Last updated: April 9, 2026
DonorGraph, Inc. ("DonorGraph," "we," "us") provides prospect research and donor intelligence software to nonprofit organizations. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our website and applications at donorgraph.com and app.donorgraph.com (the "Services").
When a nonprofit signs up, we collect the names, work email addresses, and organizational affiliations of authorized users, along with billing contact information. We do not collect payment card numbers directly; payments are processed by our PCI-compliant payment provider.
Customers may upload lists of prospects or donors ("Customer Data") through CSV import, manual entry, or integrations. Customer Data may include names, addresses, employment information, and giving history. Customer Data belongs to the customer; DonorGraph acts as a data processor for Customer Data and only uses it to provide the Services to that customer.
The Services combine Customer Data with information drawn from public and licensed sources, including: U.S. county real property and deed records, FEC political donation filings, SEC Form 4 insider filings, IRS Form 990 filings, U.S. Census data, and publicly available biographical information. Information about an individual's charitable capacity is derived from these sources and estimated using modeling techniques; it is not verified personal financial information.
We collect standard log data (IP address, browser type, pages visited, timestamps) and product telemetry (features used, search queries, errors) to operate, secure, and improve the Services.
We do not sell personal information. We share information only as follows:
Individuals whose information appears in the Services may have rights under applicable law (including the California Consumer Privacy Act and the Nevada privacy statute at NRS 603A) to request access, correction, or deletion of their personal information. To exercise these rights, email [email protected]. Because much of the data in our platform is drawn from public records, we will identify what information we hold, its source, and whether deletion is possible. We respond to verified requests within 45 days.
If you are an individual inquiring about information held about you by a specific nonprofit customer of DonorGraph, we will refer you to that nonprofit, which is the data controller for its records.
We use encryption in transit (TLS 1.2+) and at rest, role-based access controls, least-privilege credentials, and audit logging. Despite these measures, no system is perfectly secure. If we become aware of a security incident affecting Customer Data, we will notify affected customers without undue delay.
Customer Data is retained for the life of the customer's account and for 30 days thereafter, after which it is permanently deleted from production systems. Public-records data is retained as a reference dataset. Backups are purged on a rolling 90-day cycle.
The Services are intended for use by nonprofit professionals and are not directed to children under 16. We do not knowingly collect information from children.
The Services are operated from the United States. If you access them from outside the U.S., you consent to your information being processed in the U.S.
We may update this Privacy Policy from time to time. Material changes will be announced in the product and by email to account administrators at least 14 days before taking effect.
Questions about this Privacy Policy or our data practices: [email protected].