Privacy Policy
This Privacy Policy describes how Nediva, Inc. ("Nediva") collects, uses, and discloses information about you when you use our platform.
1. Information we collect
You provide
- Account details: email, display name, optional profile photo and bio.
- Donation details: amount, frequency, optional message, optional anonymity preference.
- Nonprofit-account details: organization name, EIN, mailing location, website, Stripe Connect onboarding data.
- Communications you send us.
Automatically
- Usage data: pages visited, features used, approximate timing.
- Device data: browser type, operating system, IP address.
- Cookies and similar technologies; see our Cookie Policy.
From third parties
- Stripe processes payments and shares limited transaction metadata with us (amount, success/failure, last4 of card for receipts).
- Supabase Auth handles credential storage; passwords are never visible to us.
2. How we use information
- To operate the Service, process donations, and route funds to nonprofits.
- To send transactional emails (receipts, milestone notifications, account messages).
- To prevent fraud, abuse, and unauthorized access.
- To improve the Service, including aggregate analytics.
- To comply with legal obligations.
3. Sharing
We share information with: (a) the nonprofit you donate to (donor name, amount, optional message — subject to the anonymity disclosure in §3.1 below); (b) Stripe and other payment processors; (c) Resend or comparable provider for transactional email; (d) Supabase for hosting and authentication; (e) law enforcement or other parties when required by law.
3.1 What "Anonymous" means on Nediva
Choosing to donate anonymously hides your name and avatar from the public-facing nonprofit page, supporter lists, and comments. It does not make the donation untraceable. We retain your full identity for the following purposes and may disclose it to the parties below:
- The recipient nonprofit's back-office donor record (so the nonprofit can issue a valid IRS-compliant tax receipt under IRC §170 and meet its own donor-acknowledgment obligations).
- Stripe, for KYC, fraud screening, OFAC sanctions screening, and anti-money-laundering checks required by the Stripe Connect agreement and applicable law.
- Federal, state, and local tax and law-enforcement authorities, where required by valid legal process or by tax-reporting rules (including IRS Form 990 substantiation rules and state charitable-solicitation registries).
Anonymity on Nediva is therefore a display preference, not a legal cloak. If you require a fully anonymous gift, please use a donor-advised fund.
3.2 Subprocessors
We rely on the following subprocessors. Each is bound by contractual confidentiality and security obligations; this list is current as of the "Last updated" date above and may change with notice.
- Stripe, Inc. — payment processing, card vaulting, Stripe Connect payouts, fraud and KYC.
- Supabase, Inc. — Postgres database, authentication, file storage, realtime infrastructure.
- Vercel, Inc. — application hosting and edge delivery.
- Resend, Inc. — transactional email (receipts, milestone notifications, account messages).
- PostHog, Inc. — product analytics (pseudonymous event data only).
- Sentry (Functional Software, Inc.) — error and performance monitoring.
- Endaoment — independent donor-advised-fund sponsor for optional DAFpay grants; receives only the data necessary to route a grant you initiate.
We do not sell personal information. We do not share donor data with advertisers.
4. Retention
Account data is retained while your account is active. Donation records are retained for at least seven years to support tax and accounting obligations. Deleted accounts have personal identifiers removed; aggregate financial records are preserved as required.
5. Your rights
Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data, and to object to certain processing. To exercise these rights, contact privacy@aishtamidhats.com.
California residents (CCPA)
California residents have specific rights under the CCPA, including the right to know what categories of personal information we collect, to request deletion, and to opt out of sale (we do not sell). Contact us using the email above to exercise these rights.
EU/UK residents (GDPR)
Residents of the EU and UK have rights under GDPR including access, rectification, erasure, restriction, portability, and objection. The lawful bases for our processing are: contract (operating your account, processing donations), legitimate interest (fraud prevention, service improvement), and legal obligation (tax records).
6. Security
We implement industry-standard administrative, technical, and physical safeguards. Payment data is handled by Stripe (PCI DSS Level 1). Authentication data is handled by Supabase. No system is perfectly secure; if you believe your account has been compromised, contact us immediately.
7. Children
The Service is not directed to children under 13 (or 16 in the EU/UK). We do not knowingly collect personal information from children.
8. International transfers
Information may be transferred to and processed in the United States or other countries where our service providers operate. Appropriate safeguards (such as Standard Contractual Clauses) are in place where required.
9. Changes
We will notify you of material changes by email or in-app notice prior to the change taking effect.
10. Contact
Privacy questions: privacy@aishtamidhats.com.