Privacy Policy
Last updated: 1 March 2026 · Governed by UK law (UK GDPR & Data Protection Act 2018)
Summary: CharityAidHub is operated by Eternal IT. We process data on behalf of UK charities to facilitate Gift Aid claims. We do not sell your data. We do not share it with anyone except HMRC and the processors needed to run the platform. You can request deletion at any time.
1. Who we are
CharityAidHub is a software platform operated by Eternal IT ("we", "us", "our"). We provide Gift Aid management software to UK charities.
For data protection purposes, Eternal IT acts as a data processor on behalf of the charity (the data controller) for donor data, and as a data controller for account and billing data.
Contact: support@eternalitso.com
2. What data we collect
Account holders (charity staff)
- Name and email address (used to authenticate and contact you)
- Organisation name and charity number
- Login activity and session data
Donor data (processed on behalf of charities)
- Full name and home address (required by HMRC for Gift Aid claims)
- Email address (where provided for declaration purposes)
- Gift Aid declaration status and date
- Donation amounts, dates and sources
Technical data
- IP address, browser type, device type
- Pages visited and actions taken within the platform
- Error logs and diagnostic data
3. Why we collect it (lawful basis)
- Contract performance — to provide the CharityAidHub service your organisation has subscribed to
- Legal obligation — to comply with HMRC requirements for Gift Aid submissions (Schedule 5, Finance Act 2000)
- Legitimate interests — to improve the platform, prevent fraud, and ensure security
- Consent — for marketing communications (you can opt out at any time)
4. How we use your data
- To process and submit Gift Aid claims to HMRC on your behalf
- To authenticate users and manage access to your organisation's account
- To send transactional emails (sign-in links, HMRC submission receipts)
- To provide customer support
- To generate audit trails and reports required for charity governance
- To improve the platform and fix errors
5. Who we share data with
We do not sell, rent or trade personal data. We only share data with:
- HMRC — donor names, addresses and donation data as required for Gift Aid R68 submissions
- MongoDB Atlas — our database provider (data stored in EU/UK region)
- Resend — email delivery for sign-in links and submission receipts
- Cloudflare — hosting and CDN infrastructure
- Google — OAuth authentication only (we receive name and email, we do not share data back)
All third-party processors are bound by data processing agreements and process data only on our instruction.
6. Data retention
- Donor and donation data — retained for 6 years from the date of the last Gift Aid claim (HMRC requirement)
- Account data — retained for the duration of your subscription plus 12 months
- HMRC submission records — retained for 6 years (statutory requirement)
- Login and session logs — retained for 90 days
After retention periods expire, data is permanently deleted from all systems.
7. Your rights (UK GDPR)
You have the following rights regarding your personal data:
- Access — request a copy of all data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion, subject to legal retention requirements
- Restriction — request we limit processing in certain circumstances
- Portability — receive your data in a portable format
- Object — object to processing based on legitimate interests
- Withdraw consent — at any time for consent-based processing
To exercise any right, email support@eternalitso.com. We respond within 30 days.
You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Security
- All data is encrypted in transit (TLS 1.3) and at rest
- Access to donor data is restricted to authenticated charity staff only
- We use passwordless authentication (magic links and OAuth) to eliminate credential theft risk
- Regular security reviews are performed on infrastructure and code
9. Cookies
We use only essential cookies required for authentication (session management via NextAuth). We do not use advertising, analytics, or tracking cookies.
10. Changes to this policy
We may update this policy when the platform or legal requirements change. Significant changes will be notified by email to account holders. The latest version is always at charityaidhub.eternalitso.com/privacy.