Privacy Policy & Data Security

Last Updated: January 2025

Our Commitment to Data Security

Givvv is a donation management platform built with security and data privacy at its core. Donation data is sensitive, so the platform is designed so that Givvv staff cannot read your organization's private donation data in the normal course of operating the service: isolation is enforced in the database, and the credentials that could bypass it are held only by backend services, not by individual staff.

Data Ownership

You own your data. Period.

  • All donation records, donor information, and transaction data belong exclusively to your organization
  • We never sell, share, or use your data for any purpose other than providing our service
  • You can export your data at any time
  • If you close your account, all your data is permanently deleted

Security Architecture

1. Database-Level Security (Row Level Security)

We use PostgreSQL Row Level Security (RLS) policies enforced at the database level to isolate each organization's data:

  • Organizations can ONLY access their own data. This is enforced by the database itself, not just by application code.
  • Even if there were a bug in our application code, the database would reject cross-organization reads and writes for any query issued under a user's database role, because PostgreSQL applies the policy to every SELECT, INSERT, UPDATE and DELETE on a protected table.
  • RLS policies are tested and audited regularly.
  • Every query on organization-scoped tables is automatically filtered to your organization_id by the policy, so there is no "unfiltered" path through the normal API.
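The following is an added illustration of how such a policy is expressed in PostgreSQL, not Givvv's actual schema or policy text. The table and column names (organizations, organization_members, donations, organization_id) and the test user IDs are assumptions made for the example; auth.uid() is Supabase's helper that reads the caller's user ID from the request JWT. The last part shows how a policy can be exercised from SQL by switching to the authenticated role and setting the JWT claims, which is the kind of check a regular RLS audit would run.

```sql
-- Illustrative schema (assumed for this example, not the platform's real schema).
create table organizations (
  id   uuid primary key,
  name text not null
);

-- Which users belong to which organization. user_id matches auth.uid().
create table organization_members (
  organization_id uuid not null references organizations(id),
  user_id         uuid not null,
  primary key (organization_id, user_id)
);

create table donations (
  id              bigint generated always as identity primary key,
  organization_id uuid not null references organizations(id),
  donor_name      text,
  amount_cents    integer not null check (amount_cents > 0),
  created_at      timestamptz not null default now()
);

-- Turn RLS on. With RLS enabled and no policy, the table is deny-by-default
-- for roles that do not bypass RLS. FORCE makes the policy apply to the table
-- owner as well; superusers and roles with BYPASSRLS (Supabase's service_role)
-- are still exempt, which is why that key must never reach a client.
alter table donations enable row level security;
alter table donations force row level security;

-- One policy covering reads (USING) and writes (WITH CHECK): a row is visible
-- or writable only if the caller is a member of the row's organization.
create policy donations_org_isolation on donations
  for all
  to authenticated
  using (
    organization_id in (
      select m.organization_id
      from organization_members m
      where m.user_id = auth.uid()
    )
  )
  with check (
    organization_id in (
      select m.organization_id
      from organization_members m
      where m.user_id = auth.uid()
    )
  );

-- Constructed sample data: two organizations, one user in each.
insert into organizations (id, name) values
  ('11111111-1111-1111-1111-111111111111', 'Org A'),
  ('22222222-2222-2222-2222-222222222222', 'Org B');
insert into organization_members (organization_id, user_id) values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb');
insert into donations (organization_id, donor_name, amount_cents) values
  ('11111111-1111-1111-1111-111111111111', 'Donor for A', 5000),
  ('22222222-2222-2222-2222-222222222222', 'Donor for B', 7500);

-- Audit check: impersonate user A the way Supabase's API would (authenticated
-- role plus JWT claims) and confirm only Org A's rows are visible.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
                    '{"sub":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa","role":"authenticated"}',
                    true);

  -- Expected: exactly one row, organization_id = Org A.
  select organization_id, donor_name, amount_cents from donations;

  -- Expected: 0 rows affected. User A cannot write into Org B even if the
  -- application code passes the wrong organization_id.
  update donations set amount_cents = 1
   where organization_id = '22222222-2222-2222-2222-222222222222';

  -- Expected: fails with "new row violates row-level security policy",
  -- because WITH CHECK rejects an insert tagged with another organization.
  insert into donations (organization_id, donor_name, amount_cents)
  values ('22222222-2222-2222-2222-222222222222', 'Smuggled', 100);
rollback;

-- Inventory of policies on the table, useful for periodic review.
select policyname, cmd, roles, qual, with_check
  from pg_policies
 where tablename = 'donations';
```

The membership subquery is what makes a forgotten WHERE clause in application code harmless: the filter lives in the policy, so an unscoped select from donations still returns only the caller's organization. The flip side, shown by the FORCE comment, is that any connection using a BYPASSRLS role sees everything, so confining the service role to backend services is part of the same control, not a separate one.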

2. Encryption

Data in Transit:

  • All data transmitted between your browser and our servers uses TLS 1.3 encryption
  • All API requests use HTTPS only - no unencrypted HTTP traffic is permitted
  • Payment card data is sent over TLS directly from the donor's browser to Stripe's PCI DSS Level 1 certified infrastructure; it is never transmitted to our servers

Data at Rest:

  • All database records are encrypted at rest using AES-256 encryption
  • Encryption keys are managed by our infrastructure provider (Supabase) with automatic key rotation
  • Database backups are also encrypted

3. Payment Processing

We never store credit card numbers, CVV codes, or full payment card data:

  • All payment processing is handled directly by Stripe, a PCI DSS Level 1 certified payment processor
  • Card data goes directly from the donor's browser to Stripe's servers
  • We only store non-sensitive payment metadata (last 4 digits, card brand, expiration)
  • Stripe Connect ensures funds go directly to YOUR Stripe account, not ours

4. Infrastructure Security

Database Hosting: Supabase (AWS-backed)

  • SOC 2 Type II certified
  • ISO 27001 certified
  • GDPR compliant
  • Data hosted in secure AWS data centers
  • Automatic daily backups
  • 99.9% uptime SLA

Application Hosting: Netlify

  • SOC 2 Type II certified
  • DDoS protection
  • Automatic SSL/TLS certificates
  • CDN with edge caching for performance

Payment Processing: Stripe

  • PCI DSS Level 1 certified (highest level)
  • Used by millions of businesses worldwide
  • Advanced fraud detection
  • 3D Secure support

5. Access Controls

Platform Access:

  • Only authenticated users from your organization can access your dashboard
  • Multi-factor authentication (MFA) available
  • Passwords are hashed using bcrypt with individual salts
  • Session tokens expire automatically
  • Service role keys (admin access, which bypass Row Level Security) are used only by backend services and are never exposed to clients

Givvv Staff Access:

  • Givvv staff CANNOT access your donation data: RLS policies deny it to every database role that does not bypass RLS, and the service role that can bypass RLS is held only by backend services, not by individual staff accounts
  • We can only access anonymized system logs for debugging
  • Any support requests require explicit permission and are logged
  • No Givvv employee has direct database access to production data

6. Data Retention & Deletion

  • Active donation data is retained as long as your account is active
  • When you close your account, all data is permanently deleted within 30 days
  • Backup data is automatically purged according to our retention policy
  • You can request immediate data deletion at any time

Data We Collect

Donation Data (Your Organization's Data)

  • Donor names and contact information
  • Donation amounts and dates
  • Payment metadata (not card numbers)
  • Designation/purpose of donations
  • Transaction history

Account Data

  • Organization administrator email and name
  • Organization details (name, logo, settings)
  • Stripe account connection details
  • Subscription and billing information

Anonymous Usage Data

  • Page views and navigation patterns (anonymized)
  • Feature usage statistics (aggregated)
  • Error logs (stripped of personal information)

Third-Party Services

We use the following trusted third-party services:

Service    Purpose                     Data Shared
Stripe     Payment processing          Payment and donor info
Supabase   Database & authentication   All application data (encrypted)
Netlify    Application hosting         None
Resend     Email delivery              Email addresses, receipt content

Compliance

GDPR Compliance

  • Right to access your data
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Right to object

California Privacy Rights (CCPA)

  • We do not sell personal information
  • You have the right to know what data we collect
  • You have the right to delete your data
  • You have the right to opt-out of data sharing

Security Auditing

We regularly:

  • Review and test Row Level Security policies
  • Scan for security vulnerabilities
  • Update dependencies to patch security issues
  • Monitor for unusual access patterns
  • Conduct security training for our team

Incident Response

In the unlikely event of a data breach:

  • We will notify affected organizations within 72 hours of becoming aware of the breach
  • We will provide details about what data was affected
  • We will outline steps being taken to prevent future incidents
  • We will offer support and guidance

Contact Us

For security concerns, privacy questions, or data requests:

Email: [email protected]
Security Researcher Disclosure: [email protected]

We take security seriously. If you discover a vulnerability, please report it responsibly to [email protected] and we will work with you to resolve it promptly.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by:

  • Posting the new policy on this page
  • Updating the "Last Updated" date
  • Sending an email to your organization's primary contact

Summary

In Plain English:

  • ✅ You own your data, not us
  • ✅ Your data is isolated from other organizations using database-level security
  • ✅ Even we can't see your private donation data
  • ✅ All data is encrypted in transit and at rest
  • ✅ We never sell or share your data
  • ✅ You can export or delete your data anytime
  • ✅ We use industry-leading, certified infrastructure providers
  • ✅ Credit card data never touches our servers
  • ✅ We're GDPR and CCPA compliant

This privacy policy is legally binding. By using Givvv, you agree to these terms.