Privacy Policy

Last updated: 27 May 2026

1. Who we are

CharityWatch is operated by [COMPANY NAME — complete before going live](“we”, “us”, “our”). We run a public directory of UK charities, giving donors access to transparent financial and impact information, and giving registered charities a profile page to showcase their work.

We are registered with the Information Commissioner's Office (ICO) as a data controller. ICO registration number: [ICO REGISTRATION NUMBER — complete before going live].

For any privacy-related queries, contact us at coolquickvips@gmail.com.

2. What data we collect and why

Charity administrators (account holders)

When a charity registers on the platform, we collect:

  • Email address — to create and manage your account, and to contact you about your listing
  • Contact name and role — to identify the authorised representative of the charity
  • Charity name and Charity Commission number — to verify the charity is registered and to display on your public profile
  • Profile information — tagline, description, founded year, website, donation URL, regions, categories, impact metrics, and uploaded documents — to build your public-facing charity profile

The legal basis for processing this data is contract — it is necessary to provide the service you have signed up for.

Referral tracking

When a visitor clicks through to a charity's donation page via our platform, we record a session-level referral event. This record contains the charity identifier and a session token but no personally identifiable information about the visitor. This data is used to calculate the referral volume we report back to charities and to calculate our platform fee. The legal basis is legitimate interests — it is necessary for operating our reconciliation-based fee model.

Support queries

If you contact us via the support form, we store your name, email address, subject, and message so we can respond to your query. We retain this data for up to 2 years.

3. Cookies

We use strictly necessary cookies only. These are session cookies set by our authentication provider (Supabase) that keep you logged in to your charity account. They are deleted when you sign out or when your browser session ends.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. Because we only use strictly necessary cookies, we are not required to ask for your consent under the UK Privacy and Electronic Communications Regulations (PECR).

4. Who we share data with

We do not sell your data. We use the following third-party processors:

  • Supabase Inc. — our database and authentication provider. Data is stored on servers in the EU. Supabase is GDPR-compliant and we have a Data Processing Agreement in place.
  • Vercel Inc. — our hosting provider. Vercel processes request data (IP addresses, request logs) as part of serving the application. We have a Data Processing Agreement in place.

Charity profile data (name, description, metrics, documents) is publicly visible on your charity's profile page once your listing is approved. You control what you submit.

5. How long we keep your data

  • Account data — retained for as long as your account is active. On account deletion, personal profile data is removed immediately; however a minimal record is retained (see below)
  • Contract acceptance records — your name, role, organisation registration number, and the timestamp at which you accepted our Terms of Service are retained for 6 years from the date of acceptance. This is necessary to establish, exercise, or defend legal claims under UK GDPR Article 17(3)(e) and the Limitation Act 1980
  • Referral and fee records — monthly donation reports and calculated fees are retained for 6 years for financial reconciliation and legal claims purposes
  • Support queries — retained for 2 years

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (you can also delete your account directly from the account settings page). Note that we are entitled to retain a minimal record of contract acceptance for 6 years under the legal claims exception (UK GDPR Article 17(3)(e))
  • Restriction — ask us to restrict processing of your data in certain circumstances
  • Portability — request your data in a machine-readable format
  • Object — object to processing based on legitimate interests

To exercise any of these rights, email coolquickvips@gmail.com. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to complain to the ICO at ico.org.uk.

7. Changes to this policy

If we make material changes to this policy, we will update the “last updated” date at the top and, where appropriate, notify account holders by email. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

8. Contact

For any questions about this policy or your data, contact us at coolquickvips@gmail.com.