Privacy Policy

Version 1.0 | February 2026

This Privacy Policy explains how we handle the personal data of charity users — the people who register for and use Gift Aid Boost. For information about how donor data is processed, see our Donor Privacy Notice.

For questions, contact: james@giftaidboost.com


1. Who We Are

  • Gift Aid Boost is a trading name of Phaseglass Ltd (company number 17064980, registered in England and Wales, registered office: 42 Amberley Road, Portsmouth, Hampshire, PO2 0TG)
  • Gift Aid Boost is a platform that helps UK charities recover unclaimed Gift Aid
  • For the purposes of data protection law, we are the data controller for the personal data of our charity users (you)
  • Contact: james@giftaidboost.com

2. What Data We Collect

We collect the following personal data when you register for and use Gift Aid Boost:

Data | When collected
Full name (first and last) | Registration
Email address | Registration
Job title | Registration
Password (stored as a secure hash, never in plain text) | Registration
Charity details (name, registration number) | Registration (from Charity Commission)
Login activity (IP address, user agent, timestamps) | Each login
Security events (failed logins, password changes) | As they occur
Consent records (what you agreed to and when) | Registration and settings changes
Analytics (page views, feature usage) | If you consent to analytics cookies

3. How We Use Your Data

Purpose | Legal basis
Account creation and management | Contract performance
Service delivery (Gift Aid recovery) | Contract performance
Service communications (verification emails, password resets, invoices) | Contract performance
Security monitoring (detecting unauthorised access, fraud prevention) | Legitimate interest
Product updates and feature announcements | Consent (opt-in)
Analytics and service improvement | Consent (opt-in via cookie preferences)
Legal compliance (HMRC audits, ICO requests) | Legal obligation

4. Legal Basis for Processing

  • Contract performance: we need your data to provide the Gift Aid Boost service as agreed in our Terms of Service
  • Legitimate interests: security monitoring to protect your account and our platform. We have balanced our interests against your rights and believe this processing is proportionate
  • Consent: marketing communications and analytics are only processed with your explicit opt-in consent, which you can withdraw at any time
  • Legal obligation: we may be required to retain certain records for HMRC compliance or respond to lawful requests from regulators

5. Data Sharing

We share your personal data only with the following service providers, who process it on our behalf:

Provider | Purpose | Location
Supabase | Database hosting | EU
Railway | Application hosting | US (SOC 2)
Vercel | Frontend hosting | Global CDN
Resend | Email delivery | US (SOC 2 Type II)
Stripe | Payment processing | US (PCI-DSS Level 1)

  • We never sell your personal data to third parties
  • We never share your data for advertising purposes
  • A full list of sub-processors is available in our compliance pack

6. Data Retention

Data type | Retention period
Account data (name, email, charity details) | While your account is active + 30 days after termination
Security logs (login attempts, IP addresses) | 12 months
Consent records | 7 years (legal compliance)
Invoice and payment records | 6 years (HMRC requirements)
Analytics data | 12 months

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — ask us to correct inaccurate data (you can also update most details in your account settings)
  • Right to erasure — request deletion of your personal data, subject to legal retention requirements
  • Right to restrict processing — ask us to limit how we use your data in certain circumstances
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Right to withdraw consent — withdraw consent for marketing communications at any time via your account settings or by contacting us

To exercise any of these rights, contact us at james@giftaidboost.com. We will respond within 30 days.

8. Cookies

  • We use essential cookies and local storage to keep you logged in and remember your preferences
  • Analytics and marketing cookies are only used with your explicit consent
  • You can manage your cookie preferences at any time via the cookie banner or the “Cookie Preferences” link in the footer
  • For full details, see our Cookie Policy

9. Security

We take the security of your personal data seriously. Our measures include:

  • Encryption of personal data at rest using field-level encryption
  • HTTPS (TLS 1.2+) for all data in transit
  • Two-factor authentication on all accounts
  • Passwords hashed using Argon2id (industry-leading algorithm)
  • Real-time security event monitoring and alerting
  • Regular dependency auditing and vulnerability scanning
  • Incident response procedures with 72-hour breach notification

10. International Transfers

  • Your primary data is stored in the EU (Supabase database hosting)
  • Some sub-processors are based outside the UK/EEA (see section 5)
  • Where data is transferred internationally, it is protected by:
    • UK adequacy decisions
    • Standard contractual clauses (SCCs)
    • Sub-processor security certifications (SOC 2, PCI-DSS)

11. Changes to This Policy

  • We may update this Privacy Policy from time to time
  • We will notify you of material changes at least 30 days before they take effect, via email to your registered address
  • The version number and date at the top of this page will be updated
  • Previous versions are available on request

12. Contact and Complaints

  • If you have questions about this policy or want to exercise your rights, contact: james@giftaidboost.com
  • If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO):