DONAIRO PRIVACY POLICY

Last Updated: March 22, 2026

This Privacy Policy explains how Donairo collects, uses, stores, shares, and otherwise processes personal information in connection with the Donairo website, applications, creator pages, dashboards, APIs, payment flows, and related services (collectively, the "Service"). In this Privacy Policy, "Donairo," "we," "us," and "our" refer to the Service made available under the Donairo name.

This Privacy Policy is intended to describe our current data practices for the Service as configured at the date above. We may update it from time to time as the Service or legal requirements evolve.

1. HOW TO REACH US

If you have questions about this Privacy Policy or our privacy practices, contact us at support@donairo.com. If you have privacy questions, access requests, correction requests, or deletion requests, please contact us at support@donairo.com.

2. SCOPE OF THIS POLICY

This Privacy Policy applies to information we collect when you:
1. visit public pages on the Service;
2. create or use an account;
3. create or manage a creator profile;
4. connect a payment account or receive payouts;
5. make or attempt a donation;
6. communicate with us;
7. upload images or other content; or
8. otherwise interact with the Service.

This Privacy Policy does not govern third-party services that have their own privacy notices, including Stripe or your bank. When you interact with those services, their privacy terms and notices also apply.

3. THE TYPES OF INFORMATION WE COLLECT

We collect different categories of information depending on how you use the Service.

3.1 Account and identity information

If you create an account, we may collect:
1. your name or profile name;
2. your email address;
3. your password in hashed form (we do not store your password in plain text);
4. your account role, such as supporter, creator, or admin;
5. your email verification status; and
6. timestamps such as account creation date, update date, and last login date.

3.2 Creator profile information

If you create a creator profile, we may collect and store:
1. your public display name;
2. your slug or page URL identifier;
3. your biography and mission statement;
4. your avatar and banner images;
5. your selected country;
6. your publication and suspension status; and
7. your creator settings, such as donation options and page display preferences.

Your selected country is treated as a permanent configuration choice in the Service because it affects payment account setup and payout eligibility.

3.3 Donation and transaction information

If you make, receive, or manage donations, we may collect or receive:
1. donation amount and currency;
2. platform fee, processing fee, gross amount, and creator net amount;
3. donation status, including pending, paid, refunded, partially refunded, failed, canceled, or disputed;
4. supporter display name, if provided;
5. supporter email, if provided;
6. supporter message, if provided;
7. anonymous donation preference;
8. donation timestamps;
9. goal associations and donation display settings; and
10. payment-related metadata such as Stripe checkout session IDs, payment intent IDs, charge IDs, settlement details, and refund data.

Donairo does not currently collect full payment card numbers directly through its own forms. Stripe-hosted checkout is used for payment entry and card handling.

3.4 Payment account and payout information

If you connect a payment account, we may collect or receive limited payment-account information, such as:
1. your connected payment account ID;
2. status flags indicating whether charges, payouts, and account details are enabled or submitted;
3. your default payout currency; and
4. related account status updates.

Stripe may collect additional information directly from you, such as identity verification information, bank account details, tax information, and compliance information. That information is primarily processed under Stripe's own privacy practices.

3.5 Content and uploads

If you upload or publish content, we may collect and store:
1. profile images and banners;
2. fundraising goal titles, descriptions, amounts, and images;
3. impact updates and cover images; and
4. other content you submit to the Service.

Uploaded images are validated and sanitized by our systems before storage. For example, image metadata may be removed and images may be re-encoded for safety and consistency.

3.6 Communications and support information

If you contact us or request support, we may collect:
1. the content of your messages;
2. your contact details;
3. attachments or screenshots you send us;
4. support history; and
5. records relating to issue resolution.

3.7 Security, session, and device information

When you use the Service, we may collect technical and security-related information, such as:
1. IP address;
2. user agent / browser information;
3. session identifiers and session status;
4. cookie values and related session metadata;
5. request timestamps;
6. approximate country information derived from request headers or network metadata for locale and security purposes; and
7. audit logs relating to account or security events.

3.8 Verification, reset, and account-change records

We may store one-time-use or time-limited records for:
1. email verification;
2. password reset;
3. email change requests; and
4. related confirmations and audit events.

3.9 Moderation and administrative information

We may collect or generate moderation and internal administration records, including:
1. content or account review status;
2. moderation flags and related notes;
3. administrative actions such as suspension;
4. audit logs of significant account or transaction events; and
5. Stripe webhook event records.

4. HOW WE COLLECT INFORMATION

We collect information:
1. directly from you when you submit forms, create an account, create a profile, upload content, or make a donation;
2. automatically when you use the Service, including through cookies, session handling, logs, and technical request data;
3. from third parties such as Stripe when payment or payout status changes;
4. from the hosting, network, infrastructure, and technical service providers whose systems we use to operate the Service, even where Donairo operates its own application, database, and email services on that infrastructure; and
5. from security, fraud, and compliance processes.

5. HOW WE USE INFORMATION

We use personal information for the following purposes:
1. to provide, operate, maintain, and improve the Service;
2. to create and manage user accounts and creator profiles;
3. to process donations and related transaction records;
4. to set up and maintain payment-provider integrations;
5. to publish creator pages and associated public content;
6. to support fundraising goals, donation settings, and impact updates;
7. to authenticate users, create sessions, and secure accounts;
8. to detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents;
9. to communicate with users about account actions, verification, password resets, email changes, support issues, and service notices;
10. to comply with legal, tax, accounting, regulatory, sanctions, anti-fraud, and law-enforcement obligations;
11. to enforce our Terms of Service, investigate violations, and manage risk;
12. to analyze and troubleshoot performance, operational issues, and product defects; and
13. to protect the rights, safety, property, and integrity of Donairo, our users, payment providers, and others.

6. LEGAL BASES FOR PROCESSING

Depending on your location and applicable law, we may rely on one or more of the following legal bases to process personal information:
1. Contract: where processing is necessary to provide the Service, manage your account, create creator pages, process donations, or otherwise perform our obligations or take steps at your request.
2. Legitimate interests: where processing is reasonably necessary for platform security, fraud prevention, abuse prevention, service improvement, analytics of basic platform operations, moderation, support, product integrity, and business administration.
3. Legal obligation: where processing is needed to comply with applicable laws, regulations, lawful requests, accounting obligations, sanctions screening, tax obligations, dispute handling, or enforcement requirements.
4. Consent: where consent is required by law or where we choose to rely on consent, such as for certain optional communications or other uses where consent is the appropriate basis.

Where consent is the legal basis, you may withdraw that consent at any time, although withdrawal will not affect processing that occurred before withdrawal.

7. PUBLIC INFORMATION AND ANONYMOUS DONATIONS

Some information on the Service is public by design. For example, if a creator page is published, public visitors may be able to see the creator's display name, slug, biography, mission, avatar, banner, goals, updates, and other content that the creator chooses to publish.

If a creator enables public donation feeds or supporter messages, donation-related information may also be publicly displayed, such as a supporter's display name, amount, and message.

If a supporter chooses to donate anonymously, we suppress the supporter's public display name from the public donation feed. However, if the supporter also leaves a message, that message may still be displayed publicly alongside the label "Anonymous." The supporter is informed of this at the time of donation.

Anonymous donation settings do not mean complete anonymity. Donairo, Stripe, banks, and other necessary service providers may still process transaction-related information required to complete, secure, record, investigate, or comply with the transaction.

8. WHEN WE SHARE INFORMATION

We may share personal information in the following circumstances:
1. With service providers and processors that help us operate the Service, such as VPS or hosting providers, data-center or network providers, DNS or delivery providers, infrastructure vendors, security providers, and other technical providers whose systems support the Service.
2. With Stripe and related payment participants to create checkout sessions, process payments, settle funds, manage refunds, and maintain connected payout accounts. In the normal course of payment processing, a creator's legal name, business name, or other account details held by Stripe or related financial institutions may be disclosed to supporters, card networks, issuing banks, or other parties through statement descriptors, transaction records, receipts, refund notices, chargeback proceedings, dispute resolution, or other payment-related communications. While Donairo takes reasonable steps to display its own branding in connection with transactions, we do not control and cannot guarantee what information payment providers, card networks, or other financial intermediaries may surface about a creator's connected account.
3. With creators, where necessary to operate creator-facing donation features. In the standard creator dashboard, creators may see donation-related information such as donor display name, donor email address (if provided and the donation is not anonymous), anonymous status, message, amount, gross amount, and donation date. Public anonymity controls may limit what is shown publicly. Donors who choose to be anonymous will have their email, name, and identity withheld from the creator.
4. With authorized administrators, personnel, advisors, contractors, and affiliates who need access for support, operations, moderation, security, legal compliance, accounting, or enforcement.
5. With law enforcement, regulators, courts, rights holders, or other third parties where we believe disclosure is necessary to comply with law, respond to lawful process, protect rights or safety, investigate fraud or abuse, or enforce our agreements.
6. In connection with a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, or similar transaction, subject to appropriate confidentiality and legal protections.
7. With your direction or consent.

We do not currently use third-party advertising trackers on the Service, and we do not sell personal information for money as that phrase is commonly used in privacy laws.

8.1 Tax Reporting and Documentation

Because donations made through the Service are voluntary personal gifts and not payments for goods or services, Donairo does not treat donation proceeds as earned income of the creator. Donairo will not issue tax documentation (such as IRS Form 1099-K or equivalent informational returns) to creators for donations received through the Service, nor will Donairo report donations received by creators as earned income to any tax authority. This does not limit Donairo's ability to comply with applicable law, respond to valid legal process, or cooperate with governmental authorities if required.

9. THIRD-PARTY PAYMENT AND EMAIL PROVIDERS

9.1 Stripe

Stripe is a core payment processor for the Service. We may send Stripe information such as creator email, creator country, donation amounts, currencies, donor email (if provided), and transaction metadata. We may receive back payment status, payout status, refund information, connected account status flags, settlement details, and related transaction metadata. Stripe's own privacy notice and terms govern its handling of information collected through Stripe-hosted flows and connected account onboarding.

9.2 Email providers

We send transactional emails such as account verification, password reset, and email change confirmations.
Donairo may send these messages using email systems that it operates directly, including on infrastructure rented from third-party hosting providers, and may also rely on third-party infrastructure, routing, DNS, anti-abuse, delivery, or related technical services needed to send, relay, secure, and support those communications.

10. COOKIES, SESSION TOKENS, AND LOCAL STORAGE

We currently use a limited set of cookies and browser storage mechanisms, including:
1. an HTTP-only session cookie used to keep users signed in and protect authenticated sessions;
2. a locale preference cookie used to remember language selection; and
3. local storage for locale preference support.

We also may use basic server-side logging and technical request data for security, debugging, and service operations.

We do not currently use third-party analytics cookies or advertising cookies on the Service. If that changes materially, we may update this Privacy Policy and any related cookie notice or consent flow.

11. INTERNATIONAL TRANSFERS AND DATA LOCATION

Donairo is operated from Canada, and the Service is hosted on infrastructure located in the United States. Donairo may operate its own application, database, and email services on that infrastructure. As a result, personal information may be stored, processed, transmitted, or accessed in Canada, the United States, or other jurisdictions where infrastructure, network, security, or technical service providers involved in operating the Service are located or provide services.

If you are located outside Canada or the United States, including in the European Economic Area, the United Kingdom, or Switzerland, your information may be transferred to and processed in jurisdictions that may not provide the same level of legal protection as your home jurisdiction.
Where applicable law requires it, we seek to use measures intended to support lawful cross-border transfers, which may include contractual protections, provider commitments, or other safeguards appropriate to the circumstances.

12. RETENTION

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, maintain business and transaction records, comply with legal obligations, resolve disputes, prevent fraud, enforce agreements, and protect our interests.

Retention periods may vary by record type. For example:
1. account and creator profile information may be retained while the account remains active and for a reasonable period afterward;
2. session records may be retained until expiry or revocation and may be automatically deleted after their expiration period;
3. verification, reset, and email change tokens may expire automatically and may be deleted after expiry or consumption;
4. Stripe webhook event records may be retained for a limited audit period and may be automatically deleted after that period;
5. donation, payout, tax, accounting, fraud, audit, and legal records may be retained for longer periods where required or reasonably necessary; and
6. backup copies may persist for a limited period under normal disaster recovery processes.

Even if you request deletion, we may retain information where necessary for legal compliance, security, fraud prevention, accounting, tax, audit, dispute resolution, enforcement, or other legitimate and lawful business purposes.

13. SECURITY

We use technical and organizational measures designed to protect personal information, including safeguards relating to authentication, session handling, password hashing, token hashing, image sanitization, rate limiting, and role-based access controls.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
You are responsible for maintaining the security of your devices, passwords, email account, and other credentials.

14. YOUR RIGHTS AND CHOICES

Depending on your location and applicable law, you may have rights that include:
1. access to personal information we hold about you;
2. correction or rectification of inaccurate information;
3. deletion or erasure of certain information;
4. restriction of processing;
5. objection to certain processing;
6. withdrawal of consent where processing is based on consent;
7. data portability for information you provided to us, where applicable; and
8. the right to complain to a data protection or privacy regulator.

You may also be able to update certain information through your account settings, such as profile details, password, and email address change requests.

To exercise rights you may have, contact us at support@donairo.com. We may need to verify your identity before acting on your request. Some rights are subject to exceptions and limitations under applicable law.

15. REGION-SPECIFIC NOTES

15.1 Canada

If Canadian privacy law applies, you may request access to and correction of your personal information, subject to applicable exceptions. You may also contact us with complaints or concerns about our privacy practices.

15.2 EEA, UK, and Switzerland

If you are in the EEA, UK, or Switzerland, you may have rights under applicable data protection laws, including the rights described above. You may also have the right to complain to your local supervisory authority or regulator.

15.3 United States

Some U.S. state privacy laws may provide additional rights depending on your state of residence and the applicability thresholds of those laws. If such laws apply, you may contact us to request information about applicable rights.

16. CHILDREN'S PRIVACY

The Service is not intended for children who are below the age required to use the Service lawfully in their jurisdiction, and creator accounts are not intended for minors.
We do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information to us unlawfully, contact us at support@donairo.com.

17. AUTOMATED DECISION-MAKING

We do not currently use solely automated decision-making that produces legal or similarly significant effects about users in the sense typically regulated under data protection laws. We may, however, use automated and semi-automated rules for security, fraud prevention, abuse detection, rate limiting, spam reduction, and operational risk controls.

18. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The updated version will be effective when posted, unless a later date is stated. If we make material changes, we may provide additional notice by email, in-app notice, or other reasonable means.

19. CONTACT US

If you have questions, requests, or complaints regarding this Privacy Policy or our privacy practices, contact:

Donairo
Email: support@donairo.com
