Impactful Connect Privacy Policy

How we collect, use, and protect organisation data on our platform.

Effective Date: 19 March 2026

1. Introduction

Welcome to Impactful Connect ("the Platform", "Connect"), a web platform operated at connect.impactfulhub.com that enables organisations – including charities, councils, community groups, and companies – to manage their presence on the Impactful mobile app, publish volunteering opportunities, and engage with young volunteers.

This Privacy Policy explains how personal data is collected, used, stored, and protected when you access and use the Platform. It applies to all authorised users of Impactful Connect, including organisation administrators and team members.

This policy is provided in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR").

By creating an account or using the Platform, you acknowledge that you have read and understood this Privacy Policy. Authorised users must be aged 18 or over.

2. Data Controller and Data Processor

The data controller responsible for personal data collected through the Platform is:

  • Legal name: Enjoy Development Limited
  • Company number: 11274660
  • Registered address: Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE
  • ICO registration number: ZB400387
  • General enquiries: hello@impactfulhub.com

2.1 Our Role as Data Controller

We act as the data controller for all personal data relating to website visitors and authorised user accounts, including identity data, login credentials, usage data, and analytics data.

2.2 Our Role as Data Processor

We act as the data processor for Organisation Data that you upload, create, or configure on the Platform (such as organisation descriptions, media, event details, and volunteering opportunities). In this capacity, we process Organisation Data on your behalf and in accordance with your instructions.

A Data Processing Addendum ("DPA") forms part of the Impactful Connect Terms of Service and governs our processing of Organisation Data. You, as the organisation, remain the data controller for that data.

3. Data Protection Contact

For all data protection enquiries, requests to exercise your rights, or complaints about how your data is handled, please contact our Data Protection Lead:

  • Email: legal@impactfulhub.com
  • Post: Data Protection Lead, Enjoy Development Limited, Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE

We aim to respond to all data protection requests within one calendar month of receipt.

4. Data We Collect

We collect the following categories of data when you use the Platform:

4.1 Organisation Account Data

  • Organisation name, address, and contact details
  • Authorised user details (full name, job role, email address)
  • Subscription tier and billing information (processed via Stripe)

4.2 Content & Configuration Data

  • Organisation descriptions, logos, and media uploaded for display in the Impactful app
  • Event details and volunteering opportunities published to the Impactful app
  • AI configuration instructions and associated metadata

4.3 Usage Data

  • Login activity and timestamps
  • Feature usage and navigation patterns
  • Technical logs including IP address, browser type, and operating system

4.4 Analytics & Cookie Data

  • Page views, form submissions, CTA clicks, scroll depth, and app store click events
  • Data collected via Google Analytics 4 (with Google Tag Manager, container ID GTM-MNXJV46W)
  • Consent preferences stored locally (see Section 11 for full cookie details)

4.5 Support & Communications Data

  • Records of support requests and correspondence
  • Contact form submissions (name, email address, subject, and message)

5. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you: when you create an organisation account, add authorised users, publish content, configure AI settings, submit a contact form, or correspond with our support team
  • Automatically: through analytics, cookies, technical logs, and error monitoring when you use the Platform
  • From third parties: from Stripe when processing subscription payments, and from Firebase when authenticating portal access

6. Purposes of Processing and Legal Basis

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

6.1 Performance of a Contract (Article 6(1)(b))

Processing necessary to provide you with the Platform and its features, including:

  • Creating and managing organisation accounts and authorised user access
  • Enabling content publication and configuration for the Impactful app
  • Processing subscription billing and payments via Stripe
  • Delivering the Platform's core functionality and features
  • Providing technical support and responding to service enquiries

6.2 Consent (Article 6(1)(a))

Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Consent is sought for:

  • Analytics cookies via the cookie consent banner (see Section 11)
  • Marketing communications and promotional emails

6.3 Legitimate Interests (Article 6(1)(f))

We process certain data where it is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include:

  • Security and fraud prevention: monitoring for suspicious activity, enforcing access controls, and protecting the Platform from abuse
  • Platform improvement: analysing usage patterns, error reports, and feature adoption to improve performance and develop new features
  • Technical support: diagnosing issues using usage data and technical logs

You have the right to object to processing based on legitimate interests. Please contact us at legal@impactfulhub.com to exercise this right.

6.4 Legal Obligation (Article 6(1)(c))

We may process your data where necessary to comply with a legal obligation, including:

  • Retaining tax and billing records as required by HMRC and the Companies Act 2006
  • Responding to lawful requests from law enforcement or regulatory authorities

7. Recipients of Your Data

We do not sell your personal data. We share your data only with the following categories of recipients, each acting as a data processor under written agreements that require them to protect your data:

7.1 Supabase Inc.

  • Services: Database hosting, authentication, Row-Level Security
  • Data shared: Organisation account data, authorised user data, content data
  • Purpose: Core data storage, retrieval, and access control

7.2 Firebase (Google LLC)

  • Services: Authentication for portal access
  • Data shared: Authorised user identity data, authentication tokens
  • Purpose: Secure user authentication and session management

7.3 Stripe Inc.

  • Services: Payment processing and subscription management
  • Data shared: Customer ID, subscription ID, billing period, and payment details
  • Purpose: Processing subscription payments and managing billing

7.4 Google Analytics (Google LLC)

  • Services: Website analytics via Google Analytics 4
  • Data shared: Page views, events, device data, anonymised usage data
  • Purpose: Understanding usage patterns and improving the Platform

7.5 SendGrid (Twilio Inc.)

  • Services: Transactional email delivery
  • Data shared: Name, email address, message content from contact form submissions
  • Purpose: Delivering contact form emails and platform notifications

7.6 Sentry (Functional Software Inc.)

  • Services: Error tracking and performance monitoring
  • Data shared: Technical logs, browser data, error stack traces
  • Purpose: Identifying and resolving technical errors and performance issues

7.7 Upstash Inc.

  • Services: Redis-based rate limiting
  • Data shared: IP addresses, request metadata
  • Purpose: Preventing abuse and enforcing rate limits on API endpoints

7.8 Law Enforcement and Regulatory Bodies

We may disclose your data to law enforcement agencies, courts, or regulators where we are legally required or permitted to do so.

8. International Data Transfers

Several of our third-party processors are based in the United States, including Supabase, Firebase (Google), Stripe, Google Analytics, SendGrid (Twilio), Sentry, and Upstash. When your personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:

  • International Data Transfer Agreement (IDTA): the UK's approved mechanism for international data transfers, as published by the ICO
  • UK Addendum to the EU Standard Contractual Clauses: where processors rely on EU SCCs, supplemented by the UK Addendum

You may request a copy of the relevant safeguards by contacting legal@impactfulhub.com.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

  • Account data (organisation and authorised user details): retained while the account is active, plus 6 years after account closure (to satisfy requirements under the Companies Act 2006 and HMRC record-keeping obligations)
  • Billing and payment records: 6 years from the date of the transaction (HMRC requirement)
  • Analytics data: 26 months from the date of collection (Google Analytics default retention period)
  • Support correspondence: 2 years after the resolution of the support request
  • Technical logs: 90 days from the date of collection
  • Organisation Data (content, configuration, media): deleted within 30 days of account termination

Where we are required to retain data for longer to comply with legal obligations, we will retain only the minimum data necessary for the required period.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Encryption of data at rest within our database infrastructure
  • Row-Level Security (RLS) policies enforced at the database level via Supabase
  • Access controls restricting data access to authorised personnel and authorised users only
  • Secure authentication via Firebase Authentication
  • Rate limiting to prevent brute-force and denial-of-service attacks
  • Regular security reviews and monitoring via Sentry

While we take all reasonable steps to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security but will notify you and the ICO of any qualifying data breach in accordance with our legal obligations under Articles 33 and 34 of the UK GDPR.

11. Cookies and Tracking Technologies

The Platform uses cookies and similar technologies in compliance with PECR and the UK GDPR. A cookie consent banner is displayed on first visit, allowing you to accept or reject non-essential cookies. No non-essential cookies are set before you provide consent.

11.1 Strictly Necessary Cookies

These cookies are essential for the Platform to function and cannot be disabled. They include session cookies and security tokens required for authentication and access control.

11.2 Analytics Cookies

We use Google Analytics 4 (implemented via Google Tag Manager, container ID GTM-MNXJV46W) to collect anonymised usage data. Analytics cookies are only activated after you provide consent via the cookie banner. Tracked events include page views, form submissions, CTA clicks, scroll depth, and app store click events.

11.3 Marketing Cookies

Marketing cookies are always denied by default and are not set unless you explicitly enable them. We do not currently deploy third-party marketing cookies on the Platform.

11.4 Consent Management

Your cookie consent preferences are stored in your browser's localStorage. You may change your preferences at any time by clicking the "Cookie Settings" link in the website footer, which will re-display the consent banner. If you reject analytics cookies, Google Analytics will not be activated and no analytics data will be collected during your session.

12. Age Restriction

Impactful Connect is designed for use by organisations and their authorised representatives. All authorised users must be aged 18 or over. We do not knowingly collect personal data from anyone under the age of 18 through the Platform. If we become aware that an authorised user is under 18, we will suspend their access and delete their personal data promptly.

13. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15): you may request confirmation of whether we process your data and obtain a copy of that data
  • Right to rectification (Article 16): you may request correction of inaccurate personal data or completion of incomplete data
  • Right to erasure (Article 17): you may request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful
  • Right to restriction of processing (Article 18): you may request that we limit how we process your data in certain circumstances, such as while we verify its accuracy
  • Right to data portability (Article 20): you may request your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller
  • Right to object (Article 21): you may object to processing based on legitimate interests or for direct marketing purposes; we will cease processing unless we demonstrate compelling legitimate grounds
  • Rights related to automated decision-making (Article 22): you have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact us at legal@impactfulhub.com. We will respond within one calendar month. In complex cases or where we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you within the first month.

We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

14. Organisation Data and Processor Obligations

Where you upload Organisation Data to the Platform (including descriptions, media, event details, and volunteering opportunities), you remain the data controller for that data. We process it solely on your instructions and in accordance with the Data Processing Addendum that forms part of the Connect Terms of Service.

Our obligations as data processor include:

  • Processing Organisation Data only in accordance with your documented instructions
  • Ensuring that persons authorised to process the data are subject to confidentiality obligations
  • Implementing appropriate technical and organisational security measures
  • Assisting you in responding to data subject access requests where applicable
  • Deleting or returning Organisation Data within 30 days of account termination, at your choice
  • Making available to you all information necessary to demonstrate compliance

15. Automated Decision-Making

The Platform does not use automated decision-making processes that produce legal or similarly significant effects as defined under Article 22 of the UK GDPR. Where AI features are available on the Platform (such as AI configuration tools), these are designed to assist and enhance your experience and do not make decisions on your behalf without human oversight.

16. Right to Lodge a Complaint

If you are dissatisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the UK supervisory authority:

We encourage you to contact us first at legal@impactfulhub.com so we have the opportunity to address your concern before you escalate to the ICO.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Platform's features. When we make material changes:

  • We will notify you through a notice on the Platform, by email, or both
  • The updated effective date will be displayed at the top of this page

Continued use of the Platform after the updated policy takes effect constitutes your acknowledgement of the changes. If you do not agree with any changes, you should stop using the Platform and request closure of your organisation account.

18. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is processed, please contact us: