Privacy notice

Who is the controller?

Talvo is used by organisations to run their own elections and nominations. For that data — voter roll contacts, ballots, nominations, results — the organisation is the data controller and Talvo is a data processor acting on their instructions.

For your Talvo account, billing, and support conversations, Talvo is the controller.

What we store

  • Account data: name, email, hashed password (or provider-issued OAuth token) for organisation administrators.
  • Contact / roll data: names and emails you upload as your voter roll, plus optional grouping fields.
  • Election metadata: titles, candidates, statements, timings, config hashes.
  • Ballots: stored in an isolated schema with no link to voter identity, no IPs, and time coarsened to the hour.
  • Audit log: administrator and staff actions, hash-chained per organisation.
  • Support conversations you initiate.

Retention

The organisation controls how long roll data is kept after an election closes. The default is 90 days; the maximum is 365. When retention elapses, roll snapshots (name/email/token) are irreversibly nulled and the organisation's owner is notified. Ballots are anonymous by design and are kept for the life of the election archive.

Erasure and suppression

An administrator can erase an individual contact at any time. Erasure produces a downloadable DSAR export for the contact's records and, if requested, adds a one-way hash of the email to a suppression list so re-import cannot silently re-add the person.

Subprocessors and international transfers

Our subprocessors are listed on the Trust page. Application data is stored in the United Kingdom. Where a subprocessor operates outside the UK / EEA, transfers rely on the UK International Data Transfer Agreement (IDTA) or the equivalent EU Standard Contractual Clauses.

Your rights and how to complain

You can ask to access, correct, export, or erase your personal data by emailing support@talvo.vote. If your data belongs to an organisation's roll, contact that organisation first — they are the controller.

You can also complain to the Information Commissioner's Office (ICO) at ico.org.uk.