Privacy Policy
Last updated: 5 April 2026
This Privacy Policy explains how Memberstack (“we”, “us”, “our”) collects, uses, stores, and protects personal information when you use our membership management platform (“Platform”).
1. Who We Are
Memberstack is a multi-tenant membership management platform that enables professional bodies, associations, clubs, and institutions to manage their members, payments, events, CPD tracking, and more. We operate at memberstack.org.
2. Data Roles
- Organizations (our customers) act as data controllers for their members’ personal data. They determine the purposes and means of processing.
- Memberstack acts as a data processor on behalf of Organizations, processing member data only as instructed to provide the Platform services.
- For our own customer relationship (Organization admins), we act as a data controller.
3. Information We Collect
3.1 Organization Admin Data
When an Organization registers, we collect:
- Full name, email address
- Organization name, type, and contact details
- Billing and payment information
3.2 Member Data (on behalf of Organizations)
When members register or are added by an Organization:
- Full name, email address, phone number
- Membership number, tier, and status
- National ID or identification number (if provided)
- Date of birth, address
- Profile photo
- Payment history and invoices
- CPD records and compliance data
- Event attendance records
- Certificates issued
3.3 Automatically Collected Data
- IP address and browser user agent
- Login timestamps and activity logs
- Device and browser information
4. How We Use Information
We process personal data to:
- Provide and maintain the Platform services
- Authenticate users and secure accounts
- Process payments and generate invoices
- Issue membership and practising certificates
- Track CPD compliance
- Send transactional notifications (invoices, password resets, welcome emails)
- Provide customer support
- Improve and develop the Platform
- Comply with legal obligations
5. Legal Basis for Processing
We process personal data based on:
- Contract performance — to provide services you’ve subscribed to.
- Legitimate interests — to improve our Platform, prevent fraud, and ensure security.
- Legal obligation — to comply with applicable laws and regulations.
- Consent — where specifically requested (e.g., optional marketing communications).
6. Data Sharing
We do not sell personal data. We may share data with:
- Payment processors (Lenco) — to process subscription and member payments.
- Cloud infrastructure providers — for hosting and storage (servers located in secure data centres).
- Email service providers — to deliver transactional emails.
- Law enforcement — when required by law or to protect our legal rights.
Organization admins can access their own members’ data through the Platform. Members can view their own profile, invoices, and certificates.
7. Data Storage & Security
- All data is stored on secured servers with encryption at rest and in transit (TLS 1.2+).
- Passwords are hashed using bcrypt with a cost factor of 12.
- JSON Web Tokens (JWTs) are used for authentication, with configurable expiry and support for revocation.
- Two-factor authentication (TOTP) is available for member accounts.
- File uploads (photos, documents, certificates) are stored in encrypted object storage (MinIO/S3-compatible).
- We implement role-based access control to restrict data access.
- Regular backups are maintained and tested.
8. Data Retention
- Active accounts: Data is retained for as long as the Organization’s account is active and the subscription is maintained.
- After termination: Organization data is retained for 30 days to allow export, then permanently deleted, except for records subject to the longer retention periods listed below.
- Payment records: Retained for 7 years to comply with financial record-keeping requirements.
- Activity logs: Retained for 12 months for security and audit purposes.
9. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access — Request a copy of the personal data we hold about you.
- Rectification — Request correction of inaccurate data.
- Erasure — Request deletion of your personal data (“right to be forgotten”).
- Portability — Receive your data in a structured, machine-readable format.
- Restriction — Request that we limit processing of your data.
- Objection — Object to processing based on legitimate interests.
- Withdraw consent — Where processing is based on consent.
Members: Please contact your Organization in the first instance, as they are the data controller for your membership data. If the Organization is unresponsive, contact us directly.
Organizations: Contact us at privacy@memberstack.org.
10. Cookies
The Platform uses essential cookies and local storage for authentication (the JWT and the current organization context). We do not use third-party tracking cookies or advertising cookies.
11. Children’s Privacy
The Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take steps to delete it promptly.
12. International Data Transfers
Our servers are hosted in secure data centres. If data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place, including contractual protections with our service providers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the Platform at least 14 days before taking effect. The “Last updated” date at the top reflects the latest revision.
14. Contact Us
For privacy-related inquiries:
- Email: privacy@memberstack.org
- General: hello@memberstack.org