Privacy Policy

Last updated: May 19, 2026 · Effective: May 19, 2026

1. About this policy

This policy explains how Givalgo, Inc. (“Givalgo”, “we”, “our”) collects, uses, discloses, and protects personal information in connection with the Givalgo Discover product (the “Service”), available at discover.givalgo.ai. It applies to website visitors, account holders, and anyone who contacts us. Givalgo Discover is currently offered to United States customers; Section 10 covers the additional rights granted to California residents.

Givalgo Discover's organisation data is built entirely from publicly available U.S. government sources — primarily the IRS Exempt Organisations Business Master File, IRS Publication 78, the IRS Form 990 XML corpus, and the IRS Auto-Revocation list. We do not collect or process personal information about the donors, beneficiaries, employees, or board members of those nonprofits beyond what the IRS itself publishes.

2. Information we collect

2.1 Information you provide directly

  • Account details — name, email address, and authentication credentials, handled by Clerk on our behalf. We never see or store your password.
  • Billing information — name, billing address, country, and tax identifiers if applicable. Payment card details are submitted directly to Stripe and never touch our servers. We retain only the Stripe customer ID, last-four digits, and invoice history that Stripe surfaces.
  • Support communications — messages you send via the Help button, support@givalgo.ai, or in response to our emails.
  • Survey or feedback responses, when you choose to provide them.

2.2 Information collected automatically

  • Usage telemetry — search queries you run, organisations you save, recently-viewed orgs, Verify Now reports you generate, and feature interactions. Stored against your Clerk user ID so we can power your personal dashboard.
  • Technical data — IP address (hashed for anonymous users, see §5), browser user-agent, referrer URL, page-load timestamps, and request latency. Used for security, abuse prevention, and aggregate performance metrics.
  • Quota counters — daily search / verify counts per user (or per hashed IP for anonymous visitors) so we can enforce free-tier limits without storing detailed browsing history.

2.3 Information from third parties

  • Authentication confirmation from Clerk (and from any SSO provider — Google, Microsoft, etc. — you sign in with).
  • Subscription status, invoice events, and payment-method metadata from Stripe.
  • Bounce / complaint feedback from Amazon SES so we can stop emailing addresses that don't want our messages.

3. How we use your information

  • Service delivery — provisioning accounts, returning search results, generating AI summaries (when you request them), persisting your saved orgs and recent activity, processing subscription payments via Stripe, and rendering your personalised dashboard.
  • Communication — sending transactional emails (welcome, quota warnings, trial-ending reminders, subscription receipts, support replies). We do not send marketing emails without your explicit opt-in.
  • Security & abuse prevention — detecting scraping, brute-force authentication attempts, payment fraud, and enforcing per-IP rate limits.
  • Product improvement — analysing aggregate (non-identifying) usage patterns to find bugs, prioritise features, and tune search relevance.
  • Legal compliance — responding to lawful requests, retaining records for tax / accounting purposes, and complying with applicable export-control and sanctions regulations.

4. Sharing & disclosure

We do not sell, rent, or trade your personal information. We share it only with the service providers that make the product work, and only to the extent each provider needs:

  • Amazon Web Services (us-east-2, Ohio) — cloud infrastructure, RDS PostgreSQL database, OpenSearch cluster, Lambda compute, and Amazon SES for transactional email.
  • Stripe, Inc. — PCI-DSS Level 1 certified payment processor. Receives only the information necessary to process subscriptions (email, name, billing address, payment method).
  • Clerk, Inc. — authentication and user management. Stores hashed credentials, manages sessions, and surfaces sign-in / sign-up UI.
  • Anthropic, PBC — provides the LLM that generates AI summaries when you click “Generate summary” on an org page. Only the org's public IRS-derived data is sent; nothing about you personally.
  • Sentry, Inc. — error tracking. Captures stack traces and request metadata when something breaks. Configured to scrub personal data.

We may disclose information when required by law (court order, subpoena, lawful government request) or to protect Givalgo, our users, or third parties from harm. In the event of a merger, acquisition, or asset sale, your information may transfer to the acquiring entity; we will notify you by email at least 14 days before any such transfer takes effect.

5. Cookies & tracking

Givalgo Discover uses only the cookies necessary to operate the Service:

  • Clerk session cookies — keep you signed in
  • CSRF tokens — protect against cross-site request forgery
  • Preference cookies — remember your tier, recently-viewed orgs, and view-mode preferences (1-year duration)

We do not use Google Analytics, Facebook Pixel, ad-tech retargeting, cross-site tracking, or any third-party behavioural-advertising tools. The only external script loaded outside Clerk and Stripe is Sentry's error reporter, configured to omit URL parameters and form values from breadcrumbs.

For anonymous visitors, we hash IP addresses with a rotating salt (QUOTA_ANON_SALT) before storing them so that the same visitor can't be tracked across sessions or correlated against external datasets.

6. Data security

  • TLS 1.2+ encryption in transit on every request
  • AES-256 encryption at rest for the database and backups (AWS-managed)
  • Production secrets stored in AWS Secrets Manager; never in source code
  • Database in a private VPC subnet with no public ingress
  • Per-user and per-IP rate limiting + Clerk Attack Protection on authentication
  • HMAC verification on every Stripe webhook
  • All admin operations gated by Clerk-issued, @givalgo.ai-only tier checks

7. Data retention

Category | Retention
Account profile (name, email, tier) | Until you delete your account + 3 years (for audit / dispute)
Payment records & invoices | 7 years (tax / accounting compliance)
Saved orgs & search history | Until you delete them, or you delete your account
Anonymous quota counters | 90 days, rolling
Support communications | 3 years from last contact
Email logs (welcome / quota / billing sends) | 2 years
Security audit logs | 1 year

Earlier deletion is available on request to support@givalgo.ai, subject to any legal obligations that require longer retention (e.g. tax records).

8. Hosting location

Our infrastructure is hosted in AWS's us-east-2 region (Ohio, United States). All personal information is stored and processed in the United States.

9. Children's privacy

Givalgo Discover is not directed to individuals under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, contact support@givalgo.ai and we will delete it.

10. Your privacy rights

All users have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete information
  • Delete your account and associated data (Settings → Account → Delete account, or by emailing us)
  • Export your data in a portable, machine-readable format
  • Opt out of any non-transactional emails

We will respond to verifiable requests within 30 days. Complex requests may be extended by an additional 60 days, with notice. Email support@givalgo.ai.

11. California privacy rights (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, and share
  • Delete personal information we have collected
  • Correct inaccurate personal information
  • Opt out of the “sale” or “sharing” of personal information — note that Givalgo does not sell or share personal information as those terms are defined under CCPA
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising any of the above rights

To exercise these rights, email support@givalgo.ai with “CCPA Request” in the subject line. We may need to verify your identity before fulfilling the request.

12. Changes to this policy

We may update this policy from time to time. Material changes will be announced by updating the “last updated” date above and, for signed-in users, surfacing a one-time notice the next time you visit.

13. Contact

For questions about this policy, privacy concerns, or data-subject requests, write to us at support@givalgo.ai. Mailing address available on request.