NationBuilder is a software as a service company. There are thousands of campaigning groups that use its services. Like Google, it can be asked to provide information for police investigations, under the laws of California. But otherwise it is a site hosting the databases of each organisation using its service, like any cloud data provider. I don't think that makes it a data controller, as the data is managed by each organisation hosting there. But I am not a lawyer.
Each organisation mentioned in the article has registered under the Data Protection Act, where they list all the many things political parties need to do to campaign in elections and maintain their databases. They should explain this in their privacy policies. As we see in the article, they don't do that very well.
Several of the limitations on commercial data protection do not apply to political parties. Since voting is a civic duty, you cannot opt out of electoral communications, be it from a council or a political party. For that reason, electoral law entitles political parties to the complete register of electors. You can opt out of the edited version sold to businesses, but not from political communications. Party officers sign an agreement that they will not use the electoral roll for non-political purposes. For the same reason, you cannot opt out of political telephone calls during election periods. It is electoral law that determines what parties can do in such circumstances.
Nevertheless, all parties maintain opt-out lists. There is no point communicating with someone who is not going to vote for you. NationBuilder is designed so that every email blast includes an opt-out link. If you use it to record telephone contacts, the telephone volunteer can mark the record "do not call".
NationBuilder, and some rival systems, do pull in data from Twitter and Facebook that has been made available to everyone (not just friends), starting with followers of political party accounts. A deduplication routine each night tries to find matches with people in the database, but they have to be confirmed by a human being before the records are merged.
That is the state of the art as far as most UK parties go. A lot of local parties just use spreadsheets, and have no database. The Conservative Party commissioned a special voter database that failed on polling day last year, containing details of all the voter responses to surveys, so they could deliver to each voter in marginal constituencies a letter about the issue they were most concerned about (there is an article on Conservative Home that explains this).
Nowhere in the UK have I come across the extensive data collection and analysis done in the Obama 2012 campaign, when the Democrats and Republicans purchased lots of commercial demographic data, and even went as far as commissioning psychometric tests of voters in different towns, to work out how likely they were to vote at all. (A talk at a London data science meetup explained how they could explain 90% of the variance in probability to vote through a nested decision tree trained on such data.)
In short, most political parties are using data in the ways they are registered to use it under the Data Protection Act, but are not making this clear in their privacy policies.