Privacy Policy

Effective date: June 19, 2026  ·  Version: 1.0-draft

This Privacy Policy explains how [LEGAL ENTITY NAME] ("Run The Fundraiser," "we," "us," or "our") collects, uses, shares, and retains information when you use RunTheFundraiser.com and related services (the "Platform"). This is a draft for legal review before public signup opens.

Plain-language summary

This summary helps you understand our practices. The full policy below is what legally applies.

  • We host your event. Organizations run fundraisers on our Platform. We provide software and infrastructure, not payment processing for your donors' card or bank details.
  • Two kinds of data. We process (1) account and staff sign-in data for people who manage events, and (2) event data your organization collects about donors and pledges (names, addresses, emails, gift amounts, and similar fields).
  • Your org controls donor data. For donor and pledge records, the organization running the event decides what to collect. We store that data on their behalf to operate the live board, manage console, and reports.
  • We do not sell personal information. We share data only with service providers that help us run the Platform, with payment processors connected by the organization, and when required by law.
  • We delete inactive events. After 60 days of inactivity (with notice at 30 days), we delete per-event detail. Export your CSV before then.
  • No card numbers on our servers. Online gifts are entered on Square or Stripe hosted checkout. We receive transaction metadata only.

1. Scope

This Privacy Policy applies to visitors to our marketing site, people who join a waitlist before launch, organization account holders and their authorized staff, and people who interact with public event pages (give pages, pledge forms, and live boards).

It does not apply to third-party websites or services linked from the Platform, including Square, Stripe, or Clerk, which have their own privacy policies.

If you are a Donor or guest interacting with a specific organization's event, that organization may have its own privacy notice describing how it uses your information. Contact that organization directly for donor-specific questions, receipts, or correction requests.

2. Roles: who is responsible for what

2.1 Organization event data

When an Organization uses the Platform to record gifts, pledges, or donor contact information ("Event Data"), the Organization is generally the data controller (or equivalent under applicable law). The Organization decides what fields to collect and how to use exported data after download.

Run The Fundraiser acts as a service provider and processor for Event Data. We store and process it only to provide the Services the Organization requests, such as displaying totals on a live board, generating reports, and sending inactivity notices to Account Admins.

2.2 Platform account and operational data

For information we collect to operate accounts, secure the Platform, send transactional notices, and improve reliability, Run The Fundraiser is the controller. Examples include Account Admin sign-in records, waitlist emails, and anonymized usage statistics.

3. Information we collect

3.1 Organization accounts and staff (via Clerk and related services)

When you create or use an organization account, we and our identity provider may collect:

  • Name and email address (Account Admins and authorized staff);
  • Phone number for one-time sign-in codes (Event Managers and Volunteers);
  • Organization name and related profile details you provide;
  • Authentication logs, session identifiers, and multi-factor authentication status;
  • Terms acceptance version and timestamp.

3.2 Event Data (donors, pledges, and offline gifts)

Depending on how an Organization configures an event and what staff enter, Event Data may include:

  • Donor or pledger name, postal address, email address, or phone number (if collected);
  • Gift or pledge amounts, payment type (cash, check, sponsorship, card, bank), and timestamps;
  • Optional display name shown on a public live board, or "Anonymous";
  • Staff notes (for example, check number or sponsor label);
  • Event configuration, branding assets, and report outputs derived from the above.

Public pledge and give forms may collect a subset of these fields. Event Managers may also enter donor contact details when recording walk-up pledges or offline gifts at the volunteer desk.

3.3 Online gift metadata (not payment credentials)

When an Organization connects Square or Stripe, we receive webhook and API metadata about completed online gifts, such as amount, currency, timestamp, payment method category, and a provider transaction identifier. We do not receive or store full credit card numbers, debit card numbers, or bank account credentials. Those are entered directly on the Payment Provider's hosted checkout pages.

For Stripe, we store each Organization's connected account identifier (acct_…) so we can create checkout sessions on their behalf. We do not store Stripe API keys or OAuth tokens for Organizations.

3.4 Waitlist and marketing (pre-launch)

If you join a waitlist on our home page before public signup opens, we collect your email address and the time of submission. We use it to send launch invitations and related product updates. Waitlist data is stored separately from Event Data.

3.5 Technical and operational data

We automatically collect limited technical information, such as:

  • IP address, browser type, device type, and referring URL;
  • Request timestamps and error codes needed to operate and secure the Platform;
  • Structured logs and metrics that do not include donor names, contact details, or raw payment webhook bodies.

We do not use third-party advertising analytics cookies in the current version of the product.

3.6 Anonymized aggregates

After an event is purged, we retain anonymized summary statistics (for example, total raised, gift counts, and payment method breakdowns) linked to hashed identifiers, not donor names or contact information. We use these aggregates for capacity planning, inactivity enforcement, and displaying frozen summaries to Account Admins.

4. How we use information

We use personal information to:

  • Provide, maintain, and improve the Platform and Services;
  • Authenticate Account Admins, Event Managers, and Volunteers;
  • Display live boards, manage consoles, and generate reports for authorized users;
  • Match online gifts from Payment Providers to the correct event;
  • Send transactional emails (for example, inactivity warnings, account notices, and operator alerts);
  • Detect, prevent, and respond to fraud, abuse, and security incidents;
  • Comply with law and enforce our Terms of Service and Acceptable Use Policy;
  • Produce anonymized statistics that do not identify individuals.

We do not sell personal information. We do not use Event Data for cross-context behavioral advertising.

5. Legal bases (EEA, UK, and similar jurisdictions)

If you are in a jurisdiction that requires a legal basis for processing, we rely on:

  • Contract: Processing needed to provide the Services you or your Organization request;
  • Legitimate interests: Securing the Platform, preventing abuse, and improving reliability, balanced against your rights;
  • Legal obligation: Processing required by applicable law;
  • Consent: Where required, such as optional marketing emails or waitlist communications you opt into.

Organizations are responsible for establishing their own legal basis for collecting Donor Event Data.

6. How we share information

We may share personal information with:

6.1 Service providers (subprocessors)

Vendors that process data on our behalf under contractual obligations to protect it and use it only for the services they provide to us. Current categories include:

  • Cloudflare (hosting, content delivery, Workers, KV storage, and related infrastructure);
  • Cloudflare Email or similar providers (transactional outbound email);
  • Clerk (authentication, organizations, and phone one-time codes);
  • SMS delivery providers used by Clerk for phone verification;
  • Square and Stripe (payment processing on the Organization's connected merchant account).

We may update subprocessors from time to time. Material changes will be reflected in an updated version of this policy.

6.2 Organizations and their authorized staff

Event Data you submit on a public form, or that staff enter about you, is visible to authorized Event Managers, Volunteers, and Account Admins for that organization and event, according to role permissions.

6.3 Legal and safety

We may disclose information if we believe in good faith that disclosure is necessary to comply with law, respond to lawful requests, protect rights and safety, or investigate fraud or security issues.

6.4 Business transfers

If we are involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to continued protection consistent with this policy.

7. Cookies and similar technologies

We use cookies and similar technologies that are necessary to operate the Platform, including session cookies from our authentication provider (Clerk) so Account Admins and staff can stay signed in.

We do not deploy a cookie consent banner in the current version because we use only essential cookies required for authentication and security. If we add non-essential analytics cookies in the future, we will update this policy and provide appropriate notice or consent mechanisms where required.

You can control cookies through your browser settings. Disabling essential cookies may prevent you from signing in.

8. Retention

Data type | Retention
Active Event Data (gifts, pledges, donor fields, event config) | While the event remains active. Deleted after 60 days of inactivity. Account Admin receives notice at 30 days.
Stripe connected account ID (acct_…) | Retained while connected. Removed on disconnect or organization account deletion.
Post-purge event summaries | Anonymized totals and counts retained for Account Admin history. No donor names or contact fields.
Platform aggregates | Non-identifying statistics retained for service operation and capacity planning.
Waitlist email | Until launch invite is sent, plus up to 90 days, then deleted.
Account and authentication records | For the life of the account, plus a reasonable period afterward for legal and security purposes.
Server logs and metrics | Short rolling retention without donor PII or raw webhook bodies.

Activity that resets the inactivity clock includes verified online gift writes, manage-console changes, offline entries, pledges, CSV exports, and explicit "still active" confirmations from an Account Admin.

9. Security

We use administrative, technical, and organizational measures designed to protect personal information, including TLS encryption in transit, platform encryption at rest, application-layer encryption for platform webhook secrets, access controls for staff roles, and structured logging that excludes donor PII.

No system is perfectly secure. You are responsible for protecting devices and credentials used to access the manage console.

10. Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, restrict, or port personal information, or to object to certain processing.

10.1 Organization account holders

Account Admins can export Event Data from the manage console while an event is active. To request account deletion or help with data we control directly, email privacy@runthefundraiser.com.

10.2 Donors and event guests

For Event Data controlled by an Organization, contact that Organization first. We will assist Organizations in responding to lawful requests where our role as processor requires it.

10.3 Waitlist

You may request removal from the waitlist by emailing privacy@runthefundraiser.com.

11. U.S. state privacy notices

11.1 California (CCPA/CPRA)

If you are a California resident, you may have the right to:

  • Know the categories of personal information we collect, use, and disclose;
  • Request access to or deletion of personal information we control directly;
  • Correct inaccurate personal information;
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising.

We do not sell or share personal information for cross-context behavioral advertising. We do not discriminate against you for exercising privacy rights.

To submit a request, email privacy@runthefundraiser.com with "California Privacy Request" in the subject line. We may verify your identity before responding.

11.2 Other U.S. states

Residents of Colorado, Connecticut, Virginia, Texas, and other states with comprehensive privacy laws may have similar rights regarding personal information we control. Contact us at privacy@runthefundraiser.com to exercise applicable rights.

12. International transfers

We are based in the United States. If you access the Platform from outside the United States, your information may be processed in the United States and other countries where our service providers operate. Those countries may have different data protection laws than your home country.

Where required, we use appropriate safeguards for cross-border transfers, such as standard contractual clauses.

13. Children

The Platform is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information to us, contact privacy@runthefundraiser.com and we will take appropriate steps to delete it.

Organizations must not use the Platform to collect personal information from children except as permitted by law and with appropriate parental consent where required.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy with a new effective date and, where required, provide additional notice. The version in effect when you use the Platform governs our practices for that use.

15. Contact us

[LEGAL ENTITY NAME]
[STREET ADDRESS]
[CITY, STATE ZIP]
Privacy inquiries: privacy@runthefundraiser.com
General legal: legal@runthefundraiser.com

© 2026 RunTheFundraiser. Draft for legal review.