UK GDPR & Your Donor Data

Last updated: 2026-02-19

You already share donor data with HMRC

Every time your charity submits a Gift Aid claim, you send donor names, addresses, and donation amounts to HMRC. That’s the process working as intended. Working with Gift Aid Boost is no different — we’re automating that same process so your charity recovers more of what it’s owed, more efficiently.

If you’re worried about sharing donor data with a third party, consider this: you already do. HMRC, your payment processor, your email provider, your direct debit service — they all handle donor data on your behalf. The question isn’t whether to share data, but whether the organisation you’re sharing it with handles it responsibly.

Here’s how we do that.

Your charity stays in control

Under UK GDPR, your charity is the data controller. You decide what data to upload and when. You decide which donors to contact for declarations. You decide when to submit claims to HMRC.

Gift Aid Boost is the data processor — we process your data strictly to recover Gift Aid on your behalf, and for no other purpose. We don’t make decisions about your data. We don’t use it for our own purposes. We act only on your instructions.

This is a well-established legal relationship that thousands of organisations across every sector use every day. It’s the same relationship you have with your payment processor and your email provider.

Lawful basis: legitimate interests

Your charity has a legitimate interest in recovering Gift Aid it is legally entitled to claim. This is well-established under UK data protection law and is the same basis that applies when you submit claims to HMRC directly.

You are not doing anything new by working with us — you’re doing what you already do, more effectively. The processing is necessary for the purpose (recovering Gift Aid), proportionate (we process only what’s needed), and in line with your donors’ reasonable expectations (they ticked the Gift Aid box because they wanted the charity to claim it).

What we store and for how long

We believe in keeping only what’s necessary:

  • Donor records (names, addresses, donation details): retained for 6 years, as required by HMRC for Gift Aid audit purposes
  • Declaration records (proof of donor consent): retained for 6 years, matching HMRC’s audit window
  • Uploaded files: automatically deleted after 14 days — only metadata is retained (file name, upload date, row count)
  • Processing logs: retained for 90 days for troubleshooting and security monitoring

After the retention period, data is permanently deleted. Not archived, not moved to cold storage — deleted.

What we never do

This list matters more than any promise:

  • We never sell your donor data
  • We never share it with any organisation other than those listed in our sub-processor register
  • We never use it for any purpose other than Gift Aid recovery
  • We never contact your donors for marketing — ours or anyone else’s
  • We never combine data across different charities
  • We never retain data beyond the stated retention periods

Your data is yours. We just help you make the most of it.

Data subject rights

If a donor contacts your charity requesting access to, correction of, or deletion of their personal data, your charity handles that request as the data controller. That’s as it should be — you have the direct relationship with the donor.

We provide tools to support you:

  • Export: download any individual donor’s complete record on request
  • Deletion: permanently remove a donor record from our system
  • Correction: update any field in a donor’s record

We respond to controller requests promptly, and we’ll never obstruct a data subject’s rights.

Our sub-processors

A small number of carefully selected services support specific functions — secure database hosting, email delivery for declaration emails, address verification, and file scanning. Each is contractually bound to the same data protection standards we follow.

We maintain a full register of all sub-processors, available in our compliance pack, and will notify you of any changes before they take effect.

We know that data protection decisions in charities often involve trustees, a data protection officer, or external legal advisors. We’ve made it easy to give them what they need.

Our compliance pack covers everything your legal team needs to review:

  • Data Processing Agreement summary
  • Sub-processor register with details of each service, its location, and its purpose
  • Data flow diagram showing how your data moves through our system at each stage
  • Retention schedule for every category of data
  • UK GDPR Article 28 compliance statement
  • Technical and organisational security measures

View compliance pack — you can print or save as PDF from your browser

If your legal team has questions that aren’t covered in the pack, we’re happy to discuss them directly.

Start claiming and recover what your charity is owed. Or get in touch if you have questions about data protection.