This policy explains how CrowderaPAY collects, uses, stores, and protects personal data across our platform, website, APIs, and related services for customers, donors, and website visitors.
Introduction
This Privacy Policy describes how CrowderaPAY collects, uses, discloses, and protects personal data when you interact with our platform, website, APIs, and related services (collectively, the "Services").
CrowderaPAY is operated by four affiliated legal entities (The Crowdera Solution Pte Ltd in Singapore; My Crowdera Solutions Sdn Bhd in Malaysia; Bharat Crowdera Ventures Pvt Ltd in India; and The Crowdera Solutions Inc in the USA). The entity responsible for your personal data depends on your country and is set out in Section 3 below.
We respect your privacy and are committed to protecting your personal data in accordance with applicable laws, including:
- The Digital Personal Data Protection Act, 2023 (India)
- The Personal Data Protection Act 2012 (Singapore)
- The Personal Data Protection Act 2010 (Malaysia)
- The General Data Protection Regulation (EU) 2016/679 (GDPR)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- The Digital Millennium Copyright Act (DMCA) and applicable US federal and state privacy laws
Who This Policy Applies To
This Policy applies to three categories of individuals:
- Customers: Nonprofits and charitable organizations that use CrowderaPAY to accept donations.
- Donors: Individuals and entities that make donations through a Customer using CrowderaPAY.
- Website visitors: Anyone who visits our website or marketing pages.
Data Controller and Data Processor
The entity responsible for your personal data depends on your role:
- If you are a Customer, the CrowderaPAY entity that contracts with you is the data controller for your personal data.
- If you are a Donor, the nonprofit you are donating to is the data controller. CrowderaPAY acts as a data processor on behalf of the nonprofit.
- If you are a website visitor, CrowderaPAY acts as the data controller for cookie, analytics, and marketing data.
Contact your regional data controller:
- Singapore and Southeast Asia: privacy-sg@pay.crowdera.com
- India: privacy-in@pay.crowdera.com
- Malaysia: privacy-my@pay.crowdera.com
- USA, Canada, and Rest of World: privacy-us@pay.crowdera.com
- General privacy inquiries: privacy@pay.crowdera.com
What Data We Collect
From Customers (Nonprofits)
When you register or use our Services as a Customer, we collect:
- Organizational data: legal name, registration number, tax exemption certificates, registered address, operating countries, website URL
- Authorized representative data: name, title, email, phone, government-issued identification (for KYB purposes)
- Banking and payout data: bank account details, IBAN or equivalent, beneficiary information
- Transaction data: campaigns created, donations received, fees incurred, payouts issued
- Support data: communications with our support team
From Donors
When a donor makes a donation through a CrowderaPAY Customer, we collect on behalf of the Customer:
- Identification data: name, email address, phone number (optional), country of residence
- Payment data: payment method type, last four digits of card (where applicable), tokenized payment identifier (full card numbers are never stored on our servers)
- Transaction data: donation amount, currency, date, campaign, designation, recurring schedule
- Tax data: address (for tax receipt purposes), tax identification where voluntarily provided
- Device and technical data: IP address, device type, browser, referring URL
From Website Visitors
When you visit pay.crowdera.com or related pages, we collect:
- Analytics data: pages visited, time on page, clicks, referrers
- Device data: browser, operating system, device type, screen size
- Location data: approximate location based on IP address (not precise GPS)
- Cookie data: per our Cookie Policy
How We Use Your Data
We use personal data for the following purposes:
- To provide the Services: process donations, issue tax receipts, settle payouts, provide dashboards and reporting, enable cross-border partner flows.
- To ensure security and prevent fraud: screen transactions against sanctions lists, detect suspicious activity, verify Customer identities during KYB.
- To comply with legal obligations: respond to regulatory inquiries, maintain audit trails, comply with tax and anti-money laundering requirements.
- To communicate with you: send service updates, respond to support requests, notify you of material changes to the Services.
- To improve the Services: analyze usage patterns, run A/B tests, train our AI donation recommendation models (on aggregated and anonymized data only).
- For marketing to Customers: send newsletters, product updates, and relevant offers (you can opt out at any time).
We do not use donor personal data for advertising or targeted marketing. We do not sell personal data to third parties.
Legal Basis for Processing
Where required by law (including GDPR), we process personal data on the following bases:
- Contract: to provide the Services under our Customer Agreement or a Donor's donation transaction.
- Legal obligation: to comply with tax, anti-money laundering, and financial regulation requirements.
- Legitimate interest: to secure the Services, prevent fraud, improve our product, and communicate with Customers about their accounts.
- Consent: for marketing communications and non-essential cookies (consent can be withdrawn at any time).
International Data Transfers
CrowderaPAY operates across four countries and serves donors globally. Personal data may be transferred between jurisdictions to provide the Services. When we transfer personal data across borders, we rely on:
- Standard Contractual Clauses approved by the European Commission (for EU data)
- Adequacy decisions where available
- Explicit consent where required
- Other lawful transfer mechanisms under applicable law
Donor data is stored in region-appropriate data centers. Indian donor data is stored in India. EU donor data is stored in the EU. USA donor data is stored in the USA. Enterprise Customers can request specific data residency arrangements.
Data Retention
We retain personal data for as long as necessary to:
- Provide the Services
- Comply with legal and regulatory obligations (including tax record retention, typically 7 to 10 years depending on jurisdiction)
- Resolve disputes and enforce our agreements
After the retention period expires, personal data is deleted or anonymized in accordance with our Data Retention Schedule, available on request.
Your Rights
Depending on your jurisdiction, you have the following rights with respect to your personal data:
- Right of access: to obtain a copy of the personal data we hold about you.
- Right of correction: to correct inaccurate or incomplete personal data.
- Right of erasure: to request deletion of your personal data, subject to legal retention obligations.
- Right of portability: to receive your personal data in a structured, machine-readable format.
- Right of restriction: to restrict processing in certain circumstances.
- Right to object: to object to processing based on legitimate interests or direct marketing.
- Right to withdraw consent: for processing based on consent.
- Right to lodge a complaint: with your local data protection authority.
To exercise your rights, email the appropriate regional privacy contact listed in Section 3. We respond within the timeline required by your local law (30 days under GDPR, 15 days under DPDP India, 30 days under PDPA Singapore).
Security
We protect personal data with industry-standard security measures:
- TLS 1.3 encryption in transit, AES-256 encryption at rest
- PCI-DSS SAQ D Level 2 certification
- Role-based access control with least-privilege enforcement
- Multi-factor authentication for all internal system access
- Continuous monitoring, logging, and alerting
- Annual third-party penetration testing
- Documented incident response plan with breach notification procedures
In the event of a personal data breach that may risk your rights and freedoms, we will notify you and the relevant regulator within the timeline required by law (72 hours under GDPR, 72 hours under DPDP India where reasonably practicable, as soon as practicable under PDPA Singapore).
Children's Privacy
The Services are not directed to children under 16 (or a higher age where required by local law). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact privacy@pay.crowdera.com so we can delete it.
Specific Jurisdictional Notices
India (DPDP)
Bharat Crowdera Ventures Pvt Ltd is the data fiduciary for personal data of Indian donors and Customers. Our Data Protection Officer in India can be reached at privacy-in@pay.crowdera.com. Data principals (donors and Customers) have the rights set out in the Digital Personal Data Protection Act, 2023.
Singapore (PDPA)
The Crowdera Solution Pte Ltd is registered as a data controller under the Personal Data Protection Act 2012. Our Singapore Data Protection Officer can be reached at privacy-sg@pay.crowdera.com. Complaints may be submitted to the Personal Data Protection Commission of Singapore.
European Union (GDPR)
Where we process personal data of EU residents, we do so in compliance with the General Data Protection Regulation. Data subjects have the full set of rights listed in Section 10. Complaints may be submitted to your national data protection authority.
California (CCPA/CPRA)
California residents have the right to know what personal data we collect, to delete it, to opt out of its sale (note: we do not sell personal data), and to non-discrimination for exercising these rights. To exercise these rights, email privacy-us@pay.crowdera.com.
Malaysia (PDPA 2010)
My Crowdera Solutions Sdn Bhd is registered as a data user under the Personal Data Protection Act 2010. Data subjects have rights of access and correction under the PDPA.
Updates to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to Customers and by a prominent notice on our website at least 30 days before they take effect.