Privacy Policy
Last updated: 27 March 2026
1. Introduction
Alma ("we", "us", "our") is committed to protecting the privacy of our users and their donors. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Alma platform ("Service").
This policy applies to charity administrators who use the Donation Hub, donors who interact with the kiosk, and visitors to our website.
2. Data controller & processor
When a charity uses Alma to collect and manage donor data:
- The charity is the data controller — they determine why and how donor data is processed
- Alma is the data processor — we process donor data on behalf of the charity to provide the Service
For data relating to charity administrator accounts (login credentials, contact details), Alma is the data controller.
3. What data we collect
Charity administrator data
- Name, email address, and role
- Organisation name, charity number, and contact details
- Login credentials (password stored as a salted bcrypt hash)
- Two-factor authentication settings (TOTP secret, encrypted)
- Activity logs (actions taken within the Donation Hub)
Donor data (processed on behalf of the charity)
- Full name, phone number, email address
- Home address (required for Gift Aid declarations)
- Gift Aid declaration details (date, amount, payment method, eligibility)
- Electronic signature
- Donation history and standing order records
Website visitor data
- Information submitted through the contact form (name, email, message)
- Essential cookies required for the website to function
4. Legal basis for processing
We process personal data under the following legal bases:
- Contract: To provide the Service to charities that have registered for an account
- Legal obligation: To retain Gift Aid records for HMRC compliance (minimum 6 years)
- Legitimate interest: To maintain security, prevent fraud, and improve the Service
- Consent: For optional communications such as product updates (donors provide consent to the charity via the kiosk declaration)
5. How we use your data
We use the data we collect to:
- Provide, maintain, and improve the Service
- Process Gift Aid declarations and generate HMRC exports
- Manage donor records and donation history
- Send transactional emails (account verification, password resets, donation receipts)
- Provide customer support
- Detect and prevent fraud or security incidents
- Generate anonymised analytics and usage statistics
6. Third-party processors
We use the following third-party services to provide the Service. Each processor has been selected for its security standards and compliance:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting & authentication | EU (AWS) |
| Vercel | Application hosting & CDN | Global (edge) |
| Stripe | Card payment processing | EU / US |
| Resend | Transactional email delivery | US |
We do not sell, rent, or trade personal data to any third party. Data is only shared with the processors listed above, solely for the purpose of providing the Service.
7. Data retention
We retain data for as long as necessary to provide the Service and comply with legal obligations:
- Gift Aid declarations: Minimum 6 years from the end of the tax year in which the donation was made (HMRC requirement)
- Donor records: Retained while the charity's account is active, subject to the charity's configured retention period
- Account data: Retained while the account is active; deleted upon request after account closure
- Activity logs: Retained for 2 years
Charities can configure auto-purge settings to automatically anonymise donor records that exceed the retention period.
8. Your rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
For donors: If you are a donor and wish to exercise your rights, please contact the charity that collected your data. They are the data controller and can process your request using the GDPR tools built into Alma.
For charity administrators: Contact us directly at privacy@trustalma.com.
9. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Password hashing with bcrypt
- Optional two-factor authentication
- Role-based access control
- Regular automated backups
- Comprehensive audit logging
For more details, see our Security page.
10. International transfers
Our primary database is hosted in the EU. Some of our third-party processors (Vercel, Stripe, Resend) may process data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions, as required by UK GDPR.
11. Children's data
The Service is not directed at individuals under 18 years of age. Charity administrator accounts require users to be at least 18. Donors using the kiosk must be UK taxpayers, which inherently requires them to be of an age to pay tax.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top of this page indicates when the policy was last revised.
13. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
14. Contact
For any privacy-related questions or requests, please contact us at privacy@trustalma.com.