Privacy Policy

We collect information that you provide directly to us, including:

• Account information: Name, email address, and password when you create an account.
• Donation information: Donation amounts, charity preferences, and transaction history.
• Gift Aid declarations: Your name, address, and confirmation of UK taxpayer status for HMRC Gift Aid claims.
• Payment information: Processed securely by Stripe. We do not store your full card details on our servers.
• Communications: Any messages or feedback you send us.

When you access our Platform, we may automatically collect certain information, including:

• Device information: Browser type, operating system, device type, and unique device identifiers.
• Usage data: Pages visited, time spent on pages, click patterns, and referring URLs.
• Location data: Approximate location based on IP address (we do not collect precise GPS location).
• Cookies: See our Cookie Policy for full details.

We use the information we collect for the following purposes:

• To facilitate donations between donors and charities.
• To process Gift Aid claims with HMRC on behalf of charities.
• To send donation receipts and confirmation emails.
• To manage your account and provide customer support.
• To improve and optimise our Platform's performance.
• To detect and prevent fraud, abuse, and security incidents.
• To comply with legal obligations, including UK charity regulations.

Under UK GDPR, we process your personal data on the following legal bases:

• Contract: Processing necessary to perform our contract with you (e.g., processing donations).
• Consent: Where you have given explicit consent (e.g., marketing emails, cookie preferences).
• Legitimate interests: For purposes such as improving our services, fraud prevention, and analytics.
• Legal obligation: To comply with applicable laws, such as anti-money laundering regulations and HMRC Gift Aid requirements.

We may share your personal information with:

• Charities: When you make a donation, the receiving charity will receive your name, email (unless anonymous), donation amount, and Gift Aid declaration status.
• Stripe: Our payment processor. Stripe processes your payment information under their own privacy policy.
• HMRC: Gift Aid declarations are submitted to HMRC for tax reclaim purposes.
• Service providers: Email delivery (Resend), hosting (Vercel), database (Supabase), and analytics providers who assist in operating our Platform.
• Legal requirements: When required by law, regulation, legal process, or governmental request.

We do not sell your personal data to third parties.

We retain your personal data for as long as necessary to:

• Provide our services and maintain your account.
• Comply with legal obligations (e.g., HMRC requires Gift Aid records to be kept for at least 6 years).
• Resolve disputes and enforce our agreements.

When you delete your account, we will remove your personal data within 30 days, except where retention is required by law.

You have the following rights regarding your personal data:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your personal data ("right to be forgotten").
• Right to restrict processing: Request that we limit how we use your data.
• Right to data portability: Receive your data in a structured, machine-readable format.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at privacy@givlo.co.uk. We will respond within 30 days.

We use cookies and similar tracking technologies to enhance your experience on our Platform. These include:

• Essential cookies: Required for the Platform to function (e.g., authentication sessions).
• Analytics cookies: Help us understand how users interact with our Platform.
• Preference cookies: Remember your settings and choices.

You can manage your cookie preferences at any time. For full details, see our Cookie Policy.

We implement appropriate technical and organisational security measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure payment processing through Stripe (PCI DSS Level 1 compliant).
• Row-level security on our database to prevent unauthorised access.
• Regular security audits and monitoring.
• Access controls limiting employee access to personal data on a need-to-know basis.

While we strive to protect your information, no method of electronic storage is 100% secure. We cannot guarantee absolute security.

Your data may be transferred to and processed in countries outside the United Kingdom. Our service providers (Vercel, Supabase, Stripe) may process data in the United States and other jurisdictions.

Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, or transfers to countries with an adequacy decision.

Our Platform is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@givlo.co.uk and we will take steps to delete such information.

Our Platform may contain links to third-party websites, including charity websites, Stripe, and social media platforms. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated policy on our Platform.
• Sending an email notification to registered users for significant changes.
• Updating the "Last updated" date at the top of this policy.

Your continued use of the Platform after changes are posted constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us:

• Email: privacy@givlo.co.uk
• General enquiries: hello@givlo.co.uk
• Address: Givlo, registered in England & Wales

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113