Org360.app: Data Protection & GDPR Compliance
Details on how NonprofitBuilder LLC protects your data.
Data Controller
- Entity: NonprofitBuilder LLC (owns and operates Org360)
- Location: Coppet, Switzerland
- Data Protection Officer (DPO): Muqaddus Jehan Kundi ([email protected])
Data Hosting & Processors
All processors are bound by GDPR-compliant Data Processing Agreements (DPAs).
| Data Type | Location/Provider | Compliance Mechanism |
|---|---|---|
| Survey & Account Data | Hetzner servers (Germany/EU) | Stored exclusively in the EU |
| Transactional Emails | Postmark (ActiveCampaign LLC, USA) | EU–U.S. Data Privacy Framework, SCCs |
| Payments | Stripe Payments Europe Ltd. / Stripe, Inc. | Data Privacy Framework, SCCs |
| Optional AI-generated Reports | OpenAI, Anthropic, Google (Gemini), Grok | GDPR-compliant DPAs |
Important: AI Features & Privacy
- No automatic data sharing: No personal data, respondent answers, organisation names, or identifiers are ever sent to the AI automatically.
- Explicit consent: AI report generation only happens when the client explicitly clicks to generate an AI report.
- Data masking: Obvious personal or organisational identifiers are stripped or masked before sending data to the AI provider.
- User warning: The platform warns users in real time if capitalised words are typed in open-text fields, reducing the risk that identifiers are included.
What We Collect and Why
We collect only the data strictly necessary to run your account and deliver surveys:
- Data: Name, email, organisation, survey responses.
- Usage: Emails are never used for marketing and are never sold or shared.
Access to Your Data by Our Team
- We do not access or view your surveys, responses, or identifiable data without your explicit consent.
- Exception: Fully anonymised reports may be reviewed solely to improve the quality and accuracy of AI-generated insights.
Sensitive Personal Data
We strongly advise clients not to collect special-category data (race, religion, political opinions, health, sexual orientation, etc.). If you do, you are the data controller for that data.
Deletion
- Immediate deletion: When an account or survey is deleted, all related personal data is permanently removed.
- Retention: No copies are kept, except legally required payment records held by Stripe.
- Backups: Automatically overwritten within 90 days.
Your Rights & Questions
You may request access, correction, deletion, restriction, or portability of your data at any time.
Contact our DPO: [email protected]
We commit to responding within one week.