Privacy Policy
This Privacy Policy explains how Donaya ("Donaya", "we", "us", or "our") collects, uses, stores, and protects personal data when you use our website, platform, organization microsites, dashboards, payment-related features, and related services.
Donaya is a Spain-first platform that helps mission-led organizations create public pages, manage projects, products and events, receive supporter payments, and manage related records.
This policy is provided in accordance with Regulation (EU) 2016/679 (GDPR/RGPD), Organic Law 3/2018 on data protection and digital rights (LOPDGDD), and applicable Spanish information society and electronic commerce rules, including Law 34/2002 (LSSI-CE).
1. Who is responsible for your data
The data controller for Donaya's own website, platform accounts, billing, support, security, and service operation is:
| Item | Details |
|---|---|
| Name | donaya |
| Website | www.donaya.es |
| Data protection contact | contacto@donaya.es |
| Support contact | contacto@donaya.es |
For some supporter, donor, customer, attendee, and certificate-related data, the organization using Donaya may also act as an independent controller or as the main controller. Donaya may process some data on behalf of that organization to provide the platform.
The final controller and processor roles for donor and supporter data should be confirmed in Donaya's customer agreements and data processing terms.
2. What data we collect
We may collect the following categories of personal data.
Account and organization data
- Name.
- Email address.
- Password authentication data.
- Organization name.
- Organization description and public profile information.
- Billing and subscription information.
- Role, account permissions, and dashboard activity.
Supporter, donor, customer, and attendee data
- Name.
- Email address.
- Donation, order, ticket, RSVP, or payment-related information.
- Donation amount, product purchased, event attendance, or support preferences.
- Tax certificate information, when requested or required.
- Communication preferences.
Payment-related data
- Payment status.
- Stripe customer, checkout, payment, subscription, or connected-account identifiers.
- Transaction metadata needed to record donations, purchases, subscriptions, refunds, or payouts.
Donaya does not store full card numbers. Payment card processing is handled by payment providers such as Stripe.
Technical and security data
- IP address.
- Device and browser information.
- Log data.
- Session data.
- Security and fraud-prevention signals.
- Cookie and consent preferences.
Support and communication data
- Messages sent to Donaya.
- Support requests.
- Feedback.
- Email communication records.
3. Why we use your data and legal bases
We use personal data for the purposes and legal bases below.
| Purpose | Examples | Legal basis |
|---|---|---|
| Account creation and platform access | Create accounts, authenticate users, manage roles and permissions | Contract |
| Platform operation | Publish organization pages, manage projects, products, events, supporters, donations, and records | Contract |
| Payments and related records | Process donations, purchases, subscriptions, refunds, payouts, receipts, and payment status | Contract, legal obligation, legitimate interests |
| Donation certificates | Support certificate generation and certificate-related records | Contract, legal obligation |
| Service emails | Send confirmations, receipts, security notices, account messages, and operational notifications | Contract, legal obligation, legitimate interests |
| Customer support | Respond to requests, troubleshoot issues, and manage service communications | Contract, legitimate interests |
| Billing and plans | Manage subscription plans, invoices, payments, and account status | Contract, legal obligation |
| Security and fraud prevention | Protect accounts, detect misuse, prevent unauthorized access, maintain audit logs | Legitimate interests, legal obligation |
| Legal compliance | Meet tax, accounting, regulatory, dispute, and reporting obligations | Legal obligation |
| Product improvement | Understand service performance and improve the platform where permitted | Legitimate interests or consent, depending on the data and tool used |
| Optional cookies and analytics | Use analytics cookies or similar technologies if enabled | Consent |
| Marketing or supporter updates | Send optional updates where required by law | Consent or legitimate interests, depending on context and applicable law |
Where we rely on consent, you may withdraw it at any time.
4. Processing by form or feature
Account registration
We use account registration data to create and manage your Donaya account, authenticate access, assign permissions, send service messages, and secure the platform.
Organization profile
We use organization profile data to create and display public organization pages, manage projects, products, events, fundraising-related information, and administrative records.
Contact and support forms
We use contact details and message content to respond to requests, provide support, keep communication records, and improve our service operations.
Donation and payment forms
We use payment-related data to process contributions, purchases, subscriptions, tickets, and related records; send confirmations; support refunds or disputes; and share necessary information with the organization you support.
Product and order forms
We use order information to process purchases, provide confirmations, manage records, and support fulfillment by the organization where applicable.
Event RSVP forms
We use RSVP data to manage attendance, send event-related information, and help the organization administer the event.
Donation certificate forms
We use certificate information to help generate and manage donation certificates or related tax records. The organization may need to keep this information for legal, tax, or accounting purposes.
Newsletter and supporter updates
If you choose to receive updates, we use your contact details and preferences to send the relevant communications. Newsletter or supporter update consent is separate from cookie consent and should not be pre-selected.
Admin and verification documents
We may use verification or administrative documents to review organization eligibility, enable payment features, support compliance checks, prevent misuse, and maintain required records.
5. Who we share data with
We use trusted providers to operate Donaya. These may include:
- Hosting and infrastructure providers.
- Database providers.
- Payment providers, including Stripe.
- Email providers.
- Image and file hosting providers.
- Analytics providers, if enabled.
- Customer support, monitoring, logging, and security tools.
- Professional advisers where needed for legal, tax, accounting, or compliance purposes.
- Public authorities where required by law.
These providers may process personal data only as needed to provide their services to Donaya or to the organization using Donaya.
Current expected providers may include Stripe, Neon/PostgreSQL, Netlify, Cloudflare, Cloudinary, Mailgun, and any analytics provider that Donaya chooses to enable. Donaya should maintain a current subprocessor and vendor list.
6. International transfers
Some providers may process data outside the European Economic Area. Where this happens, we rely on appropriate safeguards required by data protection law, such as adequacy decisions, Standard Contractual Clauses, or equivalent contractual and technical protections.
7. How long we keep data
We keep personal data only for as long as necessary for the purposes described in this policy, including:
| Data category | Typical retention approach |
|---|---|
| Account data | While the account is active and for a reasonable period after closure |
| Payment and transaction records | As needed for accounting, tax, legal, dispute, and audit purposes |
| Donation certificate records | As needed for legal, tax, accounting, and certificate-related obligations |
| Support messages | For as long as needed to handle the request and maintain service records |
| Cookie consent records | Normally up to 6 months unless changed earlier or the policy materially changes |
| Security logs | For a limited period needed to protect the platform and investigate security events |
| Verification and compliance records | As needed for legal, compliance, fraud-prevention, audit, and platform integrity purposes |
Exact retention periods may vary depending on legal obligations, the type of data, and the final Donaya data model.
8. Mandatory and optional fields
Fields marked as required are necessary to provide the requested service. If you do not provide them, we may not be able to create your account, process your request, complete a payment, manage an RSVP, or generate a donation certificate.
Optional fields are not required to use the relevant feature, but may help Donaya or the organization provide a more complete service.
9. Your rights
Depending on your situation, you may have the right to:
- Access your personal data.
- Correct inaccurate data.
- Request deletion.
- Request restriction of processing.
- Object to certain processing.
- Request data portability.
- Withdraw consent.
- Lodge a complaint with a data protection authority.
In Spain, you may contact the Agencia Española de Protección de Datos (AEPD).
To exercise your rights, contact us at contacto@donaya.es.
If your request concerns data controlled by an organization using Donaya, we may direct the request to that organization or support the organization in responding, depending on Donaya's role.
10. Security
We use technical and organizational measures designed to protect personal data, including access controls, secure authentication, encryption where appropriate, secure hosting, monitoring, and internal access restrictions.
No online service can guarantee absolute security, but we work to protect the data we process and to reduce the risk of unauthorized access, loss, misuse, alteration, or disclosure.
11. Social media
If you interact with Donaya through social networks, the relevant social network may also process your data under its own privacy policy.
Donaya may process public profile information, messages, comments, and interaction data only to respond to your interactions, manage our relationship with you, and share information about Donaya.
12. Children
Donaya is intended for organizations and adult users. Donaya is not designed for children to create accounts. If we become aware that we have collected children's data without appropriate authorization, we will take appropriate steps to delete or protect it.
13. Changes to this policy
We may update this Privacy Policy from time to time. If changes are significant, we will take reasonable steps to notify users or make the changes clear on the platform.
14. Contact
For privacy questions or rights requests, contact:
| Item | Details |
|---|---|
| Name | donaya |
| contacto@donaya.es |