Privacy Policy

Effective date: 9 June 2026. Last updated: 9 June 2026.

Hidden Humanity (“we”, “us”, or “our”) is a 501(c)(3) public charity (EIN 92-2883598) based in Irvine, California. We are also registered with the UK Charity Commission (number 1212652). This Privacy Policy describes what personal data we collect, why we collect it, who we share it with, and what rights you have over it.

By visiting hiddenhumanity.org, making a donation, or signing in to your donor account, you agree to the practices described in this policy.

1. Data we collect and why

Account and identity data

When you sign in or create an account, we collect your name and email address. This is necessary to identify your account, send you donation receipts, and let you access your giving history in the donor portal.

Donation data

We record the amount, date, currency, campaign, and giving type (including zakat designation) of each donation. We also store whether you have made a UK Gift Aid declaration and the associated address details required by HMRC.

Card numbers and full payment credentials are processed exclusively by Stripe via Stripe Elements. Card data never passes through or touches our servers.

Communications data

If you contact us, submit a story, or sign up for updates, we retain the content of your message and your email address so that we can respond and follow up.

Usage and technical data

Our hosting and delivery infrastructure may collect standard server logs including IP address, browser type, and pages visited. We use this data only for security and performance purposes and do not use it for advertising.

2. Service providers and processors

We share your data only with the processors listed below and only to the extent necessary for them to provide the service described. All processors are contractually bound to protect your data and not to use it for their own purposes.

  • Stripe — payment processing. Stripe handles all card tokenisation and recurring-billing management. Stripe’s privacy policy governs data it holds: stripe.com/privacy.
  • Clerk — authentication and session management. Clerk stores your email address and hashed credentials and manages your active sessions. Clerk’s privacy policy: clerk.com/legal/privacy.
  • AWS / CloudFront — media delivery and file storage. Campaign images and distribution proof files are stored in Amazon S3 and served through CloudFront. AWS acts as a data processor under our control.
  • Vercel — application hosting. Our web application runs on Vercel’s infrastructure. Vercel processes request data as part of serving pages. Vercel’s privacy policy: vercel.com/legal/privacy-policy.
  • Postmark — transactional email. Donation receipts and account notifications are sent through Postmark. Postmark processes your email address to deliver those messages.

3. Cookies and session storage

We use session cookies set by Clerk to keep you signed in. These are strictly necessary cookies; they expire when you sign out or close your browser (depending on your “Remember me” preference). We do not use advertising cookies, tracking pixels, or any third-party analytics cookies.

4. Data retention

Donation records and Gift Aid declarations are retained for at least seven years to satisfy our legal and tax obligations under US and UK charity law. Account data is retained while your account is active and for a reasonable period thereafter. Server logs are retained for no more than 90 days. If you request deletion of your account and there is no legal obligation requiring us to retain your data, we will delete or anonymise it within 30 days.

5. Your rights

Depending on where you live, you may have rights including access to data we hold about you, correction of inaccurate data, erasure of your data (subject to legal retention requirements), and restriction of processing. To exercise any of these rights, please reach out via our contact page. We will respond within 30 days (or the shorter period required by applicable law).

UK and EU residents (GDPR / UK GDPR)

Where we process data of individuals in the UK or European Economic Area, we do so on the basis of: (a) performance of a contract (processing your donation), (b) legal obligation (Gift Aid and charity-law retention), and (c) legitimate interest (fraud prevention, security). You have the right to lodge a complaint with your supervisory authority. UK residents may contact the ICO at ico.org.uk.

California residents (CCPA / CPRA)

We do not sell or share your personal information for cross-context behavioural advertising. Because we are a nonprofit, some CCPA rights are limited. You may still request to know what data we hold about you or request deletion by contacting us via the contact page.

6. Children’s data

We do not knowingly collect personal data from children under 13 years old. If you believe we have inadvertently done so, please contact us and we will promptly delete that information.

7. Security

We implement industry-standard security measures including encrypted data in transit (TLS), access control, and audit logging. No transmission over the internet is completely secure; we cannot guarantee absolute security of data you transmit to us.

8. Updates to this policy

We may update this policy from time to time. When we do, we will revise the effective date at the top of this page. Material changes will be communicated by a notice on this site or by email to registered donors. Continued use of our services after the updated policy takes effect constitutes acceptance of the revised terms.

9. Contact

Questions about this policy? Please use our contact page. We aim to respond within five business days.