Deed understands that your privacy is extremely important to you. To ensure that we comply with all necessary controls, we have implemented measures which ensure that any personal data we obtain from you is processed and maintained in accordance with accepted principles of good information handling and in accordance with the applicable laws and regulations such as the Federal Trade Commission Act (FTC Act), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation ("GDPR").
This policy provides you with details of the type of information we may hold about you, how we may obtain and use information and how we protect your privacy.
1.1. Scope and Application
2. Collection of Information
2.1. Information You Provide to Us
We collect information you provide directly to us, such as when you create or modify your account; request a volunteer opportunity or receive a volunteer request; make a donation using our services; create a cause, campaign, group, deed, or add other custom company, nonprofit or individual content; and, as applicable, add photos, comments, or other media regarding your volunteer and donation opportunities, contact customer support, or otherwise communicate with us. This information may include: name, email, phone number, postal address, profile picture, gender, date of birth, IP address, other contact information, details requested by a volunteer opportunity organizer, and other information you choose to provide.
Additionally, if you make a donation using our services, we may collect limited data related to that financial transaction in order to process the donation, and will store limited details of the transaction including your billing address, the date of the transaction, the amount of the transaction, and the recipient organization. Depending on the payment processing service used, your location and the nature of your transaction, we may also store a token related to your payment method in an encrypted format in a secure vault, or your credit card brand and the last 4 digits of your card number.
2.2. Information We Collect Through Your Use of Our Services
When you use our Services, we collect information about you in the following general categories:
Location Information: When you use the Services, we collect precise location data about your location from the Deed app. If you permit the Deed app to access location services through the permission system used by your mobile operating system (“platform”), we may collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.
Device Information: We may collect information about your mobile device, including, for example, the hardware model, operating system and version, software and file names and versions, preferred language, unique device identifier, advertising identifiers, serial number, device motion information, and mobile network information.
Log Information: When you interact with the Services, we collect server logs, which may include information like device IP address, access dates and times, app features or pages viewed, app crashes and other system activity, type of browser, and the third-party site or service you were using before interacting with our Services.
2.3. Important Information About Platform Permissions
Most mobile platforms (e.g., iOS) have defined certain types of device data that apps cannot access without your consent. These platforms have different permission systems for obtaining your consent. The Deed platform will alert you the first time the Deed app wants permission to access certain types of data and will let you consent (or not consent) to that request.
2.4. Information We Collect From Other Sources
We may also receive information from other sources and combine that with information we collect through our Services. For example:
If you choose to link, create, or log in to your Deed account with a social media service (e.g., Facebook), or if you engage with a separate app or website that uses our API (or whose API we use), we may receive information about you from that site or app.
If you are a corporate organizational user, your employer may have authorized the integration of employee data with our application, including details such as name, title, department, phone number, email address, date of birth, employee ID, etc., through HRIS and/or payroll or SSO integration. Your employer may have also authorized other integrations, including Slack and other third parties, although your authorization may be needed to complete certain integrations (such as Slack).
When you use messaging and support features (provided by or through third parties such as SendGrid and Papercups), Deed may also collect information that you provide from or through those services.
When you provide volunteer services or are provided with volunteer services, each party is able to provide commentary, ratings, and other media regarding the event.
3. Use of Information
We may use the information we collect about you to:
Provide, maintain, and improve our Services, including, for example, to provide products and services you request (and send related information), complete transactions you have initiated, develop new features, improve or refine existing functionality, track errors, analyze usage, provide customer support to Users, authenticate users, and send product updates and administrative messages;
Perform internal operations, including, for example, to prevent fraud and abuse of our Services; to troubleshoot software bugs and operational problems; to conduct data analysis, testing, and research; and to monitor and analyze usage and activity trends;
Send or facilitate communications (between volunteers and organizations and/or donors and recipient organizations);
Send you communications we think will be of interest to you, including information about products, services, promotions, news, invitations to provide user feedback on the Deed platform, and events of Deed and other companies or organizations, where permissible and according to local applicable laws; and
Personalize and improve the Services, including to provide or recommend features, content, social connections, referrals, and advertisements.
Information we collect and describe in this policy is stored and processed in the United States. Our data centers are managed by AWS, which ensures all appropriate safeguards are in place.
4. Sharing of Information
We may share the information we collect about you as described in this Policy or as described at the time of collection or sharing, including as follows:
Through our services we may share your information:
Between donors, payment processors facilitating the donation, and the recipient organization, to effectuate the transaction and share details, as may be authorized and required, to request receipting for tax purposes;
Between volunteers and organizations to enable each to efficiently connect through the Services. For example, we share your name, photo (if you provide one), rating, profile data, and any other information you have submitted to the Services and that you have authorized to share with a nonprofit organization;
With other Users; and with other people, as directed by you, such as when you want to share your donation or volunteering experiences or causes and campaigns with a friend, coworker, organization (such as your employer), or on a social network (please note that if you are a corporate organizational user, your employer may limit or prevent social sharing);
With third parties to provide you a service you requested through a partnership or promotional offering made by a third party or us;
With the general public if you submit content in a public forum, such as blog comments, social media posts, or other features of our Services that are viewable by the general public;
With third parties with whom you choose to let us share information, for example other apps or websites that integrate with our API or Services, or those with an API or Service with which we integrate;
With Deed subsidiaries and affiliated entities that provide services or conduct data processing on our behalf, or for data centralization and/or logistics purposes;
With vendors, consultants, marketing partners, and other service providers who need access to such information to carry out work on our behalf;
In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation, or legal process;
In connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company;
If we otherwise notify you and you consent to the sharing; and
In an aggregated and/or anonymized form which cannot reasonably be used to identify you.
For more information on Deed’s subprocessors that are used to provide the Services, please see here: Deed Subprocessor List.
5. Social Sharing Features
The Services may integrate with social sharing features and other related tools which let you share actions you take on our Services with other apps, sites, or media, and vice versa, including LinkedIn, Facebook, Twitter and email. Your use of such features enables the sharing of information with your friends or the public, depending on the settings you establish with the social sharing service. Please refer to the privacy policies of those social sharing services for more information about how they handle the data you provide to or share through them.
If you are a corporate organizational user, please note that your employer may have limited or turned off such social sharing functionality.
6. Your Rights
6.1 Account Information
If you have registered to use Deed on your own, and not through an employment relationship or association with a corporate organizational licensing of Deed, you may correct your account information at any time by logging into your online or in-app account. If you wish to cancel your account, please email us at firstname.lastname@example.org.
If you are using Deed as a result of an organization licensing the Services for use with their employees and associates, you may send requests regarding information correction and deletion to email@example.com; however, Deed will have to collaborate with the licensing organization (the data controller) to ensure that revisions and deletions are fully implemented, as integrations with HRIS, payroll or SSO may result in some changes being reversed.
Please see section 6.7 (“GDPR and Personal Data Requests”) for information about deletion requests.
6.2 Access Rights
Deed will comply with individuals’ requests regarding access, correction, and/or deletion of the personal data it stores in accordance with applicable law.
6.3 Location Information
We request permission for our app’s collection of precise location from your device per the permission system used by your mobile operating system. If you initially permit the collection of this information, you can later disable it by changing the location settings on your mobile device. However, this will limit your ability to use certain features of our Services. Additionally, disabling our app’s collection of precise location from your device will not limit our ability to determine your approximate location from your IP address.
6.4 Contact Information
We may also seek permission for our app’s collection and syncing of contact information from your device, per the permission system used by your mobile operating system. If you initially permit the collection of this information, iOS users can later disable it by changing the contacts settings on your mobile device. If such permissions are not granted, the details of your contacts will never be accessed by Deed.
6.5 Promotional Communications
If you have registered to use Deed on your own, and not through an employment relationship or association with a corporate licensing of Deed, you may opt out of receiving promotional messages from us by following the instructions in those messages. If you opt out, we may still send you non-promotional communications, such as those about your account, about Services you have requested, or our ongoing business relations.
If you are using Deed as a result of an organization licensing the Services for use with their employees and associates, you may opt out of receiving promotional messages from us by following the instructions from Deed on managing your message preferences; however, your employer or the licensing organization may continue to send you messages about Deed and the Services, and we may still send you non-promotional communications, such as those about your account, about Services you have requested, or our ongoing business relations.
6.6 Other Services
We are not responsible for the practices employed by any websites or services linked to or from our Services, including the information or content contained within them. Please remember that when you use a link to go from our Services to another website or service, our Policy does not apply to those third-party websites or services. Your browsing and interaction on any third-party website or service, including those that have a link on our Services, are subject to that third party’s own rules and policies. In addition, you agree that we are not responsible and do not have control over any third-parties that you authorize to access your user content. If you are using a third-party website or service and you allow them to access your user content, you do so at your own risk.
6.7 GDPR and Personal Data Privacy Rights
General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The main objective of the GDPR is to define the manner in which the privacy of EU citizens should be protected by unifying the data regulation rules of the EU’s member states. The GDPR therefore gives EU citizens rights regarding the collection and usage of their personal data. Personal data includes any personal information relating to a resident of the EU. Personal data can be anything from a name to a photo, an email address, bank details, posts on social networking websites, medical information, a computer IP address, and so on.
Deed has embedded privacy and the protection of information into the design of our system to ensure that we handle user data in accordance with guidelines defined by the different data protection legislators. Deed ensures that we only use the information that is necessary to provide you with the service. In the event that a data breach occurs, in spite of Deed’s efforts to prevent such an event, we will make sure to notify the relevant Data Protection Authority of the breach without undue delay once we become aware of it.
If you need to make a data deletion request, please send an email to firstname.lastname@example.org with the subject "Data Deletion Request" from the email associated with your account.
If you are using the Deed services in your individual capacity and not as a user associated with a corporate organizational licensure of the Deed Services, upon your request for your data to be deleted, Deed will delete all personal information, profile images, Facebook token (if applicable), usage data, and anonymize your activity. Deed will also remove your information from any 3rd party vendors who may be sub-processors of that data. If you are using Deed as a result of an organization licensing the Services for use with their employees and associates, Deed will have to collaborate with the licensing organization (the data controller) to ensure that revisions and deletions are fully implemented, as integrations with HRIS, payroll or SSO may result in some changes being reversed.
Once data deletion is requested and account ownership is confirmed, the data deletion request enters our queue. Generally, the data is deleted within 14 calendar days of the initial request. During the deletion process data is securely purged from Deed's databases and servers. All related backup and log data will be deleted within 30 calendar days. Once data has been deleted it cannot be recovered.
7. Data Protection Officer
By email at: email@example.com
8. Data Protection Authority
In the event that you think that there was a breach in the manner in which we use your personal data we encourage you to contact us to allow us to review the situation and address it appropriately. Nevertheless, please be aware that you also have the right to lodge a complaint with the relevant data protection authority based on your location.
9. Security / Data Protection
We have designed our services to comply with applicable data protection laws, and have implemented industry standard technological and organisational controls to secure the confidentiality of your personal information.
We will not disclose confidential information about your business to anyone except where:
We are permitted to do so by law;
We have a public duty to disclose the information; and/or
We need to do so to comply with the requirements, codes or recommendations of any of our regulators.
10. Children’s Privacy
Deed does not knowingly collect or solicit any information from anyone under the age of 13 or knowingly allow such persons to register for the Services. The Services and its content are not directed at children under the age of 13. In the event that we learn that we have collected personal information from a child under age 13 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us at firstname.lastname@example.org.
11. Changes to the Policy
We may change this Policy from time to time, at our sole discretion. Changes will be notified and your continued use of the Services after such notice constitutes your consent to the changes. We encourage you to periodically review the Policy for the latest information on our privacy practices.
12. Contact Us
13. Special Clauses for Russia
13.2.1. Collection of Information. We do not process sensitive or biometric personal data.
13.2.2. Information We Collect From Other Sources. When we receive personal data about you from third parties, we will ensure that we have an appropriate lawful basis. We will also notify you of the data processing prior to processing your data unless you are already aware of such processing or the applicable law otherwise exempts us from the notification obligation.
We may send you advertisements and communications we think will be of interest to you, including information about products, services, promotions, news, and events of Deed and other companies or organizations only subject to your prior and explicit consent.
We only retain your personal data for as long as needed to fulfill the purposes for which it is collected unless we are required or permitted by law to keep the personal data for longer. We will destroy your personal data within 30 days after we achieve the said purposes or you recall your data processing consent (where applicable) unless we may continue the data processing on the ground of another lawful basis.
Our processing actions may include the following: collection, record, systematization, accumulation, storage, clarification (update, change), extraction, use, transfer (provision and access), depersonalization, blockage, deletion, and destruction of personal data. Our data processing methods may include the processing with the use of automation tools and without the automation tools.
13.4. Sharing of Information. You hereby give your consent to the disclosure of your personal data to the persons and entities specified in Section 4 above. Paragraphs 5, 10, 11, and 13 of Section 4 above do not apply. You hereby consent that we may transfer your personal data to Deed’s subsidiaries, affiliated entities, vendors, consultants, marketing partners, and other service providers if they act as Deed’s data processors and on Deed’s behalf. We may disclose your personal data to the competent law-enforcement agencies, courts, other entities, and state bodies in cases prescribed by the applicable law.
You hereby consent that we may share your personal data with your employer if your use of the Services is based on a corporate subscription.
13.5. Your rights. You, as a data subject, have the following rights:
– Right to receive information about the processing of your personal data;
– Right to demand the clarification, blocking, or destruction of your personal data in cases where such data is incomplete, outdated, incorrect, illegally received, or unnecessary for the declared processing purpose;
– Right to lodge complaints about actions (omission) of the data operator to competent authorities and bring a legal action;
– Right to defend your rights and legitimate interests, including the compensation of damages and/or moral damage, in court or according to other procedures established by the applicable law; and
– Other rights established by the applicable law.
Paragraph “Contact Information” of Section 6 above does not apply.
13.6. Security. We take all necessary administrative, legal, and technical measures to protect your personal data against unlawful or accidental access, destruction, change, blockage, copy, provision, and distribution as well as against other unlawful actions in respect of personal data. We fulfill the following data security requirements for the protection of personal data processed via information systems, depending on the security level of information systems chosen by us: ensure the security of premises accommodating the personal data information systems equipment in a way that prevents any person without appropriate access rights from uncontrolled intrusion or stay in these premises; ensure the safety of all personal data media; adopt, by the general manager’s decision, a document determining the list of employees whose work duties require access to the personal data processed in the information system; use information security tools, whose compliance with the requirements of the information security laws is duly assessed and confirmed, when such tools are necessary for the neutralization of actual risks; appoint an employee responsible for the security of the personal data in the information system or impose this responsibility on an appropriate division; ensure that all changes of access rights with regard to the personal data in the information system are automatically recorded in the electronic messages log; and provide access to the electronic messages log only to those employees or other authorized persons who need this access for the discharge of their work duties.
Effective Date: April 1, 2019; Updated October 4, 2021; Last Reviewed November 15, 2022.