Legal
Last updated: 17 June 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Impacturi (the "Processor", "we", "us") operated by Clickonic Ltd, and the organisation subscribing to the Impacturi platform (the "Controller", "you", "your organisation").
This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Impacturi platform. "Processing" has the meaning given in the UK GDPR. "Data Subject" means the individual to whom the Personal Data relates. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
The Processor processes Personal Data solely to provide the Impacturi platform services, specifically:
Clickonic does not intentionally process special category data. However, charities supporting beneficiaries with health conditions, disabilities, or financial hardship may upload content that constitutes special category data under UK GDPR Article 9. Charities are responsible for ensuring appropriate safeguards are in place for any such data they upload.
The Processor shall:
The Controller shall:
The Controller provides general written authorisation for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage | Ireland (eu-west-1) |
| Vercel Inc. | Application hosting and content delivery | Global (UK SCCs) |
| Stripe Inc. | Subscription payment processing | US / EU |
| OpenAI Inc. | AI writing assistant (impact story generation) | US (UK IDTA / SCCs) |
| Anthropic PBC | AI monitoring and triage assistant (alert triage, weekly summary) | US (UK IDTA / SCCs) |
| Sentry | Application error monitoring | EU region |
| Resend | Transactional and notification email delivery | US (UK IDTA / SCCs) |
The Processor shall impose data protection obligations equivalent to those set out in this DPA on each sub-processor, by contract, in accordance with Article 28(4) UK GDPR, ensuring the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of UK GDPR. Executed Data Processing Agreements compliant with Article 28(4) UK GDPR are in place with each sub-processor listed above. Copies are available on request from data@impacturi.com.
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller reasonably objects, the Processor will work with the Controller to find an alternative solution.
The Processor implements the following measures:
The Processor will notify the Controller without undue delay, and in any case within 24 hours of becoming aware of a Personal Data breach. The 72-hour statutory window for ICO notification is the Controller's (charity's) obligation, not the Processor's. The notification will include:
The Processor will assist the Controller in fulfilling its obligation to respond to Data Subject requests. Where a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller without undue delay.
The Controller can fulfil most Data Subject rights directly through the platform (viewing, editing, and deleting donor records). For data portability requests, the platform provides CSV export functionality.
Where Personal Data is transferred outside the UK (for example, to sub-processors located in the United States), such transfers are protected by appropriate safeguards. As this DPA is governed by UK law, transfers rely on:
Executed copies of applicable transfer agreements are available on request. Contact data@impacturi.com.
This DPA remains in effect for the duration of the Controller's subscription to the Impacturi platform. On termination:
The Controller has the right to audit the Processor's compliance with this DPA. The Processor will cooperate with reasonable audit requests, subject to reasonable notice and confidentiality obligations. Audits will be conducted during normal business hours and will not unreasonably disrupt the Processor's operations.
The Impacturi platform uses the OpenAI API to generate AI narrative text (impact stories and thank-you letters). The following applies to this processing:
Template clause for charity privacy notices: "We use Impacturi to generate personalised impact reports for our donors. Impacturi uses the OpenAI API to assist with writing. Donor names and giving amounts may be processed by OpenAI solely for the purpose of generating the report text. This data is not used to train AI models. OpenAI retains submitted data for up to 30 days for safety monitoring. For full details see the Impacturi Data Processing Agreement at impacturi.com/legal/dpa."
Personal data present in automated backups at the time of deletion will be purged when those backups age out of the retention window. Current retention windows are: daily backups, maximum 30 days; monthly backups, maximum 90 days. Clickonic does not restore personal data from backup solely for data access purposes after a deletion request has been fulfilled.
This means that following a deletion request or account closure, personal data may persist in encrypted backups for up to 30 days (daily backups) before those backup snapshots are overwritten. This is disclosed to data subjects in our Data Retention Policy.
Clickonic will provide reasonable assistance to the Controller in carrying out any Data Protection Impact Assessments required under Article 35 UK GDPR. This assistance includes providing information about Clickonic's processing activities, technical and organisational measures, and sub-processor arrangements on request. Requests should be directed to data@impacturi.com.
Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.
For any questions about this DPA or to request a signed copy, contact:
Data Protection contact, Clickonic Ltd
data@impacturi.com
This address is monitored by the data protection contact. For urgent matters, contact data@impacturi.com.
This DPA is governed by the laws of England and Wales. It supplements and forms part of the Impacturi service agreement.