Data Processing Agreement

Last updated: 17 June 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Clickonic Ltd, which operates the Impacturi platform (the "Processor", "we", "us"), and the organisation subscribing to the Impacturi platform (the "Controller", "you", "your organisation").

This DPA is entered into pursuant to Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Impacturi platform. "Processing" has the meaning given in the UK GDPR. "Data Subject" means the individual to whom the Personal Data relates. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

2. Scope and purpose of processing

The Processor processes Personal Data solely to provide the Impacturi platform services, specifically:

  • Storing and displaying donor records (names, organisations, contact details, donation amounts and history)
  • Generating impact pages and reports using donor and donation data
  • Providing CRM integration services (importing donor data from external systems)
  • Recording page view analytics (anonymised where possible)
  • Sending platform notifications to subscribed users

3. Categories of data subjects and personal data

Data subjects:

  • Charity staff and administrators (platform users)
  • Corporate donor contacts
  • Individual donors (where charity uploads individual donor data)

Categories of personal data:

  • Names and job titles
  • Email addresses and phone numbers
  • Organisation names and addresses
  • Donation amounts, types, and dates
  • Testimonials and quotes (where provided by the Controller)
  • CRM identifiers and external system references

Clickonic does not intentionally process special category data. However, charities supporting beneficiaries with health conditions, disabilities, or financial hardship may upload content that constitutes special category data under UK GDPR Article 9. Charities are responsible for ensuring appropriate safeguards are in place for any such data they upload.

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law
  • Ensure that all persons authorised to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7)
  • Not engage a sub-processor without the prior written authorisation of the Controller (see Section 6)
  • Assist the Controller in responding to Data Subject rights requests (access, rectification, erasure, portability, restriction, objection)
  • Assist the Controller in meeting its obligations under Articles 32 to 36 of the UK GDPR (security, breach notification, impact assessments, prior consultation)
  • At the choice of the Controller, delete or return all Personal Data on termination of the service, and delete existing copies unless required by law to retain them
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Obligations of the Controller

The Controller shall:

  • Ensure it has a lawful basis for processing the Personal Data it uploads to the platform
  • Ensure Data Subjects have been informed about the processing in accordance with Articles 13 and 14 of the UK GDPR
  • Ensure the accuracy of Personal Data provided to the Processor
  • Notify the Processor promptly of any Data Subject rights requests received directly

6. Sub-processors

The Controller provides general written authorisation for the Processor to engage the following sub-processors:

  • Supabase Inc. — Purpose: database hosting, authentication, file storage. Location: Ireland (eu-west-1)
  • Vercel Inc. — Purpose: application hosting and content delivery. Location: global (UK SCCs)
  • Stripe Inc. — Purpose: subscription payment processing. Location: US / EU
  • OpenAI Inc. — Purpose: AI writing assistant (impact story generation). Location: US (UK IDTA / SCCs)
  • Anthropic PBC — Purpose: AI monitoring and triage assistant (alert triage, weekly summary). Location: US (UK IDTA / SCCs)
  • Sentry — Purpose: application error monitoring. Location: EU region
  • Resend — Purpose: transactional and notification email delivery. Location: US (UK IDTA / SCCs)

The Processor shall impose data protection obligations equivalent to those set out in this DPA on each sub-processor, by contract, in accordance with Article 28(4) UK GDPR, ensuring the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of UK GDPR. Executed Data Processing Agreements compliant with Article 28(4) UK GDPR are in place with each sub-processor listed above. Copies are available on request from data@impacturi.com.

The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller reasonably objects, the Processor will work with the Controller to find an alternative solution.

7. Technical and organisational security measures

The Processor implements the following measures:

  • Encryption at rest: All database records are encrypted using AES-256 via the hosting provider (Supabase)
  • Encryption in transit: All connections use TLS 1.2 or higher
  • Access control: Row-level security (RLS) policies enforced at the database layer. Each charity's users can only read and write that charity's own records; cross-tenant access is blocked by the database itself, not only by application code
  • Authentication: User authentication via Supabase Auth with secure password hashing (bcrypt)
  • Staff access: Platform administrators do not have routine access to customer data. Access is only granted in exceptional circumstances with the Controller's knowledge
  • Backups: Automated database backups managed by the hosting provider
  • Monitoring: Application error logging and uptime monitoring
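To illustrate what "row-level security enforced at the database layer" means in practice, the following is an added, illustrative PostgreSQL example in the Supabase style. It is not Impacturi's actual schema or policy set; the table names (donors, charity_members), the helper function current_user_charities() and the use of auth.uid() as the per-request user identity are assumptions for the example.

```sql
-- Illustrative tenant-isolation policy (example only, not the platform's schema).
-- Assumed: auth.uid() returns the calling user's id (Supabase convention),
-- charity_members maps users to the charities they belong to, and every
-- donor row carries the charity_id it belongs to.

create table charity_members (
  charity_id uuid not null,
  user_id    uuid not null,
  primary key (charity_id, user_id)
);

create table donors (
  id           uuid primary key default gen_random_uuid(),
  charity_id   uuid not null,
  name         text not null,
  email        text,
  amount_pence bigint
);

-- Turn RLS on, and FORCE it so the table owner is not exempt either.
alter table donors enable row level security;
alter table donors force row level security;

-- Charities the calling user is a member of (assumed helper, not from the page).
create or replace function current_user_charities()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select charity_id from charity_members where user_id = auth.uid()
$$;

-- One policy for select/insert/update/delete: a row is visible or writable
-- only if its charity_id is one the caller belongs to. WITH CHECK stops a
-- user from inserting or moving a row into another charity's tenant.
create policy donors_tenant_isolation on donors
  for all
  to authenticated
  using      (charity_id in (select current_user_charities()))
  with check (charity_id in (select current_user_charities()));

-- Verification query: both flags should be true for every tenant-scoped table.
select relname, relrowsecurity, relforcerowsecurity
from pg_class
where relname = 'donors';
```

Two caveats a reviewer would check against a claim like this: RLS only constrains roles that lack the BYPASSRLS attribute, so a Supabase service-role key (or any superuser connection) used by server-side code on behalf of a user would silently skip the policy; and every tenant-scoped table needs its own policy, since a table with RLS enabled but no policy denies all access while a table with RLS disabled allows everything.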

8. Personal data breach notification

The Processor will notify the Controller without undue delay, and in any case within 24 hours of becoming aware of a Personal Data breach. The 72-hour statutory window for ICO notification is the Controller's (charity's) obligation, not the Processor's. The notification will include:

  • The nature of the breach, including where possible the categories and approximate number of Data Subjects and records affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • The name and contact details of the Processor's point of contact

9. Data subject rights

The Processor will assist the Controller in fulfilling its obligation to respond to Data Subject requests. Where a Data Subject contacts the Processor directly, the Processor will redirect the request to the Controller without undue delay.

The Controller can fulfil most Data Subject rights directly through the platform (viewing, editing, and deleting donor records). For data portability requests, the platform provides CSV export functionality.

10. International data transfers

Where Personal Data is transferred outside the UK (for example, to sub-processors located in the United States), such transfers are protected by appropriate safeguards under Article 46 UK GDPR. As this DPA is governed by UK law, transfers rely on:

  • The ICO's International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses (SCCs) together with the ICO's International Data Transfer Addendum (UK Addendum). Where a sub-processor operates under the EU SCCs, the UK Addendum is applied so that the transfer also meets UK GDPR requirements.
  • The sub-processor's own data protection certifications and policies, as supporting evidence of the safeguards in place

Executed copies of applicable transfer agreements are available on request. Contact data@impacturi.com.

11. Duration and termination

This DPA remains in effect for the duration of the Controller's subscription to the Impacturi platform. On termination:

  • The Controller may request export of all their data via CSV before account closure
  • The Processor will delete all Personal Data within 30 days of account termination, unless required by law to retain it
  • The Processor will confirm deletion in writing on request

12. Audit rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor will cooperate with reasonable audit requests, subject to reasonable notice and confidentiality obligations. Audits will be conducted during normal business hours and will not unreasonably disrupt the Processor's operations.

13. AI processing (OpenAI)

The Impacturi platform uses the OpenAI API to generate AI narrative text (impact stories and thank-you letters). The following applies to this processing:

  • Data sent to OpenAI: Impact story bullet points entered by charity staff, donor names, and donation amounts. No special category data or contact details (email addresses, phone numbers) are sent to OpenAI.
  • Purpose: Generating AI narrative text at the explicit request of the charity user. No processing occurs without a direct user action.
  • Model training: Per OpenAI's enterprise API terms, data submitted via the API is not used to train OpenAI models. OpenAI retains submitted data for up to 30 days for abuse monitoring purposes, after which it is deleted.
  • Sub-processor listing: OpenAI Inc. (US) is listed as a sub-processor in Section 6 of this DPA.

Template clause for charity privacy notices: "We use Impacturi to generate personalised impact reports for our donors. Impacturi uses the OpenAI API to assist with writing. Donor names and giving amounts may be processed by OpenAI solely for the purpose of generating the report text. This data is not used to train AI models. OpenAI retains submitted data for up to 30 days for safety monitoring. For full details see the Impacturi Data Processing Agreement at impacturi.com/legal/dpa."

14. Backup retention and personal data deletion

Personal data present in automated backups at the time of deletion will be purged when those backups age out of the retention window. Current retention windows are: daily backups, maximum 30 days; monthly backups, maximum 90 days. Clickonic does not restore personal data from backup solely for data access purposes after a deletion request has been fulfilled.

This means that following a deletion request or account closure, personal data may persist in encrypted backups until those snapshots age out: up to 30 days in daily backups and up to 90 days in monthly backups. This is disclosed to data subjects in our Data Retention Policy.

15. Data Protection Impact Assessments (DPIA)

Clickonic will provide reasonable assistance to the Controller in carrying out any Data Protection Impact Assessments required under Article 35 UK GDPR. This assistance includes providing information about Clickonic's processing activities, technical and organisational measures, and sub-processor arrangements on request. Requests should be directed to data@impacturi.com.

16. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the main service agreement between the parties.

17. Contact

For any questions about this DPA or to request a signed copy, contact:

Data Protection contact, Clickonic Ltd
data@impacturi.com

This address is monitored by the data protection contact and should also be used for urgent matters.

This DPA is governed by the laws of England and Wales. It supplements and forms part of the Impacturi service agreement.