Privacy Policy

How we collect, use, and protect your personal information

Privacy Policy

Effective Date: 14 October 2025

1. Introduction

Mushroom Computing Ltd ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use The Charity CRM service and our website.

Important: This Privacy Policy applies to personal data we process as a data controller. When you use The Charity CRM to manage your charity's data (such as donor records), we act as a data processor on behalf of your organisation, and your organisation's privacy policy applies to that data.

2. Who We Are

Data Controller: Mushroom Computing Ltd
Company Registration: 9312662 (England and Wales)
VAT Number: GB 273 9861 56
Address: 19 Graham Rd., West Bromwich, West Midlands, B71 4ED, United Kingdom
Email: [email protected]
Data Protection Officer: [email protected]

3. Information We Collect

3.1 Personal Data You Provide

We collect information you provide directly to us, including:

  • Account Information: Name, email address, phone number, job title, organisation details
  • Billing Information: Billing address, payment method details (processed securely by Stripe)
  • Service Data: Data you input into The Charity CRM system, including donor records, contact information, fundraising data
  • Communications: Information you provide when contacting our support team
  • Marketing Preferences: Your communication preferences and consent records

3.2 Information We Collect Automatically

  • Usage Data: Log files, IP addresses, browser type, device information
  • Cookies and Tracking: See our Cookie Policy below
  • Performance Data: System performance metrics and error logs

3.3 Charity-Specific Data

When charities use our service, we process data as a data processor on behalf of the charity (data controller). This includes:

  • Donor Information: Contact details, donation history, Gift Aid declarations (processed per charity's instructions)
  • Fundraising Data: Campaign information, event attendee lists, volunteer records
  • Compliance Data: Information required for charity regulatory reporting

Note: For data processed on behalf of charities, the charity's privacy policy applies to data subjects. We process this data only according to the charity's instructions and our Data Processing Agreement.

4. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract Performance: To provide The Charity CRM service and fulfill our contractual obligations
  • Legitimate Interests: For service improvement, security, and direct marketing to organisations
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: Where you have provided specific consent for certain processing activities

5. How We Use Your Information

We use your personal data to:

  • Provide, maintain, and improve The Charity CRM service
  • Process payments and billing
  • Provide customer support and respond to inquiries
  • Send service-related communications and updates
  • Conduct marketing activities (with appropriate consent)
  • Ensure security and prevent fraud
  • Comply with legal obligations and charity sector regulations
  • Support Gift Aid processing and charity compliance reporting

6. Data Sharing and Disclosure

We may share your personal data in the following circumstances:

  • Service Providers: With trusted third-party providers who assist in delivering our services (e.g., Stripe for payments, cloud hosting providers) under appropriate data processing agreements
  • Legal Requirements: When required by law, court order, or to protect our legal rights
  • Business Transfers: In connection with mergers, acquisitions, or asset sales (with continued privacy protection)
  • Charity Compliance: With regulatory bodies when required for charity sector compliance or as instructed by charity clients
  • Data Processing: For charity client data, we share only as instructed by the charity under our Data Processing Agreement

We never sell your personal data to third parties.

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

  • Encryption of data in transit and at rest
  • Regular security assessments and penetration testing
  • Access controls and authentication systems
  • UK-based secure data centres with physical security
  • Regular backups and disaster recovery procedures
  • Staff training on data protection and security

8. Data Retention

We retain personal data for as long as necessary to:

  • Provide our services and fulfill contractual obligations
  • Comply with legal and regulatory requirements
  • Resolve disputes and enforce our agreements

Charity Client Data: We retain charity client data only as instructed by the charity under our Data Processing Agreement. We support charity-specific retention requirements, including:

  • Gift Aid record retention (6 years from the end of the accounting period)
  • Donor data retention as required by charity regulations and the charity's instructions
  • Secure deletion within 30 days of contract termination unless legally required to retain

9. Your Rights Under UK Data Protection Law

Under the UK Data Protection Act 2018 and UK GDPR, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Limit how we use your data
  • Right to Data Portability: Receive your data in a portable format
  • Right to Object: Object to certain types of processing
  • Rights Related to Automated Decision-Making: Protection from solely automated decisions

To exercise these rights, contact us at [email protected]. We will respond within one month.

10. International Data Transfers

Your data is primarily stored and processed in the UK. If we transfer data outside the UK, we ensure adequate protection through:

  • Adequacy decisions by the UK government
  • Standard contractual clauses approved by the ICO
  • Other appropriate safeguards as required by UK law

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Enable essential website functionality
  • Analyse website usage and performance
  • Provide personalised content and advertising
  • Remember your preferences and settings

You can control cookies through your browser settings. Some features may not work properly if cookies are disabled.

12. Third-Party Services

Our service integrates with third-party providers:

  • Stripe: Payment processing (see Stripe's privacy policy)
  • Google Analytics: Website analytics (see Google's privacy policy)
  • Cloudflare: Security and performance services

13. Children's Privacy

The Charity CRM is not intended for use by children under 16. We do not knowingly collect personal data from children under 16 without parental consent.

14. Data Processing Agreements for Charities

When providing The Charity CRM service to charitable organisations, we enter into Data Processing Agreements (DPAs) that:

  • Define the scope and purpose of data processing activities
  • Specify data retention periods and deletion procedures
  • Outline security measures and incident response procedures
  • Ensure compliance with charity sector regulations
  • Provide for data subject rights fulfillment
  • Include provisions for sub-processor arrangements

Charities can request a copy of our standard DPA by contacting [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications where applicable

16. Contact Information and Complaints

For privacy-related questions or concerns:

  • Email: [email protected]
  • Address: Mushroom Computing Ltd, 19 Graham Rd., West Bromwich, West Midlands, B71 4ED, United Kingdom

If you're not satisfied with our response, you can complain to the Information Commissioner's Office (ICO):

  • Website: www.ico.org.uk
  • Phone: 0303 123 1113

Related Documents:

Last updated: 14 October 2025