Legal

Privacy Policy

Version 1.0 · Last Updated: [DATE] · Effective Date: [DATE]

1. Introduction

ImpactPlanner Ltd ("ImpactPlanner", "we", "us", or "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website at impactplanner.co.uk, register for an account, or use our platform and services (collectively, the "Services").

Please read this policy carefully. By accessing or using our Services, you confirm that you have read and understood how we handle your personal data. If you do not agree with this policy, you should not use our Services.

2. Who We Are

ImpactPlanner Ltd is the data controller responsible for your personal data.

Company Name	ImpactPlanner Ltd
Website	impactplanner.co.uk
Email	privacy@impactplanner.co.uk
Registered Address	[Registered Office Address]
Company Number	[Companies House Number]

If you have any questions about this policy or how we handle your data, please contact us at the details above.

3. What Data We Collect

We may collect the following categories of personal data:

3.1 Data You Provide Directly

Account registration data — your name, email address, job title, and organisation name when you create an account
Profile information — any additional information you choose to add to your user profile
Content and inputs — data, plans, reports, and other content you upload or create within the platform
Communications — messages you send to us via email, support tickets, or contact forms
Payment information — billing name, address, and payment card details (processed securely by our payment provider; we do not store full card numbers)
Survey and feedback responses — if you choose to participate in user research or satisfaction surveys

3.2 Data We Collect Automatically

Usage data — pages visited, features used, actions taken within the platform, session duration, and click-through data
Technical data — IP address, browser type and version, device type, operating system, screen resolution, and time zone
Log data — server logs including access times, error logs, and referral URLs
Cookies and tracking data — see Section 9 (Cookies) for full details

3.3 Data We Receive from Third Parties

Single Sign-On (SSO) providers — if you log in via Google, Microsoft, or another SSO provider, we receive your name and email address from that provider
Payment processors — confirmation of payment status from our payment provider
Analytics providers — aggregated and anonymised usage data to help us understand how the platform is used

4. How We Use Your Data

We use your personal data for the following purposes, relying on the legal bases indicated:

Purpose	Legal Basis
Creating and managing your account	Contract performance
Providing access to the platform and its features	Contract performance
Processing payments and managing subscriptions	Contract performance
Sending transactional emails (e.g. account confirmation, password reset)	Contract performance
Responding to support requests and enquiries	Contract performance / Legitimate interests
Improving and developing the platform	Legitimate interests
Monitoring platform security and preventing fraud	Legitimate interests / Legal obligation
Sending product updates and feature announcements	Legitimate interests (with opt-out)
Sending marketing communications	Consent
Complying with legal and regulatory obligations	Legal obligation
Conducting anonymised analytics and research	Legitimate interests

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time (see Section 8).

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.

5. How Long We Keep Your Data

We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.

Data Type	Retention Period
Account data	Duration of the account plus 2 years after closure
Platform content and uploads	Duration of the account plus 30 days after closure
Financial and billing records	7 years (legal/tax obligation)
Support correspondence	3 years from last interaction
Marketing consent records	Until consent is withdrawn plus 1 year
Cookie and analytics data	Up to 13 months (see Section 9)
Server and security logs	90 days

When data is no longer required, we securely delete or anonymise it in accordance with our data retention procedures.

6. Who We Share Your Data With

We do not sell your personal data. We may share it with the following categories of recipients:

6.1 Service Providers (Processors)

We use trusted third-party service providers to help us deliver the Services. These providers only process your data on our instructions and are contractually bound to keep it secure:

Cloud hosting and infrastructure
Payment processing
Email delivery
Analytics
Customer support tools
Error monitoring

A full list of our sub-processors is available upon request.

6.2 Business Transfers

If ImpactPlanner is involved in a merger, acquisition, or sale of all or part of its business, your data may be transferred to the acquiring entity. We will provide reasonable notice before this occurs.

6.3 Legal and Regulatory Requirements

We may disclose your data where required by law, court order, or a competent regulatory authority, or where necessary to protect the rights, property, or safety of ImpactPlanner, our users, or the public.

6.4 With Your Consent

We may share your data with other third parties where you have given us your explicit consent to do so.

7. International Transfers

ImpactPlanner is based in the United Kingdom. Some of our service providers may process your data outside the UK or European Economic Area (EEA). Where this occurs, we ensure appropriate safeguards are in place, such as:

Transfers to countries with a UK adequacy decision
Use of the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) as applicable
Binding Corporate Rules where relevant

You may request details of the specific transfer mechanisms we use by contacting us at privacy@impactplanner.co.uk.

8. Your Rights

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights in relation to your personal data:

Right	What It Means
Right of access	You can request a copy of the personal data we hold about you
Right to rectification	You can ask us to correct inaccurate or incomplete data
Right to erasure	You can ask us to delete your data in certain circumstances
Right to restrict processing	You can ask us to pause processing of your data in certain circumstances
Right to data portability	You can request your data in a structured, machine-readable format
Right to object	You can object to processing based on legitimate interests or for direct marketing
Rights re: automated decisions	You can request human review of any automated decision that significantly affects you
Right to withdraw consent	Where we process data on the basis of consent, you may withdraw it at any time

To exercise any of these rights, please contact us at privacy@impactplanner.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.

If you are unhappy with how we have handled your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Cookies

We use cookies and similar tracking technologies on our website and platform. Cookies are small text files stored on your device that help us recognise you and improve your experience.

9.1 Types of Cookies We Use

Category	Purpose	Examples
Strictly necessary	Essential for the website and platform to function. Cannot be disabled.	Session cookies, authentication tokens, security cookies
Performance & analytics	Help us understand how visitors use our site so we can improve it.	Google Analytics, Plausible
Functional	Remember your preferences and settings.	Language preference, theme selection
Marketing	Used to deliver relevant advertising and track campaign effectiveness.	Google Ads, LinkedIn Insight Tag

9.2 Managing Cookies

You can control and manage cookies in several ways:

Cookie banner — when you first visit our website, you will be presented with a cookie consent banner allowing you to accept, reject, or customise non-essential cookies
Browser settings — you can configure your browser to block or delete cookies. Please note that disabling certain cookies may affect the functionality of the website
Opt-out tools — for analytics cookies, you may use tools such as the Google Analytics Opt-out Browser Add-on

Strictly necessary cookies do not require your consent and cannot be disabled, as they are essential for the Services to function.

10. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, loss, alteration, or disclosure. Our security measures include:

Encryption of data in transit (TLS/HTTPS) and at rest
Access controls and role-based permissions
Regular security assessments and penetration testing
Staff training on data protection and security practices
Incident response procedures

While we take all reasonable steps to protect your data, no method of transmission over the internet is completely secure. If you suspect any unauthorised access to your account, please contact us immediately at security@impactplanner.co.uk.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, will notify you without undue delay.

11. Children's Privacy

Our Services are not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected data from a child, please contact us at privacy@impactplanner.co.uk and we will promptly delete it.

12. Links to Third-Party Websites

Our website and platform may contain links to third-party websites or integrations with third-party services. This Privacy Policy does not apply to those third-party sites. We encourage you to read their privacy policies before providing any personal data to them. We are not responsible for the privacy practices of any third-party websites.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy
Notify registered users by email or via a notice within the platform
Where required by law, seek your consent before applying the changes

We encourage you to review this policy periodically. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy.

14. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

ImpactPlanner Ltd
Email: privacy@impactplanner.co.uk
Website: impactplanner.co.uk
Registered Address: [Registered Office Address]

This Privacy Policy is governed by the laws of England and Wales.