Trust & Safety

Who holds the money, and who sees the data.

A donation tool sits between your supporters' cards and your bank account. That's a lot of trust. Here is exactly how the money and the data move — what Stripe handles, what stays with you, and the small amount CrowdCreate can actually see. No marketing language; just how it works.

Where your money goes

The short version: into your own Stripe account, directly. CrowdCreate never has a balance that your donations pass through.

Donations are charged on your Stripe account, not ours.

CrowdCreate uses Stripe Connect Express. When you set up, Stripe creates a connected account that belongs to you, and Stripe runs the identity verification. Every donation is charged on that account — a direct charge, in Stripe's terms. The funds settle into your Stripe balance and pay out to your bank on your Stripe payout schedule. They are never routed through a CrowdCreate balance and never wait in an account we control.

We take no cut, and the code can't take one.

A platform that wanted a percentage would set a Stripe application fee on each charge. CrowdCreate sets none — there is no fee parameter on the charge at all. That isn't a setting we promise not to flip; it's the absence of the mechanism that would let us. You keep 100% of each pledge, minus Stripe's own standard processing fee (2.9% + 30¢), which Stripe charges you directly.

You are the merchant of record.

Because the charge lives on your account, the supporter's card statement shows your name, the receipt comes from your Stripe, and refunds happen from your Stripe dashboard. This is a real trade-off, not a hidden one: it means you handle refunds and any disputes directly through Stripe, the same as any business taking card payments. We'd rather you know that up front than discover it after the first refund request.

Card numbers never touch CrowdCreate

When a supporter pays, they enter their card on a page hosted by Stripe, not on a form we control. The card number does not pass through our servers, our widget, or our database — there is nowhere in our code for it to land.

Checkout happens on Stripe's own page.

Clicking “donate” sends the supporter to Stripe Checkout — Stripe's hosted, PCI-compliant payment page. They enter their card there, on a Stripe domain, and Stripe returns them to a thank-you page afterward. CrowdCreate sends Stripe the donation amount and your account; it never receives, transmits, or stores the card number.

The PCI burden is Stripe's, by design.

Because the card details only ever touch Stripe's infrastructure, the heavy PCI-DSS compliance obligations sit with Stripe, who are certified at the highest level (PCI Service Provider Level 1). We're honest about the scope of that claim: it means card data is handled by a certified processor, not that CrowdCreate itself carries a Level 1 certification — we don't need one, because we never see a card.

Your donors' data

Here is the complete list of what we store about a donation, who can read it, and how long it lives. We keep this list short on purpose.

What we actually store.

For each pledge we keep the amount, the currency, the status, a reference to the Stripe payment, the supporter's email and name, and an optional message they chose to leave. That's it.

We do not store card numbers, and we do not store your supporters' billing or mailing addresses — those stay with Stripe. For widget analytics we count funnel steps (loaded, donate clicked, checkout opened) and hash each visitor's IP address with a salt that rotates daily, so we can de-duplicate without keeping a record of who visited from where.

Each account can read only its own data.

Your donor list, your pledges, and your Stripe connection are isolated at the database level by row-level security. The rule is enforced by Postgres itself, not by application code we have to remember to write on every query: a logged-in account can read a pledge only if it owns the site that pledge belongs to. One customer cannot read another customer's donor list, even by accident or by a bug in our app code.

Donor names and emails auto-expire after 13 months.

Each pledge is stamped with an expiry 13 months out. A scheduled job runs every night and erases the supporter's name and email from any pledge past that mark — the donation record stays for your accounting, but the personal details are gone. This isn't a promise in a policy document; it's a database job that runs on its own. If you want a donor list for the long term, export it from your dashboard before the 13-month mark.
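An added sketch of how the row-level rule and the nightly erasure described above could look in Postgres; it is not CrowdCreate's own code. Table, column and policy names are assumptions, and `auth.uid()` and the `authenticated` role assume a Supabase-style setup.

```sql
-- Constructed schema: table, column and policy names are assumptions.
CREATE TABLE sites (
    id       uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    owner_id uuid NOT NULL                 -- account that owns the site
);

CREATE TABLE pledges (
    id          uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    site_id     uuid NOT NULL REFERENCES sites (id),
    amount      integer NOT NULL,          -- minor units, e.g. cents
    currency    text NOT NULL,
    status      text NOT NULL,
    stripe_ref  text NOT NULL,             -- reference to the Stripe payment
    donor_name  text,
    donor_email text,
    message     text,
    expires_at  timestamptz NOT NULL DEFAULT (now() + interval '13 months')
);

-- Once RLS is enabled, a role with no matching policy sees zero rows,
-- so a query that forgets its WHERE clause still cannot leak other accounts.
ALTER TABLE sites   ENABLE ROW LEVEL SECURITY;
ALTER TABLE pledges ENABLE ROW LEVEL SECURITY;

CREATE POLICY sites_owner_read ON sites
    FOR SELECT TO authenticated
    USING (owner_id = auth.uid());

-- A pledge is readable only through a site the calling account owns.
CREATE POLICY pledges_owner_read ON pledges
    FOR SELECT TO authenticated
    USING (EXISTS (
        SELECT 1 FROM sites s
        WHERE s.id = pledges.site_id AND s.owner_id = auth.uid()
    ));

-- Nightly erasure: clear personal details on expired pledges and keep the
-- donation record. The job must run as a role the policies do not restrict
-- (the table owner, or a role with BYPASSRLS); no UPDATE policy is granted
-- to ordinary accounts here.
UPDATE pledges
   SET donor_name = NULL, donor_email = NULL
 WHERE expires_at < now()
   AND (donor_name IS NOT NULL OR donor_email IS NOT NULL);
```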

What CrowdCreate staff can and can't see.

To run the service and support you, our systems can read the data described above. We can't see card numbers (we never hold them), and we can't move your money (the funds live in your Stripe account, not ours). We don't sell donor data and we don't use it to advertise. The full detail of what we collect and why is in our privacy policy.

We take no cut, so we don't mine your donors

Incentives decide how a company treats data more reliably than any promise. Ours are simple to read: CrowdCreate makes money from the flat $20/month subscription and nothing else.

We earn the same whether you raise $100 or $100,000.

A platform that takes a percentage of every donation has a reason to keep pushing your supporters to give more and to hold their data as leverage. We take no percentage. There's no upside for us in mining your donor list, retargeting your supporters, or keeping their data after it's served its purpose — which is exactly why it auto-expires. The only thing we're selling is the tool. Your audience is yours.

What we're honest about

A security page that only lists strengths isn't a security page. Here's where our posture is genuinely strong, and where it isn't yet — stated plainly so you can decide with the real picture.

What's genuinely solid today

  • Money goes straight to your own Stripe account; we never hold a balance you depend on.
  • Card data is handled entirely by Stripe's certified infrastructure; it never reaches us.
  • Donor data is isolated per account by database-level row security, not just app logic.
  • Donor names and emails auto-expire after 13 months, enforced by a nightly job.
  • Sign-in is handled by Supabase Auth; we don't roll our own password storage.

What we don't claim

  • We are not SOC 2 certified. We're a small, early product and haven't been through a SOC 2 audit. We won't put a badge on this page that we haven't earned.
  • We haven't commissioned a formal penetration test. If that changes, we'll say so here, with a date.
  • We're not HIPAA or PCI-certified ourselves. We don't need to be — Stripe handles cards — but we won't imply a certification we don't hold.
  • Disputes and chargebacks land on you. Because you're the merchant of record, you handle them through Stripe, not through us.

Built so the trust is the default.

Your money in your account, cards handled by Stripe, donor data isolated and short-lived. Start free, see how it works, and read the privacy policy for the fine print, or our accessibility statement for how we approach access. Security researchers: see security.txt.