Empowering Cyber Security for Charities and Not-for-Profits

Privacy Policy

Last revised - 8th October 2025

Mira Software Ltd, trading as “Charity Cyber” (“we”, “our”, “us”) operates www.charitycyber.co.uk and the Charity Cyber Portal (together, the “Service”).

This Privacy and Cookie Policy explains how we collect, use, store, and protect your personal information, and how we use cookies and similar technologies.

1. Definitions

For the purposes of this Policy:

  • Account means a unique account created for your organisation to access the Service.

  • Personal Data means information relating to an identified or identifiable individual.

  • Customer Data means data submitted by you, such as domains, IP addresses, uploaded files, and user account details.

  • Usage Data means data collected automatically when using the Service (e.g., IP address, browser/device type, login activity, usage logs).

  • Reports means analyses, alerts, or recommendations generated by the Service based on Customer Data or Usage Data.

  • Service Provider means a third party engaged by us to process data on our behalf (e.g., hosting, billing, email delivery).

2. Information we collect

We may collect:

  • Account information – name, email, organisation details, and login credentials.

  • Subscription/payment data – processed securely by Stripe; we do not see or store full card details.

  • Usage Data – IP address, login activity, device/browser info.

  • Uploaded files – stored securely in Microsoft Azure.

  • Communications – emails and notifications sent via Mailgun.

3. How We Use Your Information

We use your information to:

  • Provide and maintain the Service.

  • Manage your Account and subscription.

  • Process payments.

  • Send notifications, updates, and reports.

  • Monitor usage for security and performance.

  • Respond to enquiries and support requests.

  • Comply with legal or regulatory obligations.

  • Support business changes, such as a merger, acquisition, or sale of assets. If this happens, your data will remain subject to protections consistent with this Policy.

  • Improve the Service through anonymised analysis.

4. Lawful Basis for Processing

We process data under the following lawful bases (UK GDPR and Data Protection Act 2018):

  • Contract – to deliver the Service.

  • Legal obligation – to comply with applicable laws.

  • Legitimate interests – to secure, monitor, and improve the Service.

  • Consent – for non-essential cookies and marketing communications.

5. Data Retention

We retain personal data only as long as necessary to provide the Service and comply with our legal obligations:

  • Account and subscription data – retained while your organisation has an active subscription.

  • Billing records – retained for up to 6 years to meet legal and tax requirements.

  • Uploaded files – retained until deleted by you or your account is closed (subject to limited backup retention).

  • Communications – retained as required for support and compliance.

  • Usage Data – retained for a limited period unless required for security or compliance.

Deleted data may remain in secure backups for a limited period before being permanently removed. Aggregated or anonymised data that does not identify you may be retained indefinitely.

6. Sharing of Data

We share data only with trusted third parties required to deliver the Service. Our core providers include:

  • Bubble – web application front-end and hosting.

  • Xano – backend database and API services.

  • Microsoft Azure – file storage, AI services, and permissions management.

  • Mailgun – email delivery.

  • Stripe – billing and subscription management.

  • Wix – hosting of our public marketing website.

  • Microsoft Clarity – analytics and user behaviour insights on our marketing website. Clarity uses cookies and similar technologies to collect anonymised usage data (e.g., pages visited, clicks, scroll depth). Some processing may occur outside the UK, subject to Microsoft’s Data Protection Addendum and applicable safeguards.

We may also use specialist threat intelligence providers (for example, to perform vulnerability scans or dark web monitoring). In these cases, we typically send only technical query data (such as IP addresses or domains) rather than personal data. Results are then processed and stored securely in the UK.

Our core data storage (Xano backend and Microsoft Azure file storage) is located in the United Kingdom. Some providers may process data outside the UK. Where this occurs, we ensure that appropriate safeguards (such as adequacy regulations or the UK Standard Contractual Clauses) are in place to protect your personal data.

Microsoft Azure OpenAI Services

We use Microsoft Azure OpenAI services hosted in the UK South region to provide parts of our Service. All data is stored in the UK, within our Azure resource. However, for technical reasons, some processing operations may occur globally across Microsoft’s secure infrastructure. Microsoft does not use Customer Data to train foundation models, and any processing outside the UK is protected under Microsoft’s Data Protection Addendum and applicable safeguards.

From time to time, we may engage other carefully selected providers where necessary, always in line with our data protection obligations.

We may also disclose data:

  • To comply with legal obligations.

  • To protect our rights and users’ safety.

  • In connection with business transfers (e.g., merger, acquisition, or sale).

We do not sell or rent your data.

7. Cookies and Similar Technologies

What are cookies?

Cookies are small text files stored on your device when you visit a website or application. They help us recognise you, improve your experience, and measure site performance. Cookies may be set by us (“first-party cookies”) or by trusted service providers that we use (“third-party cookies”), such as Stripe or analytics providers.

Marketing website

Our marketing website may use both essential and non-essential cookies (such as analytics and marketing cookies). If you are in the UK or EU, you will see a cookie banner on the site allowing you to accept or reject non-essential cookies. A detailed list of cookies currently in use is available through the website’s cookie consent banner.

Analytics Cookies

We use analytics tools, including Microsoft Clarity, to understand how visitors interact with our site. Clarity uses cookies and tracking technologies to collect information such as pages visited, time spent on site, links clicked, and basic device/browser details. This helps us improve our website experience. Data may be processed outside the UK with appropriate safeguards in place.

Web application (Portal)

Our web application uses only essential cookies required for:

  • Logging in and maintaining sessions.

  • Security functions such as CSRF protection.

  • Payment processing (e.g., Stripe fraud prevention).

These cookies are strictly necessary for the Service to function and cannot be disabled.

Email Tracking

Some of our emails may contain tracking pixels that help us understand whether an email has been opened or a link clicked. This helps us improve our communications and measure engagement. You can disable tracking by setting your email client to block images, or by unsubscribing from our emails at any time.

Managing Cookies

You can control cookies in your browser settings. Disabling essential cookies may prevent the Service from functioning correctly.

8. Security of Data

We apply a “security by design” approach and use technical and organisational measures to protect your data, including:

  • Encryption – all data is encrypted in transit (TLS/HTTPS) and at rest.

  • Access controls – access to systems is role-based and limited to authorised personnel.

  • Data separation – customer data is logically separated to ensure organisations cannot access each other’s information.

  • Monitoring – we monitor systems for vulnerabilities and potential threats on an ongoing basis.

  • Testing – our platform may be subject to independent security reviews or penetration testing.

  • Incident response – in the unlikely event of a security incident affecting your data, we will act promptly and in accordance with our legal obligations.

No system is 100% secure, but our goal is to minimise risks through layered defences, regular review, and continuous improvement.

9. Your Rights

Under the UK GDPR and Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Access – request a copy of the data we hold about you.

  • Correction – request that inaccurate or incomplete data is corrected.

  • Deletion – request deletion of your data (“right to be forgotten”).

  • Restriction – request limitation of processing in certain circumstances.

  • Objection – object to processing based on legitimate interests.

  • Portability – request transfer of your data to another service provider.

  • Withdrawal of consent – withdraw consent where processing is based on consent (e.g., marketing emails).

If you delete your Account, all associated Customer Data and Personal Data will be permanently deleted from our active systems. This process is irreversible, though we may retain limited records where required by law (e.g., billing records).

You may exercise these rights by contacting us at info@charitycyber.co.uk. We may need to verify your identity before processing your request. Requests will be handled within one month in line with applicable law.

If you are dissatisfied with how we process your data, you have the right to complain to the Information Commissioner’s Office (ICO): https://ico.org.uk/make-a-complaint/.

10. Communications and Updates

We may use your contact details to send you important updates about the Service, such as feature releases, security notices, or new functionality that may benefit your organisation. These messages form part of our service communications and are sent under our legitimate interests in keeping you informed.

We may also send occasional newsletters or product announcements that relate to similar services we provide. You can opt out of these communications at any time by clicking the “unsubscribe” link in any email or by contacting us at info@charitycyber.co.uk.

We do not sell or share your contact details for marketing by third parties.

11. Children's data

The Service is intended for use by organisations and is not directed at individuals under 18. We do not knowingly collect personal data from children under 16. If we learn that we have collected such data without parental consent, we will delete it.

12. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, or legal requirements.

  • Minor changes (e.g., clarifications) will be effective immediately upon posting, with the “last updated” date at the top of this page reflecting the change.

  • Material changes (e.g., changes to how we process data) will be notified to you by email or through the Service before they take effect.

By continuing to use the Service after an update, you agree to the revised Policy.

13. Contact Us

Mira Software Ltd (trading as Charity Cyber)

Castle Hill House

High Street
Huntingdon
PE29 3TE

info@charitycyber.co.uk
