Privacy Policy
Effective Date: August 22, 2025
1. Introduction
Welcome to DueGood! We respect your privacy and are committed to protecting your personal information. This Privacy Policy explains how we collect, use, store, and protect your information when you use our compliance tracking platform designed for nonprofit organizations.
By using DueGood, you agree to the collection and use of information in accordance with this Privacy Policy. We may update this policy from time to time, and we will notify you of any material changes.
This policy applies to all users of DueGood, including individual users, organizational administrators, and team members within nonprofit organizations.
2. Information We Collect
Personal Information
We collect the following types of personal information:
- Account Information: Name, email address, and profile details you provide during registration
- Contact Information: Names, email addresses, and roles of organizational contacts and team members
- Authentication Data: Login credentials and authentication tokens managed through Clerk
- Communication Data: Messages, support requests, and feedback you send to us
Organizational Information
For nonprofit organizations using our platform, we collect:
- Organization Details: Organization name, type (501(c)(3), 501(c)(4), etc.), state of incorporation
- Compliance Data: Filing deadlines, regulatory requirements, compliance status tracking
- Task Information: Compliance tasks, assignments, due dates, and completion status
- Reminder Preferences: Email notification settings and reminder schedules
Uploaded Documents
We store documents you upload, which may contain:
- IRS tax forms and filings (Form 990, 1023, etc.)
- State registration documents
- Board resolutions and meeting minutes
- Financial statements and audit reports
- Internal memos and organizational documents
- Contact information for board members, employees, and contractors
- Employer Identification Numbers (EINs) and other identifiers
Usage and Analytics Data
We automatically collect certain information about how you use our service:
- Usage Statistics: Features used, pages visited, time spent in the application
- Device Information: Device type, operating system, browser type and version
- Technical Data: IP address, login timestamps, error logs
- Performance Data: Page load times, user interactions, and application performance metrics
Cookies and Tracking Technologies
We use cookies and similar technologies to enhance your experience, remember your preferences, and analyze usage patterns. This includes authentication cookies from Clerk, analytics cookies from Vercel Analytics or similar services, and functional cookies for app functionality.
3. How We Use Your Information
Primary Service Functions
We use your information to:
- Provide compliance tracking and deadline management services
- Send automated reminders for important filing dates and deadlines
- Store and organize your compliance documents securely
- Enable collaboration among your organization's team members
- Generate compliance reports and status dashboards
- Provide customer support and respond to your inquiries
Service Improvement
We may use aggregated, non-personally identifiable data to:
- Analyze usage patterns to improve our platform's functionality
- Identify and fix technical issues and bugs
- Develop new features based on user needs
- Monitor and improve application performance
- Understand which compliance requirements are most common
Communications
We use your contact information to:
- Send automated compliance reminders and notifications
- Provide important service updates and security alerts
- Respond to support requests and inquiries
- Send occasional product updates (which you can opt out of)
4. Third-Party Services and Data Sharing
Service Providers
We work with trusted third-party service providers to operate our platform:
Clerk (Authentication)
Handles user authentication, account management, and organization membership. Processes names, email addresses, and authentication data.
Privacy Policy: https://clerk.com/privacy
Supabase (Database & Storage)
Stores all application data, including personal information, organizational data, and uploaded documents. Provides database and file storage services.
Privacy Policy: https://supabase.com/privacy
Vercel (Hosting & Analytics)
Hosts our application and may provide analytics data about usage patterns, performance metrics, and user interactions.
Privacy Policy: https://vercel.com/legal/privacy-policy
Data Sharing Within Organizations
Within your organization, authorized team members can access:
- Shared compliance tasks and deadlines
- Organizational documents uploaded by team members
- Contact information for other organization members
- Compliance status and reporting data
No Data Sales
We do not sell, rent, or trade your personal information to third parties for marketing or any other commercial purposes. We may only share your information:
- With your explicit consent
- To comply with legal obligations or court orders
- To protect our rights, property, or safety, or that of our users
- In connection with a business transfer or acquisition
5. Data Storage and Retention
Storage Location
Your data is stored on secure servers operated by Supabase, which may be located in the United States or other countries. We ensure that all service providers maintain appropriate security standards and comply with applicable data protection laws.
Data Retention
We retain your information for different periods based on data type:
- Account Information: Retained while your account is active and for up to 2 years after account closure
- Compliance Data: Retained for 7 years to support historical compliance tracking
- Uploaded Documents: Retained until you delete them or close your account
- Usage Analytics: Aggregated data retained indefinitely; personal identifiers removed after 2 years
- Support Communications: Retained for 3 years for quality assurance and training
Data Deletion
You can request deletion of your personal data at any time. Upon account closure, we will delete or anonymize your personal information within 30 days, except where we are required to retain certain information for legal compliance or legitimate business purposes.
6. Legal Basis for Data Processing
Our legal basis for collecting and processing your personal information depends on the type of information and the context in which we collect it:
Contractual Necessity
We process account information, organizational data, and uploaded documents to provide the compliance tracking services you've subscribed to.
Legitimate Interest
We process usage data and analytics to improve our services, ensure security, and provide customer support, which benefits both DueGood and our users.
Consent
We obtain your consent for email marketing communications and certain analytics tracking. You can withdraw consent at any time.
Legal Compliance
We may process your information to comply with applicable laws, regulations, or legal processes.
7. Your Privacy Rights
Depending on your location, you may have certain rights regarding your personal information:
Access and Portability
- Request a copy of the personal information we hold about you
- Export your data in a machine-readable format
- Access your compliance history and uploaded documents through your account
Correction and Updates
- Update your profile information and preferences directly in your account
- Request correction of inaccurate personal information
- Modify your email notification preferences
Deletion and Restriction
- Delete specific documents or data through your account
- Request deletion of your entire account and associated data
- Restrict processing of your personal information in certain circumstances
Objection and Consent Withdrawal
- Opt out of marketing communications at any time
- Object to processing based on legitimate interests
- Withdraw consent for analytics tracking (may limit functionality)
California Privacy Rights (CCPA)
California residents have additional rights:
- Right to know what personal information is collected and how it's used
- Right to delete personal information (subject to certain exceptions)
- Right to opt out of the "sale" of personal information (we don't sell data)
- Right to non-discrimination for exercising privacy rights
8. Data Security
We implement comprehensive security measures to protect your information:
Technical Safeguards
- Encryption: All data is encrypted in transit (TLS/SSL) and at rest
- Access Controls: Role-based access with multi-factor authentication
- Database Security: Row-level security policies ensure data isolation between organizations
- Infrastructure Security: Secure hosting with regular security updates and monitoring
Organizational Safeguards
- Limited employee access to personal data on a need-to-know basis
- Regular security training for all team members
- Security incident response procedures
- Regular security assessments and audits
Incident Response
In the event of a data breach that may affect your personal information, we will notify you and relevant authorities as required by applicable laws, typically within 72 hours of discovering the incident.
9. Cookies and Analytics
Types of Cookies We Use
Essential Cookies
Required for authentication, security, and basic site functionality. These cannot be disabled without affecting core features.
Functional Cookies
Remember your preferences, language settings, and user interface customizations.
Analytics Cookies
Help us understand how you use our platform to improve performance and user experience. Data is aggregated and anonymized.
Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may limit the functionality of our platform. Most browsers allow you to:
- View and delete cookies
- Block cookies from specific sites
- Block third-party cookies
- Delete all cookies when you close your browser
10. Children's Privacy
DueGood is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we may have information from a child under 18, please contact us immediately.
11. International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your country.
When we transfer your information internationally, we ensure appropriate safeguards are in place, such as:
- Adequacy decisions by relevant data protection authorities
- Standard contractual clauses approved by the European Commission
- Certification schemes and codes of conduct
- Binding corporate rules for intra-group transfers
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Posting a prominent notice in your DueGood account
- Sending an email to the address associated with your account
- Updating the "Effective Date" at the top of this policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
13. Contact Us
If you have questions about this Privacy Policy, want to exercise your privacy rights, or need to report a privacy concern, please contact us through your account dashboard or visit our website for the latest contact information.
Document Version: 1.0
Last updated: August 22, 2025