Privacy policy
Last updated 2026-05-29. This is a plain-English summary of what we collect and what we do with it. A formal, counsel-reviewed version will replace this page before V1 ships to paying customers.
What we collect
About you (the site owner): your email address, the display name you chose for your widget, and your website URL. That's it. We don't ask for or store your real name, address, phone, or banking details — Stripe Express handles all of that on Stripe's infrastructure.
About your donors: the name and email they enter at Stripe Checkout, the donation amount, the currency, the timestamp, and the URL where the widget was loaded. We never see card numbers, CVCs, expiration dates, or full billing addresses — Stripe holds all of that on their PCI-compliant systems.
About widget visitors who didn't donate: we record that the widget was loaded on a page (counts and timestamps) along with the originating URL and a one-way hash of the visitor's IP. The hash is salted with a daily-rotating value, so an IP can't be back-derived and can't be correlated across days.
How long we keep it
Donor names and emails: auto-deleted after 13 months by a nightly cleanup job. The donation amount and timestamp are retained indefinitely so your tax records stay intact, but the personally-identifying parts are removed.
Widget event logs: retained for analytics. No identifying data — only counts, timestamps, and originating URLs.
Your account: kept while your subscription is active and for 30 days after cancellation, then deleted entirely. Email us before that window if you want it kept longer (e.g. for tax reasons).
Who we share it with
Stripe: we have to. Stripe processes every donation and provides the connected account that holds your money. Their handling of your data is governed by their privacy policy.
Supabase: hosts our database. Your data sits in a Postgres database in their US infrastructure; row-level-security policies scope every read to the authenticated user (you).
Cloudflare: hosts our application code. No data is stored on Cloudflare; they only deliver our code to your browser.
Nobody else. We don't sell, rent, or syndicate any of your data, your donors' data, or your widget's analytics. We don't run advertising on your widget. We don't email your donors directly.
Cookies + tracking
We keep cookies to a minimum and use only first-party ones — no third-party advertising cookies, no cross-site tracking pixels, and no analytics SDK on either the marketing site or the embedded widget. The cookies we do set:
- Sign-in (Supabase Auth): session cookies that keep you logged into your account. Set only after you sign in.
- Attribution (cc_utm): if you arrive from a campaign or referral link, we store a first-party cookie for up to 90 days recording only which channel you came from (e.g. a utm_source value). It lets us see which channels actually bring people to us. It does not follow you to other sites and we don't share it with anyone.
- Stripe connection (short-lived): during the one-time step where you connect your Stripe account, we set a brief security cookie that ties the redirect back to your session. It's cleared as soon as the connection finishes.
The donation widget you embed sets no cookies on your donors' browsers. Its event beacons (widget loaded, donate clicked, donation completed) go to a first-party endpoint we control, carry no cookies, and identify visitors only by a daily-salted one-way IP hash that can't be reversed or correlated across days.
Your rights
You can request a full export or full deletion of your data by emailing privacy@crowdcreate.app from the address tied to your account. We respond within 5 business days. EU residents have GDPR-equivalent rights; California residents have CCPA-equivalent rights; we apply both globally because the engineering is easier than gating by jurisdiction.
Changes to this policy
We'll email every active subscriber at least 14 days before any material change to this policy and post a diff on this page. The policy in effect when you signed up applies to your account until you accept changes.