1. Introduction

GivingFountain ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our donation platform and related services.

2. Information We Collect

Personal Information

We may collect personally identifiable information that you voluntarily provide, including:

• Name and contact information (email address, phone number)
• Account credentials
• Payment information (processed securely through Stripe)
• Organization details for corporate donors
• Donation history and preferences

Automatically Collected Information

With your consent, we use Vercel Analytics to collect usage data such as page views, referral sources, browser type, and device information. This data is anonymized and used solely to improve our services. No analytics data is collected unless you accept our cookie consent banner. You may also collect certain information automatically through essential cookies required for the platform to function (e.g., authentication sessions).

Location Information

When you use the "Near Me" feature to find nearby nonprofits, we request access to your device's location through your browser. This is entirely optional and requires your explicit consent.

When enabled, your coordinates are sent to our servers to find nonprofits within your selected radius. We match your location against U.S. Census Bureau ZIP code centroid data (publicly available geographic reference points) to identify nearby organizations. Your coordinates are used only for the duration of the search request and are not stored in our database.

To preserve your search settings while browsing, your location coordinates are temporarily saved in your browser's session storage. This data is automatically cleared when you close your browser tab and is never transmitted to third parties.

IP Addresses

We automatically collect your IP address when you interact with our platform. IP addresses are used for:

• Rate limiting to prevent abuse of our services
• Security monitoring and threat detection
• IP blocklist enforcement to protect against malicious actors
• Audit logging of administrative actions for accountability
• Error tracking context to help diagnose and resolve issues

IP addresses are stored in security event logs and administrative audit logs. These logs are retained as necessary for security and compliance purposes.

3. How We Use Your Information

We use the information we collect to:

• Process and manage your donations
• Provide tax receipts and donation documentation
• Send donation confirmations and impact reports
• Improve and personalize our platform
• Show nearby nonprofits when you enable location services
• Communicate with you about your account and our services
• Power AI-assisted features such as the Giving Concierge chatbot (when you choose to use them)
• Send transactional emails including donation confirmations, receipts, and notifications
• Monitor and diagnose errors to maintain platform reliability
• Enforce security measures including rate limiting and bot detection
• Comply with legal obligations
• Detect and prevent fraud

4. Information Sharing

We may share your information in the following circumstances:

• With Nonprofits: We share relevant donor information with nonprofits you donate to, enabling them to acknowledge your contribution and provide impact updates.
• Service Providers: We work with trusted third-party service providers who assist in operating our platform, as described in the "Third-Party Service Providers" section below.
• Legal Requirements: We may disclose information when required by law or to protect our rights.

We do not sell your personal information to third parties.

5. Third-Party Service Providers

We use the following third-party services to operate, secure, and improve our platform. Each provider processes data only as necessary for its designated purpose and in accordance with their respective privacy policies.

Supabase (Database & Authentication)

Supabase serves as our database and authentication provider. All user data, donation records, and nonprofit information are stored in Supabase-hosted infrastructure in the United States. Supabase acts as a data processor on our behalf and processes data according to our instructions.

Stripe (Payment Processing)

Stripe handles all payment processing on our platform. Payment card information is collected and processed directly by Stripe and is never stored on our servers. Stripe is a PCI-DSS compliant payment processor. For more information, see Stripe's Privacy Policy.

Sentry (Error Tracking & Performance Monitoring)

We use Sentry to monitor errors and platform performance. When an error occurs, Sentry may collect error stack traces, browser information, device information, IP addresses (for error context), and the page URLs where errors occur. This data is processed in the United States and is used solely to diagnose and fix technical issues. For more information, see Sentry's Privacy Policy.

Anthropic / Claude AI (Primary AI Provider)

We use Anthropic's Claude AI as our primary AI provider. When you choose to use an AI feature, the data described below is sent to Anthropic's API for processing per Anthropic's Privacy Policy:

• Giving Concierge chatbot — your chat messages, plus an anonymized geo-region (city + state derived from your IP, if available) so the assistant can prioritize local nonprofits when your request is general
• Allocation advice, donor recommendations, and impact summaries — the interests, goals, budget, and preferences you provide on those pages
• Nonprofit application "Quick Fill" — the public HTML of the nonprofit website you choose to import (no personal data)
• Administrative content tools — used by platform administrators to draft blog posts, social media copy, and category descriptions; no end-user data flows here

AI features are opt-in. We do not send your data to Anthropic unless you actively engage one of these features. We do not send your full name, email address, payment data, or donation history to Anthropic. Conversations may be retained by Anthropic for a limited period for trust-and-safety review per their published terms.

OpenAI (AI Fallback Provider, Blog Image Generation)

We use OpenAI in two roles:

• Failover for AI features. If our primary provider (Anthropic) is unavailable, the same AI features above will route to OpenAI's GPT models so the feature stays usable. The same data described in the Anthropic section may then be processed by OpenAI instead. We never send both copies — failover happens once per request.
• Blog cover image generation and visual-brief drafting in our administrative panel. This feature is used exclusively by platform administrators and does not involve end-user data.

For more information, see OpenAI's Privacy Policy. OpenAI does not use API data to train its models per their published API data-usage policy.

Cloudflare Workers AI (Blog Image Generation)

We use Cloudflare Workers AI (FLUX-1-schnell) as the primary engine for generating blog cover images, with OpenAI's image generator as a fallback. This feature is used exclusively by platform administrators when drafting blog content. No end-user data is sent to Cloudflare Workers AI. For more information, see Cloudflare's Privacy Policy.

Cloudflare Turnstile (Bot Protection)

We use Cloudflare Turnstile as a CAPTCHA verification service on login, registration, and nonprofit claim forms. Turnstile collects browser fingerprint data and interaction patterns to distinguish legitimate users from bots. This data is processed by Cloudflare in accordance with Cloudflare's Privacy Policy.

Resend (Transactional Email)

We use Resend to deliver transactional emails such as donation confirmations, receipts, and account notifications. Your email address and email content are processed through Resend's API for the sole purpose of delivering these messages. For more information, see Resend's Privacy Policy.

Charity Navigator (Nonprofit Ratings)

We use Charity Navigator's API to display nonprofit ratings, scores, and accountability information on nonprofit profile pages. When you view a nonprofit's profile, we may send that nonprofit's EIN (Employer Identification Number) to Charity Navigator to retrieve their publicly available rating data. No personal user information is shared with Charity Navigator. For more information, see Charity Navigator's Privacy Policy.

ProPublica (Nonprofit Financial Data)

We use ProPublica's Nonprofit Explorer API to retrieve IRS Form 990 financial data for nonprofits in our directory. When you view a nonprofit's profile, we may send that nonprofit's EIN to ProPublica to retrieve their publicly available tax filings. No personal user information is shared with ProPublica.

Google Ads (Conversion Tracking)

With your consent, we use Google Ads conversion tracking to measure the effectiveness of our marketing campaigns. When you complete a donation after arriving from a Google ad, a conversion event is sent to Google containing the donation amount, currency, and an opaque donation identifier (used for deduplication only). We anonymize IP addresses before they reach Google. No personally identifiable information, donor name, email, payment data, or nonprofit allocations are sent to Google. Conversion tracking only loads after you accept our cookie banner. We also retain aggregate search performance metrics in our own database for internal reporting — from Google Ads (impressions, clicks, spend, conversion counts, and the anonymized search-query phrases that triggered our ads) and from Google Search Console (organic impressions, clicks, and the anonymized search-query phrases that surfaced our pages in Google Search). These aggregates contain no individual user identifiers. For more information, see Google's Privacy Policy.

Vercel (Hosting & Analytics)

Our platform is hosted on Vercel. With your consent, we also use Vercel Analytics to collect anonymized usage data as described in the "Automatically Collected Information" and "Cookies and Tracking" sections above and below.

6. Data Security

We implement appropriate technical and organizational security measures to protect your information. All payment processing is handled by Stripe, a PCI-DSS compliant payment processor. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

Depending on your location, you may have certain rights regarding your personal information:

• Access and receive a copy of your data
• Correct inaccurate information
• Request deletion of your data
• Opt-out of marketing communications
• Data portability

To exercise these rights, please contact us at the information provided below.

8. Cookies and Tracking

We use cookies and similar technologies in two categories:

• Essential cookies: Required for authentication, security, and core platform functionality. These cannot be disabled.
• Analytics cookies: Used by Vercel Analytics to understand how visitors interact with our platform. These are only activated after you provide consent through our cookie banner.
• Marketing cookies: Used by Google Ads conversion tracking to measure the effectiveness of our advertising. These are only activated after you provide consent through our cookie banner and only fire on conversion completion pages (donation confirmation and account signup confirmation) when a Google Ads measurement ID is configured.

When you first visit our platform, a consent banner will appear. You may accept or decline analytics cookies. Your preference is stored locally in your browser and respected on all subsequent visits. You can reset your preference at any time by clearing your browser's local storage.

9. Third-Party Links

Our platform may contain links to third-party websites, including nonprofit websites. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies.

10. Children's Privacy

Our platform is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn we have collected such information, we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of our platform after changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us: