GiveTree
Legal

Privacy Policy

Last updated: July 13, 2026

Donating means handing over personal information — your name, your address, your card. This policy explains what GiveTree collects when you give to the charity you are donating to, why we need it, who sees it, how long we keep it, and what you can demand of us.

The short version

  • We collect what a donation requires — your name and address (the CRA requires both on a tax receipt), your contact details, and the gift itself.
  • We never see your full card number. It goes straight to our payment processor and comes back as a token. Your security code is never stored by anyone, ever.
  • We do not sell your information and we do not use it for advertising.
  • the charity you are donating to receives your donor details — they have to, in order to receipt and thank you.
  • You can demand your data, correct it, or withdraw consent. We answer within 30 days.

Contents

  1. Who is responsible
  2. What we collect
  3. Why we collect it
  4. Consent, and withdrawing it
  5. Payment information
  6. Who we share it with
  7. Where your data is processed
  8. How long we keep it
  9. How we protect it
  10. If there is a breach
  11. Your rights
  12. Emails and texts
  13. Cookies
  14. Giving kiosks
  15. Quebec, Alberta, British Columbia
  16. Changes
  17. Contact and complaints

1. Who is responsible

GiveTree Technologies Inc. operates the GiveTree donation platform and is accountable for the personal information it handles, under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy law.

the charity you are donating to (BN shown on your donation receipt, the address shown on your donation receipt) is the charity you are donating to. Once your donor details reach the charity — as they must, for the charity to issue your receipt — the charity's own privacy practices govern what it does with them.

We have a designated Privacy Officer accountable for compliance, reachable at privacy@givetree.app.

2. What we collect

What you give us

  • Donor details — full name and mailing address. These are not optional extras: the CRA requires both on an official donation receipt.
  • Contact details — email address and/or phone number, so we can send your receipt in the format you chose.
  • Donation details — amount, frequency, the campaign and charity you chose, and whether you covered the processing fee.
  • Account details — for charity staff using kiosk sign-in: email address and password.

What we collect automatically

  • Device and browser type, and approximate location from your IP address.
  • How you moved through the donation form — used to find where donors get stuck, and to detect fraud.

We collect only what these purposes need. If a field is optional, it is marked optional.

3. Why we collect it

  • To process your donation and deliver it to the charity you are donating to.
  • To issue your official tax receipt. Canadian tax law requires your name and address on it; without them, no receipt can be issued.
  • To send you the receipt and confirmation in the format you selected.
  • To manage recurring gifts, including telling you if a scheduled charge fails.
  • To detect and prevent fraud and unauthorized transactions.
  • To meet our legal, tax, and accounting obligations.

We do not sell your personal information. We do not use it for advertising, and we do not build donor profiles for resale.

4. Consent, and withdrawing it

By completing a donation you consent to us using your information for the purposes in section 3 — those are the reasons you came to the form, and the donation cannot happen without them.

Anything beyond that is opt-in. Marketing, newsletters, and fundraising appeals require your express consent, given through a box that is never pre-checked and is separate from the donate button. You can say no and still donate.

You may withdraw consent at any time, on reasonable notice, by writing to privacy@givetree.app. We will stop using your information and delete it — except records we are legally required to keep, such as receipt and donation records the CRA obliges the charity to retain, and the suppression list that records the fact you asked not to be contacted.

5. Payment information

GiveTree does not store, process, or transmit full payment card numbers on its own servers. Card data is captured directly by our PCI-DSS certified payment processor and exchanged for a token. At an in-person kiosk, the card is encrypted at the reader itself.

Your card security code (CVV/CVC) is never stored — not by us, and not by our processor after your donation is authorized. This is a hard rule of the payment card standards, and it applies even to recurring gifts, which are handled with a token rather than a stored card number.

What we retain is limited to what reconciliation and refunds require: the card brand, the last four digits, the expiry date, and the processor's transaction reference.

6. Who we share it with

  • the charity you are donating to — receives your donation details and the donor information needed to issue your receipt, to keep its books, and to thank you. This sharing is not optional; it is the point of the donation.
  • Our payment processor — receives what is required to complete the transaction.
  • Service providers — hosting, email, and text-message delivery. They are bound by contract to use your information only to provide their service to us, and to protect it to a comparable standard.
  • Authorities — where we are legally compelled, or where disclosure is necessary to investigate fraud.

That is the complete list. We share your information with no one else.

7. Where your data is processed

Some of our service providers process data outside Canada, including in the United States. While your information is in another country, it may be accessible to the courts, law enforcement, and national security authorities of that country under its laws.

We remain accountable for your information wherever it goes. We require our providers by contract to protect it to a standard comparable to what it receives here.

8. How long we keep it

Donation and receipt records are kept as long as Canadian charity and tax law requires. The CRA obliges a charity to retain copies of official donation receipts for at least two years from the end of the calendar year in which the gift was received, and the underlying books and records for six years from the end of the fiscal period. We retain the records supporting those obligations for the same periods.

Information that is not tied to a receipt — analytics, incomplete donation attempts — is deleted once it is no longer needed. Records of privacy breaches are kept for 24 months, as PIPEDA requires.

9. How we protect it

Your information is encrypted in transit and at rest. Access is limited to the people who need it to do their jobs, and administrative access is logged. Kiosks require staff sign-in, do not retain donor details on the device after a session, and clear the screen between donors.

Donation history and payment data are sensitive, and we treat them that way. No system is perfectly secure — which is why the next section exists.

10. If there is a breach

If a breach of our security safeguards creates a real risk of significant harm to you — identity theft, financial loss, damage to your reputation or credit — we will:

  • report it to the Office of the Privacy Commissioner of Canada as soon as feasible;
  • notify you directly, as soon as feasible, describing what happened, what information was involved, what we have done, and what you can do;
  • notify others who can reduce the harm — your payment processor, the charity, credit bureaus, or law enforcement.

We keep a record of every breach, whether or not it meets that threshold, for 24 months, and the Privacy Commissioner may ask to see it.

11. Your rights

You may ask us to:

  • Access the personal information we hold about you — and to tell you how it has been used and who it has been disclosed to.
  • Correct it if it is inaccurate or incomplete. Do this promptly if a receipt was issued with the wrong details. If we disagree that a correction is warranted, we will record your disagreement on the file and pass that note to anyone we shared the information with.
  • Delete it, where we are not legally required to keep it.
  • Stop contacting you. Transactional messages — your receipt, a failed-payment notice — will still be sent, because they are the service you asked for.

We respond within 30 days. If we need more time, we will tell you within those 30 days, explain why, say how much longer we need, and tell you that you may complain to the Privacy Commissioner. There is no charge for a routine request; if a request would cost anything, we will tell you before doing the work and let you withdraw it. We will verify your identity before releasing anything.

Write to privacy@givetree.app.

12. Emails and texts

Transactional messages — your tax receipt, a donation confirmation, a notice that a recurring charge failed — are part of the donation you asked for. They contain no promotions, and we send them regardless of your marketing preferences.

Fundraising and marketing messages are separate. Under Canada's anti-spam law, having donated to a registered charity within the last two years means you may receive fundraising messages from that charity — but every one of them will identify who sent it and on whose behalf, carry a valid mailing address and contact details, and include an unsubscribe link. We action an unsubscribe within 10 business days, and in practice far faster. You never have to donate again to get off a list.

13. Cookies

We use cookies that are strictly necessary to run the donation form — keeping your session alive and protecting against cross-site request forgery — and a small amount of analytics to understand where donors get stuck. We do not use advertising or cross-site tracking cookies, and we do not let third parties track you across the web from our forms.

14. Giving kiosks

At a kiosk you tap or insert a card, and optionally enter an email address or phone number to receive your receipt. That information is transmitted immediately and is not stored on the kiosk. The card is encrypted at the reader and is never readable by the kiosk software.

You can donate at a kiosk without giving your name. If you do, no tax receipt can be issued — a receipt legally requires an identified donor.

15. Quebec, Alberta, and British Columbia

Quebec. If you live in Quebec, Law 25 gives you additional rights. Our Privacy Officer's contact details are published above. You have the right to data portability — to receive the computerized information you gave us in a structured, commonly used format, or to have it sent to someone you designate. Financial information is sensitive, and we ask for your explicit consent to use it. We tell you at the point of collection when information will be sent outside Quebec, and we assess the protection it will receive before sending it. We keep a register of confidentiality incidents for five years, and we notify the Commission d'accès à l'information where an incident presents a risk of serious injury.

Alberta and British Columbia. If you live in Alberta or British Columbia, that province's Personal Information Protection Act may govern information collected and used within the province, and you may complain to its Information and Privacy Commissioner. Your access and correction rights are equivalent, with the same 30-day response window.

16. Changes

We may update this policy. The "last updated" date above always reflects the current version, and we will give notice of material changes before they take effect.

17. Contact and complaints

Privacy Officer, GiveTree Technologies Inc. — privacy@givetree.app. Use this address to exercise any right in section 11, or to complain. We investigate every complaint and will tell you the outcome.

The charity: the charity you are donating to, the address shown on your donation receipt — support@givetree.app. Contact them about how they use your donor information after they receive it.

If we do not resolve it, you may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca), or, if you live in Quebec, Alberta, or British Columbia, to your provincial Commissioner. You do not need our permission to do so.

Before publishing: this document was drafted against PIPEDA and the Privacy Commissioner's guidance on meaningful consent, breach reporting, and cross-border processing; Quebec's Law 25; Alberta and BC PIPA; Canada's anti-spam legislation; and the PCI-DSS rules on card data. It still needs review by Canadian privacy counsel, and two things must be confirmed as facts before it goes live: the named Privacy Officer, and the actual list of service providers and where they process data.
Terms of Service Contact
Powered by GiveTree. Your donation is made to the charity you are donating to, a registered Canadian charity, BN shown on your donation receipt.
GiveTree