Privacy Policy

1. WHO WE ARE

Impact Assist Limited is a Gift Aid recovery and revenue enhancement service for UK charities and religious organizations. We process personal data on behalf of our charity clients to help them maximize their Gift Aid claims.

• • Company Name: Impact Assist Limited

• • Company Number: 15996190

• • Registered Address: 82 James Carter Road, Mildenhall, IP28 7DE, UK

• • Contact Email: [email protected]

• • Website: www.impactassist.co.uk

2. OUR ROLE UNDER DATA PROTECTION LAW

Impact Assist acts as a Data Processor when we process donor information on behalf of charities and mosques (who are the Data Controllers).

This means:

• • We only process donor data according to the instructions of the charity

• • We cannot use donor data for any other purpose

• • The charity remains responsible for how donor data is collected and used

• • We have strict contracts (Data Processing Agreements) with each charity client

3. WHAT INFORMATION WE PROCESS

We process the following types of personal information on behalf of our charity clients:

3.1 Donor Information

• • Full name (title, first name, surname)

• • Home address and postcode

• • Email address (if provided)

• • Telephone number (if provided)

• • Donation amounts and dates

• • Gift Aid declaration details

3.2 Charity Information (Our Direct Clients)

• • Charity name and registration number

• • Contact details of authorised representatives

• • Bank details for Gift Aid payment processing

4. HOW WE USE PERSONAL INFORMATION

We use donor personal information solely for the following purposes:

• • Processing Gift Aid declarations submitted to our charity clients

• • Submitting Gift Aid claims to HM Revenue & Customs (HMRC)

• • Maintaining records as required by HMRC regulations (6 years)

• • Providing reports and analytics to charity clients about their Gift Aid claims

• • Responding to donor enquiries at the request of the charity
    We do NOT:

• • Use donor data for marketing purposes

• • Share donor data with third parties (except HMRC as required by law)

• • Contact donors directly (all communication goes through the charity)

5. LEGAL BASIS FOR PROCESSING

We process personal data under the following legal bases as defined by UK GDPR:

Legal Obligation (Article 6(1)(c)): We must retain Gift Aid records for 6 years as required by HMRC regulations.

Legitimate Interests (Article 6(1)(f)): Processing is necessary for the charity to claim Gift Aid, which benefits both the charity and the donor. The charity has a legitimate interest in maximizing Gift Aid recovery, and donors benefit from increased value of their donations at no cost to them.

Contract (Article 6(1)(b)): We have Data Processing Agreements with our charity clients authorising us to process data on their behalf. Donors are informed of this processing through the charity’s Gift Aid declaration forms and privacy notices. Donors do not need to provide separate consent for data sharing with Impact Assist, as this processing is covered by the legal bases above.

6. HOW WE PROTECT YOUR INFORMATION

We take data security extremely seriously and implement the following measures:

      6.1 Technical Security

• • Data encrypted at rest using industry-standard encryption (AES-256)

• • Data encrypted in transit using secure protocols (TLS 1.2/1.3)

• • Multi-factor authentication enforced for system access

• • Secure data storage with redundancy across multiple data centres

• • Advanced firewall protection and intrusion detection systems

• • Regular independent security audits and compliance certifications
    6.2 Organisational Security

• • All staff sign confidentiality agreements

• • Mandatory GDPR training for all personnel

• • Role-based access controls (staff only see data they need)

• • Comprehensive audit logs of all data access

• • Incident response procedures for data breaches

7. WHO WE SHARE INFORMATION WITH

We only share personal information with:

HM Revenue & Customs (HMRC): We are legally required to submit Gift Aid claims to HMRC. The charity you donated to: We provide reports on Gift Aid claims to our charity clients.

Cloud service providers: We use secure cloud-based infrastructure with appropriate safeguards in place, including recognized security standards and contractual protections where required.

We do NOT sell, rent, or trade personal information to third parties for marketing purposes.

8. HOW LONG WE KEEP INFORMATION

We retain personal data for the following periods:

Gift Aid Records: 6 years from the end of the accounting period (HMRC legal requirement).

After 6 years: All donor data is securely and permanently deleted.

Charity client data: Retained for the duration of our contract plus 6 years for accounting purposes.

9. YOUR RIGHTS

As a data subject, you have the following rights under UK GDPR:

9.1 Right of Access: You can request a copy of the personal data we hold about you.

9.2 Right to Rectification: You can ask us to correct inaccurate personal data.

9.3 Right to Erasure: You can request deletion of your data (subject to HMRC 6-year retention requirement).

9.4 Right to Restrict Processing: You can ask us to limit how we use your data.

9.5 Right to Data Portability: You can request your data in a machine-readable format.

9.6 Right to Object: You can object to processing based on legitimate interests. However, if
you object to Gift Aid processing, we will not be able to claim Gift Aid on your donations.

9.7 Right to Withdraw Gift Aid Declaration: You can cancel your Gift Aid declaration at any time by contacting the charity.

To exercise any of these rights, please contact:

• • The charity you donated to (as the Data Controller), or

• • Impact Assist at [email protected] We will respond to your request within 30 days.

10. DATA BREACHES

In the unlikely event of a personal data breach:

• • We will notify the charity within 24 hours

• • The charity will notify affected donors and the ICO if required

• • We will take immediate action to contain and remedy the breach

• • We will conduct a full investigation and implement preventative measures

11. INTERNATIONAL TRANSFERS

We store and manage donor data using secure, industry-standard cloud systems. In some cases, data may be stored or processed outside the United Kingdom or European Economic Area through our trusted service providers. Where this occurs, we ensure appropriate safeguards are in place to protect personal data, including:

• • The use of approved contractual protections (such as Standard Contractual Clauses)

• • Working with providers that meet recognised security and data protection standards

We store and manage donor data using secure, industry-standard cloudWe only work with established providers that maintain high levels of security, certification and compliance.

All data handling is carried out in accordance with UK data protection law.

12. CHILDREN’S PRIVACY

Gift Aid declarations can only be made by individuals aged 16 and over who pay UK tax. We do not knowingly collect information from children under 16.

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. The current version will always be available on our website with the ‘Last Updated’ date at the top. Significant changes will be communicated to our charity clients, who will inform their donors as appropriate.

14. COMPLAINTS

If you have concerns about how we handle your personal data, please contact us first at [email protected] and we will do our best to resolve the issue.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: www.ico.org.uk

15. CONTACT US

For any questions about this Privacy Policy or how we handle your data:

Email: [email protected]
Post: Impact Assist Limited, 82 James Carter Road, Mildenhall, IP28 7DE, UK
Website: www.impactassist.co.uk