Privacy Policy

This Privacy Policy explains how Impacturi (operated by Clickonic Ltd, trading as Impacturi) collects, uses, and protects personal data. It is written to comply with the UK General Data Protection Regulation and the Data Protection Act 2018.

1. Who we are

The data controller for the information we hold about you as a user of this platform is Clickonic Ltd, a company registered in England & Wales. Our trading name is Impacturi. You can contact us at dermot@clickonic.co.

When you upload donor records to the platform, you are the data controller for that donor data and we are the data processor acting on your instructions. The terms of that processing relationship are set out in our Data Processing Agreement.

2. What data we collect about you

As a user of the platform we collect:

• Account details: name, email, organisation name, account type (charity or corporate)
• Authentication data: hashed password, session tokens
• Billing data: handled by Stripe. We store a Stripe customer ID, subscription status, and renewal dates. We never see or store your card details.
• Platform activity: pages you create, media you upload, feedback you send, error logs
• Technical data: IP address, browser type, device type, and timestamps (collected by our hosting and error-monitoring providers)

3. Why we process it (and the legal basis)

4. Who we share it with

We do not sell your personal data. We share it only with the sub-processors listed in our Data Processing Agreement, which are required to provide the platform. These include Supabase (hosting, database, authentication, encrypted key vault. Ireland), Vercel (application hosting. EU and US edge), Stripe (payments. UK and EU), OpenAI (AI writing assistant. US, under appropriate transfer safeguards), and Sentry (error monitoring. EU).

5. International transfers

Primary data storage is in the Republic of Ireland. Where a sub-processor is based outside the UK or EU (for example OpenAI, for the AI writing feature), transfers are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an equivalent safeguard.

6. How long we keep it

Set out in full in our Data Retention Policy. In summary: we keep account and donor data while your subscription is active and delete within 30 days of closure. Billing records are kept for 7 years (HMRC requirement). Error logs are held on a rolling 90-day window.

7. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you
• Have inaccurate data corrected
• Have data deleted (“right to be forgotten”)
• Restrict or object to processing
• Have your data exported in a portable format
• Withdraw consent where processing is based on consent
• Complain to the Information Commissioner's Office (ico.org.uk)

To exercise any of these rights, email dermot@clickonic.co. We will respond within 30 days.

8. Cookies

We use a minimal set of cookies. A session cookie set by Supabase keeps you signed in (strictly necessary). A small browser-storage flag records that you have seen our cookie notice. We do not use advertising cookies, analytics cookies, or cross-site tracking.

9. Security

The technical and organisational measures we take to protect your data are described in our Data Security Policy. In the event of a personal data breach affecting you, we will notify you within 72 hours of discovery, in line with our Incident Response Plan.

10. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email to account holders at least 30 days in advance of the change taking effect. The “Last updated” date at the top of this page is authoritative.

11. Contact

Questions about this policy, or to exercise any of your rights, email dermot@clickonic.co.