Nonprofit Privacy Policy Template
A 2,000+ word nonprofit privacy policy template covering donations, volunteers, email lists, events, and GDPR/CPRA compliance.
Nonprofits earn trust by being transparent about how donor, volunteer, and supporter data is used. This guide provides a complete privacy policy template that covers donations, newsletters, events, cookie consent, and rights handling so you can reassure supporters and meet GDPR/UK GDPR and CPRA expectations.
Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator on donation forms, volunteer signups, and event pages to keep your legal stack consistent.
What to include in a nonprofit privacy policy
Data collected
Donations (name, email, address, payment via processors), volunteer applications, event registrations, newsletter opt-ins, analytics, and cookie data.
Purposes and legal bases
Process donations, issue receipts, manage volunteers, run events, send updates, analyze engagement, and maintain security. Map GDPR bases: contract/legal obligation for donations, legitimate interests for security, consent for marketing and non-essential cookies.
Sharing and processors
Payment processors, CRMs, email tools, fundraising platforms, analytics, ad pixels, event tools, and volunteer management platforms. Link to partner policies where possible.
Cookies and fundraising pixels
Explain essential cookies and non-essential analytics or ad pixels. Provide opt-in for EU/UK and Do Not Sell/Share with GPC handling for CPRA if you use advertising identifiers.
Security and retention
Describe encryption, access controls, and retention for donations, volunteer records, events, and analytics. Avoid indefinite retention of supporter data.
Rights and controls
Access, deletion, correction, objection, and opt-out of marketing. Provide contact information and response timelines.
Data and purpose table
| Data | Purpose | Legal basis | Retention | Controls |
|---|---|---|---|---|
| Donor info | Process gifts, issue receipts | Contract/legal obligation | Donation + tax period | Opt-out of marketing |
| Payment tokens | Process payments | Contract/legal obligation | Processor-defined | Managed by processor |
| Volunteer applications | Vet and schedule volunteers | Legitimate interests/consent | Program duration + defined period | Delete on request if lawful |
| Event registrations | Manage attendance and safety | Contract/legitimate interests | Event + defined period | Request deletion post-event |
| Analytics/pixels | Measure engagement and campaigns | Consent in EU/UK; opt-out CPRA | 13 months typical | Cookie banner, Do Not Sell/Share |
Step-by-step drafting process
1) Map data flows and tools
List donation platforms, CRMs, email tools, event software, volunteer systems, analytics, and ad pixels. Note data, purposes, and regions.
2) Draft clear clauses
Cover collection, purposes, legal bases, sharing, cookies/pixels, retention, security, rights, and contact. Use simple language.
3) Configure consent and opt-outs
Add opt-in cookie banner for EU/UK. Provide unsubscribe for marketing, and Do Not Sell/Share with GPC handling if using advertising identifiers for retargeting.
4) Place links on every form
Donation pages, volunteer forms, event registrations, newsletter opt-ins, and cookie banners. Add CTAs to the Privacy Policy Generator and Cookie Policy Generator.
5) Set retention rules
Define retention for donations/tax (3–7 years), volunteers, events, and analytics. Anonymize or delete older data.
6) Publish and version
Include last updated date and changelog. Notify supporters when material changes happen.
Common mistakes to avoid
Vague sharing language
Specify processors and purposes. Avoid “trusted partners” without detail.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowMissing consent for tracking
Do not run analytics or pixels for EU/UK visitors without opt-in. Honor GPC for CPRA if you use ad identifiers.
Over-retention
Purge outdated volunteer applications and expired event lists. Avoid keeping donor data beyond tax needs unless consented for ongoing marketing.
Unclear opt-outs
Make unsubscribe and data request options easy to find and fulfill them promptly.
Ignoring exemptions
Even if some laws exempt nonprofits partially, following best practices builds trust and reduces risk with global donors.
Enforcement examples and references
- Sephora (2022): $1.2M CPRA settlement for tracker disclosures and opt-out failures (California AG) underscores the need to handle pixels properly.
- Meta (2023): about €1.2B GDPR fine (Reuters) highlights the importance of transparent transfers and safeguards.
- ICO guidance on cookies and consent applies to UK visitors (ICO).
Implementation checklist
- Publish privacy and cookie policies with categories, purposes, and retention.
- Deploy cookie banner (EU/UK) and Do Not Sell/Share with GPC handling if using advertising identifiers.
- List processors (donation, CRM, email, event, volunteer, analytics) with links.
- Provide unsubscribe, access, deletion, and objection paths with SLA.
- Keep a changelog and review quarterly.
30/60/90 plan
- 30 days: Inventory data/tools, draft policy, deploy banner, and add links to donation/volunteer/event forms.
- 60 days: Publish processor list, set retention schedules, and test access/deletion workflows.
- 90 days: Re-scan pixels and cookies, refresh policy language, and republish with updated version date.
Metrics and QA
- Consent opt-in rates by region.
- Unsubscribe and request SLA compliance.
- Accuracy of tool/processor list vs. actual use.
- Cookie and pixel behavior in EU/UK and CPRA states.
- Policy link uptime across forms and footers.
Sample clauses to adapt
Collection and use
“We collect donor and volunteer information to process gifts, issue receipts, manage programs, and send updates when you opt in. We use analytics and fundraising pixels to improve campaigns where permitted. We do not sell personal data.”
Sharing
“We share data with payment processors, CRMs, email providers, event platforms, and analytics vendors. A current list is available at [link].”
Cookies and pixels
“Non-essential cookies and pixels run only after consent for EU/UK visitors. You can opt out of sale/sharing for advertising identifiers via our Do Not Sell/Share link; we honor GPC signals.”
Rights
“You may request access, correction, deletion, or objection. Contact us at [email]; we respond within 30 days.”
Resources
Testing and QA checklist
- Test donation, volunteer, and event forms to ensure policy links display and required consent boxes function.
- Scan for cookies/pixels and confirm the banner blocks non-essential trackers until consent in EU/UK.
- Verify Do Not Sell/Share and GPC handling if you use advertising identifiers for fundraising campaigns.
- Run a mock access/deletion request and confirm retention rules are followed, including backups.
- Ensure your processor list matches actual vendors in your CRM, email, and payment tools.
Audit workbook
- Donation, volunteer, event, and newsletter data categories with purposes and bases.
- Processor list with regions, safeguards, and retention.
- Cookie/pixel scan results and banner configuration.
- Retention schedules for donations, volunteers, events, and analytics.
- Policy changelog and supporter notification records.
- SLA metrics for rights requests and unsubscribe handling.
Case example
- Situation: A nonprofit added a new fundraising pixel but did not update the cookie banner or policy.
- Impact: EU visitors received tracking without consent; complaints increased during a campaign.
- Fix: Updated the banner to block the pixel until consent, refreshed the policy and cookie disclosures with the vendor, and notified supporters. Complaints dropped and donation conversion recovered.
Key takeaways
- Keep donation and volunteer flows transparent with clear policy links and consent options.
- Maintain accurate processor lists, retention schedules, and cookie disclosures.
- Honor regional consent and opt-outs for tracking used in fundraising campaigns.
- Document changes and practice rights request workflows to build trust with supporters.
Sample policy outline
- Introduction and scope (donors, volunteers, events, subscribers).
- Data collected and purposes (donations, events, volunteers, analytics).
- Legal bases (contract/legal obligation, consent, legitimate interests).
- Sharing with processors and safeguards.
- Cookies and pixels with consent/opt-outs.
- Security measures and retention timelines.
- Rights and how to exercise them.
- Changes and version history.
Reviewer cheat sheet
- Links to privacy and cookie policies and subprocessor list.
- Retention for donations, volunteers, and events.
- Consent approach for EU/UK and Do Not Sell/Share and GPC handling if using ad identifiers.
- SLA for rights requests and unsubscribe handling.
- Changelog location and date of last update.
Sample notices and banner text
- Donation form notice: “We use your info to process your gift and send a receipt. See our Privacy Policy and Terms of Service.”
- Volunteer form notice: “We use your details to review your application and coordinate shifts. See our Privacy Policy.”
- Cookie banner: “We use cookies for site performance, analytics, and fundraising. Manage preferences or see our Cookie Policy.”
Additional sample clauses
Donor stewardship
“We use your contact information to send receipts and occasional updates about the impact of your donation, if you opt in. You can opt out at any time via the link in our emails.”
Data minimization
“We collect only the information necessary to process donations or manage volunteers. Sensitive data is collected only when required and with your consent.”
Third-party fundraising
“If we run campaigns on third-party platforms, their privacy practices apply in addition to ours. We encourage you to review their policies before contributing.”
Children
“We do not knowingly collect personal data from children. If you believe a child has provided information, contact us and we will delete it.”
Glossary
- Suppression list: A list of emails kept to ensure opt-outs are honored.
- Non-essential cookies: Analytics or advertising cookies that require consent in EU/UK.
- Subprocessor: Vendor processing data for us (payment, CRM, email, analytics).
- GPC: Global Privacy Control, a browser signal indicating an opt-out preference; honor it for CPRA sale/sharing where applicable.
Quarterly review checklist
- Scan donation, volunteer, and event pages for new cookies or pixels and verify banner blocking for EU/UK visitors.
- Confirm processor list accuracy in your CRM, payment, email, and event tools.
- Review retention for donation records, volunteers, and events; purge outdated lists and suppression files.
- Test access/deletion requests and unsubscribe handling; log SLA performance.
- Update the changelog and record any supporter notices for material updates.
Quick recap
- Disclose donations, volunteers, events, cookies, and pixels clearly and keep them aligned with reality.
- Gate tracking by consent for EU/UK and provide CPRA opt-outs if you use advertising identifiers.
- Maintain accurate processor lists, retention rules, and changelogs to keep supporter trust.
Final reminders
- Re-scan forms and pages after campaigns or platform changes and update disclosures.
- Keep donor and volunteer retention timelines specific and purge data on schedule.
- Archive policy versions and track when you notify supporters about material updates.
Conclusion
A nonprofit privacy policy should show donors and volunteers exactly how their data is used, shared, and protected. By disclosing processors, honoring consent and opt-outs, and setting clear retention and rights processes, you build trust and meet legal expectations. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator for a cohesive supporter experience.