Privacy Policy
Last updated: July 14, 2026
1. Overview
Impact Flow is a management platform used by nonprofit organizations. This policy explains what personal data we collect, how we use it, and the choices you have. It covers both the people who sign in to the platform (staff accounts) and the people whose information an organization stores in it (donors, clients, members, registrants and volunteers).
For the records an organization keeps about its own community, that organization is the data controller and we process the data on its behalf. If you want to know why an organization holds your information, or want it corrected or deleted, the organization is the right first contact — we will assist it in honoring such requests.
2. Data we collect
- Staff account data — name, email address, a hashed password (we never store the password itself), language preference, role and sign-in activity. Signing in with Google or Microsoft shares your name and email address from that provider.
- Organization data — the records an organization enters or imports: people, donations, registrations, appointments, volunteer records, notes and email messages. Its content is determined by the organization, not by us.
- Payment data — subscription payments and payments to organizations are processed by Stripe. We store transaction references, amounts and status, but card numbers never touch our servers.
- Technical data — IP addresses, timestamps and similar request metadata, used for security (for example rate limiting and audit logs) and troubleshooting.
- Support messages — what you send us when you report a problem or contact support.
3. How we use data
We use personal data only to operate the Service: authenticating users, storing and displaying organization records, sending the transactional email the organization triggers (confirmations, receipts, reminders, password resets), processing payments through Stripe, keeping the Service secure, providing support, and billing subscriptions. We do not sell personal data and we do not use it for third-party advertising.
4. AI features
When staff use the in-app help assistant, the question and the conversation in the help window are sent to an AI model provider to generate the answer. These requests are used only to produce the response; we do not use your data to train AI models. The assistant has no access to your organization’s records.
5. Service providers
We rely on a small number of service providers to run the platform: cloud hosting and database infrastructure (Vercel and our database provider), Stripe for payment processing, Resend for email delivery, and an AI model provider for the help assistant. Each processes data only as needed to provide its service to us.
6. Cookies
The Service uses only essential cookies: a session cookie that keeps you signed in and a cookie that remembers your language preference. There are no advertising or cross-site tracking cookies.
7. Retention and deletion
We keep data for as long as the organization’s account is active. When an organization cancels its plan, its data becomes read-only for 30 days (so it can be exported) and is then permanently deleted, including from routine backups as they rotate. An organization can also delete individual records at any time from within the application.
8. Security
Data is encrypted in transit, passwords are stored only as salted hashes, organization API credentials are stored encrypted, and every organization’s data is isolated from other organizations. Automated backups protect against data loss. No system is perfectly secure — if we learn of a breach affecting your data we will notify affected organizations without undue delay.
9. Your rights
Depending on where you live, you may have rights to access, correct, export or delete your personal data, or to object to certain processing. Staff can manage their own account details in the application; for anything else, contact us — or, for records held by an organization about you, contact that organization. We respond to requests at support@impactflow.example.
10. Children
The Service is for organizations and their staff and is not directed to children. Organizations that record information about minors (for example program participants) are responsible for having the appropriate consent to do so.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced in the application or by email before they take effect, and the date at the top of this page always reflects the latest version.
12. Contact
Privacy questions and requests: support@impactflow.example.
