Privacy Policy

This Privacy Policy explains how GoodAct (“GoodAct,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects information when you use our website, mobile experiences (including our Android app), and related services (together, the “Services”).

GoodAct is a community where people share acts of kindness, support causes they care about, organize and attend volunteer events, and fundraise for the things that matter to them. We built this Policy to be clear, plain-spoken, and easy to act on.

The short version: we collect what you provide to set up and use your account, plus a small amount of usage data to keep the Services working. We do not sell your data, do not run third-party advertising, and do not use ad-tracking SDKs. Card numbers go directly to our payment processor (Stripe) — we never see them.

For Google Play Data safety, the categories below describe exactly what GoodAct collects. Items not listed here are not collected.

a. Information you give us directly

• Account details (required): display name, unique handle, email address.
• Profile content (optional): avatar, cover photo, bio, mobile number, gender, date of birth, website URL, contact email, city and country, and the causes you follow.
• Posts, comments, reactions, stories, RSVPs, follows, reposts, shares, and direct messages you create or send through the Services, including photos and links you attach.
• Donation records: when you donate, we store the amount, currency, recipient, optional message, status, timestamp, and the Stripe session and payment-intent identifiers. We do not store card numbers or bank details — those are handled directly by Stripe.
• Reports, contact submissions, and feedback you send us (for example, when you contact support or report a post).

b. Information we collect automatically

• Usage activity: the posts you view, react to, or follow; events you RSVP to; story views; notifications you read; terms acceptance and cookie-consent choices.
• Device and connection data: IP address, browser or app version, operating system, language, and approximate location inferred from IP. Server logs briefly retain IP addresses for abuse prevention and rate-limiting.
• Cookies and similar technologies used to keep you signed in, remember your preferences, and measure how the Services are working. You can manage these from the cookie banner or your device settings.
• What we do NOT collect automatically: Android Advertising ID, IMEI or hardware identifiers, browsing history outside GoodAct, contact lists from your address book, calendar, audio recordings, files outside the photos you choose to upload, or precise GPS location.

c. Information from others and from optional features

• Sign-in providers: if you sign in with a third-party provider (such as Google), we receive basic profile information (name, email, profile photo) from that provider.
• Find-friends contact matching (optional): if you choose to find friends by importing contacts, identifiers (email addresses or phone numbers) are hashed with SHA-256 before they are sent to GoodAct. We never receive or store the raw email addresses or phone numbers from your address book — only the one-way hashes used for matching.
• Mentions, tags, messages, and reports: if another person mentions you, sends you a message, or reports content involving you, we receive information about you in that context.

We use the information we collect to:

• Provide the Services: create and authenticate your account, render your profile and feed, deliver messages and notifications, run events and donations, and find friends you already know on GoodAct.
• Personalize your experience: recommend posts, people, and causes based on what you follow and your city and country.
• Communicate with you: send transactional emails and notifications such as sign-in links, donation receipts, event reminders, and account updates. Marketing emails are off by default and can be unsubscribed from at any time.
• Keep GoodAct safe: detect fraud, abuse, spam, and policy violations; enforce our Terms; and protect users.
• Improve the Services: understand how the Services are used so we can fix bugs, improve performance, and design new features.
• Comply with legal obligations and respond to lawful requests.

We do not sell your personal information, do not use third-party advertising or ad-tracking SDKs, do not profile you for advertisers, and do not use your data to train AI models.

Information on GoodAct may be shared in the following ways:

• With other people on the Services. Your profile, posts, comments, reactions, stories, RSVPs, and donation records (for completed public donations) are visible to others according to the visibility you choose. Direct messages are visible only to you and the other members of that conversation.
• With service providers that help us run GoodAct, under contracts that limit how they can use your information:
  • Cloud hosting and database — for storing your account, posts, and media.
  • Stripe — payment processing for donations. Card details are entered directly into Stripe’s PCI-compliant systems and never reach our servers. We receive only the donation amount, currency, status, and Stripe session/payment-intent IDs.
  • Transactional email delivery — for sign-in links, receipts, and notifications.
• For safety and legal reasons, including responding to lawful requests, enforcing our Terms, and protecting the rights, property, or safety of GoodAct, our users, and the public.
• In a business transfer such as a merger, acquisition, or sale of assets, in which case we will notify you before your information becomes subject to a different policy.

We do not share your information with data brokers, advertisers, or analytics platforms that profile users across the web.

You have meaningful controls over your information:

• Update your profile at any time from Settings.
• Control post visibility: set posts to public, followers-only, or hidden, and adjust who can repost your content.
• Control location visibility: hide your city and country from your public profile.
• Delete your posts, comments, reactions, stories, or messages at any time.
• Block or report other people if you feel unsafe or see something that breaks our rules.
• Manage notifications and emails: unsubscribe from non-essential emails using the link at the bottom of every message, or adjust preferences in Settings.
• Manage cookies from the cookie banner.
• Remove imported contact hashes: clear synced contacts from Settings → Find friends at any time.

You can delete your account at any time from Settings, or by contacting us. When you delete your account, we permanently remove or anonymize:

• your profile, avatar, cover photo, bio, and contact details;
• your posts, comments, reactions, stories, and reposts;
• your follows, RSVPs, and direct messages you have sent;
• imported contact hashes;
• notification history.

We retain a limited amount of data after deletion only where we are legally required to (for example, donation records and receipts must be retained for tax and anti-fraud purposes for up to 7 years), or where it is necessary to prevent abuse, resolve disputes, or enforce our Terms. Anonymized aggregate data may be retained for analytics.

Account deletion takes effect within 30 days. Some content (such as messages you sent to other users) may remain visible to those recipients in their own copies of the conversation, similar to a sent email.

We keep information only as long as we need it:

• Account and profile data: for as long as your account is active.
• Posts, comments, messages, and other user content: until you delete them or your account is deleted.
• Donation records: up to 7 years after the donation, to meet tax, accounting, and anti-fraud requirements.
• Server and security logs (including IP): typically up to 90 days, longer where needed to investigate abuse.
• Email delivery and bounce logs: up to 90 days for deliverability and abuse prevention.
• Cookie consent records: for the lifetime of the consent (up to 13 months) so we can prove your choice if asked.

We use technical and organizational safeguards including:

• encryption in transit (HTTPS / TLS) for all traffic;
• encryption at rest for our managed database and file storage;
• row-level security policies that prevent users from reading or modifying data they shouldn’t;
• scoped service-provider access controls and audit logging;
• payment isolation: card data goes directly to Stripe and never touches our servers.

No system is perfectly secure. Use a strong, unique password and tell us immediately if you believe your account has been compromised.

GoodAct is not intended for people under 13 years of age (or the higher minimum age set by your country, where applicable). We require all users to confirm their date of birth at sign-up and we do not knowingly collect information from children below the minimum age. If you believe a child has provided us with personal information, please contact us so we can delete it.

GoodAct is a global community. We may process and store your information in countries other than your own, including the United States and the European Union. Where required by law (for example, for transfers out of the EEA, UK, or Switzerland), we use appropriate safeguards such as the European Commission’s Standard Contractual Clauses to protect your information when it crosses borders.

Depending on where you live (including under the EU/UK GDPR, California’s CCPA/CPRA, and similar laws), you may have the right to:

• access a copy of the personal information we hold about you;
• correct information that is inaccurate or incomplete;
• delete your information (see Section 6);
• port your information to another service;
• restrict or object to certain processing, including the right to opt out of “sale” or “sharing” of personal information (note: GoodAct does not sell or share personal information for cross-context behavioral advertising);
• withdraw consent where we rely on it (for example, for marketing emails);
• lodge a complaint with your local data protection authority.

To exercise these rights, contact us using the details in Section 13. We will respond within the time required by applicable law (typically within 30 days).

The GoodAct Android app is distributed through the Google Play Store. The summary below mirrors what we declare in our Google Play Data safety section so it’s easy for you to verify:

• Data is encrypted in transit: yes, via HTTPS/TLS.
• You can request that your data be deleted: yes, from Settings or by contacting us.
• Data we collect: name, email, user IDs, optional phone number, optional approximate location (city/country only), optional gender and date of birth, photos you upload, in-app messages and content, app interactions, donation records, and hashed contacts (for find-friends, only if you opt in).
• Data we do NOT collect: precise (GPS) location, web browsing history, files outside the photos you upload, calendar, audio, device or advertising IDs, financial card numbers, health and fitness data, and crash logs (as of the current release).
• Data shared with third parties: none for advertising or analytics. Donations are processed by Stripe under the “payment processor” role defined by Google Play.

If you have questions about this Policy, want to exercise a privacy right, or want to delete your data, please reach out through our contact page. We read every message and aim to respond within 30 days.

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you through the Services or by email before the changes take effect, and we will update the “Last updated” date at the top of this page.