Privacy Policy

Who We Are

"Givvv", "we", "our" or "us" means Givvv Limited, a company registered in New Zealand, which is the entity responsible for the collection and use of Personal Data under this Privacy Policy. This Privacy Policy applies to the collection and use of Personal Data on the processing of donations for organizations hosted in New Zealand, meaning that it could apply to residents of New Zealand or other countries who make donations to organizations using our platform.

Definitions

Personal Data

"Personal Data" means any information that relates to an identified or identifiable individual, and can include information that you provide to us to facilitate a transaction (such as first and last name, email address, billing address/shipping address, zip code and phone number) and that we collect about you, such as when you engage with our Services (e.g. device information, IP address).

Platform Services

Our "Platform Services" are the donation management tools and features provided by Givvv to nonprofits, churches, and charitable organizations ("Organizations") who provide us with donor Personal Data through their fundraising activities.

Transaction Data

"Transaction Data" as used in this Privacy Policy includes Personal Data, and may include the following: your name, email address, billing address, payment method information, location, donation amount, date of donation, designation/purpose, and your phone number.

User Types

Depending on the context, "you" means Donor or Visitor:

• When you make a donation to an Organization (e.g. when you donate to a church or nonprofit that uses Givvv technology and services) but are not directly doing business with Givvv, we refer to you as a "Donor".
• When you visit givvv.org or otherwise communicate with Givvv, we refer to you as a "Visitor" (e.g. you send Givvv a message asking for more information because you are considering using our technology or services for your organization).

Our Commitment to Data Security

Givvv is a donation management platform built with enterprise-grade security and data privacy at its core. Your donation data is sensitive, and we've architected our platform to ensure that not even Givvv staff can access your organization's private donation data.

Data Ownership

You own your data. Period.

• All donation records, donor information, and transaction data belong exclusively to your organization
• We never sell, share, or use your data for any purpose other than providing our service
• You can export your data at any time
• If you close your account, all your data is permanently deleted within 30 days

Security Architecture

1. Database-Level Security (Row Level Security)

We use PostgreSQL Row Level Security (RLS) policies enforced at the database level, ensuring data isolation between organizations:

• Organizations can ONLY access their own data - this is enforced by the database itself, not just application code
• Even if there were a bug in our application code, the database would prevent cross-organization data access
• RLS policies are tested and audited regularly
• Each database query is automatically filtered to your organization_id

2. Encryption

Data in Transit:

• All data transmitted between your browser and our servers uses TLS 1.3 encryption
• All API requests use HTTPS only - no unencrypted HTTP traffic is permitted
• Payment card data is encrypted using Stripe's PCI DSS Level 1 certified infrastructure

Data at Rest:

• All database records are encrypted at rest using AES-256 encryption
• Encryption keys are managed by our infrastructure provider with automatic key rotation
• Database backups are also encrypted

3. Payment Processing

We never store credit card numbers, CVV codes, or full payment card data:

• All payment processing is handled directly by Stripe, a PCI DSS Level 1 certified payment processor
• Card data goes directly from the donor's browser to Stripe's servers
• We only store non-sensitive payment metadata (last 4 digits, card brand, expiration)
• Stripe Connect ensures funds go directly to YOUR organization's Stripe account, not ours

4. Infrastructure Security

5. Access Controls

Platform Access:

• Only authenticated users from your organization can access your dashboard
• Passwords are securely hashed using industry-standard algorithms
• Session tokens expire automatically
• Service role keys (admin access) are only used by backend services, never exposed to clients

Givvv Staff Access:

• Givvv staff CANNOT access your donation data due to RLS policies
• We can only access anonymized system logs for debugging
• Any support requests require explicit permission and are logged
• No Givvv employee has direct database access to production data

6. Data Retention & Deletion

• Active donation data is retained as long as your account is active
• When you close your account, all data is permanently deleted within 30 days
• Backup data is automatically purged according to our retention policy
• You can request immediate data deletion at any time

Data We Collect

Donation Data (Your Organization's Data)

• Donor names and contact information
• Donation amounts and dates
• Payment metadata (not card numbers)
• Designation/purpose of donations
• Transaction history

Account Data

• Organization administrator email and name
• Organization details (name, logo, settings)
• Stripe account connection details
• Subscription and billing information

Anonymous Usage Data

• Page views and navigation patterns (anonymized)
• Feature usage statistics (aggregated)
• Error logs (stripped of personal information)

Third-Party Services

We use the following trusted third-party services:

Compliance

New Zealand Privacy Act 2020

Givvv complies with the New Zealand Privacy Act 2020 and the Information Privacy Principles (IPPs). We ensure:

• Collection of personal information only for lawful purposes
• Information is collected directly from the individual where possible
• We maintain appropriate security safeguards
• Individuals have the right to access and correct their information

GDPR Compliance

For donor data provided by Organizations, Givvv acts as a data processor on behalf of the Organization (the data controller). For account and billing data, Givvv acts as the data controller. Our lawful bases for processing include performance of a contract (providing the Platform Services) and legitimate interest (improving and securing our services).

Under GDPR, you have the following rights:

• Right to access your data
• Right to rectification
• Right to erasure ("right to be forgotten")
• Right to data portability
• Right to restrict processing
• Right to object

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

California Privacy Rights (CCPA)

• We do not sell personal information
• You have the right to know what data we collect
• You have the right to delete your data
• You have the right to opt-out of data sharing

Cookies & Tracking Technologies

Givvv uses essential cookies required for authentication and session management. We do not use advertising or third-party tracking cookies.

• Essential cookies: Required for login sessions and security. These cannot be disabled.
• Analytics: We collect anonymized, aggregated usage data to improve our services. No personally identifiable information is included in analytics data.

Security Auditing

We regularly:

• Review and test Row Level Security policies
• Scan for security vulnerabilities
• Update dependencies to patch security issues
• Monitor for unusual access patterns
• Conduct security training for our team

Incident Response

In the unlikely event of a data breach:

• We will notify affected organizations within 72 hours
• We will provide details about what data was affected
• We will outline steps being taken to prevent future incidents
• We will offer support and guidance

Contact Us

If you have any questions about this Privacy Policy, please contact us:

Email: [email protected]
Security Concerns: [email protected]

We take security seriously. If you discover a vulnerability, please report it responsibly to [email protected] and we will work with you to resolve it promptly.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by:

• Posting the new policy on this page
• Updating the "Last Updated" date
• Sending an email to your organization's primary contact