Last updated: 2026. For a specific data processing agreement, email info@legacylink.tech.
Roles
The institution is the Controller under UK-GDPR. SalesCollab (Pty) Ltd, operating LegacyLink, is the Processor, engaged under a written UK-flavoured DPA that references the ICO's International Data Transfer Addendum where relevant.
Lawful basis and PECR
- Alumni relationship communications are generally processed on the basis of legitimate interests, with the soft opt-in under PECR for direct electronic marketing to existing supporters.
- Consent-based channels (WhatsApp, SMS) are captured with a granular, timestamped record and are individually revocable.
- Fundraising communications follow the Fundraising Regulator's Code of Fundraising Practice, including a clear opt-out on every channel.
Data subject rights
Access, rectification, erasure, restriction, portability, and objection rights are surfaced through the in-product privacy centre and honoured within the statutory one-month window.
Gift Aid and HMRC (roadmap)
Gift Aid declarations, HMRC-format claim files and audit-friendly receipting are on the Phase 2 roadmap for UK institutions on the flat-SaaS pricing model.
International transfers
Transfers outside the UK use the ICO's UK IDTA (or the EU SCCs with the UK Addendum) with the receiving processor, supported by a Transfer Risk Assessment.
Security controls
- Tenant isolation via row-level security.
- AES-256 encryption at rest, TLS 1.2+ in transit.
- Least-privilege operator access with MFA.
- Append-only audit logs on privileged actions.
Breach notification
LegacyLink notifies the institution without undue delay so it can meet its 72-hour obligation to the ICO where the breach is likely to result in a risk to individuals.
Shared responsibility: LegacyLink provides the platform controls described above. Each institution (the data controller) is responsible for its own lawful basis, alumni notices, retention decisions, and any additional local requirements. This page is app-owner editable content, not independent legal advice or a certification issued by a third party.
