Privacy policy
Last updated 17 June 2026
This policy explains how SDQA CIC looks after your personal data and your rights under UK data protection law (the UK GDPR and the Data Protection Act 2018). SDQA is a UK Community Interest Company. It is not a registered charity, so there is no Gift Aid and your giving is not personally tax-deductible.
Who is responsible for your data
The data controller is SDQA CIC, company number [CIC company number - Irfan to confirm], registered office [registered office address - Irfan to confirm]. If you have any question about this policy or your data, contact us at [privacy contact email - Irfan to confirm].
The personal data we collect and why
We only collect what we need to run SDQA and to do what you have asked us to do. The table below sets out each kind of data, what we use it for, and our lawful basis for that use.
| Data | Why we use it | Lawful basis |
|---|---|---|
| Account details: your email, name, phone number, portfolio name, and country. | To create and run your SDQA account, identify you when you sign in, and contact you about your giving. | Contract (to provide the account you asked for). |
| Giving and allocation records: the projects you funded, amounts, shares, and your wallet balance and ledger. | To process your giving, allocate it to projects, keep your wallet and statements accurate, and report delivery back to you. | Contract, and legal obligation where financial records must be retained for accounting. |
| Payment reference: your Stripe customer reference. SDQA does not store your full card number; card details are handled by Stripe. | To take payment securely and match it to your account. | Contract. |
| Attribution and device data tied to a giving action: UTM campaign tags, referrer, your IP address, and browser user-agent. | To understand which of our campaigns brought you here so we can run them responsibly, and to help detect fraud or abuse. | Legitimate interests (measuring our own campaigns and protecting the platform), balanced against your rights. The marketing cookies that also produce this kind of data load only with your consent (see the cookie policy). |
| Sign-in credentials: session tokens and magic-link tokens issued to your email. | To keep you securely signed in and to let you sign in by email. | Contract, and our legitimate interest in account security. |
| Goals, scheduled giving, milestones, and notification read-state. | To run the features you use: savings goals, recurring giving, progress milestones, and your notifications. | Contract. |
| Signature enquiry details: name, email, and phone, if you make a high-value or bespoke enquiry. | To respond to your enquiry and arrange the conversation you asked for. | Legitimate interests, or steps taken at your request before any agreement. |
| Newsletter and programme interest: your email if you join the newsletter or register interest in a programme such as Amana. | To send you the updates you asked for. | Consent (you can unsubscribe at any time). |
We do not knowingly collect data from children. SDQA is intended for adults who give or support our projects.
How long we keep your data
We keep your data only for as long as we need it. Account, giving, and wallet records are kept while your account is active and for as long as we are required to keep financial records for accounting and tax. When a legal duty means we must retain a financial record, we keep the minimum needed and remove or anonymise the rest. Sign-in tokens and magic links are short-lived and expire automatically. Campaign attribution data is kept only as long as it is useful for measuring the campaign it relates to.
Who we share your data with
We do not sell your data. We share it only with the service providers who help us run SDQA, and only as far as they need it to do their job. Each is bound by a data-processing agreement. Our providers are:
- Supabase: Database and authentication hosting.
- Vercel: Website hosting and delivery.
- Stripe: Payment processing.
- Resend: Transactional email (for example sign-in and receipts).
- Mailchimp: Newsletter email, if you subscribe.
- Sanity: Content management for the project pages.
- Sentry: Error monitoring to keep the site working.
Some of these providers may process data outside the UK. Where that happens, we rely on the safeguards UK law requires, such as the UK International Data Transfer Agreement or an adequacy decision.
Your rights
Under UK data protection law you have the right to:
- be informed about how we use your data (this policy);
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased (the right to be forgotten, see below);
- restrict how we use your data;
- data portability, to receive your data in a usable format;
- object to processing based on our legitimate interests;
- withdraw consent at any time, where we relied on your consent;
- not be subject to a decision based solely on automated processing.
To exercise any of these, contact us at [privacy contact email - Irfan to confirm]. We will respond within one month.
Right to erasure (right to be forgotten)
You can ask us to delete the personal data we hold about you. When you do, we remove your account and the personal data linked to it across our systems. Where a financial record must be kept for a legal accounting reason, we anonymise it rather than delete it, so it can no longer identify you, and we record why. Our internal procedure for handling an erasure request is documented and followed for every request. To make a request, contact us at [privacy contact email - Irfan to confirm].
Cookies and tracking
We use a small number of essential cookies to run the site, and, only with your consent, marketing cookies to measure our campaigns. Nothing non-essential loads until you opt in. The full detail, and how to change your choice, is in our cookie policy.
How to complain
If you are unhappy with how we have handled your data, please tell us first at [privacy contact email - Irfan to confirm] so we can put it right. You also have the right to complain to the Information Commissioner's Office (ICO), the UK regulator, at ico.org.uk.
Changes to this policy
We may update this policy. When we do, we will change the date at the top of the page. Significant changes will be highlighted on the site.
