Legal
Privacy policy
This policy describes how Paddle-Up collects, uses, shares, and protects information when you visit our website or use our services.
Last updated: March 26, 2026
Who we are
Paddle-Up provides event and fundraising software for nonprofits and schools. This policy applies to information processed through our websites and services (collectively, the "Services").
Information we collect
Depending on how you interact with us, we may collect:
- Contact and account data: Name, email, phone, organization name, role, and similar details you provide when you contact us, request a demo, create an account, or subscribe to updates. Accounts for the Services may be authenticated using Firebase Authentication (Google), which processes credentials and session identifiers needed for sign-in.
- Event and fundraising data: Information your organization enters into the Services—such as campaigns, attendees, donors, bids, tickets, and communications needed to run events. This data is stored in our MongoDB databases as part of providing the Services.
- Payment and transaction data: Card and bank payment details are collected and processed by Stripe. We may receive limited transaction metadata (e.g., amount, status, last four digits of a card) as needed to operate the Services.
- Technical and usage data: IP address, device and browser type, approximate location derived from IP, pages viewed, diagnostic logs, and product analytics events collected through Firebase Analytics (Google), as configured for the Services. See our Cookie Policy for cookies and similar technologies.
How we use information
We use information to:
- Provide, maintain, and improve the Services.
- Process transactions and communicate about your account.
- Respond to inquiries and provide support.
- Detect, prevent, and address fraud, abuse, and security issues.
- Comply with law and enforce our Terms & conditions.
Where the GDPR or similar laws apply, we rely on appropriate legal bases such as contract, legitimate interests (e.g., securing our Services), and consent where required.
How we share information
We may share information with:
- Service providers: Vendors that host infrastructure, send email, or provide other support—subject to confidentiality and data-processing terms where required.
- Stripe: Payment processing is handled by Stripe. Stripe's use of information is described in Stripe's privacy policy and terms.
- Google (Firebase): We use Firebase Authentication for account sign-in and Firebase Analytics for product analytics. Google's use of information is described in Google's and Firebase's privacy documentation, subject to our configuration and applicable law.
- MongoDB: We use MongoDB to host application and fundraising data for the Services. MongoDB's processing of infrastructure data is subject to our agreements with MongoDB and MongoDB's privacy terms.
- Legal and safety: When required by law, legal process, or to protect rights, safety, and security.
- Business transfers: In connection with a merger, acquisition, or sale of assets, subject to appropriate safeguards.
We do not sell your personal information in the conventional sense. We do not share personal information for cross-context behavioral advertising where prohibited by applicable law.
Retention
We retain information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary based on data type and legal requirements.
Security
We use administrative, technical, and organizational measures designed to protect information—including access controls for MongoDB and secure sign-in flows via Firebase. No method of transmission or storage is completely secure; we encourage strong passwords and access controls for organizational accounts.
Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, or export certain personal information, or to object to or restrict certain processing. You may also have the right to lodge a complaint with a supervisory authority.
California residents (CCPA/CPRA): You may have the right to know the categories of personal information we collect, the purposes for collection, and certain disclosures. You may request deletion or correction of personal information we hold, subject to exceptions. We do not "sell" or "share" personal information as those terms are defined under California law for cross-context behavioral advertising.
To exercise rights, contact us using the information below. We may need to verify your request.
International transfers
If you access the Services from outside the United States, your information may be processed in the United States or other countries where we or our providers operate. We use appropriate safeguards required by applicable law for cross-border transfers.
Children
The Services are intended for organizations and adults acting on their behalf. We do not knowingly collect personal information from children under 13 for direct marketing. If you believe we have collected such information, contact us and we will take appropriate steps.
Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date.
Contact us
For privacy questions or requests, reach us through our contact page. Related policies: Cookie Policy, Terms & conditions.
