This policy explains how Cause Shield Pty Ltd (“Cause Shield”, “we”, “us”) collects, uses, and protects personal data. It covers everyone we interact with: visitors to the marketing site, customers who sign up for a Cause Shield account, the team members they invite, and donors whose data flows through our fraud-monitoring product on a customer’s behalf.
We’ve written it to satisfy the major data-protection regimes: the EU and UK General Data Protection Regulations (GDPR / UK GDPR), the Australian Privacy Act 1988 and Australian Privacy Principles (APPs), the California Consumer Privacy Act as amended by the CPRA (CCPA), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Where a region gives you a specific right, we name it below.
Two roles to be aware of
How Cause Shield handles your data depends on whether you’re a customer or a donor of a customer:
- When a nonprofit, fundraising agency, or platform signs up for Cause Shield, we act as the controller of their account data (the people they invite, the billing email, the IP they signed up from).
- When their donors’ transactions flow through our fraud-monitoring product, we act as the processor. We handle donor data on behalf of our customer, who remains the controller. The customer-side terms governing that relationship are in our Data Processing Agreement. If you’re a donor and want to exercise data rights, start by contacting the charity who took your donation. They’re the right party to action a request, and we support them when they do.
Personal data we collect
From visitors to causeshield.com
- IP address, browser type, device type, the pages you viewed, the page that referred you, and any UTM parameters in the URL.
- If you submit a contact form, demo request, or newsletter signup: your email address, optionally your name, and the content of your message.
- If you accept analytics cookies, an anonymous identifier we use to understand which pages convert visitors. You can opt out at any time; see “Cookies” below.
From customers (people who sign up for an account)
- Account identity (name, email address, profile photo) handled by our identity provider, Clerk.
- Organisation name, plan tier, billing address, and last four digits of your payment method (the rest stays at Stripe; we never see the full card number).
- Activity on the dashboard you create (the people you invite, the connected accounts you add, the alert rules you build, audit log entries).
- Support correspondence you send us, including any attachments.
From your donors (data we process on your behalf)
- Transaction metadata Stripe shares with us: charge amount, currency, country, card BIN (first six digits), card fingerprint, donor email when present, and the rest of the Stripe charge object minus any PCI-scope fields. We never receive or store the full card number, CVC, or expiry date.
- Event payloads from connected fundraising platforms (Funraisin, Raisely, Classy, custom): donor email, donor name, amount, campaign metadata, and any demographic fields the platform sends.
- When your tracking snippet is installed: visitor IP, page viewed, and anonymous session identifiers.
Donor email and name from the smart webhook receiver are SHA-256 hashed with a per-organisation pepper before storage, and the raw payload is redacted to sentinel strings on disk. Plaintext values remain in scope only when our customer needs them visible (e.g. to review a flagged donation). Customers can switch to “masked” mode at any time, which hides plaintext identifiers from the dashboard.
What we use your data for, and our legal basis
We collect each category of data for a specific operational reason. Under GDPR / UK GDPR we additionally rely on the legal basis named in brackets:
- Running the service: authenticating you, billing you, sending alerts, generating digests, doing fraud scoring (performance of a contract).
- Securing the service: detecting abuse, blocking automated attacks, auditing changes made to accounts (legitimate interests: keeping the product safe for everyone).
- Improving the product: analysing aggregate usage patterns to decide what to build next. We don’t use customer transaction data or donor identifiers for this (legitimate interests).
- Marketing communications, only when you signed up for them explicitly. Newsletter signup is double opt-in; every email includes a one-click unsubscribe link (consent).
- Legal compliance: responding to lawful requests, meeting our tax obligations, cooperating with regulators (legal obligation).
Where your data lives
At sign-up, customers pick the region where their customer-side data lives. The three regions today:
- AWS ap-southeast-2 (Sydney, Australia), for Australian customers and others who prefer Australian hosting.
- AWS eu-west-1 (Dublin, Ireland), for EU and UK customers. The EU↔UK mutual adequacy decisions mean Irish hosting satisfies UK GDPR.
- AWS us-east-1 (Virginia, USA), for US and other-region customers.
All customer-side data (transactions, supporters, webhook events, donor identity hashes, dashboards) lives entirely in the chosen region’s Supabase project. Cause Shield’s own operational data (support tickets, internal admin, the marketing site) lives in us-east-1 regardless. Our subprocessors (Anthropic for model inference, Clerk for authentication, Resend for email delivery, Stripe for billing) are US-hosted; we rely on EU Standard Contractual Clauses (SCCs) and (where it applies) the UK International Data Transfer Addendum to authorise those transfers. Full sub-processor list and links to their privacy policies live on the Trust page.
Who we share data with
We don’t sell personal data to anyone. We never have. We share it only with the third parties below, and only as necessary to run the service:
- Our sub-processors: Anthropic, Clerk, Resend, Stripe, Supabase, Vercel. Each is listed on the Trust page with the data they touch and a link to their own privacy policy.
- Service providers helping us run the business: our accountants, payment processor, and legal counsel, bound by contractual confidentiality obligations.
- Law enforcement or regulators: only when we’re served a valid legal request, and only to the extent the request compels disclosure. We push back on overbroad requests and notify the affected party where the law allows us to.
- An acquirer in a sale or restructure. If Cause Shield is acquired, your data may transfer to the acquirer subject to the same protections that apply now. You’ll be notified before that happens.
For California residents: we have not sold, and do not sell, personal information as “sale” is defined under CCPA. We have not shared personal information for cross-context behavioural advertising. There’s nothing for you to opt out of, but if you’d like written confirmation of that for your records, email privacy@causeshield.com.
How long we keep it
We retain personal data for as long as needed to provide the service, meet legal obligations, and defend ourselves against legal claims. Specific retention windows:
- Customer account data: for the lifetime of the account, plus 12 months after deletion so account-recovery and billing-dispute windows are covered.
- Donor transaction data, controlled by our customer’s retention setting (Partner plans and above can configure this). Default 24 months, after which rows are anonymised.
- Audit log entries: 365 days by default; Enterprise customers can extend.
- Marketing site analytics: IP addresses are dropped from analytics events after 90 days.
- Newsletter list: we retain unsubscribed addresses indefinitely so we can prove we respected the unsubscribe if anyone asks. We never email them again.
- Support correspondence: 7 years, in case we need it for a tax or regulatory enquiry.
Your rights
Wherever you live, you can email privacy@causeshield.com and ask us to action any of the rights below. We’ll respond within 30 days (the GDPR / Privacy Act standard) and won’t charge you for the first request in any 12-month period.
- Access: a copy of the personal data we hold about you, in a portable format.
- Rectification: correction of anything that’s inaccurate or incomplete.
- Erasure / deletion (“right to be forgotten”): deletion of your data, subject to the retention windows above where a legal obligation requires us to keep something.
- Restriction: pause certain processing of your data while a dispute is resolved.
- Objection: object to processing based on legitimate interests (we’ll stop unless we can demonstrate compelling grounds that override yours).
- Portability: receive your data in a structured, machine-readable format you can send elsewhere.
- Withdraw consent: for anything we relied on consent for (the newsletter, analytics cookies), at any time, without affecting the lawfulness of processing before you withdrew.
- Complain to your regulator. In the EU, your local Data Protection Authority; in the UK, the Information Commissioner’s Office (ico.org.uk); in Australia, the Office of the Australian Information Commissioner (oaic.gov.au); in California, the California Privacy Protection Agency (cppa.ca.gov); in Canada, the Office of the Privacy Commissioner (priv.gc.ca). We’d prefer you talk to us first, but we won’t take it personally if you go straight to the regulator.
If you’re exercising rights as a donor of one of our customers, the right party to action your request is the customer (they’re the controller of your data; we’re the processor on their behalf). We’ll point you to them and support them in actioning the request.
Cookies
We use a small number of cookies and similar technologies:
- Strictly necessary: authentication, session, CSRF protection. These can’t be turned off without breaking the site.
- Analytics: a first-party identifier we use to understand which marketing pages convert. No third-party advertising cookies. No cross-site tracking. If you’ve set your browser’s Do Not Track / Global Privacy Control signal, we respect it and skip this.
- Preference: your theme choice, currency display preference, dismissed banners. Strictly first-party, set only when you change a setting.
We don’t use cookies for behavioural advertising or to build profiles for sale to third parties.
Security
We use commercially reasonable technical and organisational measures to protect personal data, including encryption in transit (TLS 1.2+) and at rest (AES-256), per-organisation Row Level Security on customer data, scoped access tokens, regular dependency patching, and a documented incident response process with a 72-hour breach notification SLA to customers and (where required) supervisory authorities. Our full security posture lives on the Security page.
No system is perfectly secure. If you spot a vulnerability or suspect your account has been compromised, email security@causeshield.com.
Children
Cause Shield is a B2B product for nonprofits and donation platforms. We don’t direct our marketing at children, and we don’t knowingly collect personal data from anyone under the age of 16 (or the equivalent threshold in your region, such as 13 in the US under COPPA). If you believe a child has given us personal data, email privacy@causeshield.com and we’ll delete it.
Automated decision-making
Cause Shield uses AI (Anthropic’s Claude) to score donation transactions for fraud risk and to classify fundraising-platform webhook events. These scores inform our customers’ decisions; we don’t block charges or take automated actions on donors’ behalf. A human at the customer organisation reviews every flagged event before acting on it. Donors retain the right to ask our customer for human review of any decision affecting them.
Changes to this policy
We update this policy when our practices change. Material changes (anything that affects what we collect, how we use it, or who we share it with) get notified to active customers at least 14 days before they take effect, via the in-product dashboard and email. The “Last updated” date at the top of this page reflects when the current version became effective.
Contact us
For any privacy question or to exercise the rights described above: privacy@causeshield.com.
Cause Shield Pty Ltd, Australia. ABN available on request.
We don’t currently maintain an EU or UK representative under GDPR Article 27 because our establishment in those regions is limited to the targeted marketing of services to EU- and UK-based nonprofits, which we monitor regularly. We will appoint a representative if our processing scales to a level that requires one.