Privacy Policy
Last updated: June 15, 2026
1. Who we are (data controller)
GiveRadar is operated by Timmermans Media OÜ, registered in Estonia (Sepapaja tn 6, 15551 Tallinn). We are the data controller for the personal data described here. For any privacy question or to exercise your rights, contact [email protected].
2. What data we collect
Account data: your name, email address, and a hashed password.
Charity claim data: when claiming a charity profile, your name, job title, work email, and phone number, used to verify your connection to the organization.
Review data: your name (shown publicly with the review), email (for verification, never shown publicly), and your review text.
Submission data: if you submit a charity for inclusion, your name and email.
Billing data: for paid API plans, payment is handled by Stripe; we store a Stripe customer and subscription identifier, not your card details.
Usage and security data: with your consent, anonymous analytics (see cookies below). For security and abuse prevention we briefly process your IP address (for rate limiting and, if you accept it, reCAPTCHA).
Research pilot data: if you opt in to a research pilot, the data you voluntarily provide, handled under a separate informed-consent form, analyzed only in aggregate, and never linked to identifiable individuals in any public report.
3. Lawful basis for processing
- Account, claims, billing, transactional email - performance of a contract (GDPR Art. 6(1)(b)): providing the service you asked for.
- Reviews you submit - your consent (Art. 6(1)(a)) to publish, plus our legitimate interest (Art. 6(1)(f)) in showing community feedback.
- Analytics (Google Analytics) - your consent (Art. 6(1)(a)), given via the cookie banner.
- reCAPTCHA on sign-up and login - our legitimate interest (Art. 6(1)(f)) in preventing abuse and spam; it runs only on those security-sensitive forms.
- IP address for rate limiting and security - our legitimate interest (Art. 6(1)(f)) in keeping the service available and free of abuse.
- Charity officer and registry data we publish - our legitimate interest (Art. 6(1)(f)) in charity transparency, using information that is already public in official government registries and filings (see section 5).
4. How we use your data
- To provide access to your GiveRadar account and saved preferences.
- To verify charity claims and reviews via email.
- To display your reviews on charity profiles (name shown, email never shown).
- To send transactional emails (welcome, verification codes, claim status). We do not send marketing email.
- To keep the service secure and available, and, with consent, to understand anonymous usage.
5. Personal data we publish
GiveRadar is a charity research database. Some of the charity information we display includes personal data of individuals who are not our users - typically the names, roles, and (for some charities) the publicly filed compensation of directors, trustees, and senior officers, and contact details published by the charity. This information is sourced from official government registries and public filings (for example IRS Form 990 in the US or the Charity Commission in the UK) and from charities' own public websites.
We process this under our legitimate interest in charity transparency and accountability, balanced against the limited privacy expectation in information that organizations are legally required to publish. Compensation figures and contact details are shown to signed-in users rather than anonymously.
If you are named in our data and want it corrected or removed (including a personal email address scraped from a website), email [email protected]. We review such requests and action valid ones, normally within 30 days.
6. What we do not do
- We do not sell your personal account data.
- We do not send marketing emails without your consent.
- We do not share your account email with charities or other users.
- We do not use your data for advertising or behavioral profiling.
- We do not use your personal data to train AI models.
7. Cookies and consent
We ask for your consent before setting any non-essential cookies. When you first visit, a banner lets you Accept or Decline; declining is as easy as accepting, and nothing non-essential loads until you accept. You can change your choice any time via the "Cookie settings" link in the footer.
| Cookie / tool | Purpose | Consent |
|---|---|---|
| sessionid, csrftoken | Sign-in session and form security | Essential (no consent needed) |
| gr_consent | Remembers your cookie choice (6 months) | Essential (no consent needed) |
| Google Analytics (_ga) | Anonymous usage statistics | Loads only after you accept |
| Google reCAPTCHA | Spam protection on sign-up and login forms | Always on (security) |
We use no advertising or cross-site tracking cookies.
8. Data retention
- Account data: kept while your account is active; deleted on request, and we may remove long-inactive accounts.
- Reviews: kept while displayed; removed on verified request.
- API usage logs: for authenticated API and MCP requests we log the endpoint and query parameters (never your API key) for 90 days, for support and abuse prevention.
- Verification codes: short-lived and invalidated after use or expiry.
- Security and rate-limit data (IP): processed transiently (minutes) and not stored long-term in our database.
- Analytics: retained according to Google Analytics settings (no more than 14 months).
- Charity and registry data: maintained as part of the public database, independently of user accounts.
9. International transfers
Our servers and primary data are in the EU (Germany). Some processors we use are based in the United States - Google (Analytics, reCAPTCHA, Fonts) and Stripe (payments). Where personal data is transferred to the US, it is protected by the EU-US Data Privacy Framework (to which these providers self-certify) and/or the European Commission's Standard Contractual Clauses.
10. Data security
We use HTTPS for all connections, bcrypt password hashing, CSRF protection on all forms, HSTS, and a content security policy. Database access is restricted to localhost. Servers are hosted on Hetzner (EU, Germany) with regular security updates.
11. Your rights (GDPR)
If you are in the EU/EEA (and under similar laws elsewhere) you have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion ("right to be forgotten").
- Object to processing based on legitimate interest, including the publication of data about you.
- Withdraw consent for analytics at any time via "Cookie settings".
- Receive a copy of your data in a portable format.
To exercise any of these, email [email protected]. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority; ours is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).
12. Third-party services (sub-processors)
- Hetzner - server hosting (EU, Germany).
- Cloudflare - content delivery, caching, and DDoS protection (processes request metadata such as IP at the edge).
- Google Analytics - anonymous usage statistics (consent-based).
- Google reCAPTCHA - spam protection on sign-up and login (consent-based).
- Resend - transactional email delivery.
- Stripe - payment processing for paid API plans.
13. Changes and contact
We may update this policy; material changes will be reflected by the "last updated" date above. For any privacy question, contact [email protected].
Timmermans Media OÜ