Impact Stack Privacy Policy

This is the privacy policy the Service ’Impact Stack’provided by the More Onion group of companies, (“Privacy Policy”). We want to be as transparent as possible in how we use your data and if you have any questions feel free to reach out.


This document relates to the management of data within the Impact Stack campaigning and fundraising platform, as owned and managed by More Onione-campaigning GmbH (‘more onion’, ’Impact Stack’ or ‘we’). This privacy policy will explain how Impact Stack uses the personal data held on our servers in relation to the use of this platform by our Clients (‘clients’).

For the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (“GDPR”), the Data Protection Act 2018, the Austrian Data Protection Act  and any applicable national implementing laws, regulations and secondary legislation relating to the processing of personal data (together “Data Protection Law”), we are the data processor.

‘Personal data’ is defined in accordance with Data Protection Law.

This document should be read together with the Data Processing Agreement which lays out in further detail the roles and responsibilities of each party. This Data Processing Agreement is signed by more onion and our clients as a part of the Impact Stack contract that all clients must sign to use the Impact Stack platform.

The personal data relevant to this privacy policy is that of the supporters of our clients (‘supporters’).

This Privacy Policy does not apply to personal data collected directly by the more onion group of companies as a data controller.

The legal basis for data collection is determined by the privacy policy of our clients, who are the Data Controller.

What data do we collect?

The nature of the data collected and stored by Impact Stack is determined by clients, but may include:

  1. Personal identification information (Name, email address, postal address phone number, etc.)
  2. Information on donations made and other forms completed, including any form field values (amount of donation, motivation, messages to politicians etc)
  3. No sensitive personal data (as defined by GDPR) may be collected through Impact Stack
  4. We do not collect or store any credit card information. This type of information is passed directly to payment processors the client has a direct relationship with
  5. We do collect payment information when clients choose to ask for bank account and sort codes to process direct debits

How do we collect your data?

The data is collected through several methods:

  • Data files transferred to us by the client
  • Data files loaded into Impact Stack or a given to us via a secure file sharing folder by the client
  • Data inputted into Impact Stack forms directly by supporters
  • Data automatically imported from other tools, such as email marketing tools used by the client

How will we use your data?

Data is collected and stored for the sole purposes of clients. For further details on how this data will be processed by clients, please consult clients’ own Privacy Policies.

Personal Data will be processed to the extent necessary to provide the Impact Stack platform in accordance with both the contractual agreement and the client’s instructions (as Data Controller). We process Personal Data only on behalf of the Controller. Processing operations include, but are not limited to:

  1. sending emails to campaign targets as designed by clients
  2. sending data to third party services such as email broadcast tools and CRMs through integrations and webhooks
  3. processing donations, storing form completion data. This operation relates to all aspects of Personal Data processed
  4. Analysing the data on behalf of the client

How do we store your data?

Your information may be stored in a number of locations, including:

  1. In databases and log files on our webservers
  2. Our secure file transfer service, NextCloud
  3. On local computers or mobile devices for the purpose of data processing

Our data centres (applicable to 1. and 2.) are based in Germany and we never move personal data outside of the EEA and the UK.


We will never use supporter data held in Impact Stack for marketing purposes.

What are your data protection rights?

Supporters are entitled to the following:

The right to access – You have the right to request that More Onion Ltd or More Onion GmbH provides copies of personal data held about you. We have the right to charge a reasonable fee for the administrative costs of such requests if they are manifestly unfounded or excessive; or if an individual requests further copies of their data following a request.

The right to rectification – You have the right to request that we correct any information that you believe to be inaccurate. You also have the right to ask us to complete information that you believe to be incomplete.

The right to erasure – You have the right to request that we erase your personal data, under certain conditions.

The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions

The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.

The right to data portability – You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

Supporters should exercise these rights by directly contacting the client, ie Data Controller, who will in turn instruct us as Data Processor to action this request.

What are cookies?

Cookies are placed on your computer to collect standard internal log information and visitor behaviour information. When you visit a website that runs on Impact Stack, we may collect information from you automatically through cookies or similar technology (such as session storage).

For further information, visit

When visiting an Impact Stack site provided via one of our clients please consult their privacy policy. Impact Stack uses cookies to track information such as where you have come from before visiting the Impact Stack page and the exact URL you are visiting. This information is saved along with any form submission, such as a donation or an online action.

How do we use cookies?

We use cookies in a number of ways including:

  1. Understanding, analysing and optimising how you interact with Impact Stack
  2. To improve your experience using Impact Stack
  3. To allow our clients to analyse, optimise and to further tailor communications with you

What types of cookies do we use?

Functionality – We use some cookies designed to improve your on-site experience. For example what language you prefer and the location you are in. Also whether you have chosen to allow JavaScript within your browser. We may also use cookies to remember which forms you have completed and the values you have given for them.

Understanding, Analysis, Statistics and Optimisation – We use some cookies to help us to understand how you use the website, which pieces of content are valuable to you and which devices you use so that we/clients can improve the quality of the content and ensure that it is clear and attractive on your chosen device. We also use cookies to understand which channels for mobilising supporters work best.

The table below explains the cookies we use and why we use each of them.

Impact Stack Webform Tracking

Session cookie

The Impact Stack webform tracking cookie is used for analysis and optimisation purposes. The data from the cookie will be saved with any form submissions you make on our websites.

Drupal 7 „Java Script enabled“

Session cookie

This cookie is used to keep a record of whether the browser has Java Script enabled or not. This cookie is required for the site to function.

Impact Stack Webform prefilling

Session storage

Impact Stack saves your data in the session storage so you don’t have to fill in the same information multiple times while using the platform. This data is saves when you land on the page where your data is passed through via the URI parameter or once you have submitted a form on the platform. The data is deleted as soon as the session is closed.

How to manage your cookies

You can set your browser to not accept cookies, and the above website will tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

Privacy policies of other websites

Our websites and websites running on Impact Stack may contain links to other websites. Our privacy policy only applies to our website, so if you click on a link to another website out policy does not apply.

Protection of your data

All information you provide to Impact Stack for processing is stored on our secure servers. Any credit card information, payment transactions and form submission will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Impact Stack platform or services, you are responsible for keeping this password confidential. We ask you not to share any password with anyone.

Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your data transmitted to Impact Stack or the services. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Where we store your data

All Impact Stack services are hosted on servers in Germany, however the Impact Stack services are global and your information (including personal data) may be stored and processed in the European Union or the United Kingdom where we have operations or where we engage service providers, and we may transfer your information to countries outside of your country of residence, which may have data protection rules that are different from those of your country of residence.

The personal data that we collect from you may therefore be transferred to, and stored at, a destination inside the European Economic Area ("EEA") or the UK. It may also be processed by staff operating inside the EEA or UK who work for us or for one of our suppliers or partners. Such staff or subcontractors may be engaged in, among other things, the fulfilment of your order, the processing of your payment details or the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing inside of the EEA or the UK.

As Data Processors, We may, at the instruction of Clients (the Data Controllers), transfer data to other jurisdictions outside of the EEA or the UK. This may include using an Impact Stack integration to send data to email marketing or CRM systems with server infrastructure outside of the EEA or the UK. This type of transfer will be mentioned in the privacy policy of the data controller.

We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. In particular, this means that your personal data will only be transferred to a country that provides an adequate level of protection (for example, where the European Commission has determined that a country provides an adequate level of protection) or where the recipient is bound by standard contractual clauses according to conditions provided by the European Commission (“Standard Contractual Clauses”).

Impact Stack services are accessible via the internet and may potentially be accessed by anyone around the world. Other users may access Impact Stack services from outside the EEA or the UK. This means that where you chose to post your data on Impact Stack based websites or within the services, it could be accessed from anywhere around the world and therefore a transfer of your data outside of the EEA or the UK may be deemed to have occurred. You consent to such transfer of your data for and by way of this purpose.

Data Retention

We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. Specific timelines on data retention and expiry are to be determined by the Data Controller (the Client).

The detailed information on how long we retain data and for what purpose is regulated by the data processing agreement between Impact Stack and the client using the Impact Stack service.

We will retain de-personalised information after your account has been closed.

Please note: After you have closed your account or deleted information from your account, any information you have shared with others will remain visible. We do not control data that other users may have copied from our Websites or the services. Your profile may continue to be displayed in the services of others (e.g. search engine results) until they refresh their cache.

Age of Users

Our services are not intended for and shall not be used by anyone under the age of 16.

Changes to our privacy policy

This policy will be reviewed and updated from time to time. This Privacy Policy was last updated on the 30thNovember 2020.

How to contact us

You can contact us at if you have any questions or would like to exercise one of your data protection rights.

How to contact the appropriate authorities

Should you wish to make a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.

For individuals located in the EU: To our lead supervisory authority in Austria: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria.

For individuals located in the UK: The Information Commissioner’s Office at, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.