Privacy Policy
Last updated: 12 November 2025
1. Introduction
Charity Connector (“we”, “our”, or “us”) is committed to protecting the privacy of users who access our platform. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.
This Privacy Policy explains what information we collect, why we collect it, and how we protect it. It should be read together with our Cookie Policy, which forms part of this Privacy Policy. By using our platform, you agree to both this Privacy Policy and the Cookie Policy.
2. Data We Collect
- Name
- Email address
- IP address
- Browser user agent (including version and platform)
We do not collect unnecessary personal information, analytics, or marketing data.
3. How We Collect Data
Users are invited to the platform by administrators. There is no public registration. Data is provided directly by the administrator when creating the user, and optionally updated by the user after logging in.
4. How We Use Your Data
- To provide and maintain access to the platform.
- To authenticate users and enforce security measures (2FA, password strength, session timeouts).
- To notify you of important account activity (e.g. new device logins, password resets, credential expiries).
- To maintain an audit log of account activity for accountability and compliance.
- To comply with legal obligations and ensure platform integrity.
We do not use your information for marketing or share it with third parties unless legally required.
5. Data Retention
- Users who are invited but do not agree to the Terms of Service and Privacy Policy within 30 days are automatically deleted.
- Account and log data are retained only as long as necessary to maintain compliance or as required by law.
- Users can export or delete their personal data at any time via their account settings (export in PDF format; deletion requires password confirmation).
6. Security Measures
- Strong password policy: at least 12 characters, including uppercase and lowercase letters, a number, and a special character.
- Mandatory two-factor authentication (2FA).
- Password expiry every 90 days (previous passwords cannot be reused).
- Session timeout after 30 minutes of inactivity.
- Encryption of all PII and API credentials in the database.
- Strict Content Security Policy (CSP).
- Automatic alerts for new device logins.
- Audit log of all user changes.
- Regular use of the latest stable software versions.
7. Legal Basis for Processing
- Contractual necessity – to provide the service you use.
- Legitimate interest – to ensure security and prevent abuse.
- Legal obligation – to comply with data protection and audit requirements.
8. Data Sharing
We do not sell, rent or trade your personal data. We may share limited data only when legally required (e.g. to comply with law enforcement or regulatory obligations).
9. Your Rights
Under the UK GDPR, you have the right to:
- Access your personal data.
- Request correction or deletion.
- Export your data.
- Withdraw consent (where applicable).
- Lodge a complaint with the Information Commissioner’s Office (ICO).
You can exercise these rights by contacting us.
10. Changes to This Policy
We may update this Privacy Policy periodically. Users will be notified upon their next login and must accept the updated version to continue using the platform. The “Last updated” date will always reflect the latest version.