Privacy Policy

1. Introduction

Givvent, Inc. (“Givvent,” “we,” “us,” or “our”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you visit our website at givvent.com and use our charity fundraising platform (collectively, the “Platform”).

Please read this policy carefully. If you disagree with its terms, please discontinue use of the Platform. Questions or concerns may be sent to privacy@givvent.com.

2. Information We Collect

We collect information in the following ways:

• Information you provide directly. When you register for an account, create a campaign, or make a donation, you provide us with information such as your name, username, email address, password, recovery email, recovery phone number, profile photo, and billing information.
• Information from OAuth providers. If you sign in using Google or Apple, we receive basic profile information (name, email address, profile picture) from those providers in accordance with their own privacy policies and your permissions.
• Usage and device information. We automatically collect information about how you interact with the Platform, including IP address, browser type, operating system, pages visited, referring URLs, and timestamps. This data is collected via server logs and analytics tools.
• Campaign and donation data. We collect information about campaigns you create or contribute to, including donation amounts, campaign descriptions, and associated communications.
• Communications. If you contact our support team or submit feedback, we retain those communications to help resolve your inquiry and improve the Platform.

3. How We Use Your Information

We use the information we collect to:

• Create and manage your account, and authenticate your identity.
• Process donations and disburse funds to campaign organisers.
• Send transactional communications such as email verification, donation confirmations, campaign updates, and password reset instructions.
• Personalise your experience on the Platform, including remembering your preferences and accessibility settings.
• Monitor and analyse usage trends to improve the Platform’s functionality, performance, and security.
• Detect, investigate, and prevent fraudulent transactions, abuse, and other illegal activity.
• Comply with applicable legal obligations and respond to lawful requests from public authorities.
• Send you marketing communications where you have given us consent or where we have a legitimate interest, with an easy opt-out available in every message.

4. Legal Bases for Processing (GDPR)

If you are located in the European Economic Area (EEA) or the United Kingdom, our legal bases for processing your personal data are as follows:

• Contract performance. Processing necessary to provide the services you have requested, including account management and payment processing.
• Legitimate interests. Processing necessary for our legitimate interests in operating a secure and efficient Platform, preventing fraud, and improving our services, provided that such interests are not overridden by your data protection rights.
• Legal obligation. Processing necessary to comply with applicable laws, including financial regulations and anti-money-laundering requirements.
• Consent. Where you have given us specific consent to process your data for a particular purpose, such as receiving marketing emails. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Payment Data

Givvent uses Stripe to process all payments. When you make a donation or save a payment method, your card details are transmitted directly to Stripe and are governed by Stripe’s Privacy Policy. Givvent does not store full payment card numbers on its own servers. We retain only a tokenised reference, the card brand, the last four digits, and the expiry date to display saved payment methods in your account settings. We also keep a record of each donation (amount, the campaign, date, and whether you chose to give anonymously) to issue receipts and operate the Platform.

For organisers (payouts via Stripe Connect).To receive funds, organisers connect a Stripe account to their campaign and complete Stripe’s onboarding. Stripe collects the information it needs to verify identity and enable payouts — which may include legal name, date of birth, address, and bank or debit-card details — directly from the organiser; that information is held by Stripe under its own privacy policy, not by Givvent. We store only the resulting Stripe account identifier and its payout-eligibility status so we can route donations and apply Givvent’s 2.5% platform fee. Stripe’s payment processing fee (2.9% + $0.30) is charged separately by Stripe.

Optional fee coverage. When donating, you may choose to cover the platform and processing fees so the campaign receives your full intended gift. If you do, your donation amount is increased by the fee total at checkout; we record both the amount the campaign receives and the additional amount you chose to contribute. This choice is always optional and shown clearly before you confirm.

6. Cookies & Tracking Technologies

We use cookies and similar tracking technologies (local storage, session storage, pixels) to operate and improve the Platform. The categories of cookies we use are:

• Strictly necessary cookies. Required for core functionality such as authentication sessions and security tokens. These cannot be disabled.
• Performance & analytics cookies. Help us understand how visitors interact with the Platform. We use Vercel Analytics and privacy-friendly aggregated statistics.
• Preference cookies. Remember settings such as your theme preference, accessibility options, and notification choices.

You can control non-essential cookies through your browser settings. Note that disabling certain cookies may affect functionality. We do not currently use third-party advertising cookies.

7. Sharing & Third Parties

We do not sell your personal information. We share data only in the following circumstances:

• Service providers. We share data with trusted third-party vendors who perform services on our behalf, including Stripe (payments and payouts via Stripe Connect), Vercel (hosting and analytics), Resend (transactional and newsletter email), Supabase (database and file storage), Upstash (Redis-backed rate limiting), and hCaptcha (bot and abuse protection on sign-up). These providers are bound by data processing agreements and are not permitted to use your data for their own purposes.
• Campaign organisers. When you make a donation, the organiser may receive your name and email address unless you elect to donate anonymously.
• Legal compliance. We may disclose your information if required to do so by law, court order, or governmental authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Givvent, our users, or the public.
• Business transfers. In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred as part of that transaction. We will notify you via email and a prominent notice on the Platform before your data becomes subject to a different privacy policy.

8. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide you with our services. You may delete your account at any time from your account settings. When you do, your account is deactivated immediately and permanently purged after a short grace period (currently 10 days), during which you can restore it by signing back in. After the grace period we delete or anonymise your personal data, except where we are required to retain it for legal or regulatory reasons (for example, financial transaction records which we must keep under applicable accounting laws) or where we need it to resolve outstanding disputes or enforce our agreements.

Aggregated, anonymised data that cannot reasonably be used to identify you may be retained indefinitely for analytics and product-improvement purposes.

9. Security

We implement industry-standard technical and organisational measures to protect your personal information against accidental loss, unauthorised access, disclosure, alteration, and destruction. These measures include TLS encryption in transit, bcrypt password hashing, role-based access controls, and regular security reviews. We also operate distributed rate limiting (via Upstash Redis) across sign-in, donation, and other sensitive endpoints, account lockout after repeated failed sign-in attempts, and hCaptcha bot protection on account creation, to defend against abuse, fraud, and credential-stuffing attacks. To run these controls we process limited technical data such as your IP address and request metadata.

No method of transmission over the internet or method of electronic storage is completely secure. While we strive to protect your personal data, we cannot guarantee its absolute security. In the event of a data breach that affects your rights and freedoms, we will notify affected users and, where required by law, the relevant supervisory authority within 72 hours of becoming aware of the breach.

10. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights with respect to your personal data:

• Right of access. Request a copy of the personal data we hold about you.
• Right to rectification. Request correction of inaccurate or incomplete data.
• Right to erasure. Request deletion of your personal data, subject to certain exceptions such as legal retention obligations.
• Right to restriction. Request that we limit processing of your data in certain circumstances.
• Right to data portability. Receive your data in a structured, commonly used, machine-readable format.
• Right to object. Object to processing based on legitimate interests or for direct marketing purposes.
• CCPA rights. California residents have the right to know what personal information we collect and how it is used, to request deletion, and to opt out of any sale of personal information. We do not sell personal information.

To exercise any of these rights, please contact us at privacy@givvent.com. We will respond within 30 days. You may also lodge a complaint with your local data protection authority.

11. Children's Privacy

The Platform is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@givvent.com and we will take steps to delete that information promptly.

12. International Data Transfers

Givvent is based in the United States. If you are accessing the Platform from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses approved by the European Commission, and where applicable the UK Addendum, to provide an adequate level of data protection. A copy of these clauses is available upon request.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we offer. When we make material changes, we will notify you by email or by displaying a prominent notice on the Platform. The “Last updated” date at the top of this page indicates when the policy was most recently revised. We encourage you to review this policy periodically.

14. Contact

If you have questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our Privacy Team:

• Email: privacy@givvent.com
• Postal address: Privacy Team, Givvent, Inc., 1209 Orange Street, Wilmington, Delaware 19801, United States.

If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. A list of EEA supervisory authorities is available at edpb.europa.eu.