

We use technical and organisational measures appropriate to the risk, including encryption (AES-256 at rest in the product, TLS in transit for cloud features), access controls, and the principle of holding the least data necessary. No system is perfectly secure, but our architecture is designed so that we cannot read your case content. See our Security page for detail. If a personal data breach occurs that is likely to result in a risk to individuals, we will notify the ICO and, where required, affected individuals, in line with our legal obligations.

11. Your rights

Under UK data protection law you may have the right to:

• be informed about how your data is used (this notice);
• access a copy of your personal data;
• have inaccurate data rectified;
• have data erased in certain circumstances;
• restrict processing in certain circumstances;
• data portability where applicable;
• object to processing based on legitimate interests or for direct marketing;
• withdraw consent where processing is consent-based;
• not be subject to solely automated decisions producing legal or similarly significant effects — we do not carry out such automated decision-making or profiling.

To exercise any right, contact us using the details above; we will respond within one month (extendable for complex requests, with notice). There is normally no charge. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk (helpline 0303 123 1113), though we would welcome the chance to resolve any concern first.

12. Children

The Site and the Software are intended for legal professionals and are not directed at children. We do not knowingly collect personal data from children through the Site.

13. International transfers

We design services so that core professional data for UK users is kept in the UK/EU where the product provides for that. Where any transfer of personal data outside the UK/EEA occurs (for example a sub-processor located elsewhere), we ensure an appropriate safeguard is in place, such as UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses.

14. Cookies

For details of cookies and similar technologies used on the Site, see our Cookie Policy.

15. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top will change; where changes are material we will highlight them on the Site. Your continued use after an update constitutes awareness of the revised policy.