Privacy Policy
Last updated: 27 April 2026
1. Introduction
Alma ("we", "us", "our") is committed to protecting the privacy of our users and their donors. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Alma platform ("Service").
This policy applies to charity administrators who use the Donation Hub, donors who interact with the kiosk, and visitors to our website.
2. Data controller & processor
When a charity uses Alma to collect and manage donor data:
- The charity is the data controller: they determine why and how donor data is processed
- Alma is the data processor: we process donor data on behalf of the charity to provide the Service
For data relating to charity administrator accounts (login credentials, contact details), Intrepidus Limited (trading as Trust Alma, company no. 14260749) is the data controller.
3. What data we collect
Charity administrator data
- Name, email address, and role
- Organisation name, charity number, and contact details
- Login credentials (password stored as a salted bcrypt hash)
- Two-factor authentication settings (TOTP secret, encrypted)
- Activity logs (actions taken within the Donation Hub)
Donor data (processed on behalf of the charity)
- Full name, phone number, email address
- Home address (required for Gift Aid declarations)
- Gift Aid declaration details (date, amount, payment method, eligibility)
- Electronic signature
- Donation history and standing order records
Website visitor data
- Information submitted through the contact form (name, email, message)
- Essential cookies required for the website to function
4. Legal basis for processing
We process personal data under the following legal bases:
- Contract: To provide the Service to charities that have registered for an account
- Legal obligation: To retain Gift Aid records for HMRC compliance (minimum 6 years)
- Legitimate interest: To maintain security, prevent fraud, improve the Service, and to recognise returning donors at the kiosk so their existing record can be re-used (see Section 5b)
- Consent: For optional communications such as product updates (donors provide consent to the charity via the kiosk declaration)
5. How we use your data
We use the data we collect to:
- Provide, maintain, and improve the Service
- Process Gift Aid declarations and generate HMRC exports
- Manage donor records and donation history
- Send transactional emails (account verification, password resets, donation receipts)
- Provide customer support
- Detect and prevent fraud or security incidents
- Generate anonymised analytics and usage statistics
- Provide AI-assisted support via the Alma chatbot (Team plan and above); this involves sending relevant organisation and donor data to our AI provider for processing (see Section 5a below)
5a. AI Assistant data processing
Alma includes an AI-powered assistant available on Team, Business, and Enterprise plans. When a charity administrator uses the AI assistant, the following data may be sent to our AI provider (Anthropic) for processing:
- Organisation name and charity number
- Donor names, contact details, and addresses (when queried by the administrator)
- Donation amounts, payment methods, and declaration details (when queried)
- Conversation history within the current chat session
Important details about AI data handling:
- Purpose: To provide intelligent responses to administrator queries about their organisation's data and Gift Aid processes
- Retention: Conversations are not stored by Alma after the session ends. Anthropic retains API data for up to 30 days per their data processing terms
- Training: Data sent via the API is not used by Anthropic to train their AI models
- Access: Only authenticated administrators on eligible plans can use the AI assistant. Donor data is only processed when an administrator actively queries it; it is not continuously sent
- Security: All data is transmitted to Anthropic over encrypted connections (TLS 1.2+)
5b. Returning donor recognition on the kiosk
When a donor uses a charity's kiosk a second time, Alma can recognise them so they don't have to re-enter their name, address and Gift Aid declaration from scratch. There are two ways this happens:
- Mobile number lookup: The donor types their UK mobile number on the kiosk and we look for a matching record
- Name search: If the donor doesn't remember which number they registered with, they can search by first name and last name
The data being matched against was collected the last time the donor made a Gift Aid declaration at that same charity. We do this on a legitimate-interests basis: it makes the experience faster, reduces typing errors, prevents duplicate donor records, and means the donor's declaration history stays linked together for HMRC reporting.
Safeguards we apply to this lookup:
- No cross-charity searching: Each lookup is scoped to the single charity that owns the kiosk. A donor registered at Charity A will never appear in results at Charity B - their record is invisible to any other charity on the platform
- Privacy mode on screen: By default the kiosk shows only the donor's first name, the initial of their surname and a partial postcode (for example "Sarah M. - SW1A ●●A") - never the full address, email or phone number. The donor sees enough to recognise themselves; a stranger glancing at the screen does not
- "This isn't me" escape hatch: If the wrong record is found, the donor can dismiss it in one tap and either start fresh or register as a new donor
- Rate limiting: Lookup requests are rate-limited per device to make name or phone number enumeration impractical
- Reduced fields returned: Only the fields needed to pre-fill the next declaration are returned to the kiosk - we do not return the donor's full profile, marketing preferences or donation history
- Audit trail: Every declaration records whether privacy mode was active when the donor confirmed, so the charity can demonstrate which donations were processed under minimised display
If a donor does not want to be recognised on a return visit, they can either decline to enter their phone number (which will create a new record), tap "This isn't me" on the recognition screen, or contact the charity to delete their record. We have completed a written Legitimate Interests Assessment for this processing and keep it on file for ICO inspection.
6. Third-party processors
We use the following third-party services to provide the Service. Each processor has been selected for their security standards and compliance:
| Provider | Purpose | Location | DPA |
|---|---|---|---|
| Supabase | Database hosting & authentication | EU (AWS) | View |
| Vercel | Application hosting & CDN | Global (edge) | View |
| Stripe | Card payment processing | EU / US | View |
| Resend | Transactional email delivery | US | View |
| Anthropic | AI assistant (natural language processing) | US | View |
We hold a countersigned Data Processing Agreement on file with each sub-processor above, meeting Article 28 UK GDPR requirements. Enterprise customers can request copies for procurement review by emailing hello@trustalma.com.
We do not sell, rent, or trade personal data to any third party. Data is only shared with the processors listed above, solely for the purpose of providing the Service. See Section 5a for details on how data is processed by the AI assistant.
7. Data retention
We retain data for as long as necessary to provide the Service and comply with legal obligations:
- Gift Aid declarations: Minimum 6 years from the end of the tax year in which the donation was made (HMRC requirement)
- Donor records: Retained while the charity's account is active, subject to the charity's configured retention period
- Account data: Retained while the account is active; deleted upon request after account closure
- Activity logs: Retained for 2 years
Charities can configure auto-purge settings to automatically anonymise donor records that exceed the retention period.
8. Your rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you
- Right to rectification: Request correction of inaccurate or incomplete data
- Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing: Request that we limit how we use your data
- Right to data portability: Receive your data in a structured, machine-readable format
- Right to object: Object to processing based on legitimate interest
For donors: If you are a donor and wish to exercise your rights, please contact the charity that collected your data. They are the data controller and can process your request using the GDPR tools built into Alma.
For charity administrators: Contact us directly at hello@trustalma.com.
9. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Password hashing with bcrypt
- Optional two-factor authentication
- Role-based access control
- Regular automated backups
- Comprehensive audit logging
For more details, see our Security page.
10. International transfers
Our primary database is hosted in the EU. Some of our third-party processors (Vercel, Stripe, Resend, Anthropic) may process data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions, as required by UK GDPR.
11. Children's data
The Service is not directed at individuals under 18 years of age. Charity administrator accounts require users to be at least 18. Donors using the kiosk must be UK taxpayers, which inherently requires them to be of an age to pay tax.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email and an in-product banner. The "Last updated" date at the top of this page indicates when the policy was last revised. A plain-English record of every change we have made is published in our Legal Changelog.
13. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
14. Contact
For any privacy-related questions or requests, please contact us at hello@trustalma.com.