Data Protection & Privacy Policy
Effective date: 25 May 2026
1. Policy statement
iGiftAid Limited is committed to protecting the privacy and security of personal data in accordance with UK GDPR, the Data Protection Act 2018, and all applicable data protection legislation. We recognise that donors and beneficiaries entrust us with sensitive information, and we take this responsibility seriously.
2. Data controller information
3. Personal data we collect
3.1 Donor data
- Name and contact information
- Email address and postal address (when voluntarily shared)
- Payment information (processed securely by Stripe or PayPal; iGiftAid does not store card data)
- Donation history and preferences
3.2 Beneficiary data
- Full name, date of birth, and contact details
- Identity documents (ID cards, passports)
- Location information
- Financial-hardship details and fundraising narrative
- Payment receipt information (mobile wallet, crypto address)
- Images and videos (where provided for a campaign)
3.3 Website visitors
If you visit this website without contacting us, we receive only standard server-log data (IP address, browser type, page requested, timestamp) kept for operational diagnostics. We do not load analytics, advertising, or tracking scripts.
4. Lawful basis for processing
- Legitimate interests: facilitating charitable fundraising and fund transfers
- Legal obligation: compliance with AML/CTF, sanctions, and financial regulations
- Consent: marketing communications and public campaign information
- Contract: providing fundraising services to beneficiaries
5. Data-processing principles
- Lawfulness, fairness, and transparency: we process data legally and inform individuals
- Purpose limitation: data used only for stated charitable purposes
- Data minimisation: we collect only necessary information
- Accuracy: we maintain accurate records and enable corrections
- Storage limitation: data retained only as long as necessary (see Section 8)
- Integrity and confidentiality: data secured against unauthorised access
6. Data-security measures
- Encryption of data in transit and at rest
- Access controls and authentication requirements
- Regular security audits and vulnerability assessments
- Staff training on data protection and security
- Secure destruction of data no longer required
- Data-breach response plan and ICO notification procedures
7. Third-party data processors
We share data with trusted third parties only when necessary:
- Payment processors: Stripe, PayPal (covered by their data-protection policies)
- Fundraising platforms: Chuffed and similar platforms
- Sanctions screening providers: for compliance purposes
- Cloud hosting services: for secure data storage
All processors are vetted and bound by data-processing agreements meeting UK GDPR requirements.
8. Data retention
- Donor records: 7 years after last donation (tax and accounting requirements)
- Beneficiary records: 7 years after campaign closure
- AML/CTF records: minimum 5 years per MLR 2017
- Financial records: 7 years per Charity Commission requirements
- Marketing consent: until withdrawn, or after 2 years of inactivity
9. Your rights
Data subjects have the right to:
- Access: request copies of personal data we hold
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion (subject to legal obligations)
- Restrict processing: limit how we use data
- Data portability: receive data in machine-readable format
- Object: object to processing based on legitimate interests
- Withdraw consent: withdraw consent for marketing at any time
Requests should be sent to igiftaid@gmail.com and will be responded to within 30 days. You may also lodge a complaint with the Information Commissioner's Office at ico.org.uk.
10. International data transfers
When transferring funds to beneficiaries in Gaza and Bangladesh, we may transfer personal data internationally. We ensure appropriate safeguards through:
- Data minimisation (only necessary information transferred)
- Encryption during transfer
- Contractual protections with payment intermediaries
11. Cookies and similar technologies
This site uses no analytics, advertising, or tracking cookies. The only client-side storage we set is a single localStorage entry recording your response to the cookie consent banner, so we don't re-prompt you on every visit. You can change your choice at any time via the “Manage cookies” link in the footer.
Essential cookies that may be set by our hosting provider for security or load balancing are strictly necessary for the site to function and do not require consent under UK PECR.
12. Children's data
We do not knowingly collect data from children under 16 without parental consent. Beneficiary campaigns involving children require verified guardian authorisation.
13. Data-breach procedures
In the event of a data breach:
- Immediate containment and investigation
- Assessment of risk to individuals
- ICO notification within 72 hours if high risk
- Notification to affected individuals without undue delay
14. Contact
Questions about this policy or your data should be addressed to igiftaid@gmail.com.
iGiftAid Limited
20–22 Wenlock Road, London N1 7GU, United Kingdom