Privacy Policy

Effective Date: May 24, 2026
Last Updated: May 24, 2026


The Short Version

We’re Giving Toolbox, a mobile app built for 501(c)(3) nonprofits and community foundation fund holders. We take your privacy seriously — here’s the plain-English version:

  • We collect the information you give us (name, email, phone, your organization’s details, expense receipts, donor contacts, donations) and basic technical information about how the app is used.
  • We use it to run the app — process your expenses, handle payments through Stripe, send confirmation emails, scan your receipts with AI, generate event marketing content with AI, and keep your data synced across your team’s devices.
  • We never sell your data. Not to advertisers, not to data brokers, not to anyone.
  • We share it only with trusted service providers who help us run the app (AWS for hosting, Stripe for payments, AI Service Provider for AI features, Amazon SES for email, Sinch for winner SMS notifications, Apple for push notifications — see the full list below).
  • We encrypt your data in transit and at rest. Payment card numbers never touch our servers — Stripe handles those directly.
  • Your App Lock PIN and biometric data never leave your device. The PIN is stored only in the iOS Keychain. Face ID and Touch ID are processed entirely by iOS — we never receive or store biometric data.
  • You own your data. You can access, correct, export, or delete it anytime through the app or by emailing us.
  • Financial records are retained for 7 years because the IRS requires it. Everything else gets deleted when you delete your account.

Keep reading for the full details.


1. Who We Are

Giving Toolbox is owned and operated by Nimble Dragon Media, Inc., a New York corporation (“we,” “us,” “our,” or “Nimble Dragon Media”).

Contact us:

  • Email: support@givingtoolbox.com
  • Phone: 845-796-9716
  • Mail: Nimble Dragon Media, Inc., 518 Broadway, Suite 1, Monticello, NY 12701

This Privacy Policy covers the Giving Toolbox mobile app for iOS, the Giving Toolbox website at givingtoolbox.com, the public fundraising pages we host at nonprofitgive.org on behalf of our nonprofit customers, the golf tournament registration pages we host at teefastgolf.com, and all related services (together, the “Services”).


2. Who This Policy Applies To

Giving Toolbox is used by four different kinds of people, and we handle their data differently:

Nonprofit Organizations — the 501(c)(3) organizations that sign up for a Giving Toolbox account. The organization is our customer. When we talk about “your data” as an organization, we mean your org details, your team’s information, your expense records, your donor lists, your grant data, and your financial reports.

Organization Staff, Admins, and Volunteers — the individuals who use Giving Toolbox on behalf of a nonprofit. This includes the account owner, admins, staff who submit expenses, and volunteers who check in to shifts. Your data belongs to the organization employing you — they control it, and you should ask them about their internal policies.

Community Foundation Fund Holders — individuals, families, or nonprofit organizations that hold named funds (Donor-Advised Funds, Scholarship Funds, Agency Endowments, Field of Interest Funds, Designated Funds, or Fiscally Sponsored Projects) at a community foundation and use Giving Toolbox to track their fund activity. Fund holders create their own independent accounts and control their own data. The community foundation is not a party to the fund holder’s Giving Toolbox account.

Donors, Attendees, and Bidders — the general public who interact with a Giving Toolbox-hosted fundraising page, ticket purchase, auction, raffle, golf tournament registration, or peer-to-peer campaign. Your data is collected jointly by Nimble Dragon Media and the nonprofit you are supporting. The nonprofit is the owner of the relationship with you; we are the technology provider. If you want to access, change, or delete your data, you can contact either us or the nonprofit directly.


3. What Information We Collect

Information You Give Us

Account Information (from nonprofit org owners, admins, and fund holders):

  • Name, email, phone number, password (stored only as a bcrypt hash — we never see your actual password)
  • Organization name, Employer Identification Number (EIN), street address, website, fiscal year end month
  • Organization logo image (optional)

Expense Data (from staff, admins, and owners):

  • Receipt images captured via camera or imported from your photo library or Files app (including PDFs)
  • Vendor name, date, amount, and line items extracted from the receipt
  • Notes, IRS 990 expense category, program tags, grant fund tags, event tags
  • Mileage: start address, end address, and distance traveled. The app records your starting and ending location when you tap Start and Stop — it does not record a continuous GPS route between those points.
  • Reimbursement status and payment method

Donor, Contact, and Attendee Data:

  • Contact first name, last name, email, phone, position/title
  • Business card images if you scan them
  • Donor donation history
  • Event attendee names, emails, phone numbers, dietary restrictions (if provided), ticket types
  • Silent auction bidder names, phone numbers (optional, for winner notifications), bid amounts
  • Raffle buyer names, phone numbers (optional, for winner notifications), ticket quantities
  • Peer-to-peer fundraiser participant names, personal fundraising page content, activity logs
  • Volunteer shift signups, check-in and check-out times

Golf Tournament Data (TeeFast module):

  • Registrant names, email addresses, and foursome group assignments
  • Hole sponsor names and contact information
  • Mulligan purchase records
  • Contest winner names (Closest to the Pin, Longest Drive, Hole-in-One)
  • Player card emails sent to registered golfers on tee sheet lock

Fund Holder Data (community foundation fund holders only):

  • Fund name, fund type, and community foundation name
  • Fund balance, balance as-of date, and spending policy
  • Contribution records (donor name, amount, date, source)
  • Distribution records (recipient, amount, date, status)
  • Statement reconciliation records
  • Fund agreement information (optional)

Payment Information:

  • When someone makes a donation or buys a ticket, they enter their card information into a Stripe-hosted form. We never see, store, or transmit card numbers. Stripe handles all of that. What we receive from Stripe is a transaction ID, the donation amount, the fee amount, and a token — not the card.
  • For nonprofit organizations that connect their Stripe account to receive funds, we receive a Stripe Account ID (a token, not banking credentials).

App Lock and Biometric Authentication:

  • If you set up App Lock, the 6-digit PIN you choose is stored only in the iOS Keychain on your device. We never transmit, receive, or have access to your PIN.
  • Face ID and Touch ID authentication is processed entirely by iOS on your device. We never receive, store, or have access to any biometric data.

Communications:

  • If you email, call, or message us, we keep a record.

Information We Collect Automatically

Device and Usage Information:

  • Device type, operating system version, app version
  • Crash reports (so we can fix bugs)
  • IP address of the device making API calls to our servers
  • Time and type of actions taken in the app (for audit logs — for example, “expense #123 was approved by [admin name] at 3:42 PM”)

Log Data:

  • Web server logs on our API, including IP address, user agent (browser/device identifier), and the request made
  • Audit logs of significant account actions (account creation, logout, password change, account deletion)

Information We Do NOT Collect

  • We do not collect your device contacts — when you scan a business card, we read only that one card; we do not read your address book.
  • We do not run third-party analytics SDKs inside the app. No Google Analytics, no Facebook SDK, no advertising trackers.
  • We do not use cookies on our mobile app (the website uses essential cookies only — see Section 10).
  • We do not collect information from children. Giving Toolbox is for nonprofit staff, adult donors, and adult attendees.
  • We do not store, receive, or process biometric data. Face ID and Touch ID are handled entirely by iOS.

4. How We Use Your Information

We use your information to:

  • Run the app. Create and manage your account, sync data across your team’s devices, let you scan receipts, track expenses, manage grants, accept donations, run events, check volunteers in, and generate reports.
  • Process payments. When donations come in, we route them through Stripe to your nonprofit’s bank account (minus Stripe’s fees and our platform fee).
  • Power AI features. We use an AI service for four features in the app:
    • Receipt scanning — receipt images are sent to extract vendor, date, amount, and category
    • Business card scanning — card images are sent to extract contact name, email, phone, title, and company
    • AI Marketing Composer — bullet points you provide are sent to generate event marketing content (event description, email invitation, social media posts, press release)
    • AI Impact Email Composer — event attendance and outcome data you provide are sent to generate a post-event impact email to attendees
    In all four cases, only the content you explicitly submit is sent. The data is processed for that one request and is not retained by our AI service provider for training purposes.
  • Send transactional emails and SMS messages. Donation receipts, ticket confirmations, event reminder emails, password resets, account deletion confirmations, auction winner payment links, raffle winner notifications, golf tournament player card emails.
  • Generate audit trails. When an expense is approved, rejected, or edited, we record who did it and when. Financial records require this for IRS compliance and internal accountability.
  • Keep the app secure. Detect fraud, prevent abuse, rate-limit login attempts, lock out suspected attackers.
  • Comply with legal obligations. Retain financial records for the 7 years the IRS requires, respond to valid legal requests, and cooperate with tax and law enforcement agencies when required.
  • Improve the app. Fix bugs, understand which features are useful, plan new features. We do this using aggregated and de-identified data whenever possible.
  • Communicate with you about the service. Important account notices, security alerts, material changes to terms. We do not send marketing email to nonprofit staff without consent.

5. When We Share Your Information

We share information only in these specific situations:

With Service Providers (Data Processors)

We work with a small number of companies to run the app. They only get the data needed to do their job, and they are contractually required to protect it:

| Provider | What They Do | What They Receive |
| --- | --- | --- |
| Amazon Web Services (AWS) | Hosts our servers, database, and receipt images | All app data — stored encrypted at rest in the us-east-2 region (Ohio) |
| Stripe | Processes payments and manages nonprofit bank connections | Payment and payer information — see stripe.com/privacy |
| AI Service Provider | Powers AI receipt scanning, business card scanning, marketing content generation, and impact email generation | The receipt image, business card image, or text content you submit for that specific AI request — not retained for training |
| Amazon SES | Sends transactional emails | Recipient email address, email body |
| Sinch | Sends SMS winner notifications for auctions and raffles | Phone number, message body — only when a winner phone number is provided and a notification is triggered |
| Apple | Processes in-app subscription purchases and sends push notifications | Apple ID for purchases; device push token for notifications |
| Let’s Encrypt | SSL certificates for our servers | Nothing personal |

We do not use Google Analytics, Facebook SDK, Meta Pixel, or any ad-tech partner.

With the Nonprofit You Support

If you donate to, buy a ticket from, register for an event from, or bid in an auction run by a nonprofit using Giving Toolbox, your name, email, phone (if provided), and donation amount are shared with that nonprofit. They need it to thank you, send you a tax receipt, and follow up.

With Your Organization

If you are staff or a volunteer using Giving Toolbox under a nonprofit organization’s account, the organization’s owners and admins can see everything you do in the app that is relevant to that organization — expense submissions, volunteer shifts, payment acceptance activity, etc. This is a normal part of how workplace apps function.

For Legal Reasons

We may disclose information if we are legally required to (subpoena, court order, government request), to enforce our Terms of Service, to protect our rights or property, or to protect the safety of users or the public. If we receive a government request for your data, we review it carefully and push back on overreach.

Business Transfers

If Nimble Dragon Media is acquired, merged, or sells substantially all of its assets, information may be transferred to the successor entity. If that happens, we will notify you and the new owner will be bound by this Privacy Policy (or provide notice and the opportunity to opt out of any material changes).

With Your Consent

For anything else, we ask first.


6. Payment Information and PCI Compliance

We want to be very clear about this: we never store, transmit, or process credit card numbers.

When a donor enters their card into a donation form, that card information goes directly to Stripe, a PCI-DSS Level 1 certified payment processor. The card never passes through our servers. We receive only a token and the transaction details from Stripe.

For in-person payments accepted through the app, the same rule applies — cards are processed directly by Stripe, and we never see the card numbers.


7. Data Retention

We retain your information for as long as your account is active and as long as needed to provide the service. When you delete your organization account, the following happens:

Deleted immediately or within 30 days:

  • All active sessions are deleted (every device is logged out immediately)
  • All join codes are revoked
  • Staff invitations and pending admin invitations are voided
  • Receipt images stored in our system are deleted from S3 within 30 days
  • Donor contact records, volunteer records, event attendee data, and golf tournament records are deleted

Retained for 7 years (marked as deleted but not purged):

  • Financial records — expense records, donation records, grant records, 990 categorization data, payment transaction records, fund holder contribution and distribution records
  • Why: The IRS requires nonprofits to retain financial records for 7 years. We keep these in case your organization needs to produce them for an audit. After 7 years, they are permanently purged.

Retained indefinitely (de-identified):

  • Aggregated usage data with no link to you personally, used to improve the product

If you just want to stop using the app without deleting the account, the account is marked inactive but data is preserved until either you delete it or we delete it per our inactive-account cleanup policy (after 24 months of no activity, we will email the owner and begin a deletion process).


8. Your Privacy Rights

You have the following rights regarding your personal information:

  • Access — Get a copy of the personal information we have about you.
  • Correction — Ask us to correct information that is wrong.
  • Deletion — Ask us to delete your personal information. (Note: for financial records, the IRS-required 7-year retention applies — we will mark them deleted and stop using them, but cannot purge them until the retention period expires.)
  • Export — Get a copy of your data in a machine-readable format. Nonprofit account owners can export donor lists, expense reports, and financial data through the app at any time.
  • Opt Out of Communications — Unsubscribe from non-transactional emails at any time. Transactional emails (receipts, password resets, security alerts) cannot be disabled — they are required to run the service.

How to exercise these rights:

  • Through the app: Most of these are self-service. You can update your profile, export data, and delete your account directly in settings.
  • By email: Send a request to support@givingtoolbox.com. We will respond within 45 days. We may ask you to verify your identity first.

California Residents (CCPA/CPRA): California law gives you the rights above plus the right to know categories of information collected in the past 12 months, the right to opt out of the “sale” or “sharing” of personal information (we do not sell or share for cross-context behavioral advertising — so there is nothing to opt out of), and the right to be free from discrimination for exercising these rights. We do not collect “sensitive personal information” as defined by the CPRA.

Authorized Agents: You may designate an authorized agent to make a request on your behalf. We will require reasonable proof of the authorization before responding.


9. Security

We take security seriously. Our measures include:

  • Encryption in transit — All communication between your device and our servers uses HTTPS/TLS.
  • Encryption at rest — Databases and receipt storage are encrypted at rest on AWS.
  • Password hashing — Passwords are stored as bcrypt hashes. We never see your actual password.
  • Session tokens — Stored in the iOS Keychain on your device.
  • App Lock and biometric authentication — If you enable App Lock, your 6-digit PIN is stored only in the iOS Keychain on your device. We never transmit or store it. Face ID and Touch ID are processed entirely by iOS — biometric data never leaves your device or passes through our systems.
  • Privacy screen — When iOS takes a screenshot for the app switcher, a blur overlay is applied so financial data is never visible in the task manager.
  • Short-lived receipt URLs — When you view a receipt, the URL is valid for only 60 seconds.
  • Access controls — Giving Toolbox staff have limited access to customer data, on a strict need-to-know basis.
  • Rate limiting — We rate-limit login attempts and sensitive operations to prevent brute-force attacks.
  • Audit logs — We keep logs of significant account actions so anomalies can be investigated.
  • No card data — We never touch payment card numbers; Stripe handles all card processing.

No system is perfectly secure. If a breach happens that affects your data, we will notify you as required by applicable law — typically within 72 hours of discovery, where possible.


10. Cookies and Similar Technologies

The Giving Toolbox mobile app does not use cookies.

Our website at givingtoolbox.com, the public fundraising pages at nonprofitgive.org, and the golf tournament pages at teefastgolf.com use a small number of essential cookies to:

  • Keep you logged in to the account dashboard
  • Remember your preferences (such as accepting this cookie notice)
  • Protect against CSRF and other attacks

We do not use advertising cookies, tracking pixels, or third-party analytics cookies on any of our web properties.


11. Children’s Privacy

Giving Toolbox is not intended for children under 13. We do not knowingly collect personal information from children under 13. If we discover that a child under 13 has provided us with personal information, we will delete it. If you believe a child has provided us with information, please contact us at support@givingtoolbox.com.

Some features of Giving Toolbox — such as volunteer hour tracking — may be used by organizations whose volunteers include teenagers. If a volunteer is under 18, the nonprofit organization is responsible for obtaining parental consent before that minor provides information through Giving Toolbox.


12. United States Only

Giving Toolbox is designed for and operated in the United States. Our servers are located in the United States. If you access Giving Toolbox from outside the United States, you understand and agree that your information will be transferred to, stored, and processed in the United States, which may have different data protection laws than your home country.

We do not currently offer the service to users in the European Union, United Kingdom, or other jurisdictions outside the United States. If you are outside the United States, please do not use Giving Toolbox.


13. Third-Party Links and Services

Giving Toolbox integrates with Stripe for payments. When you connect your nonprofit’s Stripe account, you are governed by Stripe’s terms and privacy policy, which you can read at stripe.com/privacy.

Public fundraising pages may link out to external websites operated by the nonprofit hosting the page. Those websites have their own privacy policies, and we are not responsible for them.


14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will:

  • Update the “Last Updated” date at the top of this policy
  • Send an email to account owners describing the change
  • Post a notice in the app
  • Give you at least 30 days to review the changes before they take effect

Your continued use of Giving Toolbox after the new policy takes effect means you accept the revised policy.


15. How to Contact Us

If you have questions about this Privacy Policy or how we handle your information:

  • Email: support@givingtoolbox.com
  • Phone: 845-796-9716
  • Mail: Nimble Dragon Media, Inc., Attn: Privacy, 518 Broadway, Suite 1, Monticello, NY 12701, United States

We respond to all privacy inquiries within 45 days.


Giving Toolbox is a product of Nimble Dragon Media, Inc. © 2026. All rights reserved.
