PRIVACY POLICY OF DONATEOPEN
Effective date: 28.05.2026
1. Introduction
We are the DonateOpen platform, available at https://donateopen.com ("Platform"). The Platform is operated by DonateOpen Co., incorporated in the State of Delaware, USA, under registration number 10116279, with its registered office at 16192 Coastal Hwy, Lewes, DE 19958, USA.
DonateOpen Co. is the operator of the Platform, the owner of its code, design, brand, and algorithms, and acts as the controller of the personal data that Users provide to DonateOpen directly in the course of using the Platform. DonateOpen does not act as a controller with respect to payment and financial data processed by Stripe as an independent payment provider, nor with respect to Donator data received by Creators through the Stripe dashboard, in relation to which Creators act as independent controllers, as set out in Section 3 of this Policy.
In this Policy, the words "DonateOpen," "we," "us," and "our" refer to DonateOpen Co. This Privacy Policy ("Policy") describes what personal data we process, on what legal bases, to whom we disclose it, and what rights you have under applicable data protection legislation, including the GDPR, UK GDPR, and CCPA/CPRA. This Policy should be read in conjunction with the Terms of Use (https://donateopen.com/terms, "Terms").
2. Definitions
- Platform — DonateOpen.com website owned, operated and represented by DonateOpen Co.
- User — any person interacting with the Platform.
- Creator — a User who creates various content and a creator page on DonateOpen.
- Donator — a User who sends a donation to a Creator.
- Guest — a User who makes a donation without creating an account on the Platform.
- Platform Visitor — a User who browses the Platform without logging in or making donations.
3. Data Controllers
A controller is a party that independently or jointly determines the purposes and means of processing personal data. DonateOpen acts as the controller of your data in relation to the operation of the Platform.
As we use the direct charges model through Stripe Connect with Creators' standard accounts, the Creator is the direct recipient of the payment. When a donation is made, a limited set of Donator data is automatically transmitted to the Creator through their Stripe dashboard: email address, donation amount, date and time, payment method (card brand, last 4 digits, or payment method type), and transaction ID.
We transmit only the minimum data necessary to confirm the payment and to comply with the requirements of the payment provider. From the moment the Creator receives this data through Stripe, the Creator becomes an independent controller with respect to the information received.
By accepting the Platform's Terms of Use, the Creator undertakes to:
- use Donator data exclusively for purposes related to the donation received;
- not use Donator data for marketing purposes without a separate, explicit consent from the Donator;
- not disclose Donator data to third parties, except as expressly required by law;
- ensure the security and confidentiality of the data received in accordance with applicable personal data protection legislation;
- delete Donator data when there is no longer a need to retain it, or upon a justified request from the Donator.
If you believe that a Creator is violating the above obligations or applicable personal data protection legislation, you may:
- contact the Creator directly to exercise your rights as a data subject;
- notify us at privacy@donateopen.com — we will review the complaint, may restrict or terminate the Creator's access to the Platform, and, where grounds exist, report the violation to the competent supervisory authority;
- file a complaint with the data protection supervisory authority in your country.
DonateOpen transmits Donator data to Creators in the minimum scope described above and binds Creators to the obligations set out above through the Terms of Use. DonateOpen does not have the technical ability to monitor the Creator's actions with the data received outside the Platform and bears no liability for such actions if they violate our Terms of Use and applicable law.
4. Personal Data We Collect
The scope of data we process depends on your role on the Platform. The processing tables for each role, including the applicable legal bases under the GDPR, are set out below. For users from other jurisdictions, the legal bases are described in Section 15.
4.1. Creator
This applies when you register on the Platform to publish information about yourself and your work to receive donations.
| Activity | Personal Data | Legal Basis |
|---|---|---|
| Registration and authentication | Email address, name or alias, displayed nickname. If signing in via Google — name, email, avatar URL to the extent permitted by you upon authorization. | Performance of a contract |
| Profile management | Avatar, activity category, country, "About me" description, links to external resources and social media. | Performance of a contract |
| Publishing works | Work title, description, cover image, link to external resource, year of release. | Performance of a contract |
| Connecting a Stripe account and receiving donations | Stripe account identifier, connection status, payout statuses, transaction identifiers, amounts. Full payment details are stored by Stripe. | Performance of a contract |
| Tax and AML reporting | Stripe account identifier, donation amounts and history, country. Other data required by applicable law is collected by Stripe. | Legal obligation |
| Responding to inquiries and support | Name, email, content of the inquiry. | Performance of a contract; legitimate interest |
| Platform security, fraud detection, and ratings manipulation prevention | Technical logs (IP address, user-agent, date and time), activity history. | Legitimate interest |
4.2. Registered Donator
This applies when you register on the Platform to send donations and access extended features.
| Activity | Personal Data | Legal Basis |
|---|---|---|
| Registration and authentication | Email address, name or alias, displayed nickname. If signing in via Google — name, email, avatar URL to the extent permitted by you upon authorization. | Performance of a contract |
| Profile management | Avatar, description, links to external resources. | Performance of a contract |
| Making donations (public donation and negative donation) | Name or nickname, selected Creator and work, donation amount, comment, date and time, transaction identifier. | Performance of a contract |
| Calculating the negative donation quota | Aggregate amount of the user's previously made positive donations. | Performance of a contract |
| Wish to Donate declarations | Name or nickname, name of the selected Creator, declared amount. | Performance of a contract |
| Transactional notifications (donation confirmations, account notifications) | Email address, notification content. | Performance of a contract |
| Responding to inquiries and support | Name, email, content of the inquiry. | Performance of a contract; legitimate interest |
| Platform security, fraud detection, and ratings manipulation prevention | Technical logs (IP address, user-agent, date and time), activity history. | Legitimate interest |
4.3. Guest
This applies when you send a donation without creating an account on the Platform. No account is created.
| Activity | Personal Data | Legal Basis |
|---|---|---|
| Making a donation | Email address, name (if provided), donation amount, selected Creator and work, date and time, transaction identifier. Full payment details are collected by Stripe through its own payment form and are not transmitted to us. | Legitimate interest (processing your donation without account creation) |
| Donation confirmation | Email address, transaction identifier, amount. | Performance of a contract (quasi-contractual relationship arising from the donation) |
| Tax and AML reporting | Amount, transaction identifier, country (if applicable). | Legal obligation |
| Platform security and fraud prevention | Technical logs (IP address, user-agent, date and time). | Legitimate interest |
4.4. Platform Visitor
This applies when you visit the Platform without logging in or making a donation.
| Activity | Personal Data | Legal Basis |
|---|---|---|
| Accessing public sections of the Platform (ratings, Creator and Donator profiles) | Technical logs (IP address, user-agent, date and time, URL of the requested page, browser type and version, browser language). | Legitimate interest (ensuring Platform operation and security) |
| Session authentication (when an active login is present) | Session cookie (see Section 9). | Performance of a contract; strictly necessary cookie |
The provision of data marked as mandatory upon registration or payment is a contractual requirement. Without it, we will be unable to create your account or process your donation.
We do not knowingly collect or process special (sensitive) categories of personal data (including data on race, religion, health, sexual orientation, political views, precise geolocation, and other categories defined as "sensitive" under applicable law).
5. Data Visibility: Ratings, Profiles, and Donations
5.1. Public by Default
Donations on the Platform are public by default. The following information is accessible to any visitor of the Platform, including unregistered persons:
- the Donator's name or nickname;
- the recipient Creator's name or nickname;
- the donation amount;
- the title of the selected work (if specified);
- the Donator's comment (if left);
- the date of the donation.
This data is displayed in public donation ratings, on Creator profile pages, and in Donator profiles. The same categories of public data apply to negative donations and Wish to Donate declarations. The functional specifics of these types of interactions are described in the Terms of Use. By submitting this information through the Platform's interface, you explicitly make it public (manifestly made public) within the meaning of applicable personal data protection legislation, including Article 9(2)(e) of the GDPR.
5.2. Hiding Name from Public Ratings
When sending a donation, the Donator may select the option "Hide my name from public ratings" (labelled in the interface as "Donate anonymously"). In this case:
- The Donator's name and nickname are hidden from all public ratings, profile pages, and any publicly accessible sections of the Platform;
- The recipient Creator can still see the email, full name, and address of the user who sent the donation — in their Stripe dashboard. This is a consequence of the direct payments model and cannot be concealed on DonateOpen's side;
- The donation record is retained in the Donator's personal account.
The option is called "anonymous" in a qualified sense: full anonymity from the Creator is technically impossible under the direct payments model.
5.3. Privacy Controls on the Platform
Users may manage the visibility of certain information in their personal account. A number of sections within the Creator and Donator dashboards include privacy controls that allow the User to set the relevant information as either public or private. When set to private, that information is not visible to other Platform users. The specific sections where these controls are available may change as the Platform develops; current options are indicated directly within the interface.
5.4. Negative Donations
The fact of a negative donation, the name of its sender, and the recipient are displayed in public ratings in the same manner as monetary donations. The name-hiding option described in Section 5.2 also applies to negative donations. The Creator has the right to publicly respond to a negative donation by posting a comment on their profile page.
5.5. Wish to Donate
This feature allows Donators to declare their intention to support a Creator, including nominating persons not yet registered on the Platform. When nominating a new candidate, users provide the Platform exclusively with publicly available information about that person (a public name or pseudonym, and links to open social media profiles or websites). The name or nickname of the declaring Donator (unless the anonymous participation option is selected), the public name of the recipient Creator, and the declared amount (predonate) are displayed in public ratings. The Platform processes the above publicly available data of the recipient Creators on the basis of legitimate interest, exclusively to enable the "Wish to Donate" feature and to subsequently invite them to the Platform.
5.6. Comments
Comments left when making a donation are published on the Creator's profile page and are accessible to all visitors. A comment may be deleted by: the comment author (through their personal account), the recipient Creator (from their page), or the Platform administration — in the event of a violation of the Terms of Use.
6. Legal Bases for Processing
The legal bases for processing are specified in the tables in Section 4 for each role and each processing activity. Additional provisions applicable depending on your jurisdiction (GDPR, CCPA/CPRA) are set out in Section 15.
7. Disclosure of Data to Third Parties
We disclose your data to the following recipients and categories of recipients:
| Recipient | Purpose |
|---|---|
| Stripe, Inc. (USA) | Payment processing. Stripe acts as an independent controller with respect to full payment data. Stripe's Privacy Policy: https://stripe.com/privacy. |
| Creators | Receive a limited set of Donator data through the Stripe dashboard and become independent controllers with respect to such data (see Section 3). |
| Google LLC | If you choose to sign in via Google Sign-In — to the extent permitted by you upon authorization. |
| Cloud infrastructure and network security providers | Platform hosting, attack protection, content delivery. They act as processors on our behalf under data processing agreements (DPA). |
| Transactional email provider | Sending donation confirmations and account notifications. Processor on our behalf under a DPA. |
| Competent government authorities | Only upon a mandatory request in accordance with applicable law, or to protect the rights, property, or security of DonateOpen, our users, or third parties. |
| Successors | In the event of a merger, sale of business, or transfer of assets, data may pass to the successor subject to the terms of this Policy. |
We do not sell or share personal data within the meaning of the CCPA/CPRA. We do not disclose data to third parties for marketing or advertising purposes. We may engage additional service providers in the future. In the event of material changes, we will update this section.
8. International Data Transfers
User data is stored on servers located in the USA. If you are in the EEA, the United Kingdom, or Switzerland, the transfer of your data outside those territories is carried out with appropriate safeguards — Standard Contractual Clauses (SCC) approved by the European Commission (for EEA users), or their respective equivalents for the United Kingdom and Switzerland. Additional technical measures also apply: encryption in transit and at rest.
9. Cookies
The Platform uses cookies and local storage technologies (including localStorage) to ensure technical functionality, user authentication, fraud prevention, and the operation of the referral program. These technologies are strictly necessary for the provision of the service. We do not use third-party analytics, tracking, or advertising cookies. A complete technical list of the tokens used, their processing purposes, and retention periods is set out in our separate Cookie Policy.
10. Authentication and Account Security
The Platform uses passwordless authentication. Login is performed in one of two ways: via a one-time code (OTP) sent to your email address, or via Google Sign-In. We do not store passwords or their hashes. We apply technical and organizational security measures — including data encryption in transit and at rest, access controls, and restriction of employee permissions on a need-to-know basis. No system can guarantee absolute security; if you discover a vulnerability or an incident, please notify us at privacy@donateopen.com.
11. Data Retention
- Active account data and donation records — retained for the entire duration of the account's existence and used in the course of Platform operation (including display in public ratings and profiles). Following account deletion, Section 12 applies: the profile is hidden, and the name and nickname in donation records are anonymized.
- Server logs and backups — retained for the minimum period necessary to ensure the security and operational continuity of the Platform, after which they are automatically deleted.
- Full payment data (card numbers, banking details) is processed and stored exclusively by Stripe; the retention period is governed by Stripe's Privacy Policy.
Where a User requests the deletion of their DonateOpen account, DonateOpen will delete or anonymize the personal data it holds in accordance with the periods set out above. However, where a Creator has a connected Stripe account, Stripe retains financial and identity data independently in accordance with its own retention policies and applicable legal requirements. DonateOpen has no ability to request or compel the deletion of data held by Stripe. Users wishing to exercise data deletion rights with respect to data held by Stripe should contact Stripe directly.
12. Account Deletion
Any registered user may delete their account at any time through the Platform settings. Upon deletion:
- the profile is immediately hidden from all Platform users;
- account data is retained on our servers for 30 calendar days in case of accidental deletion;
- during this period you may contact us to request restoration;
- upon the expiry of 30 days, account data is permanently deleted;
- all previously sent donations and comments associated with the deleted account are irreversibly anonymized: the name and nickname are removed from public ratings and profile pages and replaced with an anonymized record. This is necessary to preserve the integrity of the Platform's ratings and financial history and is consistent with Article 17(3)(b, e) of the GDPR;
- a Creator may at any time disconnect their Stripe account from the Platform and connect a different one. The data of the previous Stripe account is deleted from the Platform;
- data stored directly within Stripe is governed by Stripe's Privacy Policy.
13. Age Restrictions
The Platform is intended exclusively for persons who have reached the age of majority in their country of residence (generally 18 years of age). Registration, sending and receiving donations, Wish to Donate declarations, and any other use of Platform features by minors are not permitted. We do not knowingly collect or process personal data of minors. If we become aware that an account has been created by a minor, we will block the account and delete the associated data without undue delay. If you are a parent or legal guardian and believe that a minor has provided us with personal data, please contact us at privacy@donateopen.com — we will take steps to delete such data.
14. Changes to This Policy
We may update this Policy. The effective date of the current version is indicated at the beginning of the document. We will notify registered users of material changes by email no less than 14 calendar days before they take effect. If a change affects processing that requires your consent (for example, the introduction of analytics or marketing newsletters), such consent will be requested from you separately. With respect to processing based on other legal bases, continued use of the Platform after the changes take effect will constitute your acknowledgment of the updated Policy.
15. Personal Data Breach Notification
In the event of a personal data breach, DonateOpen will act in accordance with applicable law. Where a breach is likely to result in a risk to the rights and freedoms of natural persons, DonateOpen will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Article 33 of the GDPR. Where a breach is likely to result in a high risk to the rights and freedoms of natural persons, DonateOpen will also notify the affected Users directly without undue delay, in accordance with Article 34 of the GDPR, unless an exemption under that Article applies. Notifications to affected Users will be made to the email address associated with the account. DonateOpen maintains internal procedures for detecting, investigating, and responding to personal data breaches.
16. Additional Provisions for Specific Jurisdictions
16.1. Users from the EEA, the United Kingdom, and Switzerland (GDPR)
Data controller: DonateOpen Co. (USA).
Legal bases for processing. The specific bases for each activity are set out in the tables in Section 4. The following GDPR bases apply:
- Article 6(1)(b) — performance of a contract (providing Platform features, including publication of data in public ratings);
- Article 6(1)(c) — compliance with a legal obligation (tax, accounting, and AML legislation);
- Article 6(1)(f) — our legitimate interests (security, prevention of abuse, user support). You have the right to object — see your rights below;
- Article 6(1)(a) — your consent, where explicitly requested (at the time of this Policy's publication, no optional features requiring consent are present);
- Article 9(2)(e) — information that you have manifestly made public (applicable to donation, profile, and comment data).
Your rights under the GDPR:
- Right of access — to obtain confirmation of processing and a copy of your data.
- Right to rectification — to require the correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — to require the deletion of data where the grounds set out in Article 17 of the GDPR are met. Please note the limitations described in Section 12 (anonymization of transactional records).
- Right to restriction of processing.
- Right to data portability — to receive data in a structured, machine-readable format.
- Right to object — to object to processing based on legitimate interest.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint with a supervisory authority — the data protection supervisory authority in your country of residence.
To exercise any of these rights, please submit a request to privacy@donateopen.com. We will respond within 30 days (which may be extended by a further 60 days with notice to you if necessary) and may request verification of your identity. Please note: with respect to data transmitted to the Creator through the Stripe dashboard (see Section 3), the exercise of rights is effected by contacting the Creator as an independent controller. We do not use automated decision-making processes (including profiling) that produce legal effects for users.
16.2. Users from California (CCPA/CPRA)
Data controller: DonateOpen Co. (USA).
Under the California Consumer Privacy Act (CCPA), as amended by the CPRA, you have the right to:
- know what categories of personal data we collect and for what purposes;
- request access to the specific data we have collected about you;
- request correction of inaccurate personal data;
- request deletion of your personal data (subject to the exceptions provided under applicable law);
- limit the use of sensitive personal data;
- not be subject to discrimination for exercising your rights.
We do not sell or share your personal data within the meaning defined by the CCPA/CPRA. Over the past 12 months, we have disclosed personal data to service providers for business purposes as described in Section 7. We do not collect, use, or disclose Sensitive Personal Information within the meanings defined under California law (CCPA/CPRA).
Since the Platform's launch (within the past 12 months), we have collected the categories of personal data that are detailed in Section 4 of this Policy ("Personal Data We Collect"). Such data includes Identifiers, Commercial Information, and Internet or Other Electronic Network Activity Information.
To exercise your rights, please submit a request to privacy@donateopen.com. You may designate an authorized agent to submit a request on your behalf; in such case, we may require confirmation of the agent's authority and of your identity. To verify your request, we will ask you to send an email from the address associated with your account, or to confirm account ownership by another means.
17. Contact Information
DonateOpen has assessed its processing activities and determined that the appointment of a Data Protection Officer is not mandatory under Article 37 of the GDPR, as DonateOpen does not carry out large-scale systematic monitoring of individuals, does not process special categories of data on a large scale, and is not a public authority. DonateOpen remains committed to compliance with applicable data protection legislation and responds to all data protection inquiries at privacy@donateopen.com.
For any questions relating to this Policy or the processing of your personal data, please contact us:
DonateOpen Co.
Address: 16192 Coastal Hwy, Lewes, DE 19958, USA
Email: privacy@donateopen.com