Privacy Policy

Last updated: 1 April 2026

1. Who we are (Data Controller)

NGO Toolkit Lab is operated by Muneeb Bin Yousuf ("we", "us", "our"), trading as NGO Toolkit Lab at ngotoolkitlab.com. For the purposes of the UK GDPR and EU GDPR, Muneeb Bin Yousuf is the data controller responsible for your personal data.

Contact: hello@ngotoolkitlab.com

2. What data we collect

  • Email address and organisation name — collected when you verify your email to access the free tier or create an account.
  • Project inputs — the content you enter into tool wizards (project names, descriptions, sector, location). Stored to enable project reuse across sessions and devices.
  • Usage data — which tools you use, which stages you complete, export actions. Collected via PostHog (anonymised where possible).
  • Payment data — handled entirely by LemonSqueezy. We do not store card numbers or payment instrument details.
  • Session data — a session cookie is set when you log in or verify your email, used solely to keep you authenticated.

3. Legal basis for processing (GDPR)

We process your personal data on the following legal bases under Article 6 UK/EU GDPR:

  • Contractual necessity (Art. 6(1)(b)) — processing your email address and project inputs to deliver the service you have requested.
  • Legitimate interests (Art. 6(1)(f)) — product analytics to improve the service. We have conducted a legitimate interests assessment and concluded this does not override your rights.
  • Consent (Art. 6(1)(a)) — non-essential cookies and analytics, only after you accept via our consent banner. You may withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — where required by applicable law (e.g. financial record-keeping for paid transactions).

4. How we use your data

  • To generate and deliver documents based on your inputs
  • To identify you across sessions so you can reuse previous projects
  • To send verification and access codes via email
  • To understand how the product is used and improve it
  • To process payments (via LemonSqueezy)

We do not sell your personal data. We do not use your project content to train or fine-tune AI models. Your inputs are processed solely to generate outputs for you.

5. Cookies and tracking

We use:

  • Session cookie — an HttpOnly, Secure cookie to keep you logged in for 30 days. This is strictly necessary and does not require consent.
  • PostHog — product analytics (EU region). Tracks tool usage and wizard completion. Activated only with your consent.
  • Google Analytics 4 — web analytics. Tracks page views and traffic sources. Activated only with your consent.

Analytics only activate after you accept cookies via the consent banner. You can withdraw consent at any time by clearing your cookies or contacting us.

6. Data storage and security

Personal data is stored in a PostgreSQL database hosted in the EU (Neon / Vercel EU region). We use HTTPS throughout. Passwords are never stored — authentication is via one-time email codes or single-use magic links. We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, or disclosure.

7. International data transfers

When you use our document generation tools, your project inputs are sent to Google's Gemini API to generate document content. Google LLC is based in the United States. This constitutes a transfer of personal data outside the UK/EEA. This transfer is made subject to Google's Standard Contractual Clauses (SCCs) as approved by the European Commission, and Google's UK International Data Transfer Addendum. Google's applicable data processing terms are available atai.google.dev/gemini-api/terms.

Under Google's API usage policies, data submitted via the Gemini API is not used by Google to train or improve their AI models by default.

Other sub-processors (Resend, LemonSqueezy, PostHog) also have their own data transfer and processing terms. Links are provided in Section 8 below.

8. Third-party sub-processors

  • Google Gemini API — AI-powered document generation. Your project inputs are processed by Google to generate document content on our behalf. Google acts as a data processor under our instructions.Google Privacy Policy
  • Resend — transactional email delivery (verification and access codes).Resend Privacy Policy
  • LemonSqueezy — payment processing. Card and payment data is handled entirely by LemonSqueezy and is not accessible to us.LemonSqueezy Privacy Policy
  • PostHog — product analytics, EU-hosted.PostHog Privacy Policy
  • Vercel / Neon — infrastructure and database hosting (EU region).

9. Automated processing

Our service uses automated processing (AI-powered generation) to create document content from your inputs. This does not constitute automated decision-making with legal or similarly significant effects as defined under Article 22 UK/EU GDPR — all generated documents are presented to you for review and editing before any use or submission. No decisions about you are made solely by automated means.

10. Your rights (GDPR)

Under UK GDPR and EU GDPR, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your personal data ("right to be forgotten").
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, commonly used format.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email hello@ngotoolkitlab.com. We will respond within 30 days. We may ask you to verify your identity before processing your request.

11. Right to complain

You have the right to lodge a complaint with a data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, you may contact your local national supervisory authority. We would, however, appreciate the opportunity to address your concerns before you contact a supervisory authority — please reach out to us first.

12. Data retention

Account data is retained for as long as your account is active. Project data is retained for 2 years after last activity. You may request deletion at any time. Payment records may be retained for up to 7 years to comply with financial record-keeping obligations.

13. Changes to this policy

We may update this policy to reflect changes in our practices or legal requirements. Material changes will be communicated via the website. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

Privacy enquiries: hello@ngotoolkitlab.com