Back to Home

Privacy Policy

Last updated: November 21, 2025

1. Introduction

Community Pledge ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our fundraising and campaign management platform (the "Service"). Please read this policy carefully. If you do not agree with the terms of this privacy policy, please do not access the service.

2. Information We Collect

We may collect information about you in a variety of ways. The information we may collect via the Service includes:

Personal Data You Provide to Us

We collect personally identifiable information, such as your name, email address, and demographic information (like your date of birth), that you voluntarily give to us when you register with the Service or when you choose to participate in various activities related to the Service, such as creating teams and campaigns.

Data You Upload About Others (User-Generated Content)

A core feature of our Service is the ability to upload and manage lists of contacts for fundraising purposes. This data may include names, email addresses, phone numbers, and physical addresses of third parties. We process this information on your behalf and at your direction. You are responsible for ensuring you have the appropriate legal basis (e.g., consent) to collect and process this information. Our responsibilities regarding this data are outlined in our Terms of Service.

Financial Data

We collect financial information related to donations and platform fees, such as donation amounts and transaction IDs. Most payment data is processed by our third-party payment processor, Square. We do not store full credit card numbers on our servers. We encourage you to review Square's privacy policy and contact them directly for responses to your questions.

Automatically Collected Data

We automatically collect certain information when you access the Service, such as your IP address, browser type, operating system, access times, and the pages you have viewed directly before and after accessing the Service. We also maintain detailed audit logs of actions you take within the Service for security and operational purposes.

For security purposes, we collect and store session metadata including device fingerprints, geographic location data (country, city, timezone, and approximate coordinates derived from IP address), device information (browser name/version, operating system), and session activity timestamps. This information helps us detect unauthorized access, prevent account takeovers, and maintain audit trails for security investigations.

Communication Preferences

We collect and store your communication preferences, including:

  • Email notification preferences and unsubscribe status with timestamps
  • SMS/text message opt-in and opt-out status with timestamps
  • Do-not-call preferences

These preferences are used to honor your communication choices and comply with CAN-SPAM, TCPA, and other communication laws.

3. How We Use Your Information

Having accurate information about you permits us to provide you with a smooth, efficient, and customized experience. Specifically, we may use information collected about you via the Service to:

  • Create and manage your account.
  • Operate your campaigns and process donations and pledges.
  • Facilitate consultations, including scheduling and communication.
  • Email you regarding your account or service-related matters.
  • Monitor and analyze usage and trends to improve your experience with the Service.
  • Prevent fraudulent transactions, monitor against theft, and protect against criminal activity.
  • Enforce our Terms of Service and other policies.
  • Respond to product and customer service requests.

4. Disclosure of Your Information

We may share information we have collected about you in certain situations. Your information may be disclosed as follows:

  • By Law or to Protect Rights: If we believe the release of information about you is necessary to respond to legal process, to investigate or remedy potential violations of our policies, or to protect the rights, property, and safety of others.
  • Third-Party Service Providers: We may share your information with third parties that perform services for us or on our behalf, including:
    • Square - Payment processing and donation transactions
    • Microsoft Graph API - Email delivery and calendar services
    • AWS SNS - SMS text message delivery
    • Vercel - Application hosting, edge functions, and content delivery
    • Neon - PostgreSQL database hosting with encryption and automatic backups
    • Upstash - Redis caching for session management and rate limiting
    • HaveIBeenPwned - Password breach checking (using k-anonymity to protect your privacy - we never send your full password)

    We carefully vet all third-party service providers and ensure they maintain appropriate security and privacy standards. We are working to execute Data Processing Agreements with all subprocessors that handle personal data on our behalf to ensure GDPR compliance.

  • Public Campaign Pages: Information you designate for public display on your campaign pages, such as campaign name and goals, will be visible to the public.
  • Team Members: Your information will be visible to other members of the teams you belong to, according to the roles and permissions configured for that team.
  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

5. Data Security, Storage, and Retention

We use administrative, technical, and physical security measures to help protect your personal information. While we have taken reasonable steps to secure the personal information you provide to us, please be aware that despite our efforts, no security measures are perfect or impenetrable.

Encryption and Security Measures

We implement industry-standard security practices to protect your data:

  • Password Security: Passwords are hashed using bcrypt with 12 salt rounds. We check all passwords against known breach databases (using k-anonymity to protect your privacy) and prevent reuse of your last 5 passwords. Password history is encrypted using AES-256-GCM encryption with PBKDF2 key derivation (100,000 iterations, SHA-256).
  • Data Encryption at Rest: Sensitive data including multi-factor authentication secrets and password history are encrypted using AES-256-GCM authenticated encryption with randomly generated salts and initialization vectors.
  • Multi-Factor Authentication: We support TOTP-based two-factor authentication and WebAuthn/FIDO2 passkeys for passwordless authentication. MFA secrets are encrypted before storage. Admin users are required to enable MFA.
  • Session Security: All sessions expire after 30 days for security purposes. Sessions are rotated after sensitive operations like password changes to prevent session fixation attacks.
  • Rate Limiting and Account Protection: We implement rate limiting on authentication attempts and automatically lock accounts after 5 failed login attempts for 30 minutes to prevent brute-force attacks.
  • Security Monitoring: We maintain comprehensive audit logs of all authentication events, account changes, and security-sensitive operations. We actively monitor for suspicious activity and generate security alerts for unusual login patterns or unauthorized access attempts.

Data Retention

We will retain your personal information only for as long as is necessary for the purposes set out in this Privacy Policy, and to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. Audit logs and security event data are retained according to our retention policies, typically for a minimum of 365 days for compliance and security investigation purposes.

6. Your Data Rights

Depending on your geographic location and citizenship, you may have certain rights regarding your personal information under data protection laws such as GDPR (European Union) or CCPA (California). These may include the right to:

  • Request access to your personal data.
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data.
  • Object to processing of your personal data.
  • Request restriction of processing your personal data.
  • Request the transfer of your personal data.
  • Withdraw consent at any time where we are relying on consent to process your personal data.

To exercise these rights, please contact us using the contact information provided below. You can also review and change your information in your account settings.

7. Policy for Children

We do not knowingly solicit information from or market to children under the age of 13 (or 16 in certain jurisdictions). If you become aware of any data we have collected from children under this age, please contact us using the information provided below.

8. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last updated" date. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

9. Contact Us

If you have questions or comments about this Privacy Policy, please contact us at admin@communitypledge.com.

© 2025 Community Pledge. All rights reserved.