Privacy policy | RaiseGood

Who we are

RaiseGood is operated by RaiseGood. You can reach us using the contact information below.

Who this policy covers

We describe practices for these groups:

Organization staff and administrators. People who sign in to manage organizations, events, auctions, raffles, billing, and related settings.
Event attendees and supporters. People who register for a specific event, buy event admission or raffle tickets, place bids, or look up receipts. Attendees do not use the same staff sign in flow; they register per event with contact information and a PIN they choose.
Platform operations. A limited set of authorized personnel may access systems to operate the service, protect security, meet legal duties, and help customers. Access is limited by role and legitimate business need.

Personal information we collect

The details below depend on how you use RaiseGood.

Organizations and staff accounts

Identity and sign in. We use Logto as our identity provider. That includes account identifiers, email, and profile details you or Logto supply for authentication and session management.
Organization profile and verification. Information needed to run the product and meet nonprofit verification rules, such as organization name, employer identification number (EIN), evidence of IRS recognized 501(c)(3) status, and related onboarding data you submit.
Payment and payout references. Subscription and fundraising flows use Stripe. We store references needed to run billing, attendee payments, and payouts (for example Stripe account identifiers, subscription identifiers, payment intent identifiers, and payout references). We do not store full payment card numbers on our own servers; card details are collected by Stripe according to its terms and security practices.

Attendees

Registration. Name, email address, optional phone number, and a PIN you choose for sign in and receipt lookup.
How we store your PIN. We store a one way hash of your PIN, not the PIN in plain text.
Activity and receipts. Bids, event admission and raffle ticket purchases, receipt line items, and payment status associated with your activity at events your organization runs.

Technical and security information

Network and device data such as IP address, browser type, dates and times of requests, and similar diagnostics.
Cookies and similar technologies used to keep you signed in, maintain sessions, and remember preferences.
Application and infrastructure logs, and optional telemetry (for example OpenTelemetry) when enabled in a deployment, used to troubleshoot, secure, and improve reliability. We do not use these logs to sell personal information.

How we use personal information

Provide, operate, and improve RaiseGood, including live event features and the attendee experience.
Authenticate staff, protect accounts, detect fraud and abuse, and secure the service.
Process platform subscriptions, attendee payments, and nonprofit payouts through Stripe.
Communicate about the service, including support responses, security notices, and required legal or policy updates.
Meet legal, regulatory, and tax obligations, respond to lawful requests, and enforce our terms.
Analyze aggregate or de identified usage through Umami (which we use on an ongoing basis) and, when enabled, through Statsig or similar tools, to understand product usage without focusing on individuals.

Legal bases and international visitors

Our service is operated primarily in the United States. Fundraising payments and Stripe Connect flows are designed for United States dollars and United States nonprofit onboarding as described in our product documentation.

United States. We process personal information as needed to perform our contract with you, pursue legitimate interests that are not overridden by your rights (such as security and service improvement), and comply with law.

European Economic Area, United Kingdom, and Switzerland. We operate the service in the United States and, unless we tell you otherwise, we process and store personal information in the United States. If you use RaiseGood from these regions, you understand that your information will be transferred to the United States, which may have different data protection rules than your country. Where GDPR, UK GDPR, Swiss law, or similar rules apply, we may rely on contract, legitimate interests, legal obligation, or consent as appropriate for each type of processing. You may have rights to access, correct, delete, restrict, or object to certain processing, and to lodge a complaint with a supervisory authority. Contact us using the information below to exercise those rights.

Who we share information with

We share personal information with service providers that help us run RaiseGood, and when the law requires.

Logto for staff authentication and session management. See Logto’s privacy information.
Stripe for subscriptions, payment processing, Stripe Connect accounts, and payouts. See Stripe’s privacy policy.
Pusher or a compatible realtime host (including self hosted options such as Soketi when configured) for live updates during events. See Pusher’s privacy policy when you use Pusher’s cloud.
Umami for product and marketing-site analytics, which we use on an ongoing basis. We aim to keep analytics events low detail so they do not identify individuals. See Umami’s privacy policy. The analytics script is loaded over HTTPS from analytics.yelle.software.
Statsig when enabled for feature flags or experimentation. See Statsig’s privacy policy.
Cloud infrastructure and databases where we host applications and store data, including providers that offer servers, storage, networking, and backups.
Resend for transactional email when your organization uses notification features that send email through our integration.
Twilio for SMS notifications when your organization enables SMS through our integration.

We may update our subprocessors from time to time. Contact us for a current list.

We may also share information if we believe in good faith that disclosure is required by law, to protect rights and safety, or as part of a merger, acquisition, or asset sale, subject to lawful restrictions.

Cookies and similar technologies

We describe cookies and similar technologies in the categories below.

Strictly necessary. Session and authentication cookies from Logto (and related security tokens) are required to keep staff signed in and to protect accounts. You cannot use staff sign in without these technologies.
Analytics (Umami). We always use Umami for analytics; it may set cookies or use similar storage.
Feature flags and experimentation (Statsig). When your deployment enables Statsig, it may set cookies or use similar storage.

You may block non essential cookies through browser settings or extensions. Blocking Umami may limit our ability to measure product usage; blocking Statsig, when in use, may affect how some features behave.

We do not use advertising cookies or sell personal information for cross context behavioral advertising through this site.

Retention

We keep personal information while your account or event relationship is active and as needed to provide the service and meet the purposes in this policy.

After you end your relationship with us, we may keep certain records for legal, tax, accounting, audit, or fraud prevention reasons, then delete or de identify them when those needs end, unless a longer period is required by law.

If you submit a valid request to erase or restrict processing, we will confirm what we did or explain any legal exception within the time required by applicable law.

Security

We use administrative, technical, and organizational measures designed to protect personal information, including encryption in transit, access controls, and hashing for attendee PINs. Payment card data is handled by Stripe. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Your rights and choices

Depending on where you live, you may have rights to access, correct, delete, or export personal information, and to opt out of certain processing. We will verify requests as required by law. We aim to respond within the time required by applicable law (for example, about 30 days under GDPR and about 45 days under CCPA and CPRA, with extensions where the law allows). To exercise rights, contact us using the email below (and include enough detail for us to locate your account or event participation).

[email protected]

We use Umami for analytics on an ongoing basis; you may limit tracking through browser controls or extensions where available. Statsig, when enabled in a deployment, may be turned off or limited by deployment configuration. Where providers offer opt out tools, you may use those as well.

Children

RaiseGood is not directed at children under 13 in the United States, and we do not knowingly collect personal information from children under that age in the US. A higher age may apply where local law requires it (for example, 16 in certain European jurisdictions for some types of processing). Organizations that run events are responsible for complying with laws that apply to collecting information from minors, including the Children’s Online Privacy Protection Act where it applies.

Nonprofits and attendee information

Nonprofit organizations decide what attendee information they need to collect for each event and how they use it for fundraising. Where GDPR, UK GDPR, or similar law applies, the nonprofit is typically the data controller for attendee personal data collected at its events, and we act as a data processor when we process that data to run RaiseGood (for example registration, bidding, raffles, receipts, and payments). If you have questions about how a specific organization uses your data, contact that organization directly.

Organizations that need a Data Processing Agreement for GDPR, UK GDPR, or similar obligations may request one by contacting us at the email below (or the support address in the site footer).

United States state privacy rights (including California)

If you live in a state that grants privacy rights, you may have the right to know what personal information we collect, the purposes for which we use it, and whether we disclose it to third parties. You may have the right to request access, correction, or deletion, and to opt out of certain sales or sharing of personal information.

We do not sell personal information for money. We use subprocessors to run the service as described above, which can involve disclosures that state laws characterize as “sharing” or “targeted advertising” in specific cases. You can contact us to exercise rights your state provides.

We will not discriminate against you for exercising these rights.

Changes to this policy

We may update this policy from time to time. We will post the updated version on this page and change the “Last updated” date. If a change is material, we will provide advance notice when practicable, including at least 14 days before the change takes effect, through a banner in the product or an email to administrators, unless a shorter period is required by law or we must make an immediate change for security or legal reasons.