Privacy Policy

1. Introduction

Engaij Inc. ("Engaij," "we," "us," or "our") respects your privacy and is committed to protecting your personal data. This privacy policy explains how we collect, use, store, and safeguard your information when you use our services, including our websites at engaij.com and app.engaij.ai, our platform, WordPress plugin, APIs, and any related services (collectively, the "Services").

This policy applies to all users of our Services, including:

• Organisations: Nonprofit organisations, faith-based organisations, and other entities that use our platform to manage supporter relationships, campaigns, and fundraising
• Organisation staff: Individuals who access the platform on behalf of an Organisation
• Supporters: Donors, subscribers, petition signers, and other individuals whose data is managed by Organisations through our platform
• Prospects and leads: Individuals who interact with our website, waitlist, or marketing materials

2. Information We Collect

2.1 Information You Provide Directly

We collect information you provide to us, including:

• Account information: Name, email address, organisation details, role, and phone number
• Payment information: Processed securely via our PCI-compliant payment processor. We store only card brand, last four digits, and expiry date for display purposes. We never store full card numbers or security codes.
• Content you create: Email campaigns, templates, supporter lists, donation forms, petitions, and other platform content
• Supporter data: Contact information, donation history, engagement records, communication preferences, and related data you upload or manage through our platform
• Waitlist and enquiry data: Name, email, organisation name, country, website, and current technology platforms
• Communications: Support requests, feedback, and other correspondence with us
• Consent records: Your choices regarding data processing, marketing communications, and personalisation preferences

2.2 Information Collected Automatically

When you use our Services, we automatically collect:

• Usage data: Pages visited, features used, actions taken within the platform, and interaction patterns
• Device information: Browser type, operating system, screen resolution, and device identifiers
• Log data: IP address, access times, referring URLs, and request metadata
• Email engagement data: When Organisations send emails through our platform, we track delivery status, opens, and link clicks to provide engagement analytics. Open tracking uses a small transparent image; click tracking routes links through our delivery infrastructure. These metrics are reported to the sending Organisation.
• Location data: We may infer your approximate geographic region (country and general area, not precise location) from your IP address for the purposes of timezone detection and regional analytics
• Cookies and similar technologies: See our Cookie Policy for details
• Attribution data: UTM parameters and referral information to understand how you found our Services

2.3 Information from Third Parties

We may receive information from third-party services connected to your account, such as:

• Payment processing status and transaction results from our payment processor
• Email delivery status and engagement metrics from our email delivery infrastructure
• Social media platforms when you connect accounts for content publishing
• Publicly available information about Organisations (such as tax-exempt status from government registries) for verification purposes

2.4 Inferred and Derived Data

To help Organisations engage more effectively with their supporters, we derive additional insights from the data described above. This may include:

• Engagement scores: Calculated from interaction patterns such as email opens, clicks, and donation frequency
• Communication preferences: Inferred from your response patterns, such as preferred message length, tone, and timing
• Content affinities: Topics and causes you appear to be most interested in, based on your interactions
• Lifecycle stage: Whether you are a new, active, lapsed, or at-risk supporter, based on recency and frequency of engagement
• Demographic estimates: General area-level (not individual) characteristics derived from publicly available census or aggregate data associated with your postal code or region. These are statistical estimates about areas, not personal assessments.
• Suggested giving ranges: Personalised donation amount suggestions based on your prior giving history with the Organisation

Inferred data is used solely to help Organisations communicate more relevantly with their supporters. You have the right to access, correct, or request deletion of inferred data about you (see Section 10).

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve our Services
• Process donations and subscription payments
• Deliver email campaigns and transactional messages on behalf of Organisations
• Personalise content and communications based on your preferences and engagement history
• Generate engagement analytics and reporting for Organisations
• Send you technical notices, security alerts, and support messages
• Respond to your comments, questions, and requests
• Analyze usage patterns to improve platform performance and user experience
• Detect, prevent, and address fraud, abuse, and security issues
• Comply with legal obligations, including tax reporting requirements
• Enforce our terms of service and protect the rights of our users

4. Artificial Intelligence and Machine Learning

Engaij uses artificial intelligence ("AI") and machine learning to provide features such as content generation assistance, supporter segmentation, engagement scoring, campaign optimisation, and communication personalisation.

4.1 How AI Processes Data

• Content generation: When Organisation staff use AI features to draft email content, subject lines, or campaign copy, the Organisation's context (such as its mission, voice profile, and previous content) may be processed by our AI infrastructure to generate relevant output. All AI-generated content is presented for human review before use and is never auto-published.
• Engagement analysis: We use machine learning models to analyze supporter interaction patterns (such as opens, clicks, and donations) to calculate engagement scores and predict supporter behaviour. This processing happens within our platform infrastructure.
• Communication personalisation: AI may assist in tailoring message content, timing, and structure to individual supporter preferences. This uses behavioural patterns and, where the supporter has provided it, their first name for salutation purposes.
• Content research: AI may be used to analyze publicly available information to help Organisations research topics, trends, and content strategies for their campaigns.

4.2 AI Data Boundaries

We maintain strict boundaries on what data is processed by AI systems:

• No supporter email addresses, postal addresses, phone numbers, or financial data are transmitted to external AI service providers. Our data minimization layer strips this information before any external AI processing.
• Where AI-assisted personalisation is used for email content, only anonymized behavioural patterns (such as engagement level, content preferences, and communication timing) are processed externally. A supporter's first name may be included for salutation personalisation.
• Your Organisation's supporter data is never used to train AI models for other Organisations or for general-purpose model training by any third party.
• We do not sell or provide your data to AI service providers for their own model training or improvement purposes. Our agreements with AI providers prohibit them from using data processed on our behalf for training.
• AI-generated content is always subject to human review and approval before it is sent to supporters.
• AI-assisted content personalisation is analogous to traditional content segmentation and does not require separate consent.

4.3 AI Service Providers

We use one or more third-party AI service providers for content generation, analysis, and optimisation. We may change, add, or remove AI service providers over time as technology evolves. Regardless of which providers we use:

• All providers are bound by data processing agreements that prohibit them from retaining or using your data for their own purposes
• Our data minimization protocols apply consistently across all providers
• We maintain an internal audit log of what data categories are processed by AI systems and what personal information is stripped before processing
• Material changes to our AI processing practices will be reflected in updates to this policy

4.4 Automated Decision-Making and Profiling

We use automated processing to create supporter profiles and generate recommendations. This includes:

• Engagement scoring: Automated calculation of how actively a supporter interacts with an Organisation
• Suggested donation amounts: Personalised giving suggestions based on a supporter's prior donation history with the specific Organisation
• Segment assignment: Automatic grouping of supporters into categories (such as "new donor," "recurring donor," or "at-risk") based on their behaviour
• Send-time optimisation: Automated selection of email delivery times based on when a supporter is most likely to engage
• Content recommendations: Suggestions for which topics or messaging approaches may resonate with specific supporters

These automated processes assist Organisations in communicating more effectively, but no decisions with significant legal or similarly significant effects are made solely by automated means. Donation solicitation amounts are suggestions only; supporters always choose their own donation amount. Under GDPR, you have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you. You may request human review of any automated decision by contacting us (see Section 15).

5. Data Processing Roles

Understanding who controls your data is important. Our role depends on the context:

5.1 Engaij as Data Controller

Engaij acts as the data controller for:

• Account information of Organisation staff who use our platform
• Data collected through our own websites (engaij.com, app.engaij.ai)
• Waitlist signups and prospect enquiries
• Our own marketing communications
• Website analytics and usage data

5.2 Engaij as Data Processor

When an Organisation uses our platform to manage supporter data, Engaij acts as a data processor on behalf of the Organisation (the data controller). In this role:

• The Organisation determines the purposes and means of processing supporter data
• We process supporter data only as instructed by the Organisation and as necessary to provide the Services
• We maintain data processing agreements with Organisations that define our obligations
• Supporter data is logically segregated by Organisation (multi-tenant isolation) -- each Organisation can only access its own supporters' data
• We do not access, use, or share supporter data except as necessary to provide the Services or as required by law

If you are a supporter and wish to exercise your rights regarding data held by an Organisation through our platform, you should contact that Organisation directly in the first instance. You may also contact us, and we will assist in directing your request to the appropriate Organisation.

5.3 Organisation Responsibilities

Organisations using our platform are responsible for:

• Ensuring they have a lawful basis (such as consent or legitimate interest) for collecting and processing supporter data
• Maintaining their own privacy policy that discloses their use of our platform as a service provider
• Responding to data subject requests from their supporters
• Ensuring supporter data uploaded to our platform was collected in compliance with applicable law

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

• Encryption in transit: All data transmitted between your device and our Services is encrypted using TLS 1.2 or higher
• Encryption at rest: Sensitive data is encrypted at rest using industry-standard encryption (AES-256 or equivalent)
• Access controls: Role-based access controls with support for multi-factor authentication
• Multi-tenant isolation: Organisation data is logically segregated at the database level. Staff of one Organisation cannot access another Organisation's supporter data.
• Payment security: We are PCI DSS compliant through the use of tokenization. Payment card data is collected and processed directly by our PCI Level 1 certified payment processor and never touches our servers.
• Infrastructure security: Our Services are hosted on professionally managed cloud infrastructure with physical security controls, network monitoring, and regular patching
• Security reviews: We conduct periodic security reviews, dependency audits, and vulnerability assessments
• Employee access: Access to production data is restricted to authorized personnel on a need-to-know basis, with audit logging

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Active accounts: Organisation account data and associated supporter data are retained while the account is active
• After account closure: Personal data is deleted or anonymized within 90 days of account closure, except where retention is required by law or legitimate business need
• Financial and tax records: Transaction records, donation receipts, and related financial data are retained for 7 years per tax and accounting requirements
• System backups: Encrypted system backups are retained for up to 30 days before automatic deletion
• Consent records: Records of consent are retained for the duration of the processing they authorize, plus a reasonable period thereafter for compliance purposes
• Security and audit logs: Retained for up to 7 years for fraud investigation and compliance purposes, with personal identifiers progressively anonymized
• Email engagement data: Retained for the duration of the supporter's relationship with the Organisation
• Waitlist data: Retained until you convert to a customer account, unsubscribe, or request deletion

8. Data Sharing

We do not sell your personal data. We share data only in the following circumstances:

8.1 Service Providers

We engage carefully selected third-party service providers to help operate our platform. These providers are bound by data processing agreements and may only process data as instructed by us. Our service providers fall into the following categories:

We maintain an internal register of sub-processors. Organisations may request the current list of sub-processors by contacting us at privacy@engaij.com. We will provide reasonable advance notice before adding new sub-processors that process supporter personal data.

8.2 Other Sharing

• Legal requirements: When required by law, regulation, court order, or other legal process
• Safety and rights: To protect the rights, property, or safety of Engaij, our users, or the public
• Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, in which case your data would remain subject to the protections in this policy
• With consent: When you or your Organisation has given explicit consent to share
• Aggregate data: We may share anonymized, aggregated data that cannot reasonably be used to identify you (such as platform-wide benchmarks)

9. Cross-Organisation Identity

When a supporter donates to multiple Organisations through our platform, we may recognize them as the same person based on their email address. This is used for:

9.1 Platform-Level Identity (Automatic)

By default, we maintain a platform-level identity to:

• Prevent fraud and detect suspicious activity
• Improve data quality and reduce duplicates
• Provide aggregate, anonymous statistics to Organisations (such as "percentage of donors who support multiple causes")

At this level, Organisations cannot see which other Organisations you support, how much you have donated elsewhere, or any details about your activity with other Organisations. Your data remains private to each Organisation.

9.2 Cross-Organisation Data Sharing (Opt-In Only)

You may choose to enable cross-organisation data sharing, which allows:

• Automatic synchronization of your contact information across Organisations you support
• A unified view of your giving history in your supporter portal

This feature is disabled by default and requires your explicit opt-in consent. You can disable it at any time, and your contact information will stop synchronizing. Even with sharing enabled, Organisations still cannot see your donation amounts or activity with other Organisations.

10. Your Rights

Depending on your location, you have some or all of the following rights regarding your personal data:

10.1 Rights Available to All Users

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your personal data, subject to legal retention requirements
• Portability: Request your data in a structured, commonly used, machine-readable format (such as CSV or JSON)
• Objection: Object to processing of your data, including profiling
• Restriction: Request restriction of processing while a dispute is resolved
• Withdraw consent: Where processing is based on consent, withdraw that consent at any time
• Opt out of tracking: Unsubscribe from marketing emails at any time; email engagement tracking ceases when you unsubscribe

10.2 EU/EEA/UK Residents (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR):

• Lawful basis: We process your data based on: (a) your consent, (b) performance of a contract, (c) compliance with legal obligations, or (d) our legitimate interests, where these do not override your fundamental rights and freedoms
• Right to withdraw consent: You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal
• Automated decision-making: You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you. You may request human review of any automated decision.
• Right to lodge a complaint: You have the right to lodge a complaint with your local data protection authority. A list of EU/EEA data protection authorities is available at edpb.europa.eu
• International transfers: When we transfer data outside the EU/EEA, we ensure appropriate safeguards through Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the European Commission

10.3 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:

• Right to know: What personal information we collect, use, disclose, and sell (we do not sell personal information)
• Right to delete: Request deletion of your personal information
• Right to correct: Request correction of inaccurate personal information
• Right to opt out: Opt out of the sale or sharing of personal information. We do not sell personal information. We do not share personal information for cross-context behavioural advertising.
• Right to limit use of sensitive personal information: We only use sensitive personal information as necessary to provide the Services
• Non-discrimination: We will not discriminate against you for exercising your privacy rights

To submit a verifiable consumer request, contact us at privacy@engaij.com. We will verify your identity before processing your request.

10.4 Australian Residents (Privacy Act 1988)

Australian residents have rights under the Australian Privacy Principles (APPs). You may access and correct your personal information held by us. If you believe we have breached the APPs, you may lodge a complaint with us, and if not resolved satisfactorily, with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

10.5 Canadian Residents (PIPEDA)

Canadian residents have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. You may access and correct your personal information, withdraw consent, and lodge complaints with the Office of the Privacy Commissioner of Canada.

10.6 Exercising Your Rights

To exercise any of these rights, contact us at privacy@engaij.com. We will respond to your request within 30 days (or sooner where required by applicable law). If we need additional time, we will inform you of the reason and extension period.

We may need to verify your identity before processing certain requests. We will not charge a fee for processing your request unless it is manifestly unfounded or excessive.

11. Email Communications and Tracking

Our platform enables Organisations to send email communications to their supporters. This section explains how email data is handled:

• Delivery tracking: We track whether emails are delivered, bounced, or blocked to maintain sender reputation and deliverability
• Open tracking: Campaign emails may include a small transparent tracking image that records when an email is opened. This data is reported to the sending Organisation as engagement metrics.
• Click tracking: Links in campaign emails may be routed through our delivery infrastructure to record clicks. This data is reported to the sending Organisation.
• Transactional emails excluded: Tracking is explicitly disabled for transactional emails such as password resets, account notifications, and donation receipts
• IP inference: When you open a tracked email, your IP address may be used to infer your approximate geographic region and timezone. We do not infer precise locations.
• Unsubscribe: Every marketing email includes an unsubscribe mechanism. Once you unsubscribe, no further tracked emails will be sent to you by that Organisation through our platform.

12. WordPress Plugin

Organisations may use our WordPress plugin to embed donation forms, subscription forms, petition forms, and advocacy tools on their own websites. When you interact with these forms:

• Data you submit (such as name, email, and donation amount) is transmitted to our platform via encrypted API calls
• A minimal transaction record (such as a donation reference, email, and amount) may be stored locally on the Organisation's WordPress server for their administrative reference
• CAPTCHA verification may be used to prevent abuse. CAPTCHA data is processed by the CAPTCHA provider under their own privacy policy.
• GDPR consent is collected on applicable forms before data is submitted

The Organisation operating the WordPress site is the data controller for data collected through their website. Our platform acts as a data processor for this data.

13. Children's Privacy

Our Services are not directed to children under the age of 16 (or under 13 in the United States). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@engaij.com and we will promptly delete the information.

14. International Data Transfers

Engaij is based in the United States. If you access our Services from outside the United States, your data may be transferred to and processed in the United States or other countries where our service providers operate.

We ensure appropriate safeguards for international transfers through:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EU/EEA/UK transfers
• Data processing agreements with all service providers that include appropriate transfer mechanisms
• Encryption of data in transit and at rest
• Compliance with applicable data protection frameworks, including the EU-U.S. Data Privacy Framework where applicable

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where required by law
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
• Notify affected Organisations so they can inform their supporters as appropriate
• Document the breach, its effects, and the remedial action taken

16. Cookies and Tracking Technologies

We use cookies and similar technologies to provide, protect, and improve our Services. For detailed information about the cookies we use, including third-party cookies, and how to manage them, please see our Cookie Policy.

17. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of material changes by:

• Posting the updated policy on this page with a new "Last updated" date
• Sending an email notification for material changes that affect how we process your data
• Providing a prominent notice on our platform where appropriate

Your continued use of our Services after any changes constitutes acceptance of the updated policy. We encourage you to review this policy periodically.

18. Contact Us

If you have questions about this privacy policy, wish to exercise your data rights, or have concerns about our data practices, please contact us:

Privacy enquiries: privacy@engaij.com
General enquiries: hello@engaij.com
Address: Engaij Inc., Delaware, USA

We aim to respond to all privacy enquiries within 5 business days and resolve data rights requests within 30 days (or sooner where required by applicable law).

For EU/EEA/UK residents, you may also contact your local data protection authority if you have concerns about our processing of your data.

For Australian residents, you may contact the Office of the Australian Information Commissioner (OAIC) if your concern is not resolved satisfactorily.

For California residents, you may contact the California Attorney General's Office regarding CCPA/CPRA concerns.