Giving Technologies, Inc. and its affiliates and subsidiaries (collectively, "GivingTech," "we," "our," and "us") provide this Privacy Policy ("Policy") to explain how we collect, use, and disclose information about you through our platforms and services, such as our donation forms and Fundraisers (collectively, the "Services").
Before you access, use, or submit any information through or in connection with the Services, please carefully review this Policy. By using any part of the Services, you acknowledge that you have read and understood that we may collect, use, and disclose information about you as outlined in this Policy. To the extent allowed by law, the English version of this Policy is binding, and translations in other languages are for convenience only; in case of discrepancies, the English version shall prevail.
This Policy does not cover the privacy practices of (i) organizers of Fundraisers ("Organizers"), (ii) beneficiaries of fundraisers ("Beneficiaries"), or (iii) nonprofit organizations that use the GivingTech platform ("GivingTech Clients"). We are not responsible for the privacy practices of Organizers, Beneficiaries, or GivingTech Clients, and their handling of your information may be subject to their own privacy statements.
GivingTech processes personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation as retained and amended by the Data Protection Act 2018. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the rights and protections described in the GDPR Compliance section below apply to you.
EU & UK GDPR Compliance
Where the EU GDPR or UK GDPR applies to our processing of your personal data, we are committed to processing it lawfully, fairly, and transparently. Because GivingTech operates as a platform that serves nonprofit clients, our role under the GDPR depends on whose data is involved and why it is being processed. This section explains those roles, summarizes your rights, and supplements the rest of this Privacy Policy.
Our role: when we are a processor and when we are a controller
The GDPR distinguishes between a "controller" (the party that decides the purposes and means of processing personal data) and a "processor" (a party that processes personal data on behalf of a controller, on the controller's documented instructions). Depending on the data and context, GivingTech acts in one role or the other.
Donor data – GivingTech acts as a processor. When you donate to a nonprofit through the Services, the recipient nonprofit (a "GivingTech Client") is the controller of your donor personal data. The nonprofit decides why and how that data is used, owns the donor relationship, and is responsible for communications with you. GivingTech processes that data on the nonprofit's behalf — for example, to process the payment, record the transaction, issue receipts, and store the data securely — under the terms of a Data Processing Agreement entered into with the nonprofit (which forms part of our Terms of Service). If you are a donor and want to exercise rights under the GDPR in relation to your donor data, you should generally contact the nonprofit that received your donation. You may also contact us and we will route your request to the appropriate nonprofit and assist them in responding.
Our own purposes – GivingTech acts as a controller. For personal data we collect and process for our own purposes, GivingTech is the controller. This includes, for example: account and administrative data of the individuals who sign up to use GivingTech on behalf of a nonprofit; communications with our support team; platform analytics, logs, and security data; fraud prevention and anti-money-laundering analytics across the platform; KYC/AML records we are legally required to keep; and any direct marketing of GivingTech's own products and services. For this data, the rights described below can be exercised directly against us.
Payment processors. We rely on third-party payment processors to handle card and bank transactions. Those processors typically act as independent controllers for certain purposes (such as fraud prevention and regulatory compliance) and as processors for the payment execution itself. Their privacy notices describe how they handle your payment information.
Your rights under the GDPR
If you are in the EEA, the UK, or Switzerland, you have the following rights in relation to your personal data, subject to the conditions and exceptions set out in applicable law:
- Right of access — obtain confirmation of whether your personal data is being processed and a copy of that data.
- Right to rectification — have inaccurate or incomplete personal data corrected.
- Right to erasure ("right to be forgotten") — request deletion of your personal data in certain circumstances.
- Right to restrict processing — ask for processing of your data to be limited in certain circumstances.
- Right to data portability — receive the personal data you provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Right to object — object to processing based on legitimate interests, and object at any time to processing for direct marketing purposes.
- Rights related to automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects, except as permitted by law.
- Right to withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
Who to contact. Where GivingTech is the controller of the data in question, you may exercise these rights directly with us. Where a nonprofit is the controller (for example, for your donor data), you should exercise these rights with that nonprofit; we will assist the nonprofit in responding, as required by our Data Processing Agreement with them. If you are not sure which is which, contact us and we will help you reach the right party.
To contact GivingTech about any GDPR-related matter, email [email protected]. For requests where GivingTech is the controller, we will respond within one month, though we may extend this period by up to two further months for complex or numerous requests, in which case we will tell you within one month and explain why. We may ask you to verify your identity before responding. Exercising these rights is free of charge, except where requests are manifestly unfounded or excessive.
Legal bases for processing
Where GivingTech is the controller, we process personal data only on a valid legal basis under Article 6 GDPR (and, for special category data, Article 9): (a) performance of a contract with you or to take steps at your request before entering a contract; (b) compliance with a legal obligation (for example, KYC/AML and tax reporting requirements); (c) your consent, which you may withdraw at any time; (d) our legitimate interests in operating, securing, and improving the GivingTech platform and preventing fraud, where these are not overridden by your rights and freedoms; or (e) to protect the vital interests of you or another person. Where we rely on legitimate interests, you may request more information about the balancing test we performed. Where GivingTech is a processor, the relevant nonprofit controller is responsible for identifying the legal basis for processing.
International transfers
Personal data we process may be transferred to, stored, and processed in countries outside the EEA, the UK, or Switzerland, including jurisdictions that have not been deemed to provide an adequate level of data protection. Where we make such transfers — whether as a controller or on behalf of a nonprofit controller — we rely on appropriate safeguards recognized under the GDPR, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), adequacy decisions, or other lawful transfer mechanisms. You may contact us at [email protected] to request more information about the safeguards in place.
Right to lodge a complaint
If you believe the processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority — in particular, in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. In the United Kingdom, the supervisory authority is the Information Commissioner's Office (ico.org.uk). We would, however, appreciate the opportunity to address your concerns before you approach a regulator, so please consider contacting us first at [email protected], or contacting the relevant nonprofit controller where applicable.
1 Information We Collect
As further described below, we collect information in multiple ways: when you provide information directly to us, when we collect information about you from other parties, and when we automatically collect information from your browser or device.
A. Information You Provide Directly to Us
We and our vendors may collect information from you directly when you:
- Open an account or otherwise register for the Services;
- Create a fundraiser on the Services;
- Create a peer-to-peer, crowdfunding, or team page;
- Create, register for, or purchase tickets to nonprofit events, merchandise, and/or other activities;
- Set up withdrawals or transfers;
- Donate to a fundraiser, organization, or cause;
- Post comments, leave feedback, send thank-you notes, or otherwise communicate with other users through our Services;
- Fill out a survey or questionnaire or provide feedback regarding the Services;
- Request certain features (e.g., newsletters, updates, and other products);
- Sign up for contests, awards, and events hosted by us; or
- Communicate with us for troubleshooting or support services.
The information you provide may include:
Account Registration Information: such as your name, email address, login details, country, phone number, and other information you choose to provide (such as a profile picture). If you use the Services as an organization, you may also provide your organization's name, your role/title, identification number, and other details.
Fundraiser Information: such as a fundraiser title, category, images, videos, description, and fundraiser goal(s).
Financial Information: such as payment account details for withdrawals and payment information for donations. We use third-party payment processors to process financial information. These processors may collect personal data, including via cookies, transactional data, and device-identifying information.
Publicly Available and Non-Publicly Available Communications: such as comments, feedback, and thank-you notes. Content posted on publicly available campaign pages is available to the public by default. Take care not to disclose information you do not intend to make public.
Information about Yourself and Others, Including Sensitive Information: such as information about a fundraiser's beneficiary and fundraising goals. If you provide information about others, you acknowledge that you have the authority and consent of those parties for us to access, disclose, and use the relevant data.
Chats and Other Communications: We may offer interactive chat features on the Services for customer service purposes. By using these features, you understand that we and our vendors may, in real time, collect and process the information obtained. Take care not to send financial information or other sensitive personal data through our chat services unless we specifically request it.
Biometric Information: We sometimes engage vendors to collect biometric information for identity verification, regulatory compliance, and fraud prevention. This may include a copy of your government-issued ID and a scan of the photo on that ID. Our vendors may, with your consent, employ facial recognition technology to verify your identity.
B. Information Passively or Automatically Collected
I. Device & Usage Information: When you interact with GivingTech through the Services, we automatically receive certain information from devices you use to access the Services, such as your IP address, browser type, operating system, the website from which you arrived, and inferred location data.
II. Location Information: When you use the Services to organize a fundraiser, the Services may require that you provide your postcode/zip code, city or town, and state or province of residence.
III. Cookies and Other Electronic Technologies: Please review our Cookie Policy for information on the types of cookies we or our vendors use, along with how we use those cookies and other electronic technologies. If we are unable to collect your information, we may not be able to provide you with the Services or assist you with your questions.
2 Our Use of Information Collected
GivingTech uses the information collected from the Services in a manner consistent with this Policy. We may use the information you provide for the following purposes:
- Provide, operate, and maintain the Services, including to register and maintain your account, facilitate the Know Your Customer (KYC) verification process, and to complete transactions;
- Communicate with you for various purposes, including to help you fundraise more, or for administrative purposes (e.g., to provide services and information that you request or to respond to comments and questions);
- Request your feedback;
- Personalization, marketing, and advertising;
- Analyze, improve, modify, customize, and measure the Services, including to train our artificial intelligence and machine learning models;
- Develop new products and services and conduct research and development;
- Verify your identity and detect and prevent fraud or other misuses of the Services;
- Maintain the security of your account and any associated fundraisers;
- Comply with legal obligations, law enforcement requests, and legal process, and to protect our rights, privacy, safety, or property; and
- Carry out any other purpose for which the information was collected.
We may combine information we collect from you with information we obtain from other sources. We may also aggregate and/or de-identify information collected through the Services and use such data for any purpose, including research and marketing.
3 Our Disclosure of Information Collected About You
There are certain circumstances in which we disclose information collected about you to other parties without further notice, as set forth below.
A. Business Transfers. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution, or similar event, user information may be part of the reviewed and transferred assets.
B. Affiliates and Subsidiaries. We disclose your personal information among GivingTech entities, including our affiliates and subsidiaries, for purposes consistent with this Policy, such as to provide our Services, prevent fraud, send you communications, and improve our services.
C. Agents, Consultants, and Vendors. GivingTech contracts with other companies to help us perform certain business-related functions, such as marketing, data storage, security, identity verification, fraud prevention, payment processing, legal services, and database maintenance. We provide access to your information to these companies only to the extent necessary for them to perform their services.
D. Legal Requirements. We may transfer, disclose, and preserve your information for courts, law enforcement, governmental or public authorities, or authorized third parties, where required or permitted by law, including to: comply with legal obligations or valid legal requests; respond to claims asserted against us; address alleged illegal activity or imminent harm; enforce our Terms of Service; or protect the rights, property, or safety of GivingTech, its employees, its users, or the public.
E. Organizers, Nonprofit Beneficiaries, and GivingTech Clients. We may disclose your information to Organizers and Beneficiaries as necessary in connection with your donation or participation. If you donate to a nonprofit through GivingTech, you direct us to disclose your donation and contact information to that nonprofit. GivingTech contractually requires nonprofits to use such information solely to communicate with you about your donation and for legal and auditing requirements. GivingTech Clients may also direct us to further disclose your personal information to other third parties such as CRM tools or integration partners.
F. Aggregated Data. We aggregate, anonymize, and/or de-identify information so that it no longer relates to you individually. We then use and share that data for legally permissible purposes, including research on customer demographics, interests, and behavior.
G. Cookies and Other Electronic Technologies. Information is disclosed as stated in our Cookie Policy.
H. Other Users of Our Services. We provide your information to other users of our Services if you choose to make your information publicly available in a publicly accessible area of the Services, such as in your fundraiser or in comments.
4 Online Analytics and Tailored Advertising
Analytics. We may use third-party web analytics services on the Services, such as Google Analytics, to help us analyze how users use the Services. The information collected by such technology will be disclosed to or collected directly by these vendors, who use the information to evaluate your use of the Services. To prevent Google Analytics from using your information for web analytics, you may install the Google Analytics Opt-Out Browser Add-on.
Tailored Advertising. We may allow third-party advertising networks to place cookies or other tracking technologies on your computer, mobile phone, or other device to collect information about your use of the Services in order to (a) inform, optimize, and serve marketing content based on past visits to our website and other online services, and (b) report how our marketing content impressions and interactions relate to visits to our online services. Those parties that use these technologies may offer you a way to opt out of targeted advertising.
5 Links to Other Websites
The Services may contain links to other websites not operated or controlled by GivingTech ("Third-Party Sites"). The policies and procedures described here do not apply to Third-Party Sites. The links from the Services do not imply that GivingTech endorses or has reviewed those sites. We suggest contacting those sites directly for information on their respective privacy policies.
6 Security
We may hold your information in paper and/or electronic form. While no organization can guarantee perfect security, GivingTech has implemented and seeks to continuously improve technical and organizational security measures to protect the information provided via the Services from loss, misuse, unauthorized access, disclosure, alteration, or destruction.
7 Retention of Your Information
We retain your information for as long as we deem necessary for the purpose for which it was collected and for our legitimate business operations, provided that your information is only retained to the extent permitted or required by applicable laws. When determining the retention period, we take into account factors such as the type of products and services requested, the nature and length of our relationship with you, mandatory retention periods provided by law, and any applicable statute of limitations.
8 Sharing Information
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
9 Changes to This Privacy Policy
GivingTech reserves the right to update or modify this Policy at any time and from time to time. We will notify you of any material updates or changes we make to this Policy. If you disagree with our revisions to the Policy, you can deactivate your account or discontinue the use of our Services. Please review this Policy periodically for any updates or changes.
By using the Services after any such update or modification, you acknowledge that you have read and understood the terms of the Policy as updated or modified.