The posture in plain English. The legal policy — if and when you need it — lives at /privacy.php.
We don't embed Google Analytics, Segment, Mixpanel, Plausible, or any other browser-side analytics in marketing or application pages. We log page-view beacons server-side to our own marketing_events table. No data leaves our infrastructure for analytics.
No LinkedIn Insight Tag, Meta Pixel, X pixel, Google Ads conversion pixel, etc. on any page. We do not retarget visitors.
Donation amounts are private to managers by default. Named visibility on the manager dashboard requires admin enablement and employee opt-in. Public impact stories require employee's explicit opt-in for external attribution.
We collect what's needed to run a CSR program (employees, donations, matches, hours, grants, payouts) — not browsing habits, not behavioral profiles, not adjacent data. Our HubSpot mirror (when enabled) is opt-in by the org admin.
Super-admin-initiated workflows for both. GDPR Article 17 (right to erasure) supported. We document the data flows; we can produce a DPA on request.
Hosted in the US by default. EU residency available on request for clients with regulatory requirements. We do not transfer personal data across regions without DPA-compliant safeguards.
Mandrill (Mailchimp Transactional): transactional email. Anthropic: AI narrative generation (data sent: aggregated, no PII beyond first name). AWS Textract: OCR (opt-in; falls back to stub when not configured). HubSpot: CRM mirror (opt-in by org admin).
Sell data. Share data with advertisers. Use employee giving data for engagement scoring, retention-risk modeling, or performance management. Train AI on individual employee data without explicit opt-in.