GoodTally — Privacy Policy

1. Information We Collect

We collect the following categories of information:

• Account information: Your name, email address, and hashed password when you create an account.
• Organization data: Information you enter about your nonprofit, including volunteer names, contact details, event records, committee assignments, and logged volunteer hours.
• Location data:Location information you provide in connection with your organization’s address, event locations, or other features that use geographic information. We do not collect your device’s GPS location without explicit permission.
• Usage analytics:Aggregated, non-personally-identifiable data such as page views, feature usage patterns, and session duration, used to improve the Service. This data does not include your volunteers’ personal records.
• Payment information: If you subscribe to a paid plan, your payment details are collected and processed directly by Stripe, Inc. We do not store your full credit card number or sensitive payment credentials on our servers. We retain billing records such as transaction IDs and amounts for accounting purposes.
• Communications: Records of your correspondence with our support team, including emails and any information you voluntarily provide when contacting us.

2. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, operate, maintain, and improve the Service
• To create and manage your account and authenticate your access
• To process payments and send billing-related communications
• To send transactional notices such as account confirmations, security alerts, and policy updates
• To send service-related and marketing communications (see Section 6 for your opt-out rights)
• To respond to your support requests and inquiries
• To analyze aggregate usage patterns to improve and develop new features
• To comply with applicable legal obligations and enforce our Terms of Service
• To detect, investigate, and prevent fraudulent activity or security incidents

3. Organizational Data and Volunteer Privacy

When your organization uses GoodTally to manage volunteers, you may enter personal information about individuals who are not account holders — such as volunteer names, contact information, and participation records (“Volunteer Data”).

Your Responsibility as Data Controller. Your organization acts as the data controller for Volunteer Data. GoodTally processes this data solely on your behalf and per your instructions as a data processor. You are responsible for ensuring that you have obtained all necessary consents, authorizations, or other legal bases required to collect and store your volunteers’ personal information through the platform, in accordance with applicable law.

Our Commitment. GoodTally will not use, sell, or disclose Volunteer Data for any purpose other than operating the Service for your organization. Volunteer Data is treated with the same security and confidentiality standards as all other user data.

If a volunteer contacts us directly regarding their data, we will direct them to the organization that manages their records, as we cannot fulfill data subject requests on behalf of organizations without their authorization.

4. Data Storage and Security

Your data is stored on cloud infrastructure provided by Supabase, which utilizes Amazon Web Services (AWS) data centers. All data is encrypted in transit using TLS and encrypted at rest. We select infrastructure providers based on their strong security practices and compliance posture.

5. Data Sharing

We do not sell, rent, trade, or share your personal information or organization data with third parties for their own commercial purposes. We share data only with the following categories of service providers, strictly as necessary to operate the Service:

• Supabase: Database hosting, storage, and authentication services
• Stripe, Inc.: Payment processing for paid subscription plans
• Email service providers: Transactional and service-related email delivery

We require all service providers to maintain appropriate confidentiality and security obligations consistent with this Privacy Policy. We do not permit them to use your data for their own purposes.

We may also disclose your information when required by law, court order, or government authority, or when we have a good-faith belief that disclosure is necessary to protect the rights, safety, or property of GoodTally, our users, or the public.

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice within the Service prior to your information becoming subject to a materially different privacy policy.

6. Email Communications

Transactional Emails. We will send you emails that are necessary to operate your account, including account confirmations, password resets, security alerts, billing receipts, and material updates to our Terms or Privacy Policy. These emails are not optional as they are required for the functioning of the Service.

Marketing and Product Emails. From time to time, we may send you emails about new features, tips for using GoodTally, or other product-related information. You may opt out of these communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at support@goodtally.app. Opting out of marketing emails will not affect delivery of transactional emails.

We comply with the federal CAN-SPAM Act and all applicable email marketing regulations.

7. Data Retention and Deletion

We retain your account data and organization data for as long as your account is active or as otherwise necessary to provide the Service. If you delete your account, we will remove your personal information and organization data from our active systems within 30 days of your request. Residual data may remain in encrypted backup systems for up to 90 days following deletion, after which it will be permanently purged.

We may retain certain records where required by law (such as billing and transaction records) for the legally required retention period, even after account deletion.

8. Cookies and Tracking

GoodTally currently uses only essential session cookies that are strictly necessary for the Service to function, including maintaining your authenticated session while you are logged in. We do not currently use advertising cookies or third-party behavioral tracking cookies.

We may introduce analytics or performance cookies in the future to help us improve the Service. If we do so, we will update this policy with advance notice and, where required by law, provide appropriate consent mechanisms.

You may disable cookies through your browser settings, but doing so may prevent some features of the Service from functioning correctly.

9. Children's Privacy

GoodTally is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our systems. If you believe a child under 13 has provided us with personal information, please contact us at support@goodtally.app.

10. Security Measures

We implement reasonable and industry-standard technical and organizational measures to protect your information, including:

• Encryption of data in transit (TLS) and at rest
• Secure authentication infrastructure provided by Supabase
• Role-based access controls limiting data access to authorized personnel and functions
• Regular review of our security practices and infrastructure

While we take security seriously and use industry-standard practices, no system is completely secure, and we cannot guarantee the absolute security of your information. In the event of a data breach that poses a risk to your rights or interests, we will notify affected users in accordance with applicable law.

11. Your Rights

You have the following rights with respect to your personal information:

• Access: Request a copy of the personal information we hold about your account
• Correction: Update or correct inaccurate information through your account settings or by contacting us
• Export:Download your organization’s data at any time using our built-in CSV export feature
• Deletion: Request deletion of your account and associated personal data by contacting us
• Opt-Out: Opt out of marketing communications at any time (see Section 6)

To exercise any of these rights, contact us at support@goodtally.app. We will respond to verified requests within 30 days. Note that certain data may be retained as required by law.

If you are acting on behalf of volunteers whose data is stored in the platform, please be aware that their rights must be exercised through your organization as the data controller (see Section 3).

12. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days’ advance notice by email or through a prominent notice within the Service. For non-material changes, we will update the “Last Updated” date at the top of this page. We encourage you to review this page periodically. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

13. Contact Us