Privacy Policy

1. Introduction

Advocora ("we," "our," or "us") is committed to protecting privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our web application and related services (collectively, the "Service").

Advocora is a multi-tenant platform used by nonprofit organizations, campaigns, and similar groups (each, a "Customer") to manage contacts and donors, accept donations, send communications, and run advocacy and fundraising programs. This policy describes our practices for two different audiences:

• Account users: staff and administrators of a Customer who sign in to manage an organization workspace.
• Supporters: donors, contacts, and other individuals whose information is collected and managed by a Customer using the Service (for example, by submitting a donation form or signing up for emails).

For information that a Customer collects, imports, or manages within its workspace (such as donor records, gift history, and email lists), Advocora acts as a service provider or processor on behalf of that Customer. The Customer remains the controller of that information and is primarily responsible for its handling. Supporters should also review the privacy notice of the organization they interact with.

By accessing or using our Service, you agree to the terms of this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

2. Information We Collect

2.1 Information You Provide

We collect information you voluntarily provide when you:

• Create an account or organization workspace (such as your name, email address, username, password, organization name, role, and billing contact)
• Complete your profile or organization settings (such as address, phone number, branding, and team member information)
• Connect third-party services (such as a payment provider, email sending domain, or analytics provider)
• Import or enter Customer Data, including contact and donor records, household relationships, custom fields, notes, tags, and campaign materials
• Use the Service to send communications, create forms, or run campaigns
• Contact us with inquiries, support requests, or feedback

When you, as a supporter, interact with a public Advocora-hosted surface operated by a Customer (such as a donation page, signup form, or donor portal), the information you submit (such as name, address, email, phone number, donation amount, payment details, and any custom-form responses) is collected on behalf of that Customer and stored within that Customer's workspace.

2.2 Information Collected Automatically

When you access our Service, we may automatically collect:

• Device information (browser type, operating system, device identifiers)
• Log data (IP address, access times, pages viewed, referring URLs, and similar request metadata)
• Usage information (features used, actions taken within the Service, email engagement signals such as opens and clicks where applicable)
• Cookies and similar tracking technologies

2.3 Information from Third Parties

We may receive information from third-party services that you or a Customer connects to the Service, such as:

• Payment processors (for example, Stripe and Stripe Connect), which provide limited transaction and account-onboarding information necessary to process donations and manage payouts. We do not store full payment card numbers.
• Email delivery and deliverability providers, which provide sending domain status, bounce and complaint events, and other metadata used to operate email features.
• Authentication providers, where you choose to sign in using a third-party identity provider.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Create and manage accounts and organization workspaces
• Enable Customers to manage their contacts and donors, accept donations, send communications, and operate fundraising and advocacy programs
• Process donations and other payments through integrated payment providers
• Deliver transactional messages such as account notifications, donation receipts, recurring giving reminders, and security alerts
• Provide customer support and respond to comments, questions, and requests
• Monitor and analyze usage trends, debug issues, and improve performance and user experience
• Detect, prevent, and address security incidents, fraud, abuse, and other prohibited or illegal activity
• Enforce our Terms of Use and other agreements, and protect our rights, property, and safety, and that of our Customers and the public
• Comply with legal obligations and respond to lawful requests

4. How We Share Your Information

4.1 With the Customer Organization

When you, as a supporter, submit information through a Customer-operated form, donation page, or other surface hosted on the Service, that information is shared with the Customer that operates the page so it can fulfill your request, process your donation, send receipts, and continue to communicate with you in accordance with its own privacy practices.

4.2 With Account Users Within a Workspace

Customer Data within an organization workspace is accessible to authorized users of that workspace in accordance with the roles and permissions configured by the Customer's administrators.

4.3 Service Providers (Sub-processors)

We share information with third-party vendors who perform services on our behalf and that are required to operate the Service. Categories of sub-processors include:

• Cloud hosting and infrastructure providers
• Database and storage providers
• Payment processors (such as Stripe)
• Email and SMS delivery providers
• Error monitoring, logging, and analytics providers
• Customer support tooling

These providers are contractually obligated to use information only as necessary to provide their services to us and to apply appropriate safeguards.

4.4 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to enforce our agreements, protect our rights, property, or safety, or to investigate or address security or fraud issues.

4.5 Business Transfers

If we are involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will provide notice of any change in ownership or uses of personal information where required.

4.6 With Your Consent

We may share information with third parties when you have specifically directed us to do so or otherwise consented to the disclosure.

5. Data Security

We implement appropriate technical and organizational measures designed to protect personal information, including:

• Encryption of data in transit using industry-standard TLS
• Encryption of sensitive data at rest
• Password hashing using strong, industry-standard algorithms
• Row-level multi-tenant isolation so that one Customer's data is not visible to another Customer
• Role-based access controls and the ability to enable multi-factor authentication for account access
• Tokenization of payment information through our payment processor, so that full card numbers are not stored on our systems
• Regular security reviews, monitoring, and patching of our infrastructure

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect information using commercially reasonable means, we cannot guarantee absolute security.

6. Data Retention

We retain personal information for as long as your account or organization workspace is active, or as needed to provide the Service to a Customer. We may also retain certain information as required by law or for legitimate business purposes, including:

• Records of donations and payment transactions, which may be retained for accounting, tax, audit, and regulatory compliance
• Compliance with legal obligations
• Resolution of disputes
• Enforcement of our agreements
• Fraud prevention and platform security

Email engagement records, communications history, and audit logs are retained for a reasonable period to operate the Service, protect deliverability, and prevent abuse. When an organization workspace is closed, Customer Data is handled in accordance with our then-current retention and deletion policies and any contractual commitments to that Customer.

7. Your Rights and Choices

7.1 Account Information

If you are an account user, you may update, correct, or delete your account information at any time through your account settings. If you wish to delete your account entirely, please contact your organization's administrator or contact us.

7.2 Supporter Information

If you are a supporter and would like to access, correct, or delete information that a Customer has collected about you through the Service, please contact the Customer organization directly, as that organization controls that data. We will assist Customers in fulfilling valid requests where required.

7.3 Communications Preferences

You may opt out of marketing or fundraising emails sent by a Customer through the Service by using the unsubscribe link included in those messages or by managing your subscription preferences. You may continue to receive transactional messages (such as donation receipts and account-related notices) where permitted by law.

7.4 Cookies

Most web browsers accept cookies by default. You can usually modify your browser settings to decline cookies, but this may affect your ability to use certain features of the Service.

7.5 Data Access and Portability

Subject to applicable law, you may request access to the personal information we hold about you and, where applicable, request a copy in a portable format. Where Advocora processes information on behalf of a Customer, we will refer such requests to that Customer or assist them in responding.

8. Children's Privacy

Our Service is not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If we learn that we have collected information from a child under 13, we will delete that information promptly. If you believe a child has provided us with personal information, please contact us.

9. Third-Party Links and Services

The Service may contain links to third-party websites, services, or integrations, including payment provider pages, email deliverability tools, and Customer-operated websites. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing information.

10. State-Specific Privacy Rights

California Residents

If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete your information, the right to correct inaccurate information, and the right to opt out of the sale or sharing of your information. We do not sell personal information for monetary consideration.

Other States

Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, Utah, and Texas) may have similar rights. Where Advocora acts as a processor on behalf of a Customer, requests should generally be directed to that Customer. You may contact us to exercise applicable rights or for assistance identifying the appropriate controller.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" above, and where appropriate, by notifying account administrators. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at: