DONAIRO PRIVACY POLICY

Last Updated: June 11, 2026

This Privacy Policy explains how Donairo collects, uses, stores, shares, and otherwise processes personal information in connection with the Donairo website, applications, creator pages, dashboards, APIs, payment flows, and related services (collectively, the "Service").

In this Privacy Policy, "Donairo," "we," "us," and "our" refer to the Service made available under the Donairo name.

This Privacy Policy is intended to describe our current data practices for the Service as configured at the date above. We may update it from time to time as the Service or legal requirements evolve.

1. HOW TO REACH US

If you have questions about this Privacy Policy or our privacy practices, contact us at support@donairo.com.

If you have privacy questions, access requests, correction requests, or deletion requests, please contact us at support@donairo.com. Privacy-related requests are handled by our Privacy Officer at support@donairo.com.

2. SCOPE OF THIS POLICY

This Privacy Policy applies to information we collect when you:

1. visit public pages on the Service;
2. create or use an account;
3. create or manage a creator profile;
4. connect a payment account or receive payouts;
5. make or attempt a donation;
6. communicate with us;
7. upload images or other content; or
8. otherwise interact with the Service.

This Privacy Policy does not govern third-party services that have their own privacy notices, including PayPal or your bank. When you interact with those services, their privacy terms and notices also apply.

3. THE TYPES OF INFORMATION WE COLLECT

We collect different categories of information depending on how you use the Service.

3.1 Account and identity information

If you create an account, we may collect:

1. your name or profile name;
2. your email address;
3. your password in hashed form (we do not store your password in plain text);
4. your account role, such as supporter, creator, or admin;
5. your email verification status; and
6. timestamps such as account creation date, update date, and last login date.

3.2 Creator profile information

If you create a creator profile, we may collect and store:

1. your public display name;
2. your slug or page URL identifier;
3. your biography and mission statement;
4. your avatar and banner images;
5. your country of record, retrieved from your PayPal account when you connect PayPal;
6. your accepted donation currency and a record of any subsequent currency changes you initiate, including timestamps and the previous currency;
7. your publication and suspension status;
8. status indicators relating to any prior connection to, or disconnection from, your payment provider, including a record of the last merchant account you disconnected so late or duplicate payment-provider events can be handled correctly; and
9. your creator settings, such as donation options and page display preferences.

Your country of record is retrieved from your PayPal account at the time you connect PayPal and is treated as a permanent configuration choice in the Service because it affects payment account setup and payout eligibility. If you disconnect your payment account, we keep your country of record, your accepted donation currency, your currency change history, your donation goals, and your past donation records associated with your profile so that reconnection does not require rebuilding your profile from scratch.

3.3 Donation and transaction information

If you make, receive, or manage donations, we may collect or receive:

1. donation amount and currency;
2. platform fee, processing fee, gross amount, and creator net amount, including amounts expressed in the creator's receivable settlement currency when settlement is converted by the payment provider;
3. donation status, including pending, processing, paid, refunded, partially refunded, failed, canceled, disputed, reversed, or flagged for manual review;
4. supporter display name, if provided;
5. supporter email, which is required to process your donation and deliver your donation receipt. It is stored with the donation record for all donations, including anonymous ones, and is visible to the creator in their dashboard. Anonymous donation settings control public display only (see Section 7);
6. supporter message, if provided;
7. anonymous donation preference;
8. donation timestamps;
9. goal associations and donation display settings; and
10. payment-related metadata such as PayPal order IDs, capture IDs, a snapshot of the creator's merchant identifier at the time the order was created (retained so that an already-approved payment can be captured even if the creator later disconnects or reconnects their payment account), settlement details such as exchange rate and payment-provider fee, and refund data.

If a donation is later refunded, reversed, or partially refunded by the payment provider, we may send you an email notification containing the donation reference identifier and the amount affected. Creators may also receive a notification about the refund or reversal that does not contain donor personal information.

Donairo does not currently collect full payment card numbers directly through its own forms. PayPal's JS SDK handles payment entry, card field rendering, and card data transmission directly to PayPal's servers.

3.4 Payment account and payout information

If you connect a payment account, we may collect or receive limited payment-account information, such as:

1. your connected payment account ID;
2. status flags indicating whether charges, payouts, and account details are enabled or submitted;
3. your default payout currency; and
4. related account status updates.

PayPal may collect additional information directly from you, such as identity verification information, bank account details, tax information, and compliance information. That information is primarily processed under PayPal's own privacy practices.

3.5 Content and uploads

If you upload or publish content, we may collect and store:

1. profile images and banners;
2. fundraising goal titles, descriptions, amounts, and images;
3. impact updates and cover images; and
4. other content you submit to the Service.

Uploaded images are validated and sanitized by our systems before storage. For example, image metadata may be removed and images may be re-encoded for safety and consistency.

3.6 Communications and support information

If you contact us or request support, we may collect:

1. the content of your messages;
2. your contact details;
3. attachments or screenshots you send us;
4. support history; and
5. records relating to issue resolution.

3.7 Security, session, and device information

When you use the Service, we may collect technical and security-related information, such as:

1. IP address;
2. user agent / browser information;
3. session identifiers and session status;
4. cookie values and related session metadata;
5. request timestamps;
6. approximate country information derived from request headers or network metadata for locale and security purposes; and
7. audit logs relating to account or security events.

3.8 Verification, reset, and account-change records

We may store one-time-use or time-limited records for:

1. email verification;
2. password reset;
3. email change requests; and
4. related confirmations and audit events.

3.9 Moderation and administrative information

We may collect or generate moderation and internal administration records, including:

1. content or account review status;
2. moderation flags and related notes;
3. administrative actions such as suspension;
4. audit logs of significant account or transaction events; and
5. PayPal webhook event records.

4. HOW WE COLLECT INFORMATION

We collect information:

1. directly from you when you submit forms, create an account, create a profile, upload content, or make a donation;
2. automatically when you use the Service, including through cookies, session handling, logs, and technical request data;
3. from third parties such as PayPal when payment or payout status changes;
4. from the hosting, network, infrastructure, and technical service providers whose systems we use to operate the Service, even where Donairo operates its own application, database, and email services on that infrastructure; and
5. from security, fraud, and compliance processes.

5. HOW WE USE INFORMATION

We use personal information for the following purposes:

1. to provide, operate, maintain, and improve the Service;
2. to create and manage user accounts and creator profiles;
3. to process donations and related transaction records;
4. to set up and maintain payment-provider integrations;
5. to publish creator pages and associated public content;
6. to support fundraising goals, donation settings, and impact updates;
7. to authenticate users, create sessions, and secure accounts;
8. to detect, investigate, and prevent fraud, abuse, unauthorized access, and security incidents;
9. to communicate with users about account actions, verification, password resets, email changes, support issues, and service notices;
10. to comply with legal, tax, accounting, regulatory, sanctions, anti-fraud, and law-enforcement obligations;
11. to enforce our Terms of Service, investigate violations, and manage risk;
12. to analyze and troubleshoot performance, operational issues, and product defects; and
13. to protect the rights, safety, property, and integrity of Donairo, our users, payment providers, and others.

6. LEGAL BASES FOR PROCESSING

Depending on your location and applicable law, we may rely on one or more of the following legal bases to process personal information:

1. Contract: where processing is necessary to provide the Service, manage your account, create creator pages, process donations, or otherwise perform our obligations or take steps at your request.
2. Legitimate interests: where processing is reasonably necessary for platform security, fraud prevention, abuse prevention, service improvement, analytics of basic platform operations, moderation, support, product integrity, and business administration.
3. Legal obligation: where processing is needed to comply with applicable laws, regulations, lawful requests, accounting obligations, sanctions screening, tax obligations, dispute handling, or enforcement requirements.
4. Consent: where consent is required by law or where we choose to rely on consent, such as for certain optional communications or other uses where consent is the appropriate basis.

Where consent is the legal basis, you may withdraw that consent at any time, although withdrawal will not affect processing that occurred before withdrawal.

7. PUBLIC INFORMATION AND ANONYMOUS DONATIONS

Some information on the Service is public by design. For example, if a creator page is published, public visitors may be able to see the creator's display name, slug, biography, mission, avatar, banner, goals, updates, and other content that the creator chooses to publish.

If a creator enables public donation feeds or supporter messages, donation-related information may also be publicly displayed, such as a supporter's display name, amount, and message.

If a supporter chooses to donate anonymously, we suppress the supporter's public display name from the public donation feed. However, if the supporter also leaves a message, that message may still be displayed publicly alongside the label "Anonymous." The supporter is informed of this at the time of donation.

Anonymous donation settings control public display only and do not mean anonymity toward the creator. The creator you support can still see your name and email address in their private dashboard, and PayPal independently sends the creator its own payment notifications and receipts, which include the payer's name and email address. Donairo does not control and cannot suppress what PayPal, banks, or other financial intermediaries disclose to the creator in connection with a payment. Donairo, PayPal, banks, and other necessary service providers may also process transaction-related information required to complete, secure, record, investigate, or comply with the transaction.

8. WHEN WE SHARE INFORMATION

We may share personal information in the following circumstances:

1. With service providers and processors that help us operate the Service, such as VPS or hosting providers, data-center or network providers, DNS or delivery providers, infrastructure vendors, security providers, and other technical providers whose systems support the Service.
2. With PayPal and related payment participants to create payment orders, process payments, settle funds, manage refunds, and maintain connected payout accounts.

In the normal course of payment processing, a creator's legal name, business name, or other account details held by PayPal or related financial institutions may be disclosed to supporters, card networks, issuing banks, or other parties through statement descriptors, transaction records, receipts, refund notices, chargeback proceedings, dispute resolution, or other payment-related communications. While Donairo takes reasonable steps to display its own branding in connection with transactions, we do not control and cannot guarantee what information payment providers, card networks, or other financial intermediaries may surface about a creator's connected account.
3. With creators, where necessary to operate creator-facing donation features. In the standard creator dashboard, creators may see donation-related information such as donor name, donor display name, donor email address, anonymous status, message, amount, gross amount, and donation date — for all donations, including anonymous ones. Anonymous donation settings limit what is shown on the creator's public page only; they do not withhold the donor's identity from the creator, who in any event receives the payer's name and email address directly from PayPal's own payment notifications and receipts.
4. With authorized administrators, personnel, advisors, contractors, and affiliates who need access for support, operations, moderation, security, legal compliance, accounting, or enforcement.
5. With law enforcement, regulators, courts, rights holders, or other third parties where we believe disclosure is necessary to comply with law, respond to lawful process, protect rights or safety, investigate fraud or abuse, or enforce our agreements.
6. In connection with a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, or similar transaction, subject to appropriate confidentiality and legal protections.
7. With your direction or consent.

We do not currently use third-party advertising trackers on the Service. Separately from the disclosures described in this section — for example, showing your name, display name, message, and email address to the creator you support (including for anonymous donations, where anonymity controls public display only) — we do not sell or share personal information as those terms are defined under applicable privacy laws (including the California Consumer Privacy Act), whether for money, for other valuable consideration, or for cross-context behavioral advertising.

8.1 Tax Reporting and Documentation

Because donations made through the Service are voluntary personal gifts and not payments for goods or services, Donairo does not treat donation proceeds as earned income of the creator. Donairo will not issue tax documentation (such as IRS Form 1099-K or equivalent informational returns) to creators for donations received through the Service, nor will Donairo report donations received by creators as earned income to any tax authority. This does not limit Donairo's ability to comply with applicable law, respond to valid legal process, or cooperate with governmental authorities if required.

9. THIRD-PARTY PAYMENT AND EMAIL PROVIDERS

9.1 PayPal

PayPal is a core payment processor for the Service. We may send PayPal information such as creator email, donation amounts, currencies, donor email (if provided), and transaction metadata. We may receive back payment status, payout status, refund information, connected account status flags, settlement details, and related transaction metadata. In addition, when you connect your PayPal account, we retrieve limited identity information from PayPal about the connected merchant, including your country of record, which we use to configure your creator profile, default currency, and eligibility to receive donations through the Service.

PayPal's own privacy notice and terms govern its handling of information collected through PayPal-hosted flows and connected account onboarding.

9.2 Email providers

We send transactional emails such as account verification, password reset, and email change confirmations. Donairo may send these messages using email systems that it operates directly, including on infrastructure rented from third-party hosting providers, and may also rely on third-party infrastructure, routing, DNS, anti-abuse, delivery, or related technical services needed to send, relay, secure, and support those communications.

10. COOKIES, SESSION TOKENS, AND LOCAL STORAGE

We currently use a limited set of cookies and browser storage mechanisms, including:

1. an HTTP-only session cookie used to keep users signed in and protect authenticated sessions;
2. a locale preference cookie used to remember language selection; and
3. local storage for locale preference support.

We also may use basic server-side logging and technical request data for security, debugging, and service operations.

We do not currently use third-party analytics cookies or advertising cookies on the Service. If that changes materially, we may update this Privacy Policy and any related cookie notice or consent flow.

11. INTERNATIONAL TRANSFERS AND DATA LOCATION

Donairo is operated from Canada, and the Service is hosted on infrastructure located in the United States. Donairo may operate its own application, database, and email services on that infrastructure. As a result, personal information may be stored, processed, transmitted, or accessed in Canada, the United States, or other jurisdictions where infrastructure, network, security, or technical service providers involved in operating the Service are located or provide services.

If you are located outside Canada or the United States, including in the European Economic Area, the United Kingdom, or Switzerland, your information may be transferred to and processed in jurisdictions that may not provide the same level of legal protection as your home jurisdiction.

Where applicable law requires it, we seek to use measures intended to support lawful cross-border transfers, which may include contractual protections, provider commitments, or other safeguards appropriate to the circumstances.

12. RETENTION

We retain information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, maintain business and transaction records, comply with legal obligations, resolve disputes, prevent fraud, enforce agreements, and protect our interests.

Retention periods may vary by record type. For example:

1. account and creator profile information may be retained while the account remains active and for a reasonable period afterward;
2. session records may be retained until expiry or revocation and may be automatically deleted after their expiration period;
3. verification, reset, and email change tokens may expire automatically and may be deleted after expiry or consumption;
4. PayPal webhook event records may be retained for a limited audit period and may be automatically deleted after that period;
5. security and account-activity audit records are retained as audit history, but technical identifiers captured with them, such as IP address and browser user agent, are removed after 24 months;
6. supporter personal details on donation records (email address, name, and message) are removed 7 years after the donation, while the financial details of the transaction (amounts, currencies, fees, statuses, and payment-provider identifiers) are retained as de-identified business records;
7. donation, payout, tax, accounting, fraud, audit, and legal records may be retained for longer periods where required or reasonably necessary; and
8. backup copies may persist for a limited period under normal disaster recovery processes.

Even if you request deletion, we may retain information where necessary for legal compliance, security, fraud prevention, accounting, tax, audit, dispute resolution, enforcement, or other legitimate and lawful business purposes.

13. SECURITY

We use technical and organizational measures designed to protect personal information, including safeguards relating to authentication, session handling, password hashing, token hashing, image sanitization, rate limiting, and role-based access controls.

If a breach of security safeguards involving your personal information creates a real risk of significant harm, we will notify you and the applicable privacy regulators (including the Office of the Privacy Commissioner of Canada and, where applicable, Quebec's Commission d'accès à l'information) as soon as feasible, and we maintain a record of security incidents.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your devices, passwords, email account, and other credentials.

14. YOUR RIGHTS AND CHOICES

Depending on your location and applicable law, you may have rights that include:

1. access to personal information we hold about you;
2. correction or rectification of inaccurate information;
3. deletion or erasure of certain information;
4. restriction of processing;
5. objection to certain processing;
6. withdrawal of consent where processing is based on consent;
7. data portability for information you provided to us, where applicable; and
8. the right to complain to a data protection or privacy regulator.

You may also be able to update certain information through your account settings, such as profile details, password, and email address change requests.

To exercise rights you may have, contact us at support@donairo.com. We may need to verify your identity before acting on your request. Some rights are subject to exceptions and limitations under applicable law.

15. REGION-SPECIFIC NOTES

15.1 Canada

If Canadian privacy law applies, you may request access to and correction of your personal information, subject to applicable exceptions. You may also contact us with complaints or concerns about our privacy practices.

15.2 EEA, UK, and Switzerland

If you are in the EEA, UK, or Switzerland, you may have rights under applicable data protection laws, including the rights described above. You may also have the right to complain to your local supervisory authority or regulator.

15.3 United States

Some U.S. state privacy laws may provide additional rights depending on your state of residence and the applicability thresholds of those laws. If such laws apply, you may contact us to request information about applicable rights.

16. CHILDREN'S PRIVACY

The Service is not intended for children who are below the age required to use the Service lawfully in their jurisdiction, and creator accounts are not intended for minors. We do not knowingly collect personal information from children in violation of applicable law. If you believe a child has provided personal information to us unlawfully, contact us at support@donairo.com.

17. AUTOMATED DECISION-MAKING

We do not currently use solely automated decision-making that produces legal or similarly significant effects about users in the sense typically regulated under data protection laws. We may, however, use automated and semi-automated rules for security, fraud prevention, abuse detection, rate limiting, spam reduction, and operational risk controls.

18. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. The updated version will be effective when posted, unless a later date is stated. If we make material changes, we may provide additional notice by email, in-app notice, or other reasonable means.

19. CONTACT US

If you have questions, requests, or complaints regarding this Privacy Policy or our privacy practices, contact:

Donairo
Email: support@donairo.com