
Donating means handing over personal information — your name, your address, your card. This policy explains what GiveTree collects when you give to the charity you are donating to, why we need it, who sees it, how long we keep it, and what you can demand of us.
GiveTree Technologies Inc. operates the GiveTree donation platform and is accountable for the personal information it handles, under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy law.
the charity you are donating to (BN shown on your donation receipt, the address shown on your donation receipt) is the charity you are donating to. Once your donor details reach the charity — as they must, for the charity to issue your receipt — the charity's own privacy practices govern what it does with them.
We have a designated Privacy Officer accountable for compliance, reachable at privacy@givetree.app.
We collect only what these purposes need. If a field is optional, it is marked optional.
We do not sell your personal information. We do not use it for advertising, and we do not build donor profiles for resale.
By completing a donation you consent to us using your information for the purposes in section 3 — those are the reasons you came to the form, and the donation cannot happen without them.
Anything beyond that is opt-in. Marketing, newsletters, and fundraising appeals require your express consent, given through a box that is never pre-checked and is separate from the donate button. You can say no and still donate.
You may withdraw consent at any time, on reasonable notice, by writing to privacy@givetree.app. We will stop using your information and delete it — except records we are legally required to keep, such as receipt and donation records the CRA obliges the charity to retain, and the suppression list that records the fact you asked not to be contacted.
GiveTree does not store, process, or transmit full payment card numbers on its own servers. Card data is captured directly by our PCI-DSS certified payment processor and exchanged for a token. At an in-person kiosk, the card is encrypted at the reader itself.
Your card security code (CVV/CVC) is never stored — not by us, and not by our processor after your donation is authorized. This is a hard rule of the payment card standards, and it applies even to recurring gifts, which are handled with a token rather than a stored card number.
What we retain is limited to what reconciliation and refunds require: the card brand, the last four digits, the expiry date, and the processor's transaction reference.
Some of our service providers process data outside Canada, including in the United States. While your information is in another country, it may be accessible to the courts, law enforcement, and national security authorities of that country under its laws.
We remain accountable for your information wherever it goes. We require our providers by contract to protect it to a standard comparable to what it receives here.
Donation and receipt records are kept as long as Canadian charity and tax law requires. The CRA obliges a charity to retain copies of official donation receipts for at least two years from the end of the calendar year in which the gift was received, and the underlying books and records for six years from the end of the fiscal period. We retain the records supporting those obligations for the same periods.
Information that is not tied to a receipt — analytics, incomplete donation attempts — is deleted once it is no longer needed. Records of privacy breaches are kept for 24 months, as PIPEDA requires.
Your information is encrypted in transit and at rest. Access is limited to the people who need it to do their jobs, and administrative access is logged. Kiosks require staff sign-in, do not retain donor details on the device after a session, and clear the screen between donors.
Donation history and payment data are sensitive, and we treat them that way. No system is perfectly secure — which is why the next section exists.
If a breach of our security safeguards creates a real risk of significant harm to you — identity theft, financial loss, damage to your reputation or credit — we will:
We keep a record of every breach, whether or not it meets that threshold, for 24 months, and the Privacy Commissioner may ask to see it.
You may ask us to:
We respond within 30 days. If we need more time, we will tell you within those 30 days, explain why, say how much longer we need, and tell you that you may complain to the Privacy Commissioner. There is no charge for a routine request; if a request would cost anything, we will tell you before doing the work and let you withdraw it. We will verify your identity before releasing anything.
Write to privacy@givetree.app.
Transactional messages — your tax receipt, a donation confirmation, a notice that a recurring charge failed — are part of the donation you asked for. They contain no promotions, and we send them regardless of your marketing preferences.
Fundraising and marketing messages are separate. Under Canada's anti-spam law, having donated to a registered charity within the last two years means you may receive fundraising messages from that charity — but every one of them will identify who sent it and on whose behalf, carry a valid mailing address and contact details, and include an unsubscribe link. We action an unsubscribe within 10 business days, and in practice far faster. You never have to donate again to get off a list.
At a kiosk you tap or insert a card, and optionally enter an email address or phone number to receive your receipt. That information is transmitted immediately and is not stored on the kiosk. The card is encrypted at the reader and is never readable by the kiosk software.
You can donate at a kiosk without giving your name. If you do, no tax receipt can be issued — a receipt legally requires an identified donor.
Quebec. If you live in Quebec, Law 25 gives you additional rights. Our Privacy Officer's contact details are published above. You have the right to data portability — to receive the computerized information you gave us in a structured, commonly used format, or to have it sent to someone you designate. Financial information is sensitive, and we ask for your explicit consent to use it. We tell you at the point of collection when information will be sent outside Quebec, and we assess the protection it will receive before sending it. We keep a register of confidentiality incidents for five years, and we notify the Commission d'accès à l'information where an incident presents a risk of serious injury.
Alberta and British Columbia. If you live in Alberta or British Columbia, that province's Personal Information Protection Act may govern information collected and used within the province, and you may complain to its Information and Privacy Commissioner. Your access and correction rights are equivalent, with the same 30-day response window.
We may update this policy. The "last updated" date above always reflects the current version, and we will give notice of material changes before they take effect.
Privacy Officer, GiveTree Technologies Inc. — privacy@givetree.app. Use this address to exercise any right in section 11, or to complain. We investigate every complaint and will tell you the outcome.
The charity: the charity you are donating to, the address shown on your donation receipt — support@givetree.app. Contact them about how they use your donor information after they receive it.
If we do not resolve it, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca), or, if you live in Quebec, Alberta, or British Columbia, to your provincial Commissioner. You do not need our permission to do so.