Skip to main content

Privacy Policy

How we collect, use, and protect your personal data.

Effective Date: 19 March 2026

1. Introduction

Welcome to Impactful ("the App", "our App"), a mobile application designed to inspire and empower young people aged 13–30 to make meaningful changes in their communities. This Privacy Policy explains how your personal data is collected, used, stored, and protected when you use the App on Android or iOS.

This policy is provided in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR"). Where users are under 18, this policy also reflects the requirements of the Age Appropriate Design Code ("Children's Code") published by the Information Commissioner's Office.

Please read this policy carefully. By creating an account or using the App, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

The data controller responsible for your personal data is:

  • Legal name: Enjoy Development Limited
  • Company number: 11274660
  • Registered address: Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE
  • ICO registration number: ZB400387
  • General enquiries: hello@impactfulhub.com

3. Data Protection Contact

For all data protection enquiries, requests to exercise your rights, or complaints about how your data is handled, please contact our Data Protection Lead:

  • Email: legal@impactfulhub.com
  • Post: Data Protection Lead, Enjoy Development Limited, Vicarage Court, 160 Ermin Street, Swindon, England, SN3 4NE

We aim to respond to all data protection requests within one calendar month of receipt.

4. Data We Collect

We collect the following categories of personal data when you use the App:

4.1 Identity Data

  • Full name
  • Email address
  • Display name
  • Profile photo

4.2 Demographic Data

  • Date of birth (stored in encrypted form)
  • Age (calculated from date of birth)

4.3 Profile Data

  • Biography (stored in encrypted form)
  • Volunteer category preferences

4.4 Behavioural Data

  • Completed activities and activity completion timestamps
  • Pledges made
  • Impact Coins earned, banked, and donated
  • Activity descriptions and evidence submitted
  • Survey responses (including feel_type sentiment data)

4.5 Session Data

  • Session identifiers
  • Page or screen name viewed
  • Last active timestamp

4.6 Device Data

  • Device make, model, and unique device identifiers
  • App version
  • Locale and language settings
  • Operating system and version

4.7 Location Data

  • Geographic location data (collected only with your explicit permission via the device operating system)

4.8 AI Interaction Data

  • Prompts and responses from AI-powered features including idea generation, instruction generation, chat, and bio generation

5. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you: when you create an account, complete your profile, submit activities, make pledges, or interact with AI features
  • Automatically: through session tracking, analytics, crash reporting, and device information collected when you use the App
  • From third parties: when you sign in using Google Sign-In or Apple Sign-In, we receive your name and email address from those providers

6. Purposes of Processing and Legal Basis

Under Article 6 of the UK GDPR, we process your personal data on the following legal bases:

6.1 Performance of a Contract (Article 6(1)(b))

Processing necessary to provide you with the App and its features, including:

  • Creating and managing your user account
  • Providing activity tracking, pledges, and Impact Coins functionality
  • Delivering AI-powered idea generation, instructions, chat, and bio generation
  • Enabling social sharing to platforms such as Instagram, TikTok, Facebook, Snapchat, X/Twitter, YouTube, and LinkedIn
  • Managing organisation following features
  • Processing Impact Coins earned, banked, and donated

6.2 Consent (Article 6(1)(a))

Where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Consent is sought for:

  • Collection of location data via device permission prompts
  • Analytics and usage tracking (see Section 11 on cookies and tracking)
  • Marketing communications and promotional notifications

6.3 Legitimate Interests (Article 6(1)(f))

We process certain data where it is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights. Our legitimate interests include:

  • Security and fraud prevention: monitoring for suspicious activity, enforcing content moderation (including banned words systems), and protecting users from abuse
  • Service improvement: analysing usage patterns and crash reports to fix bugs, improve performance, and develop new features
  • Technical support: diagnosing issues using device and session data

You have the right to object to processing based on legitimate interests. Please contact us at legal@impactfulhub.com to exercise this right.

6.4 Legal Obligation (Article 6(1)(c))

We may process your data where necessary to comply with a legal obligation, including:

  • Responding to lawful requests from law enforcement or regulatory authorities
  • Meeting record-keeping requirements under applicable legislation

7. Recipients of Your Data

We do not sell your personal data. We share your data only with the following categories of recipients, each acting as a data processor under written agreements that require them to protect your data:

7.1 Firebase (Google LLC)

  • Services: Authentication, Cloud Firestore database, Cloud Storage, Remote Config
  • Data shared: Identity data, profile data, behavioural data, session data
  • Purpose: Core app infrastructure, user authentication, and data storage

7.2 Google Analytics (Google LLC)

  • Services: Usage analytics and event tracking
  • Data shared: Session data, device data, behavioural data (anonymised where possible)
  • Purpose: Understanding usage patterns and improving the App

7.3 Supabase Inc.

  • Services: Database backend
  • Data shared: Identity data, profile data, behavioural data
  • Purpose: Data storage and retrieval for app features

7.4 Sentry (Functional Software Inc.)

  • Services: Crash reporting and performance monitoring
  • Data shared: Device data, session data, error logs
  • Purpose: Identifying and resolving technical errors and performance issues

7.5 Google Sign-In (Google LLC) and Apple Sign-In (Apple Inc.)

  • Services: Social authentication
  • Data shared: Authentication tokens; name and email received from provider
  • Purpose: Secure, convenient account creation and login

7.6 Law Enforcement and Regulatory Bodies

We may disclose your data to law enforcement agencies, courts, or regulators where we are legally required or permitted to do so.

8. International Data Transfers

Several of our third-party processors are based in the United States. When your personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:

  • UK adequacy regulations: where the UK Government has determined that the recipient country provides an adequate level of data protection
  • International Data Transfer Agreement (IDTA): the UK equivalent of Standard Contractual Clauses, as approved by the ICO
  • UK Addendum to the EU Standard Contractual Clauses: where applicable

Specifically, transfers to Google LLC, Supabase Inc., Functional Software Inc. (Sentry), and Apple Inc. are protected by these mechanisms. You may request a copy of the relevant safeguards by contacting legal@impactfulhub.com.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

  • Account and identity data: retained for the duration of your account and deleted within 30 days of account deletion
  • Profile data (bio, preferences): retained for the duration of your account and deleted within 30 days of account deletion
  • Behavioural data (activities, pledges, coins): retained for the duration of your account and deleted within 30 days of account deletion
  • Session and device data: retained for 12 months from the date of collection, then automatically purged
  • Analytics data: retained in anonymised or aggregated form for up to 26 months
  • Crash reports (Sentry): retained for 90 days from the date of the event
  • AI interaction data: retained for 12 months for service improvement, then deleted
  • Location data: retained for 12 months from the date of collection
  • Backup copies: removed from backup systems within 90 days of deletion from primary systems

Where we are required to retain data for longer to comply with legal obligations (for example, tax or accounting requirements), we will retain only the minimum data necessary for the required period.

10. Children's Data and the Age Appropriate Design Code

Impactful is designed for young people aged 13 and above. Under Section 9 of the Data Protection Act 2018, the UK age of digital consent is 13, meaning users aged 13 and over may consent to data processing themselves. We do not knowingly collect personal data from anyone under the age of 13. If we become aware that we have collected data from a child under 13, we will delete it promptly.

For users aged 13 to 17, we apply the following safeguards in line with the ICO's Age Appropriate Design Code (Children's Code):

  • Best interests of the child: the best interests of the child are a primary consideration in the design and operation of our data processing activities
  • High privacy by default: privacy settings for users under 18 are set to the highest level by default
  • Data minimisation: we collect only the minimum data necessary to provide the App's features to younger users
  • Transparency: this policy is written in clear, age-appropriate language; we provide in-app explanations of data collection at the point of collection
  • No detrimental use: children's data is not used in ways that are detrimental to their wellbeing
  • No profiling for marketing: we do not profile users under 18 for marketing purposes
  • Geolocation: location tracking for users under 18 is off by default and requires explicit consent to enable
  • Content moderation: we employ a banned words system and content moderation measures to help protect younger users

Parents or guardians may contact us at legal@impactfulhub.com to review, amend, or request deletion of their child's data at any time.

11. Cookies and Tracking Technologies

The App uses the following tracking technologies in compliance with PECR:

  • Google Analytics: collects anonymised usage data including session identifiers, page views, screen names, and event data to help us understand how the App is used and to improve its features
  • Firebase Analytics: collects device data, session data, and behavioural events for performance monitoring, feature usage analysis, and Remote Config delivery
  • Sentry: collects device data, session identifiers, and error stack traces for crash reporting and performance monitoring

These technologies use device-level identifiers and session tokens rather than browser cookies, as the App is a native mobile application. Where consent is required under PECR for storing or accessing information on your device, we request it before activating non-essential tracking.

You can control analytics tracking through the App's settings or by adjusting your device permissions. Disabling analytics will not affect your ability to use core App features.

12. Your Rights Under UK GDPR

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15): you may request confirmation of whether we process your data and obtain a copy of that data
  • Right to rectification (Article 16): you may request correction of inaccurate personal data or completion of incomplete data
  • Right to erasure (Article 17): you may request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful
  • Right to restriction of processing (Article 18): you may request that we limit how we process your data in certain circumstances, such as while we verify its accuracy
  • Right to data portability (Article 20): you may request your personal data in a structured, commonly used, machine-readable format and have it transmitted to another controller
  • Right to object (Article 21): you may object to processing based on legitimate interests or for direct marketing purposes; we will cease processing unless we demonstrate compelling legitimate grounds
  • Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal

To exercise any of these rights, please contact us at legal@impactfulhub.com. We will respond within one calendar month. In complex cases or where we receive a large number of requests, we may extend this period by a further two months, in which case we will inform you within the first month.

We will not charge a fee for responding to your request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

13. Right to Lodge a Complaint

If you are dissatisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with the UK supervisory authority:

We encourage you to contact us first at legal@impactfulhub.com so we have the opportunity to address your concern before you escalate to the ICO.

14. Is Providing Your Data a Requirement?

Providing your personal data is not a statutory requirement. However, certain data is necessary for us to provide the App and its features to you:

  • Contractual requirement: identity data (name, email) is required to create an account and access the App. Without this data, we cannot provide the service
  • Optional data: profile photo, biography, volunteer preferences, and location data are optional. You may use the App without providing this data, though some features may be limited
  • Consent-based data: analytics and location tracking are optional and you may decline or withdraw consent at any time without losing access to core features

15. Automated Decision-Making and Profiling

The App uses AI-powered features (idea generation, instruction generation, chat, and bio generation) that involve automated processing. These features provide suggestions and generated content based on your inputs and profile data.

These automated processes do not produce legal effects or similarly significant effects on you. They are designed to assist and enhance your experience, and you are not obliged to use or accept AI-generated outputs.

We use behavioural data (activities completed, preferences) to personalise content recommendations within the App. This profiling is carried out on the basis of contract performance and legitimate interests in improving user experience. It does not result in decisions that produce legal or similarly significant effects.

We do not use automated decision-making processes that produce legal or similarly significant effects as defined under Article 22 of the UK GDPR.

16. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include:

  • Encryption of sensitive data at rest (including date of birth and biography fields)
  • Encryption of data in transit using TLS/SSL
  • Access controls restricting data access to authorised personnel only
  • Regular security reviews and monitoring
  • Secure authentication via Firebase Authentication, Google Sign-In, and Apple Sign-In

While we take all reasonable steps to protect your data, no method of electronic storage or transmission is completely secure. We cannot guarantee absolute security but will notify you and the ICO of any qualifying data breach in accordance with our legal obligations.

17. Social Sharing

The App allows you to share content to third-party social media platforms including Instagram, TikTok, Facebook, Snapchat, X/Twitter, YouTube, and LinkedIn. When you choose to share content:

  • The content you share and any associated data will be subject to the privacy policy of the receiving platform
  • We do not control how third-party platforms process your data once shared
  • Sharing is always initiated by you and is entirely voluntary

We recommend reviewing the privacy policies of any third-party platforms before sharing content.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the App's features. When we make material changes:

  • We will notify you through an in-app notification, push notification, or email
  • The updated effective date will be displayed at the top of this page
  • For users under 18, we will take reasonable steps to communicate changes in clear, age-appropriate language

Continued use of the App after the updated policy takes effect constitutes your acknowledgement of the changes. If you do not agree with any changes, you should stop using the App and request deletion of your account.

19. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is processed, please contact us: