Effective Date: April 9, 2026 · Last Updated: April 9, 2026
The short version: We collect only what we need to run VolunteerFlow. We don't sell your data. You can export or delete your data at any time. VolunteerFlow acts as a data processor on behalf of your organization, which is the data controller.
Contents
1. Introduction2. Information We Collect3. How We Use Your Information4. Multi-Tenant Data Structure5. Internal Employee Access6. Sharing with Third Parties7. Cookies & Tracking8. Data Retention9. Security10. Children's Privacy11. Your Privacy Rights12. GDPR Compliance13. California Rights (CCPA/CPRA)14. Other State Privacy Laws15. Contact Information16. Changes to This Policy17. Additional NoticesVolunteerFlow is a multi-tenant Software-as-a-Service (SaaS) platform designed to help nonprofits, educational institutions, and other organizations manage volunteer programs, track volunteer hours, schedule events, and coordinate volunteer activities.
This Privacy Policy describes how VolunteerFlow ("we," "us," "our," "Company") collects, uses, discloses, and otherwise processes personal information through our platform, website, and services (collectively, the "Services"). This Privacy Policy is intended for:
As a SaaS platform, VolunteerFlow operates on a multi-tenant architecture. Organizations (nonprofits and other eligible entities) are data controllers responsible for the volunteers in their programs, while VolunteerFlow acts as a data processor. This means that organizations determine what personal information is collected from volunteers, while VolunteerFlow provides the infrastructure and tools to manage that information.
Please read this Privacy Policy carefully. By accessing or using VolunteerFlow, you agree to the practices described in this policy. If you do not agree with our privacy practices, please do not use the Services.
When volunteers register for or use the platform, either directly or through their organization's instance, we may collect:
When organizations sign up for VolunteerFlow, we collect:
For users with staff or administrative roles, we collect: full name, email address, job title and department, user role and permissions level, last login timestamp, login attempt records, user creation date and creator ID.
Information related to volunteer events includes: event title, description, location, dates/times, contact information, images and media, volunteer applications and registrations, hours logged, attendance records and check-ins.
When using our messaging features, we collect: full message content and attachments, sender and recipient information, message timestamps, read/unread status.
We automatically collect: IP address, user agent and browser information, device type and operating system, session timestamps, session duration, pages visited and features used, click and interaction data, referring URL, crash and error logs, performance metrics.
For organizations on paid plans, we collect Stripe customer ID, Stripe subscription ID, PayPal subscription ID (if applicable), current subscription plan and tier, billing cycle dates, and invoice records. We do not directly collect credit card numbers, expiration dates, or CVV codes — these are handled exclusively by Stripe and PayPal.
When files are uploaded, we collect: file name, file type and MIME type, file size, uploading user, upload timestamp, and storage path.
We use cookies and similar tracking technologies to enhance your experience. See Section 7 and our Cookie Policy for detailed information.
We use personal information to create and manage user accounts, provide core platform functionality, customize your experience, send transactional emails, diagnose technical issues, and develop and improve our Services.
We use your information to respond to inquiries and support requests, send customer support updates, provide onboarding assistance, send administrative announcements, and facilitate communication between volunteers and organization coordinators.
We use personal information to monitor for unauthorized access, prevent fraud and abuse, enforce our Terms of Service, protect the safety of VolunteerFlow and our users, and comply with law enforcement requests and legal obligations.
When an organization integrates VolunteerFlow with Checkr, we use volunteer personal information (name, email, phone, address) to facilitate background check candidate creation. Organizations are responsible for obtaining proper consent from volunteers before initiating background checks.
We use aggregated and anonymized usage data to analyze trends, measure platform performance, identify popular features, and prepare internal business reports.
We use billing information to process subscription payments and renewals, track subscription status, generate invoices and billing statements, monitor payment failures, and enforce billing terms.
We use personal information to comply with applicable laws and regulations, respond to government and law enforcement requests, establish or defend legal claims, and comply with data protection regulations (GDPR, CCPA, etc.).
VolunteerFlow operates as a multi-tenant platform where each organization has its own isolated instance. Under data protection laws (including GDPR and CCPA): Organizations using VolunteerFlow are data controllers — they determine the purposes and means by which volunteer personal information is collected and processed. VolunteerFlow is a data processor — we process personal information on behalf of organizations, according to their instructions, and only for purposes necessary to provide the Services.
Each organization's data is logically isolated within our multi-tenant architecture. Organization administrators can only access their own organization's volunteer data. Volunteers can only view and manage their profile within their associated organization.
Volunteers' personal information is managed by the organization that recruited them. The organization determines what information is collected, how it is used, who has access, how long it is retained, and whether information is shared with background check providers. Volunteers should review the privacy policy of their specific organization.
Organizations that fall under GDPR, CCPA, or other data protection regulations enter into Data Processing Agreements (DPAs) with VolunteerFlow. See our Data Processing Agreement for full details.
Important Disclosure: Authorized VolunteerFlow staff may access your organization's data for support, troubleshooting, onboarding, and compliance purposes. All access is logged, and organizations may request audit logs of staff access to their data.
To provide customer support, troubleshoot technical issues, onboard new organizations, and maintain the platform, authorized VolunteerFlow employees may access organization data. Staff roles include: Owner, Super Admin, Admin, Manager, Senior Support, Support Agent, Onboarding Specialist, Billing Specialist, and Read Only. Access is limited to what is necessary for each employee's job responsibilities.
When an organization contacts support, our team may need to view organization settings and configuration, review volunteer data to diagnose issues, check logs and system records, and test functionality to replicate and resolve issues. Support staff do not access personal information for any other purpose.
VolunteerFlow provides a "support impersonation mode" that allows authorized support staff to view the platform as if they were an organization administrator, for legitimate support and troubleshooting purposes. This feature is strictly limited to authorized personnel. Organizations are notified in their support ticket when support impersonation mode is used.
All access to organization data by VolunteerFlow staff is logged in our audit system. Every staff action generates a record containing: staff member ID and name, organization ID, action category and type, resource type and ID, field-level changes (before and after values), reason for access, IP address, session ID, and precise timestamp. Organizations can request audit logs of staff access to their data.
All access occurs over encrypted HTTPS connections. Sessions are authenticated and session activities are logged. Sensitive data (passwords, payment information) is masked and not displayed. Support access is rate-limited to prevent abuse.
VolunteerFlow staff do not access personal information for marketing purposes, do not share personal information with unauthorized parties, do not use personal information for research unless anonymized, and are subject to disciplinary action for unauthorized access. See our Employee Access & Audit Policy for full details.
VolunteerFlow shares personal information with third-party service providers to operate the platform. We only share the minimum information necessary and require third parties to protect that information.
We use Stripe to process subscription payments. Data shared: organization name, email, billing address, invoice amounts, subscription details. We do not share volunteer personal information with Stripe.
Organizations can optionally use PayPal as an alternative payment method. Data shared: organization name, email, billing address, invoice amounts.
If an organization enables SMS messaging features, we integrate with Twilio. Data shared: volunteer phone numbers, message content, message timestamps. Organizations are responsible for obtaining volunteer consent before sending SMS messages.
When an organization configures VolunteerFlow with Checkr API credentials, we facilitate background check submissions. Data shared: volunteer name, email address, phone number, and physical address. Organizations must obtain explicit written consent from volunteers before submitting background checks.
All data collected through VolunteerFlow is stored in Supabase, a cloud database and authentication platform. Supabase is a data processor and maintains strict data security standards. Data is encrypted in transit and at rest.
We use Sentry to monitor application errors, performance issues, and user sessions. Data shared: error logs, stack traces, user session data, IP addresses, user agent information, page URLs, and click events. Sentry captures 10% of normal sessions and 100% of sessions where errors occur. PII masking is enabled, which redacts common patterns of sensitive data.
We use Vercel for application hosting, deployment, and analytics. Data shared: page views, user interactions, performance metrics, device type, browser information, referring URL, and general location information. Vercel analytics data is anonymized.
VolunteerFlow does not sell, rent, or trade personal information for money or other valuable consideration. We do not share personal information with data brokers or marketing networks.
We may disclose personal information without further notice if required by law or legal process, necessary to enforce our Terms of Service, or necessary to protect the safety, rights, or property of VolunteerFlow, our users, or the public.
If VolunteerFlow is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will provide notice of such change and any choices you may have.
For full details on cookies and tracking technologies we use, please see our dedicated Cookie and Tracking Policy.
We use JWT authentication cookies (HTTP-only, Secure) to maintain your login session. These cookies are essential for the platform to function and expire 7 days from login.
Vercel Analytics and Speed Insights place cookies to track user behavior and measure website performance. These do not include personally identifiable volunteer information.
Sentry may place cookies to enable session replay functionality — capturing 10% of normal sessions and 100% of error sessions. PII masking is enabled (maskAllText: true). Session replays are retained for 90 days.
You can control cookies through your browser settings. Authentication cookies cannot be disabled without preventing login. To opt out of Vercel Analytics, visit Vercel's opt-out page. To opt out of Sentry session replay, contact legal@volunteerflow.us.
We do not currently respond to Do Not Track (DNT) signals, but you can use cookie controls in your browser to limit tracking.
By default, VolunteerFlow retains personal information for as long as your account is active or as long as needed to provide the Services.
Organizations can configure custom data retention policies through their VolunteerFlow settings, including automatic deletion of inactive volunteer records and purging of old audit logs.
When an organization closes its account, data is removed from active interfaces and may be retained in backups for up to 90 days before permanent deletion. Billing records may be retained longer for legal purposes.
Volunteers and organization representatives can request deletion of personal information. Deletion is subject to legal retention requirements, ongoing legal disputes, and the organization's data retention policies.
While we implement strong security measures, no system is completely secure. We cannot guarantee absolute protection against sophisticated cyberattacks, insider threats, or compromised credentials.
If we become aware of a security breach affecting personal information, we will notify affected users and organizations without unreasonable delay, provide information about the breach and recommended actions, and comply with notification requirements under applicable laws (GDPR, CCPA, state laws).
VolunteerFlow is not designed for children under the age of 13 and we do not intentionally collect personal information from children.
Important: VolunteerFlow does not currently implement age verification mechanisms. Organizations are responsible for obtaining appropriate parental or guardian consent before collecting information from volunteers under 13 years old.
Volunteers aged 13–17 may use VolunteerFlow if their parent or guardian has consented to their participation and the organization complies with applicable laws protecting minors.
If VolunteerFlow becomes aware that a minor under 13 has created an account without proper parental consent, we will notify the parent or guardian, provide ability to access and review the minor's information, and delete the account and personal information upon request.
To exercise any of these rights, contact us at legal@volunteerflow.us. Include your name, organization, and specific request. We will respond within 30 days or as required by law.
If you believe your privacy rights have been violated, you have the right to lodge a complaint with your supervisory authority or data protection regulator (EU: your national data protection authority; California: California Attorney General).
VolunteerFlow processes personal information based on the following legal bases under GDPR: contract performance (to provide Services), legal obligation (required by law), legitimate interests (fraud prevention, security), and consent where required.
For organizations processing EU personal information, VolunteerFlow provides a Data Processing Agreement (DPA) including sub-processor disclosures, data subject rights mechanisms, and audit rights. See our Data Processing Agreement or contact legal@volunteerflow.us.
EU residents have the right to access, rectify, erase, restrict processing, data portability, and object to processing. To exercise these rights, contact your organization administrator or VolunteerFlow support.
VolunteerFlow is headquartered in the United States. For EU personal information transferred outside the EU, transfers are authorized under Standard Contractual Clauses (SCCs) approved by the European Commission.
VolunteerFlow does not intentionally collect special categories of personal data (health data, biometrics, racial origin, etc.) unless an organization explicitly requires it with appropriate legal basis and consent.
In the past 12 months, VolunteerFlow has collected: identifiers (name, email, phone, IP), personal information (address, emergency contacts), commercial information (billing, subscription), internet activity (pages visited, sessions), geolocation data, professional information (role, hours), education information (training records), and inferences (volunteer history, preferences).
VolunteerFlow does not sell or share personal information for cross-context behavioral advertising or in exchange for money. To submit a request, contact legal@volunteerflow.us. We will respond within 45 calendar days.
In addition to CCPA/CPRA, VolunteerFlow complies with privacy laws in Colorado, Connecticut, Delaware, Illinois (BIPA), New York (SHIELD Act), Utah, Virginia, and other states with similar requirements. If you are a resident of a state with a privacy law, you generally have the right to know what personal information is collected, to access, delete, and correct it, and to opt out of sales or targeted advertising.
To exercise rights under state privacy laws, contact legal@volunteerflow.us. We will respond within timeframes specified by your state's law, typically 30–45 days.
If you have questions about this Privacy Policy or want to exercise your privacy rights, contact:
Email: legal@volunteerflow.us
For technical support or account-related issues, visit our support portal or contact your organization administrator.
If you believe your personal information has been compromised or accessed without authorization, contact legal@volunteerflow.us immediately.
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last Updated" date, notify users by email or through the platform dashboard, and provide a notice period (typically 30 days) before changes take effect. By continuing to use VolunteerFlow after changes become effective, you accept the updated Privacy Policy.
Previous versions of this Privacy Policy are available upon request at legal@volunteerflow.us.
VolunteerFlow may contain links to third-party websites or services. This Privacy Policy applies only to VolunteerFlow. We are not responsible for the privacy practices of third-party providers.
Organizations that use VolunteerFlow own the personal information they provide to the platform. VolunteerFlow does not claim ownership of this data and acts as a data processor on behalf of organizations.
Organizations using VolunteerFlow remain responsible for collecting personal information lawfully, providing their own privacy notices to volunteers, complying with data protection laws, responding to volunteer data requests, and ensuring appropriate consent for background checks.
This Privacy Policy is governed by the laws of the State of New York, United States, without regard to conflict of law provisions. Privacy rights under GDPR, CCPA, and other state privacy laws will be applied according to their respective jurisdictions.
This Privacy Policy, together with our Terms of Service and any Data Processing Agreement, constitutes the entire agreement regarding privacy and data protection. If any provision is found to be unenforceable, the remaining provisions will continue in effect.