Privacy Policy

Last updated: November 2025

TrusteeKit (“we”, “our”, or “us”) is committed to protecting your privacy. This policy explains how we collect, use, and safeguard your personal data when you use our donation processing and Gift Aid automation platform.

1. Who we are

TrusteeKit is a trading name operated as a sole trader registered in England. We provide donation processing and Gift Aid automation software for UK charities.

Contact: hello@trusteekit.co.uk

HMRC Vendor ID: 9268

2. Data we collect

2.1 Charity account data

When you register as a charity, we collect:

• Charity name and registration number
• Contact name and email address
• HMRC Charities Reference
• Authorised official details (as required by HMRC)
• Payment account information (Stripe account IDs)

2.2 Donor data

When donations are processed, we collect:

• Donor name and contact details
• Postal address (required for Gift Aid)
• Gift Aid declaration and date
• Donation amounts and dates
• Payment method identifiers (not full card numbers)

2.3 Technical data

We automatically collect:

• IP addresses and browser information
• Usage data and access logs
• Cookies (see section 7)

3. How we use your data

We use personal data to:

• Provide donation processing services
• Generate and submit Gift Aid claims to HMRC
• Send transaction receipts and notifications
• Provide customer support
• Comply with legal obligations (e.g., financial regulations)
• Improve our services

We never sell personal data to third parties.

4. Legal basis for processing

We process personal data under the following legal bases:

• Contract: Processing necessary to provide our services
• Legal obligation: HMRC Gift Aid requirements, financial record-keeping
• Legitimate interests: Service improvement, fraud prevention
• Consent: Marketing communications (where applicable)

5. Data sharing

We share data with:

• HMRC: Gift Aid claims and charity verification
• Payment processing provider: Card payment processing
• Brevo: Email communications (if configured by your charity)
• Railway: Hosting infrastructure (data stored in EU)

All third-party processors are GDPR compliant and bound by data processing agreements.

6. Data security

We protect your data using:

• AES-256-GCM encryption for sensitive data (donor PII, credentials)
• TLS 1.3 for all data in transit
• Row-level security ensuring charities only access their own data
• Regular security audits and monitoring
• Secure credential storage for HMRC and payment integrations

7. Cookies

We use essential cookies for:

• Session management and authentication
• Security and fraud prevention

We do not use advertising or tracking cookies.

8. Data retention

• Gift Aid records: 6 years (HMRC requirement)
• Financial records: 7 years (legal requirement)
• Account data: Duration of account plus 2 years
• Access logs: 90 days

After retention periods expire, data is securely deleted.

9. Your rights

Under UK GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion (subject to legal retention requirements)
• Portability: Export your data in a standard format
• Objection: Object to certain processing activities
• Restriction: Limit how we use your data

To exercise these rights, contact hello@trusteekit.co.uk.

10. International transfers

Your data is primarily stored in the EU (Railway hosting). Where data is transferred outside the UK/EU (e.g., to US-based processors like Stripe), appropriate safeguards are in place including Standard Contractual Clauses.

11. Changes to this policy

We may update this policy from time to time. Significant changes will be notified via email. The “last updated” date at the top indicates when changes were made.

12. Complaints

If you're unhappy with how we handle your data, please contact us first at hello@trusteekit.co.uk.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint