Privacy Policy

This privacy policy explains the process in which CiviCRM LLC (“CiviCRM”, “we”, “us”) obtains, uses, stores and handles data acquired either directly through our website(s) or indirectly through related services, products or websites. The CiviCRM privacy policy (“this policy”) complies with the California Consumer Privacy Act (“CCPA”, 2018) as well as the General Data Protection Regulation (“GDPR”, 2018) implemented in the European Union. 

CiviCRM is an open source project (CiviCRM license) that produces software for nonprofit and civic sector organizations. CiviCRM LLC, the originator and legal entity behind the CiviCRM open source project, is a California-based Limited Liability Company which employs individuals and contractors throughout the world.  All individuals and contractors are aware of and are required to adhere to this privacy policy.  

For personal information contained in this policy which is used by CiviCRM, CiviCRM is the data controller under European Union data protection legislation. For personal information contained in this policy which is used by our Partners in connection with CiviCRM.com services, then the relevant partner(s) will be the data controller under European Union data protection legislation.

This policy does not apply to the practices of companies that may be affiliated with CiviCRM but that CiviCRM does not own or control, or to people that CiviCRM does not employ or manage.

This policy does not apply to any of our products or services that have a separate privacy policy.

This policy applies to any personal information that you enter into your account on the primary website for CiviCRM (https://civicrm.com, “civicrm.com”) as well as information that you enter on related websites that may be directly and indirectly be associated with CiviCRM or services that are provided on behalf of CiviCRM. 

Examples include:

‘Personal information’ (“data”, “information”) is defined as any piece of data that can be used to identify you as an individual and excludes data that may identify you as a representative of a legal entity.

Public postings to civicrm.org or related sites, direct email communications to domains under our control, and engagement on social media platforms, all of which may expose personally identifiable information, are not considered personal information and are not the type of information protected by this privacy policy.

Due to the nature of our services, we do not offer online services to children. Therefore, we do not identify it as relevant to control the age of users signing up for services.

Nonetheless, we honor The Children’s Online Privacy Protection Act (“COPPA”) of April 21, 2000. COPPA applies to any individually identifiable information about a child that is collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child. 

CiviCRM does not knowingly collect information on any person under 18 years of age. We request that children under 18 (years old) do not provide information to us without the consent of a parent or guardian.

Financial information, such as credit card numbers, is not stored in our systems and is managed by and governed by the data policies of the payment processors we use.

We do not ask for, require, or otherwise track information that is unnecessary to the operation of CiviCRM, such as social security numbers, or equivalent, gender or date of birth.

In addition to data that we explicitly ask for during user interaction, such as name, email, phone, etc., we collect data that browsers, devices, and servers typically make available including IP addresses and language preferences that may be required for the optimal use or general operation of our services. We may approximate device location based on IP addresses.

Information acquired in this manner is not automatically associated with any personally identifiable record or related information. Said information is not anonymised and could be used for the purpose of identification should there be an operational or legal requirement to do so.

CiviCRM uses 3rd party software to monitor and deliver our services. We do not own or control these 3rd parties and therefore cannot ensure that their policies of data collection, storage and use are in compliance with CCPA or GDPR. You should review their rules and policies when using third party software not developed by CiviCRM. We can provide a complete and up to date list of 3rd parties we use by request to info@civicrm.org.

We use website analytics software (Google Tag Manager, Google Analytics) to track website user engagement and related behavior for the purpose of improving our services. Data collected includes IP addresses, unique device identifiers, browser types, device types, operating systems, etc. as well as behavioral data such as clicks, page views, durations, visit dates, etc.

Analytics are used to gauge interest in the overall project as well as to determine the effectiveness of websites under our control. Analytics are not used in any way to personally identify users and therefore are not governed by this privacy policy. Users may avoid analytics tracking by declining the use of cookies.

We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For example, https://stats.civicrm.org.

All and any information that we gather from you is stored and processed on our secure servers or those of our trusted partners. We implement strict technological and procedural measures to keep your data safe and secure.We only store your data for as long as we need it to provide you with the services that you require, after which they are either deleted or anonymized. We may keep anonymized data regarding financial transactions, such as past invoices and/or contributions made to CiviCRM.

At any point in time you have the right to request that we delete or obfuscate any data that may be used to identify you as an individual. However, please bear in mind that by doing so, you may be required to cancel all or a part of the services that we provide you as we may not be able to provide you with that service without certain data.

You can edit your account information with CiviCRM at any time. Most personal information you may provide is entirely optional. You can delete your account by visiting the applicable account deletion page; however, please note that some personal information, primarily your contact information, may remain in our records to the extent necessary to protect our legal interests, to maintain a history of past financial transactions or document compliance with regulatory requirements.

You have several choices available when it comes to managing information about you:

CiviCRM may change this privacy policy periodically. CiviCRM encourages visitors to frequently check this page for any changes to its Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification through e-mail or your dashboard).

We reply personally to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month).

If you have a concern regarding any CiviCRM website, product, or service, or if you have specific concerns about this policy, or if you object to any sharing of your personal information that may be permitted under this policy, you may do so by writing to us via email at info@civicrm.org. Alternatively, we can be reached at our postal mail address.

We will take reasonable steps to accommodate your requests as they relate to the operation of CiviCRM. In some instances, it may be that honoring your requests will interfere with or preclude your ability to use our websites, products, or services or may require us to terminate our relationship with you.