This Privacy Policy describes how Hibox for Nonprofits ("Hibox", "we", "us", or "our") collects, uses, stores, shares, and protects your personal information when you use our website, web application, mobile services, integrations, and related products (collectively, the "Services"). This policy applies to all visitors, trial users, paying customers, and any individuals whose information is processed through the Services. By using the Services, you agree to the practices described in this Privacy Policy.
Contents
- Information We Collect
- How We Use Information
- Legal Bases for Processing
- SMS / Text Messaging Program
- How We Share Information
- Sub-Processors
- Cookies & Tracking
- Analytics & Advertising
- Data Security
- Data Retention
- Your Privacy Rights
- California Privacy Rights
- European / UK Rights (GDPR)
- Children's Privacy
- International Transfers
- Do Not Track Signals
- Changes to This Policy
- Contact Us
1. Information We Collect
1.1 Information You Provide Directly
- Account information: first and last name, email address, mobile phone number, password (hashed), organization name, organization size, role, and timezone.
- Profile information: avatar / profile photo, bio, job title, department, language preference, theme, and notification preferences.
- Organization & program data: records you create about clients, volunteers, programs, training courses, certifications, board members, donors, grants, intake forms, attendance, case notes, and uploaded documents (collectively, "Customer Content").
- Communications: messages, emails, in-app chats, and SMS you send to us (or send through our Services to your contacts), support tickets, feedback, and survey responses.
- Billing & payment information: billing name, billing address, plan selection, and partial payment-card data (last 4 digits, brand, expiry). Full card numbers are tokenized and processed by our PCI-DSS-compliant payment processor and never stored on Hibox servers.
- SMS opt-in records: the timestamp, IP address, and user agent at the moment you check the SMS consent box, retained as proof of consent under TCPA recordkeeping obligations.
1.2 Information Collected Automatically
- Device and browser type, operating system version, screen resolution, and language settings.
- IP address and approximate location (city / region / country) derived from IP.
- Usage data: pages viewed, features used, click events, search queries, and timestamps.
- Performance and diagnostic data: load times, error reports, stack traces, and crash logs.
- Referring URLs, UTM parameters, and affiliate tracking codes set via cookies for attribution.
1.3 Information from Third Parties
- OAuth / SSO providers (Google, Microsoft) when you sign in or connect a calendar / mail account: profile info and tokens you authorize.
- Affiliates / referrers: referral codes and click-through data when you sign up via a partner link.
- Public sources / enrichment: limited business contact information about your organization (name, public email, address) for support and onboarding.
2. How We Use Information
- Provide, operate, maintain, secure, and improve the Services.
- Authenticate users and protect accounts (including 2FA codes via SMS or email and login alerts).
- Send transactional messages — account verification, password resets, billing receipts, security notifications.
- Send program-related notifications (compliance reminders, certification expiry alerts, program updates, board meeting reminders, grant deadlines) in line with your notification preferences.
- Respond to support inquiries and customer service requests.
- Process payments and prevent fraudulent transactions.
- Detect, investigate, and prevent fraudulent or unauthorized activity, abuse, and security incidents.
- Generate aggregated, de-identified analytics to understand product usage and improve features.
- Comply with legal obligations, respond to lawful requests, and enforce our Terms of Service.
- Send occasional product announcements (you can opt out at any time from your account settings).
3. Legal Bases for Processing (EEA / UK)
- Contract performance: to deliver the Services you request and to administer your account.
- Legitimate interests: to secure the platform, prevent fraud, improve features, and run the business.
- Consent: for SMS marketing-style notifications, optional cookies, and any processing where consent is required by law.
- Legal obligation: to comply with tax, accounting, anti-fraud, and law-enforcement requirements.
4. SMS / Text Messaging Program
We do not share your phone number, mobile information, or SMS opt-in consent with any third parties or affiliates for marketing or promotional purposes — full stop. All categories of personal information described in this policy exclude phone numbers and SMS opt-in consent from any third-party sharing for marketing or promotional purposes.
When you provide your phone number and check the SMS consent box during registration (or otherwise opt in via account settings), you agree to receive recurring text messages from Hibox for Nonprofits at the number provided. Hibox sends SMS through our service provider Twilio. By opting in, you acknowledge and agree to the following:
- Program name: Hibox for Nonprofits SMS Notifications.
- Sender brand: Hibox for Nonprofits (sent from a verified Twilio toll-free number).
- Types of messages: account verification codes (2FA / one-time passwords), password reset confirmations, login and security alerts, program reminders, certification & license expiry notifications, compliance deadline alerts, board meeting reminders, grant deadline reminders, billing notices, and other transactional account messages.
- Message frequency: varies based on your account activity and notification settings; expect occasional messages, with higher volume around deadlines and scheduled events.
- Message and data rates may apply. Carrier charges apply per your wireless plan. Hibox does not charge a fee to participate.
- Opt out: Reply STOP at any time to unsubscribe from all SMS messages from the Program. You will receive a single confirmation message, after which no further texts will be sent. You may opt back in from your account settings.
- Get help: Reply HELP, or contact us at [email protected].
- Carriers: Carriers (including AT&T, Verizon, T-Mobile, etc.) are not liable for delayed or undelivered messages.
- Eligibility: You must be 18+ and the account holder or authorized user of the mobile number provided.
Full SMS Program terms are available in our SMS Terms & Conditions.
5. How We Share Information
We share personal information only in the limited circumstances described below:
- With your organization: data created within an organization workspace is accessible to other authorized members of that organization, based on assigned role and permissions.
- Service providers (sub-processors): trusted vendors performing services on our behalf — cloud hosting, email delivery, SMS delivery, error monitoring, analytics, and payment processing. These providers are contractually bound to protect your data and may use it only to provide services to us.
- Legal compliance: when required by applicable law, valid legal process, court order, or to respond to lawful requests from public authorities.
- Safety & rights protection: when we reasonably believe disclosure is necessary to protect our rights, property, or safety, or that of our users or the public.
- Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to standard confidentiality protections and continued application of this Privacy Policy.
- With your consent: for any other purpose disclosed at the time we collect the information.
We do not sell, rent, lease, or trade your personal information. We do not share your phone number or SMS opt-in consent with third parties or affiliates for marketing or promotional purposes under any circumstances.
6. Sub-Processors
The principal sub-processors we use to deliver the Services include:
- Amazon Web Services (AWS) — cloud hosting, storage, and database services.
- Twilio Inc. — SMS message delivery for the SMS Program.
- SendGrid / Postmark — transactional email delivery.
- Stripe — payment processing (PCI-DSS Level 1).
- Cloudflare — DNS, CDN, and bot/abuse mitigation.
- Sentry — error and crash monitoring (with PII scrubbing).
7. Cookies & Tracking Technologies
We use the following categories of cookies:
- Strictly necessary: session, CSRF protection, load balancing, and security cookies required for the Services to function.
- Functional: remember preferences such as language, theme, and timezone.
- Performance / analytics: measure traffic and usage patterns to improve the product.
- Affiliate tracking: persistent cookies (e.g., affiliate_ref, affiliate_referral_id) that attribute sign-ups to referring partners.
You can manage cookies through your browser settings. Note that disabling strictly necessary cookies may break core functionality such as sign-in.
8. Analytics & Advertising
We may use first-party or privacy-respecting analytics tools to understand product usage. We do not allow third-party advertising networks to track you across the Services, and we do not display third-party advertisements within the application.
9. Data Security
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for sensitive fields (passwords are hashed using bcrypt; tokens are stored as hashes where applicable).
- Principle-of-least-privilege role-based access controls (RBAC) and Spatie permission scopes.
- Cloudflare Turnstile bot challenges on public sign-up endpoints and rate limiting on authentication routes.
- Continuous logging, audit trails, and intrusion detection on production infrastructure.
- Regular dependency scanning, security reviews, and patching of known vulnerabilities.
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. If you become aware of a security issue, please contact us immediately at [email protected].
10. Data Retention
We retain your information for as long as your account is active or as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:
- Active account data: retained while your account is active.
- Closed account data: retained up to 90 days after termination, then deleted or anonymized (excluding records required by law).
- Billing & tax records: retained for at least 7 years to satisfy tax and accounting requirements.
- SMS opt-in / opt-out records: retained for the duration of your account plus a minimum of 4 years to satisfy TCPA recordkeeping requirements.
- Audit logs: retained for up to 12 months for security investigations.
11. Your Privacy Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal information; object to certain processing; and withdraw consent at any time. To exercise these rights, email [email protected]. We will respond within the timeframe required by applicable law (typically 30–45 days).
12. California Privacy Rights (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Request deletion of personal information.
- Request correction of inaccurate personal information.
- Opt out of the "sale" or "sharing" of personal information.
- Limit the use of sensitive personal information.
- Be free from retaliation or discrimination for exercising these rights.
We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. To submit a request, email [email protected].
13. European / UK / Swiss Rights (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights to access, rectification, erasure, restriction, portability, and objection regarding your personal data. You may also lodge a complaint with your local supervisory authority. Our lawful bases are described in Section 3.
14. Children's Privacy
The Services are not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
15. International Data Transfers
Hibox is operated from the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the U.S. or other countries where our service providers operate. Where required, we rely on Standard Contractual Clauses (SCCs) and equivalent safeguards to provide an adequate level of protection.
16. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no consistent industry standard for how to respond to DNT signals, we currently do not respond to them. We do, however, honor opt-out choices made through our account settings and the methods described in this Privacy Policy.
17. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be communicated via email or in-app notice prior to taking effect. Your continued use of the Services after changes take effect constitutes acceptance of the updated Privacy Policy.
18. Contact Us
Questions, requests, or concerns about this Privacy Policy can be sent to:
- Privacy: [email protected]
- Support: [email protected]