Gift Aid Boost — Data Compliance Pack
Version 1.0 | February 2026
This document is provided for your data protection officer or legal team to review Gift Aid Boost's data handling practices.
For questions, contact: james@giftaidboost.com
1. Data Processing Agreement Summary
- Gift Aid Boost acts as a data processor under UK GDPR
- Your charity (the client) is the data controller
- Purpose: processing donor data solely for Gift Aid recovery on behalf of the charity
- We process data only on documented instructions from the controller
- We implement appropriate technical and organisational security measures
- We do not sub-process without prior written consent (sub-processors listed below)
- We assist the controller with data subject access requests and breach notifications
- Upon termination, we delete all personal data within 90 days (except where retention is legally required)
- Breach notification: within 72 hours of becoming aware of a personal data breach
The full Data Processing Agreement is available at /legal/data-processing-agreement and is accepted during registration.
2. Sub-Processor Register
| Sub-Processor | Purpose | Data Accessed | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Database hosting & storage | Donor records, declarations, claim data | EU (Frankfurt) |
| Resend | Email delivery | Donor email addresses, charity name | US (SOC 2 Type II) |
| Ideal Postcodes | Address verification & completion | Postcodes, partial addresses | UK |
| T2A | Electoral roll lookup | Names, addresses | UK |
| attachmentAV | Virus scanning of uploaded files | Uploaded file contents (scanned, not stored) | EU |
| Railway | Application hosting | All application data (encrypted in transit) | US (SOC 2) |
| Anthropic (Claude API) | AI column mapping | No PII — anonymised column headers and data patterns only | US |
| Stripe | Payment processing | Charity name, billing email, invoice amounts | US (PCI-DSS Level 1) |
All sub-processors are contractually bound to equivalent data protection standards. We will notify you at least 30 days before adding a new sub-processor.
Last updated: February 2026
Postcodes.io is an open-source UK government service — no API key required, no account relationship, no data stored by the service.
3. Data Flow Diagram
Charity uploads files (CSV/Excel)
Virus scanning (attachmentAV)
Secure storage (Supabase)
Column mapping & donor matchingAll processing on our servers
Gap-filling from UK data sourcesIdeal Postcodes, T2A
Declaration emails to donors (Resend)
Monthly HMRC Gift Aid schedule spreadsheets generated
Charity downloads claim spreadsheet
No personal data is sent to any service for the purpose of data processing beyond what is listed above.
4. Retention Schedule
| Data Category | Retention Period | Basis |
|---|---|---|
| Donor records (names, addresses, contact details) | 6 years from last claim | HMRC audit requirement |
| Gift Aid declarations (proof of donor consent) | 6 years from last claim | HMRC audit requirement |
| Donation records | 6 years from last claim | HMRC audit requirement |
| Claim batch records | 6 years from generation | HMRC audit requirement |
| Uploaded files (original CSV/Excel) | 14 days from upload | Data minimisation — deleted automatically |
| File metadata (name, hash, row count, upload date) | 6 years | Audit trail |
| Processing job logs | 90 days | Operational diagnostics |
| User account data | Duration of account + 90 days | Service provision |
| Verification codes (2FA) | 15 minutes | Data minimisation — auto-expired |
| Security event logs | 1 year | Legitimate interests (security monitoring) |
| Analytics events | 90 days | Legitimate interests (product improvement) |
| Admin audit log | Indefinite | Accountability — immutable by design |
| Outreach queue records | 6 years from last claim | HMRC audit trail (linked to declarations) |
Data is permanently deleted after the retention period expires.
5. Lawful Basis Register
| Processing Activity | Lawful Basis | UK GDPR Article | Notes |
|---|---|---|---|
| Donor data processing for Gift Aid recovery | Legitimate interests | 6(1)(f) | Charity's interest in recovering entitled Gift Aid; proportionate to donor's reasonable expectations |
| Declaration email outreach | Legitimate interests | 6(1)(f) | Donors opted into Gift Aid; one-click unsubscribe available |
| User account creation and authentication | Contract | 6(1)(b) | Necessary for service provision |
| HMRC Gift Aid schedule generation | Legal obligation | 6(1)(c) | HMRC-mandated format for Gift Aid claims |
| 6-year data retention | Legal obligation | 6(1)(c) | HMRC requires records for audit purposes |
| Security event logging | Legitimate interests | 6(1)(f) | Security of processing (Recital 49) |
| Invoicing and payment processing | Contract | 6(1)(b) | Necessary for service provision |
We do not process any special category data (Article 9) or criminal offence data (Article 10).
6. GDPR Article 28 Compliance Statement
Gift Aid Boost confirms compliance with GDPR Article 28 requirements for data processors:
- (28)(1) We implement appropriate technical and organisational measures to ensure processing meets GDPR requirements
- (28)(2) We do not engage sub-processors without prior written authorisation from the controller. Sub-processors are listed in this document and updated as changes occur
- (28)(3)(a) We process personal data only on documented instructions from the controller, including transfers to third countries (none currently)
- (28)(3)(b) We ensure persons authorised to process personal data have committed to confidentiality
- (28)(3)(c) We implement appropriate security measures including encryption (TLS in transit, AES-256 at rest), access controls, and regular security reviews
- (28)(3)(e) We assist the controller in responding to data subject requests (access, rectification, erasure, portability)
- (28)(3)(f) We assist the controller in ensuring compliance with breach notification obligations, notifying within 72 hours
- (28)(3)(g) On termination, we delete all personal data within 90 days unless retention is legally required
- (28)(3)(h) We make available all information necessary to demonstrate compliance and allow for audits
7. Contact
For data protection enquiries:
- Email: james@giftaidboost.com
- Subject line: “Data Protection Enquiry”
For data subject access requests, contact your charity's data protection officer. We will assist promptly upon receiving a controller's instructions.