Charity Recorder

Security & privacy

Your donation records are personal. Here is exactly how we protect them — no jargon, no vague reassurances.

Where your data lives

The Charity Recorder database and authentication services run on UK-hosted infrastructure in London, and application server functions also run in London. Both the database and the application server are therefore in UK data centres.

Static assets (images, JavaScript bundles, CSS) are served from a global CDN — these contain no personal data.

Database security

Every user-owned table has Row-Level Security (RLS) enabled. This means the database itself enforces that you can only read and write your own household's data — it is not left to application code alone.

Household isolation is absolute: one household cannot access another's donation records, even in the event of a bug in the application layer.

Authentication

Accounts use email and password. Email addresses are verified before first login.

Passwords are never stored in plain text. Password reset is handled via a time-limited emailed link.

Email

Transactional emails (verification, password reset, invitations) are sent via an EU-hosted email delivery provider. Your email address is not used for marketing.

Your rights

You can export all your donation data at any time as a CSV file from the Settings page.

You can request deletion of your account and all associated data from the Settings page. Data is held for 30 days after a deletion request before permanent deletion.

What we do not do

We do not sell your data. We do not share your data with third parties except the infrastructure providers necessary to operate the service, all of whom process data only for that purpose.

We do not provide personalised tax advice. Charity Recorder is a record-keeping tool — what you claim, if anything, is entirely your decision.

Charity Recorder is not affiliated with, endorsed by, or connected to HMRC or any government body.

Questions about security or privacy? Contact us at support@charityrecorder.com.