Demonstration mode — worked-example data, no database or payment provider connected. Real giving begins once the owner crosses the database and payment-provider gates.
Everflame FundraisingLog in / Sign up

⚠ Draft — for lawyer review only

This document is general information, not legal advice. It has not been settled by a lawyer and must not be relied on until it has. It is shown here while its version is a draft (0.1-draft).

Privacy Policy

Version: 0.1-draft · Effective date: [TO BE SET ON LAWYER SIGN-OFF] · Last updated: 2026-07-10 · Operator: [see Operator block — OWNER-DECISION]

Shared facts (the Operator's identity, governing-law state, third-party recipients, and retention periods) are single-sourced and set out in the Operator and shared facts section (§§A–E) at the foot of this page, so this policy and the Terms of Service cannot contradict each other and every fact this page cites is reachable here.

In short

  • This policy explains how the Everflame platform (the Platform) handles your Personal Information.
  • The Platform is built for Australian fundraising and is written to comply with the 13 Australian Privacy

Principles (APPs), whether or not the Privacy Act's small-business exemption applies to the Operator.

  • The strongest facts here are things the Platform does not do: it stores no card numbers, runs

no advertising or behavioural tracking, and never mines, sells, or rents your data.

  • This is general information for your own decision, not legal advice, and it is a **draft for lawyer

review** — it is not yet in force.

This is general information for your own decision or for review with a registered tax adviser. The platform records, computes and assembles; it does not advise, and it does not prepare or lodge any return, statement or distribution for a fee.

[FLAG-FOR-LAWYER: the caveat above is reproduced verbatim from the product interface so the legal documents and the UI say the same thing. Its "registered tax adviser" referent is tax-framed; on a privacy document the lawyer may prefer "or other relevant adviser". It is kept verbatim here for UI parity and is not altered by this draft.]


P1. Who we are, and the scope of this policy

This policy covers how the Platform handles Personal Information. The Platform is operated by [OPERATOR LEGAL NAME] (the Operator); the Operator's identity, ABN (if any), and contact details are in the Operator and shared facts section (§A) at the foot of this page. [FLAG-FOR-LAWYER: the Operator's legal identity is an OWNER-DECISION and is not yet finalised — no operating company exists yet; see §A.]

Our two roles. The data a fundraising campaign generates belongs to the Recipient that earned it and the Donor who gave it — it is never the Platform's to mine, sell, or rent. So for giving data the Platform acts largely as a custodian handling data on behalf of each Recipient, while for its own accounts, bookings, and site operation it collects Personal Information in its own right. [FLAG-FOR-LAWYER: whether the Platform is, for privacy-law purposes, an "APP entity" collecting for itself, a service provider handling data on behalf of each Recipient, or both — and whose privacy policy governs which data — is a lawyer determination.]

Open and transparent management of Personal Information is an APP 1 obligation; this policy is the Platform's statement of how it meets it.

P2. The kinds of Personal Information we collect

We collect only the information the product actually uses. Depending on how you use the Platform, that may include:

  • When you give (a donation): your name, your email, your donor-wall display preference (first name

only / full name / anonymous / not listed), the gift amount, and whether you chose to cover the payment processing fee.

  • A dedication, where a campaign offers one: where a campaign enables it, a gift may carry a dedication

("in memory of" or "in honour of" someone), a dedicatee's name, and an optional short message. [FLAG-FOR-LAWYER: a dedication field is supported by the data model but is not exposed on the current public donation form; treat as a capability, not present collection.]

  • A Donor record held for a Recipient: full name, email, phone, and postal address, and whether the

Donor has an account — held so a Recipient can maintain its own supporter relationships.

  • Consents: for each channel (email, post, SMS) whether you granted or withheld consent, when, and from

where it was captured.

  • When you hold an account (Organisation users): your email, full name, and role.
  • When you book a call: your name, email, chosen time, an optional note, and where the booking came

from; and, if you choose to complete the optional post-booking form, your organisation, role, number of entities, and what you would like to discuss (never required).

  • Account security: your account email and any backup-recovery email addresses you add.

What we do not collect (this is the important part):

  • No card numbers or other sensitive cardholder data — card details are entered with and held by the

Payment Provider, not us (see P6).

  • No advertising or behavioural-tracking data — the Platform runs no analytics, advertising, or

tracking pixels (see P7 / "Cookies and storage").

  • No full bank credentials for a Recipient — for payouts the Platform holds only display fragments (the

last three digits of a BSB and the last four of an account number) plus the Payment Provider's connected-account identifier, never full bank details.

  • [FLAG-FOR-LAWYER: APP 3.3 restricts collecting "sensitive information" (a term the Privacy Act 1988

(Cth) separately defines). A cause a Donor supports, or a dedication, could in some cases imply a health, religious, or similar affiliation. The Platform does not seek sensitive information; a lawyer should confirm whether any field is capable of being "sensitive information" and whether specific consent wording is needed. The definition's own section number is verify-before-cite and is not asserted here.]

P3. How and why we collect it, and the purposes we use it for

We collect most Personal Information directly from you — when you give, pledge, enquire, book a call, or hold an account. In three cases we also hold information that reaches us indirectly (not from the individual it is about):

  • A recovery contact you add for someone else. A backup-recovery email address you add to protect your

account may belong to a colleague or another person; we hold it for account security, and that person may receive an account-recovery or account-takeover confirmation email even though they never signed up.

  • A Donor record a Recipient enters. A Recipient may enter a supporter's contact details into its own

Donor records held on the Platform.

  • A beneficiary contact sourced from a public register. For payout onboarding, an Organisation's

official contact is taken from a public register (the ABR / ACNC), not typed by a campaign creator, and the onboarding link is sent to that register-sourced address.

[FLAG-FOR-LAWYER: where Personal Information is collected indirectly (not from the individual it is about), APP 5 notice obligations may require reasonable steps to notify — or ensure the awareness of — that individual about the collection. Confirm the notice mechanism for recovery contacts and register-sourced beneficiary contacts.]

We use the information we collect to:

  • process and record a gift, and issue the correct receipt;
  • deliver a Recipient's acknowledgement of your gift;
  • operate accounts and provide account security and recovery;
  • respond to a "book a call" enquiry; and
  • meet legal record-keeping duties (see P9).

We use your information only for these purposes and directly related purposes (APP 6). We do not use giving data for the Platform's own marketing, and we do not sell, rent, or mine it.

P4. Direct marketing and electronic messages

This section describes the live product's messaging. While the public site runs in demonstration mode (see P14), no email is sent at all — the messaging described below applies once an email provider is connected.

  • From the Platform: the Platform itself sends transactional messages only — receipts, booking

confirmations, account-recovery links, and beneficiary-onboarding links. It does not send the Platform's own marketing email to Donors.

  • From a Recipient to its Donors: a Recipient may communicate with its own Donors under the consents the

Donor has given, which are recorded per channel and can be withdrawn at any time.

  • Commercial electronic messages (where sent) carry accurate sender identification and a working

unsubscribe, and are sent only with consent. Under the Spam Act 2003 (Cth), a commercial electronic message requires (i) consent, (ii) accurate sender identification, and (iii) a functional unsubscribe facility. [FLAG-FOR-LAWYER: the exact statutory time-limits (e.g. the period an unsubscribe request must be actioned within) and the consent taxonomy (express vs inferred) are verify-before-cite — confirm against ACMA / the primary source before stating any day-count.]

  • [FLAG-FOR-LAWYER: the Do Not Call Register Act 2006 (Cth) would apply if phone or SMS channels were

ever used for marketing calls. The consent model includes SMS and post channels, but the built product sends no such marketing today; confirm applicability if that changes.]

P5. Cookies, storage, and tracking

The Platform uses no third-party analytics, no advertising or tracking pixels, and no cross-site tracking cookies. Client-side storage is strictly functional:

  • localStorage — your theme preference, and the session markers used by the demonstration account

previews.

  • sessionStorage — the "last page" value that powers the Back button, and a once-per-session marker so

a support prompt is not shown twice.

  • An everflame_admin session cookie — set only when an authorised administrator signs in to the

account-administration area. It is an HttpOnly, signed, strictly-necessary cookie that keeps that administrator signed in; it is never set for an ordinary visitor and is not used for tracking.

  • When real accounts ship, an essential authentication session cookie (via the database provider). It is

strictly necessary to keep you signed in and is not used for tracking.

Because this storage is functional and essential only, and Australia has no general cookie-consent mandate for functional storage, no cookie-consent banner is used. [FLAG-FOR-LAWYER / STANDING NOTE: if any analytics or third-party script is added later, this section and the consent posture must be revisited.]

P6. Payments and the card-data boundary

This section describes how the live product handles payments once a payment provider is connected. While the public site runs in demonstration mode (see P14), no live payment is taken and no card details are collected at all.

The Platform holds no sensitive cardholder data. When you pay:

  • your card details are entered with, and held by, the Payment Provider (Stripe) — not the Platform;
  • the Platform keeps only the gift record, the Payment Provider's charge identifier, and, for a

recurring gift, the Payment Provider's instrument token — never your card number; and

  • funds route to the Recipient's own Payment-Provider account and are never pooled on a Platform

balance. The Platform takes custody of no donor funds.

[FLAG-FOR-LAWYER: name the Payment Provider (Stripe) and reference its data-processing terms correctly; confirm the provider at go-live.]

P7. Who we share information with

We share Personal Information only with the service providers that let the Platform operate. The full list — Supabase (database, Australian region), Stripe (payments), Resend (email), Vercel (hosting), and the ABR / ACNC registers (Organisation verification only) — and each provider's data-region note are set out in the Operator and shared facts section (§D) at the foot of this page (single source).

Personal Information reaches three kinds of audience:

  • Service providers — the third parties listed in §D, under the Platform's instructions.
  • A Recipient — a Recipient sees the giving data for gifts made to it; that is the purpose of the

product.

  • The public — where you choose it at gift time, your chosen display name appears on a campaign's

public donor wall (see P16, "Public display — the donor wall"). This is the only way your Personal Information is shown publicly, and it happens only on your explicit choice.

We do not sell, rent, or mine Personal Information.

[FLAG-FOR-LAWYER: APP 8 cross-border disclosure. Only the database region (Supabase, Sydney) is confirmed Australian. Stripe, Resend, and Vercel may process outside Australia. This policy does not claim "all data stays in Australia" beyond the database; confirm each provider's processing region.]

P8. Data quality, security, and the immutable record

We take reasonable steps to keep Personal Information accurate and secure, including:

  • an append-only, hash-chained audit record of compliance- and money-bearing actions that is never

rewritten;

  • role-based access for Organisation users (board / administration / oversight roles); and
  • fail-closed security tokens for account recovery.
  • [FLAG-FOR-LAWYER: the Notifiable Data Breaches scheme (Privacy Act 1988 (Cth), Part IIIC). Whether the

NDB scheme binds the Operator depends on the coverage question (see P15). As a matter of practice, the Platform commits to assess and, where required, notify eligible data breaches; confirm the statutory applicability.]

  • [FLAG-FOR-LAWYER: the "reasonable steps" security representation must not over-promise. An independent

penetration test has not yet been run (a pre-launch gate). This policy says "reasonable steps"; it does not say your data is "safe" or "secure" in absolute terms. A lawyer should calibrate this wording.]

P9. Retention and deletion

You can ask us to erase your contact data. But the receipts and financial records the law requires us to keep are retained notwithstanding an erasure request — an erasure request cannot override a retention duty — and the immutable audit record is never rewritten. When we erase contact data, the underlying financial records (receipt, gift, ledger entry, audit entry) are kept as the law requires.

The retention periods are set out in the retention table in the Operator and shared facts section (§E) at the foot of this page. [FLAG-FOR-LAWYER / ACCOUNTANT: the specific year-counts (tax-receipt, charity, and ancillary-fund record-keeping periods) are not asserted here until verified against current ATO / ACNC / state requirements.]

P10. Access, correction, portability, and your consents

  • You may request access to, and correction of, your Personal Information (APP 12, APP 13).
  • Your consents are yours to give and to withdraw, per channel.
  • Portability: a Recipient's full contact and giving record is exportable to it in an ordinary,

portable form on request; a Donor's own giving record can likewise be provided in a portable form.

[FLAG-FOR-LAWYER: confirm the operational route for an access/correction request (the contact address and a response timeframe) — this ties to the Operator contact in §A.]

P11. Overseas supporters and other jurisdictions

The Platform is Australian and built to Australian law. The site is reachable globally, so a supporter may be elsewhere. [FLAG-FOR-LAWYER: the GDPR (EU) and UK GDPR are a flagged consideration only for this AU-focused site — a lawyer decides whether to add EU/UK representations (a lawful-basis statement, an EU/UK contact, data-subject rights). This draft does not add GDPR clauses speculatively.]

P12. Children

The Platform is not directed at children and does not knowingly collect Personal Information from a child. [FLAG-FOR-LAWYER: the age threshold (16 or 18) and any parental-consent wording is a lawyer item.]

P13. Complaints

If you have a privacy concern, contact the Operator using the details in the Operator and shared facts section (§A) at the foot of this page. If a complaint is not resolved, you may be able to take it to the Office of the Australian Information Commissioner (OAIC). [FLAG-FOR-LAWYER: confirm the OAIC is the correct external body given the coverage question (P15), and confirm the Operator's complaint contact.]

P14. Demonstration mode

Before the Operator connects a live database and payment provider, the public site runs in demonstration mode: it shows worked-example data, takes no payment, and does not store or email what you type. If you enter a name or email into a demonstration form, that input is processed transiently to render the demonstration and is not saved or sent. This policy governs the live product; this paragraph tells a demonstration-mode visitor the truth about their input.

P15. Privacy Act coverage — a note

This policy is written to comply with the 13 APPs regardless of whether the Privacy Act's small-business exemption applies. [FLAG-FOR-LAWYER: the Privacy Act 1988 (Cth) has a small-business exemption (turnover threshold in the order of AUD $3 million) with carve-outs (for example, entities that trade in personal information, or that provide a benefit or service to collect or disclose personal information), and a small business can opt in. Whether the exemption applies to the Operator is a lawyer determination and may change once an operating company has turnover. Do not cite the exemption's section/subsection numbers unless the primary source has been opened and quoted.]

P16. Public display — the donor wall

Some campaigns show a public donor wall — a list of supporters shown on the campaign page. Whether your name appears there, and how, is your explicit choice at the time you give:

  • Not listed — your name does not appear on the wall. **This is the default: if you make no choice, you

are not listed.**

  • First name only — only your first name is shown.
  • Full name — your name is shown as you gave it.
  • Anonymous — your gift is acknowledged on the wall without your name.

You can ask to change or remove your donor-wall display at any time (see P10, access and correction). Removing your name from the wall does not delete the receipt and financial records the law requires us to keep (see P9); it changes only what is displayed publicly.

[FLAG-FOR-LAWYER / OPEN BUILD ITEM: the donor wall is the product's one public display of a Donor's Personal Information. At go-live the change/removal path must include a donor-wall leg: the current contact erasure removes a Donor's contact record but does not clear the wall-display choice carried on retained gift records, so a wall-removal request needs an explicit mechanism before the wall ships live. Confirm the change/removal route and its response timeframe.]

P17. Changes to this policy

We may update this policy. The version and effective date are shown at the top; material changes will be notified. This policy is a draft for lawyer review (checklist 2I.2) and is not yet in force.


Operator and shared facts

The facts referenced above — the Operator, the governing-law state, the defined terms, the third-party recipients of data, and the retention periods — are set out here so this page is self-contained.

A. The Operator (OWNER-DECISION — do not resolve by assumption)

The legal person that operates the Everflame platform is not yet finally determined. No operating company exists yet: the intended companies (an Everflame operating company and VirgoLabs) are not incorporated (checklist Track 3B/3C). Until the Operator is confirmed, both documents use the placeholder tokens below, and no session prints a company name as the operative Operator.

[OPERATOR LEGAL NAME] — the legal person that operates the Everflame platform [OPERATOR TYPE] — individual / incorporated association / company, once decided [ABN / ACN, if any] [PRINCIPAL PLACE OF BUSINESS — Australian address] [CONTACT EMAIL — e.g. privacy@everflamefundraising.com.au]
  • [FLAG-FOR-LAWYER: the Operator's legal identity for the go-live demo is an OWNER-DECISION. The

current legal person behind the site is the site owner / an existing incorporated-association context; the options are (a) the individual owner, (b) the existing incorporated association (with its ABN), or (c) holding publication until an operating company exists. This choice drives the Operator block, the governing-law state (§B), the IP-owner reference, and the contact points in both documents.]

  • "Everflame", "Everflame Fundraising", and "the Platform" name the software/service (the product

brand, NEXT_PUBLIC_BRAND default "Everflame Fundraising"), not the Operator. The intended product domain is everflamefundraising.com.au. [OWNER-CONFIRM: confirm this domain is secured before go-live; it is stated here as the intended domain, not asserted as already owned.]

B. Governing law and jurisdiction (OWNER-DECISION)

Governing-law state: [AUSTRALIAN STATE OR TERRITORY — OWNER-DECISION], following from the Operator's principal place of business (§A).
  • **[FLAG-FOR-LAWYER: the governing-law state and the courts with jurisdiction follow from the Operator's

principal place of business and are a lawyer/owner decision. No state is guessed.]**

C. Defined terms (authored once; used by both documents)

  • the Platform / Everflame — the Everflame fundraising software and service.
  • the Operator — the legal person that runs the Platform (§A, placeholder).
  • Recipient / Organisation — an entity that receives gifts through the Platform (a non-charitable

not-for-profit, a registered charity, a deductible-gift-endorsed entity, or an administering body).

  • Donor / Supporter / "you" — a person who gives, pledges, enquires, or holds an account.
  • Gift — a voluntary payment made to a Recipient through the Platform.
  • Pledge — a commitment that stores a card and is charged only if a campaign goal is reached

(an all-or-nothing campaign).

  • Payment Provider — the compliant third-party payment processor that holds card data and moves funds

(Stripe; see §D).

  • Personal Information — has the meaning given in the Privacy Act 1988 (Cth).

D. Third-party recipients of data (service providers)

These are the third parties that process data so the Platform can operate. The Platform does not sell, rent, or mine Personal Information; these are service providers under the Platform's instructions.

Service providerRoleData-region note
Supabase (Postgres database)Stores the Platform's recordsProvisioned in an Australian region (Sydney, ap-southeast-2) — the intended and configured region. [FLAG-FOR-LAWYER: confirm the region at go-live; no database exists yet.]
Stripe (Payment Provider)Card entry, charging, fund settlement to each Recipient's own account[FLAG-FOR-LAWYER: Stripe may process outside Australia — an APP 8 cross-border matter.]
Resend (email delivery)Sends transactional email (receipts, confirmations, recovery links)[FLAG-FOR-LAWYER: may process outside Australia — APP 8.]
Vercel (web hosting)Serves the website and server functions[FLAG-FOR-LAWYER: confirm the data-region for edge/functions; APP 8 cross-border.]
ABR — ABN Lookup (abr.business.gov.au)Verifies an Organisation's ABNReceives Organisation identifiers (ABN), not Donor Personal Information.
ACNC register (via data.gov.au)Verifies an Organisation's charity/DGR statusReceives Organisation identifiers, not Donor Personal Information.
  • [FLAG-FOR-LAWYER: APP 8 cross-border disclosure.] Only the database region (Supabase, Sydney) is

confirmed Australian. Stripe, Resend, and Vercel may process outside Australia. The documents must not claim "all data stays in Australia" beyond the database.

E. Retention periods (FLAG — do not assert year-counts without verification)

The Platform retains receipts and financial records for at least the period the applicable regime requires, measured from the later of the record's making or the obligation it supports. An erasure request never overrides a retention duty; the immutable audit record is never rewritten.

Record kindRetention basisPeriod
Tax and ordinary receiptsTax record-keeping (ATO)[FLAG-FOR-LAWYER / ACCOUNTANT: confirm the year-count against current ATO requirements — do not state a number until verified.]
Gift / ledger / distribution recordsFinancial and charity/ancillary-fund record-keeping (ACNC and, where relevant, ancillary-fund administration)[FLAG-FOR-LAWYER / ACCOUNTANT: confirm each year-count against current ACNC / ancillary-fund requirements.]
Immutable audit recordLegal obligation (append-only; never rewritten)Retained for at least the longest applicable record-keeping period. [FLAG-FOR-LAWYER: confirm.]
Erased Donor contact dataErasable on requestRemoved on request except where a retention duty above requires the underlying financial record to be kept.
  • Once the periods are confirmed, the confirmed year-counts are recorded here (single source) and both

documents cite this table — they do not restate a number independently.