1. Who this policy covers
This policy describes how GiveTone handles information about you — the person or nonprofit organization that signs up for a GiveTone account. It does not cover your donors, because GiveTone does not collect, store, or transmit donor-level data.
2. What we collect
To run the product, we collect the following information from account holders:
- Account information: your email address, your password (stored as a hash — we never see the plain-text value), and your organization name.
- Brand kit content: the logos, colors, mission statement, tone descriptors, and sample content you upload so we can generate on-brand communications.
- Generated content: the letters, appeals, and other communications you create using GiveTone, stored so you can revisit and edit them later.
- Billing information: handled by our payment processor, Stripe. We receive a subscription status and the last four digits of your card for reference. We do not see or store your full card number.
- Usage metadata: which features you use and when, so we can detect bugs and improve the product. This is aggregate behavior data, not content.
3. What we explicitly do not collect
GiveTone's architecture prevents us from seeing the following, even if we wanted to:
- Donor names, donor email addresses, donor mailing addresses, or donor phone numbers
- Individual gift amounts, gift dates, or giving history
- Your donor CRM records, lists, or exports
- Merged, personalized copies of letters addressed to specific donors
When you use our mail-merge feature, GiveTone inserts placeholder tokens (for example, {{first_name}}) into your template. The actual substitution — where {{first_name}} becomes "Dear Jane," — happens entirely on your computer, in your email platform or word processor. The resulting personalized file is never transmitted to GiveTone.
4. How we use your information
- To provide, operate, and improve GiveTone
- To generate on-brand content from your brand kit and inputs
- To authenticate you and protect your account
- To process payments and manage your subscription
- To contact you about product updates, billing, or support requests
- To detect and prevent abuse, fraud, or security incidents
5. Sub-processors
GiveTone relies on a small number of trusted services to operate. Each processes specific data for specific purposes:
- Supabase — authentication and database hosting. Stores your account and brand kit content.
- Anthropic (Claude) — the AI model that generates communications from your brand kit and inputs. Your brand kit and prompt content are transmitted to Anthropic for inference. No donor data is ever sent to Anthropic, because we don't have any.
- Stripe — payment processing. Handles your card details directly; we never see them.
- Vercel — application hosting and delivery.
- Google (Analytics 4) — website analytics for our marketing site. Collects pseudonymous traffic data (pages viewed, referral source, device class). We do not connect this data to your account, and we do not run advertising, remarketing, or cross-site tracking pixels.
- Sentry — server-side error monitoring. Receives stack traces and error metadata so we can diagnose bugs. We configure Sentry to scrub request bodies, email addresses, and IP addresses before events are sent.
A current, canonical list of our sub-processors — including purpose and the categories of data each receives — is published at /legal/subprocessors. We will email account holders before adding a new sub-processor that materially expands the data we share.
6. How long we keep your data
We retain your account data for as long as your organization is active. You can delete your organization yourself at any time from the billing page. When you do, we immediately cancel your subscription, delete every letter you generated, delete every brand kit and uploaded image, and remove every team member from the organization.
We keep a minimal retention record of the deletion itself. It contains the organization's name, final plan, final subscription status, Stripe customer ID, the time of deletion, the account identifier (a random UUID from our authentication system) of the user who initiated the deletion, and any optional reason they typed into the confirmation form. We also keep a companion internal audit-event record of the deletion — the same fields, plus counts of how many uploaded files were purged during cleanup — so that support can investigate issues after the fact.
We keep these records so that past Stripe invoices stay reconcilable for tax and audit purposes (we're required to keep invoice-linked records for up to seven years under applicable tax rules), and so that we can detect abuse patterns such as repeated create-and-delete cycles against the free-tier allowance. The retention record does not contain donor data, letter content, brand content, team member emails, or the contents of any communication you generated.
If you would like this retention record purged earlier than the seven-year window and believe your situation permits it, email [email protected].
7. Your rights
You have the right to access, correct, or delete your account information at any time. You can do all three from the billing page: the "Download my data" button returns a single JSON file containing everything your organization has stored with us, and "Delete this organization" runs the deletion flow described in Section 6 above. For anything else, email [email protected].
Because GiveTone does not hold donor-level data, we cannot fulfill data subject requests (access, deletion, correction) on behalf of individual donors. Those requests should be directed to the nonprofit organization that holds the donor relationship, which manages donor records in its own CRM or email platform.
8. Cookies and analytics
GiveTone uses a small number of strictly necessary cookies to keep you signed in and to run the application.
We also use Google Analytics 4 on our public marketing site to understand how visitors find and use GiveTone (for example, which pages they land on, how they move through the site, and whether they convert to signup). Google Analytics sets cookies containing a pseudonymous identifier; we do not link that identifier to your account. We have disabled advertising-personalization signals and do not run advertising, remarketing, or cross-site tracking pixels.
If you prefer not to be measured, most browsers support blocking third-party analytics cookies, and browser extensions such as Google's opt-out add-on will prevent Google Analytics from collecting data on your visit.
9. Security
Account data is encrypted in transit (TLS) and at rest. We use row-level security policies in our database so that one customer cannot access another customer's data. For more detail, see our Security page.
10. Changes to this policy
If we make material changes to this policy, we will notify account holders by email and update the "Last updated" date at the top of this page. Because GiveTone's zero-knowledge posture is a core product promise, we will flag any change that expands the data we collect as a material change.
11. Contact us
Questions about this policy or our practices? Email [email protected] or visit our Contact page.