TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Nonprofit Privacy Policy Template
Compliance

Nonprofit Privacy Policy Template

A 2,000+ word nonprofit privacy policy template covering donations, volunteers, email lists, events, and GDPR/CPRA compliance.

TermsBox Team|November 30, 20259 min read

Nonprofits earn trust by being transparent about how donor, volunteer, and supporter data is used. This guide provides a complete privacy policy template that covers donations, newsletters, events, cookie consent, and rights handling so you can reassure supporters and meet GDPR/UK GDPR and CPRA expectations.

Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator on donation forms, volunteer signups, and event pages to keep your legal stack consistent.

What to include in a nonprofit privacy policy

Data collected

Donations (name, email, address, payment via processors), volunteer applications, event registrations, newsletter opt-ins, analytics, and cookie data.

Purposes and legal bases

Process donations, issue receipts, manage volunteers, run events, send updates, analyze engagement, and maintain security. Map GDPR bases: contract/legal obligation for donations, legitimate interests for security, consent for marketing and non-essential cookies.

Sharing and processors

Payment processors, CRMs, email tools, fundraising platforms, analytics, ad pixels, event tools, and volunteer management platforms. Link to partner policies where possible.

Cookies and fundraising pixels

Explain essential cookies and non-essential analytics or ad pixels. Provide opt-in for EU/UK and Do Not Sell/Share with GPC handling for CPRA if you use advertising identifiers.

Security and retention

Describe encryption, access controls, and retention for donations, volunteer records, events, and analytics. Avoid indefinite retention of supporter data.

Rights and controls

Access, deletion, correction, objection, and opt-out of marketing. Provide contact information and response timelines.

Data and purpose table

Data Purpose Legal basis Retention Controls
Donor info Process gifts, issue receipts Contract/legal obligation Donation + tax period Opt-out of marketing
Payment tokens Process payments Contract/legal obligation Processor-defined Managed by processor
Volunteer applications Vet and schedule volunteers Legitimate interests/consent Program duration + defined period Delete on request if lawful
Event registrations Manage attendance and safety Contract/legitimate interests Event + defined period Request deletion post-event
Analytics/pixels Measure engagement and campaigns Consent in EU/UK; opt-out CPRA 13 months typical Cookie banner, Do Not Sell/Share

Step-by-step drafting process

1) Map data flows and tools

List donation platforms, CRMs, email tools, event software, volunteer systems, analytics, and ad pixels. Note data, purposes, and regions.

2) Draft clear clauses

Cover collection, purposes, legal bases, sharing, cookies/pixels, retention, security, rights, and contact. Use simple language.

3) Configure consent and opt-outs

Add opt-in cookie banner for EU/UK. Provide unsubscribe for marketing, and Do Not Sell/Share with GPC handling if using advertising identifiers for retargeting.

4) Place links on every form

Donation pages, volunteer forms, event registrations, newsletter opt-ins, and cookie banners. Add CTAs to the Privacy Policy Generator and Cookie Policy Generator.

5) Set retention rules

Define retention for donations/tax (3–7 years), volunteers, events, and analytics. Anonymize or delete older data.

6) Publish and version

Include last updated date and changelog. Notify supporters when material changes happen.

Common mistakes to avoid

Vague sharing language

Specify processors and purposes. Avoid “trusted partners” without detail.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Missing consent for tracking

Do not run analytics or pixels for EU/UK visitors without opt-in. Honor GPC for CPRA if you use ad identifiers.

Over-retention

Purge outdated volunteer applications and expired event lists. Avoid keeping donor data beyond tax needs unless consented for ongoing marketing.

Unclear opt-outs

Make unsubscribe and data request options easy to find and fulfill them promptly.

Ignoring exemptions

Even if some laws exempt nonprofits partially, following best practices builds trust and reduces risk with global donors.

Enforcement examples and references

  • Sephora (2022): $1.2M CPRA settlement for tracker disclosures and opt-out failures (California AG) underscores the need to handle pixels properly.
  • Meta (2023): about €1.2B GDPR fine (Reuters) highlights the importance of transparent transfers and safeguards.
  • ICO guidance on cookies and consent applies to UK visitors (ICO).

Implementation checklist

  • Publish privacy and cookie policies with categories, purposes, and retention.
  • Deploy cookie banner (EU/UK) and Do Not Sell/Share with GPC handling if using advertising identifiers.
  • List processors (donation, CRM, email, event, volunteer, analytics) with links.
  • Provide unsubscribe, access, deletion, and objection paths with SLA.
  • Keep a changelog and review quarterly.

30/60/90 plan

  • 30 days: Inventory data/tools, draft policy, deploy banner, and add links to donation/volunteer/event forms.
  • 60 days: Publish processor list, set retention schedules, and test access/deletion workflows.
  • 90 days: Re-scan pixels and cookies, refresh policy language, and republish with updated version date.

Metrics and QA

  • Consent opt-in rates by region.
  • Unsubscribe and request SLA compliance.
  • Accuracy of tool/processor list vs. actual use.
  • Cookie and pixel behavior in EU/UK and CPRA states.
  • Policy link uptime across forms and footers.

Sample clauses to adapt

Collection and use

“We collect donor and volunteer information to process gifts, issue receipts, manage programs, and send updates when you opt in. We use analytics and fundraising pixels to improve campaigns where permitted. We do not sell personal data.”

Sharing

“We share data with payment processors, CRMs, email providers, event platforms, and analytics vendors. A current list is available at [link].”

Cookies and pixels

“Non-essential cookies and pixels run only after consent for EU/UK visitors. You can opt out of sale/sharing for advertising identifiers via our Do Not Sell/Share link; we honor GPC signals.”

Rights

“You may request access, correction, deletion, or objection. Contact us at [email]; we respond within 30 days.”

Resources

  • GDPR.eu
  • ICO cookie guidance
  • oag.ca.gov/privacy/ccpa
  • FTC business guidance

Testing and QA checklist

  • Test donation, volunteer, and event forms to ensure policy links display and required consent boxes function.
  • Scan for cookies/pixels and confirm the banner blocks non-essential trackers until consent in EU/UK.
  • Verify Do Not Sell/Share and GPC handling if you use advertising identifiers for fundraising campaigns.
  • Run a mock access/deletion request and confirm retention rules are followed, including backups.
  • Ensure your processor list matches actual vendors in your CRM, email, and payment tools.

Audit workbook

  • Donation, volunteer, event, and newsletter data categories with purposes and bases.
  • Processor list with regions, safeguards, and retention.
  • Cookie/pixel scan results and banner configuration.
  • Retention schedules for donations, volunteers, events, and analytics.
  • Policy changelog and supporter notification records.
  • SLA metrics for rights requests and unsubscribe handling.

Case example

  • Situation: A nonprofit added a new fundraising pixel but did not update the cookie banner or policy.
  • Impact: EU visitors received tracking without consent; complaints increased during a campaign.
  • Fix: Updated the banner to block the pixel until consent, refreshed the policy and cookie disclosures with the vendor, and notified supporters. Complaints dropped and donation conversion recovered.

Key takeaways

  • Keep donation and volunteer flows transparent with clear policy links and consent options.
  • Maintain accurate processor lists, retention schedules, and cookie disclosures.
  • Honor regional consent and opt-outs for tracking used in fundraising campaigns.
  • Document changes and practice rights request workflows to build trust with supporters.

Sample policy outline

  • Introduction and scope (donors, volunteers, events, subscribers).
  • Data collected and purposes (donations, events, volunteers, analytics).
  • Legal bases (contract/legal obligation, consent, legitimate interests).
  • Sharing with processors and safeguards.
  • Cookies and pixels with consent/opt-outs.
  • Security measures and retention timelines.
  • Rights and how to exercise them.
  • Changes and version history.

Reviewer cheat sheet

  • Links to privacy and cookie policies and subprocessor list.
  • Retention for donations, volunteers, and events.
  • Consent approach for EU/UK and Do Not Sell/Share and GPC handling if using ad identifiers.
  • SLA for rights requests and unsubscribe handling.
  • Changelog location and date of last update.

Sample notices and banner text

  • Donation form notice: “We use your info to process your gift and send a receipt. See our Privacy Policy and Terms of Service.”
  • Volunteer form notice: “We use your details to review your application and coordinate shifts. See our Privacy Policy.”
  • Cookie banner: “We use cookies for site performance, analytics, and fundraising. Manage preferences or see our Cookie Policy.”

Additional sample clauses

Donor stewardship

“We use your contact information to send receipts and occasional updates about the impact of your donation, if you opt in. You can opt out at any time via the link in our emails.”

Data minimization

“We collect only the information necessary to process donations or manage volunteers. Sensitive data is collected only when required and with your consent.”

Third-party fundraising

“If we run campaigns on third-party platforms, their privacy practices apply in addition to ours. We encourage you to review their policies before contributing.”

Children

“We do not knowingly collect personal data from children. If you believe a child has provided information, contact us and we will delete it.”

Glossary

  • Suppression list: A list of emails kept to ensure opt-outs are honored.
  • Non-essential cookies: Analytics or advertising cookies that require consent in EU/UK.
  • Subprocessor: Vendor processing data for us (payment, CRM, email, analytics).
  • GPC: Global Privacy Control, a browser signal indicating an opt-out preference; honor it for CPRA sale/sharing where applicable.

Quarterly review checklist

  • Scan donation, volunteer, and event pages for new cookies or pixels and verify banner blocking for EU/UK visitors.
  • Confirm processor list accuracy in your CRM, payment, email, and event tools.
  • Review retention for donation records, volunteers, and events; purge outdated lists and suppression files.
  • Test access/deletion requests and unsubscribe handling; log SLA performance.
  • Update the changelog and record any supporter notices for material updates.

Quick recap

  • Disclose donations, volunteers, events, cookies, and pixels clearly and keep them aligned with reality.
  • Gate tracking by consent for EU/UK and provide CPRA opt-outs if you use advertising identifiers.
  • Maintain accurate processor lists, retention rules, and changelogs to keep supporter trust.

Final reminders

  • Re-scan forms and pages after campaigns or platform changes and update disclosures.
  • Keep donor and volunteer retention timelines specific and purge data on schedule.
  • Archive policy versions and track when you notify supporters about material updates.

Conclusion

A nonprofit privacy policy should show donors and volunteers exactly how their data is used, shared, and protected. By disclosing processors, honoring consent and opt-outs, and setting clear retention and rights processes, you build trust and meet legal expectations. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator for a cohesive supporter experience.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Terms of Service Generator

Create terms of service for your platform

Related Articles

Compliance

Australian Data Protection Laws: A Complete Business Guide

Understand Australian data protection laws including the Privacy Act 1988, state legislation, and compliance requirements for businesses.

April 4, 202612 min read
Compliance

Australian Privacy Act 1988: What Businesses Need to Know

A practical guide to the Australian Privacy Act 1988, covering the 13 APPs, compliance requirements, penalties, and how the Act applies to your business.

April 4, 202616 min read
Compliance

Australian Privacy Legislation: A Complete Guide

Learn about Australian privacy legislation, including the Privacy Act 1988, APPs, and compliance steps for businesses handling personal information.

April 4, 202612 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What to include in a nonprofit privacy policy
  • Data collected
  • Purposes and legal bases
  • Sharing and processors
  • Cookies and fundraising pixels
  • Security and retention
  • Rights and controls
  • Data and purpose table
  • Step-by-step drafting process
  • 1) Map data flows and tools
  • 2) Draft clear clauses
  • 3) Configure consent and opt-outs
  • 4) Place links on every form
  • 5) Set retention rules
  • 6) Publish and version
  • Common mistakes to avoid
  • Vague sharing language
  • Missing consent for tracking
  • Over-retention
  • Unclear opt-outs
  • Ignoring exemptions
  • Enforcement examples and references
  • Implementation checklist
  • 30/60/90 plan
  • Metrics and QA
  • Sample clauses to adapt
  • Collection and use
  • Sharing
  • Cookies and pixels
  • Rights
  • Resources
  • Testing and QA checklist
  • Audit workbook
  • Case example
  • Key takeaways
  • Sample policy outline
  • Reviewer cheat sheet
  • Sample notices and banner text
  • Additional sample clauses
  • Donor stewardship
  • Data minimization
  • Third-party fundraising
  • Children
  • Glossary
  • Quarterly review checklist
  • Quick recap
  • Final reminders
  • Conclusion
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.