Privacy Policy
Last updated: January 18, 2026
This Privacy Policy includes important information about your personal data and we encourage you to read it carefully.
We provide online donation management services to nonprofits, churches, and charitable organizations of all sizes who use our technology and services to collect donations from supporters. We want to be clear about how we use the Personal Data entrusted to us.
This Privacy Policy ("Policy") describes the "Personal Data" that we collect about you, how we use it, how we share it, your rights and choices, and how you can contact us about our privacy practices. This Policy also outlines your data subject rights, including the right to object to some uses of your Personal Data by us.
Who We Are
"Givvv", "we", "our" or "us" means Givvv Limited, a company registered in New Zealand, which is the entity responsible for the collection and use of Personal Data under this Privacy Policy. This Privacy Policy applies to the collection and use of Personal Data on the processing of donations for organizations hosted in New Zealand, meaning that it could apply to residents of New Zealand or other countries who make donations to organizations using our platform.
Definitions
Personal Data
"Personal Data" means any information that relates to an identified or identifiable individual, and can include information that you provide to us to facilitate a transaction (such as first and last name, email address, billing address/shipping address, zip code and phone number) and that we collect about you, such as when you engage with our Services (e.g. device information, IP address).
Platform Services
Our "Platform Services" are the donation management tools and features provided by Givvv to nonprofits, churches, and charitable organizations ("Organizations") who provide us with donor Personal Data through their fundraising activities.
Transaction Data
"Transaction Data" as used in this Privacy Policy includes Personal Data, and may include the following: your name, email address, billing address, payment method information, location, donation amount, date of donation, designation/purpose, and your phone number.
User Types
Depending on the context, "you" means Donor or Visitor:
- When you make a donation to an Organization (e.g. when you donate to a church or nonprofit that uses Givvv technology and services) but are not directly doing business with Givvv, we refer to you as a "Donor".
- When you visit givvv.org or otherwise communicate with Givvv, we refer to you as a "Visitor" (e.g. you send Givvv a message asking for more information because you are considering using our technology or services for your organization).
Our Commitment to Data Security
Givvv is a donation management platform built with enterprise-grade security and data privacy at its core. Your donation data is sensitive, and we've architected our platform to ensure that not even Givvv staff can access your organization's private donation data.
Data Ownership
You own your data. Period.
- All donation records, donor information, and transaction data belong exclusively to your organization
- We never sell, share, or use your data for any purpose other than providing our service
- You can export your data at any time
- If you close your account, all your data is permanently deleted within 30 days
Security Architecture
1. Database-Level Security (Row Level Security)
We use PostgreSQL Row Level Security (RLS) policies enforced at the database level, ensuring data isolation between organizations:
- Organizations can ONLY access their own data - this is enforced by the database itself, not just application code
- Even if there were a bug in our application code, the database would prevent cross-organization data access
- RLS policies are tested and audited regularly
- Each database query is automatically filtered to your organization_id
2. Encryption
Data in Transit:
- All data transmitted between your browser and our servers uses TLS 1.3 encryption
- All API requests use HTTPS only - no unencrypted HTTP traffic is permitted
- Payment card data is encrypted using Stripe's PCI DSS Level 1 certified infrastructure
Data at Rest:
- All database records are encrypted at rest using AES-256 encryption
- Encryption keys are managed by our infrastructure provider with automatic key rotation
- Database backups are also encrypted
3. Payment Processing
We never store credit card numbers, CVV codes, or full payment card data:
- All payment processing is handled directly by Stripe, a PCI DSS Level 1 certified payment processor
- Card data goes directly from the donor's browser to Stripe's servers
- We only store non-sensitive payment metadata (last 4 digits, card brand, expiration)
- Stripe Connect ensures funds go directly to YOUR organization's Stripe account, not ours
4. Infrastructure Security
Database Hosting: Supabase (AWS-backed)
- SOC 2 Type II certified
- ISO 27001 certified
- GDPR compliant
- Data hosted in secure AWS data centers
- Automatic daily backups
- 99.9% uptime SLA
Application Hosting: Netlify
- SOC 2 Type II certified
- DDoS protection
- Automatic SSL/TLS certificates
- CDN with edge caching for performance
Payment Processing: Stripe
- PCI DSS Level 1 certified (highest level)
- Used by millions of businesses worldwide
- Advanced fraud detection
- 3D Secure support
5. Access Controls
Platform Access:
- Only authenticated users from your organization can access your dashboard
- Passwords are securely hashed using industry-standard algorithms
- Session tokens expire automatically
- Service role keys (admin access) are only used by backend services, never exposed to clients
Givvv Staff Access:
- Givvv staff CANNOT access your donation data due to RLS policies
- We can only access anonymized system logs for debugging
- Any support requests require explicit permission and are logged
- No Givvv employee has direct database access to production data
6. Data Retention & Deletion
- Active donation data is retained as long as your account is active
- When you close your account, all data is permanently deleted within 30 days
- Backup data is automatically purged according to our retention policy
- You can request immediate data deletion at any time
Data We Collect
Donation Data (Your Organization's Data)
- Donor names and contact information
- Donation amounts and dates
- Payment metadata (not card numbers)
- Designation/purpose of donations
- Transaction history
Account Data
- Organization administrator email and name
- Organization details (name, logo, settings)
- Stripe account connection details
- Subscription and billing information
Anonymous Usage Data
- Page views and navigation patterns (anonymized)
- Feature usage statistics (aggregated)
- Error logs (stripped of personal information)
Third-Party Services
We use the following trusted third-party services:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Payment and donor info |
| Supabase | Database & authentication | All application data (encrypted) |
| Netlify | Application hosting | Server logs (IP addresses, request metadata) |
| Resend | Email delivery | Email addresses, receipt content |
Compliance
New Zealand Privacy Act 2020
Givvv complies with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs). We ensure that:
- Personal information is collected only for lawful purposes
- Information is collected directly from the individual where possible
- Appropriate security safeguards are maintained
- Individuals have the right to access and correct their information
GDPR Compliance
For donor data provided by Organizations, Givvv acts as a data processor on behalf of the Organization (the data controller). For account and billing data, Givvv acts as the data controller. Our lawful bases for processing include performance of a contract (providing the Platform Services) and legitimate interest (improving and securing our services).
Under GDPR, you have the following rights:
- Right to access your data
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to restrict processing
- Right to object
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
California Privacy Rights (CCPA)
- We do not sell personal information
- You have the right to know what data we collect
- You have the right to delete your data
- You have the right to opt out of data sharing
Cookies & Tracking Technologies
Givvv uses essential cookies required for authentication and session management. We do not use advertising or third-party tracking cookies.
- Essential cookies: Required for login sessions and security. These cannot be disabled.
- Analytics: We collect anonymized, aggregated usage data to improve our services. No personally identifiable information is included in analytics data.
Security Auditing
We regularly:
- Review and test Row Level Security policies
- Scan for security vulnerabilities
- Update dependencies to patch security issues
- Monitor for unusual access patterns
- Conduct security training for our team
Incident Response
In the unlikely event of a data breach:
- We will notify affected organizations within 72 hours
- We will provide details about what data was affected
- We will outline steps being taken to prevent future incidents
- We will offer support and guidance
Contact Us
If you have any questions about this Privacy Policy, please contact us:
Email: [email protected]
Security Concerns: [email protected]
We take security seriously. If you discover a vulnerability, please report it responsibly to [email protected] and we will work with you to resolve it promptly.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the new policy on this page
- Updating the "Last Updated" date
- Sending an email to your organization's primary contact
Summary
In Plain English:
- ✓ You own your data, not us
- ✓ Your data is isolated from other organizations using database-level security
- ✓ Even we can't see your private donation data
- ✓ All data is encrypted in transit and at rest
- ✓ We never sell or share your data
- ✓ You can export or delete your data anytime
- ✓ We use industry-leading, certified infrastructure providers
- ✓ Credit card data never touches our servers
- ✓ We're compliant with NZ Privacy Act, GDPR, and CCPA
By using Givvv, you acknowledge that you have read and understand this Privacy Policy. Your use of the Platform is also governed by our Terms of Service.