GivingData Privacy Policy

Last Modified: March 15, 2024

Introduction

GivingData offers a grant and grantee management platform that is used by our clients to manage their grantmaking processes, and by grantees and grant applicants to view and apply for grants offered by our clients. This Privacy Policy applies to all our customers as well as their grantees, grant applicants and other visitors.

Privacy Policy of GivingData as a Processor

This Privacy Policy describes how GivingData as a Processor collects, uses, discloses, and protects personal data on behalf of its Customers. GivingData acknowledges the importance of privacy and is committed to ensuring the security and confidentiality of personally identifiable information (PII) in accordance with applicable data protection laws and regulations.

Table of Contents

Definitions

"Processor" refers to the company acting as the data processor, providing services to its Customers.

"Customer" refers to the company or organization that subscribes to Processor’s grant management platform and utilizes Processor’s platform to process personal data on its behalf.

"Personal data" refers to any information relating to an identified or identifiable individual as defined by applicable data protection laws.

Legal Basis for Collection and Use of Personal Data

GivingData (aka Processor) offers a platform for grants management to its subscribers (aka Customer) and does not directly handle or manipulate any Customer data. The collection and use of personal data are solely determined and controlled by the Customer, in accordance with its own terms of service or privacy policy. As a data processor, Processor only provides a platform to process and store customer data including any personal data in accordance with the Terms of Services (ToS).

Processor does not control the content of our Customer's application or the types of Personal Data that Customers may choose to collect or manage using the Subscription Service. We store our customers' information on our service providers' infrastructure but process in accordance with our Terms of Service (ToS), which prohibits us from using the customer data except as necessary to troubleshoot end-user support issues and provide and improve the Subscription Services.

You may connect third-party integrations to your GivingData application, which may ask for certain permissions to access data or send information to your GivingData account. It is the Customer’s responsibility to review and authorize any third-party integrations. 

We collect usage data when you or your users in your GivingData account interact with the Subscription Service. Usage data includes metrics and information regarding your use and interaction with the Subscription Service such as what product features you use the most. Additionally, the usage data could include audit logs that can be used for troubleshooting or for performing root cause analysis. 

We engage third-party services to collect and process usage data. For more information about how we protect your information with these service providers, please see Section 4 "Data Security."

Disclosure of Personal Data 

Processor does not disclose personal data to any third parties unless instructed or authorized to do so by the Terms of Services (ToS)  or by the Customer. The Processor may share personal data with sub-processors, subcontractors, or other third parties who assist in providing the services to the Customer. Any such disclosure is done in accordance with the Terms of Services (ToS).

Processor may disclose your personal information if required to do so by law. 

Data Security

The Processor takes reasonable technical and organizational measures to protect personal data from unauthorized access, alteration, disclosure, or destruction. These measures include, but are not limited to, encryption, access controls, regular security assessments, and employee training. Processor also requires its sub-processors to implement appropriate security measures to protect personal data.

In case of data breach, our goal is to notify the impacted parties, mainly our Customers and appropriate authorities where applicable, within 72 hours from when we first became aware of the breach.

Data Retention

Processor retains personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable laws and regulations. Upon the termination of the contract, the data will be removed in accordance with the Terms of Services (ToS).

Data Subject Rights

Our Customers control and are responsible for correcting, deleting or updating the information they intake using the Subscription Service and for complying with any regulations or laws that require providing notice, disclosure, and/or obtaining consent prior to transferring the Personal Data to GivingData for processing purposes.

Any consumer privacy requests should be directed to the Customer, who has control over the personal data. The Processor may assist the Customer in fulfilling its obligations to respond to any requests in accordance with Terms of Services (ToS).

International Data Transfers

The Processor intends to keep the Customer data in the same region the Customer operates in. In some cases, the Processor may transfer personal data to countries or host services in countries outside of the European Economic Area (EEA) or any other jurisdiction where the data protection laws may differ from those of the country where the data was originally collected. In such cases, Processor or relevant 3rd party service providers will ensure that appropriate safeguards, such as data security controls, standard contractual clauses or appropriate certification, are in place to protect the personal data in accordance with applicable data protection laws.

Applicable Regulatory Requirements

We (as a Processor) believe that this policy is sufficient to address any U.S. and international privacy regulations including California Consumer Privacy Act (CCPA) and General Data Protection Regulation (GDPR). If there are any questions, please contact us at the information provided below.

Data Protection Officer

The Privacy Office at GivingData is led by the Head of Security, Privacy, and Systems who will be the point of contact (acts as a Data Protection Officer aka DPO) for the EU Customers for any privacy-related matters. Please note that a DPO requirement (under article 37 of GDPR) does not fully apply to GivingData as GivingData is not involved in the systematic monitoring of data subject (Customer’s data) on a large scale. Additionally, GivingData enables its Customers to be the owner and custodian of the data.

The Privacy Officer can be contacted at: privacyofficer@givingdata.com

Google Authentication Disclaimer

GivingData's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Changes to this Privacy Policy

The Processor may update this Privacy Policy from time to time to reflect changes in its data processing practices or legal requirements. The most current version of the Privacy Policy will be posted on Processor's website or provided directly to the Customer. It is the Customer's responsibility to review this Privacy Policy periodically.

Contact Information

If you have any questions or concerns about this Privacy Policy or the processing of personal data by GivingData, please contact the Customer directly, as Processor acts on the Customer's instructions and does not directly interact with data subjects. Customers can directly reach their Customer Success Manager or the privacy group at privacy@givingdata.com.