Privacy Policy for Nonprofits, Churches, and Charities — Free Template

Nonprofits, churches, and charities collect significant personal data — donor info, member records, event registrations, volunteer applications, prayer requests. They are subject to the same privacy laws as for-profit businesses (GDPR, most state laws), and need a privacy policy that reflects their specific data practices.

What Nonprofits Collect

• Donor information: Name, email, address, phone, donation history, payment method
• Member records: Family info, attendance, ministry involvement
• Event registrations: Names, contact info, sometimes dietary or accessibility needs
• Volunteer applications: Background info, skills, availability
• Prayer requests: Personal struggles, health concerns (very sensitive)
• Children's information: Sunday school, youth groups (subject to COPPA)
• Email subscribers: Newsletter and announcement lists

The combination of sensitive content (especially prayer requests and children's data) and trust-based relationships makes privacy especially important for religious and charitable organizations.

How to Generate Your Nonprofit Privacy Policy

1. Open the privacy policy generator
2. Enter your organization name and website URL
3. Enter a contact email (use an organization email)
4. Check data types: Name, Email, Phone, Address, Payment Information, Cookies, Usage Data
5. Check third-party services: Your donation processor (Stripe, PayPal, Tithe.ly, Pushpay), email tool (Mailchimp, Constant Contact), Google Analytics if used
6. Enable GDPR if you have international donors (most do)
7. Enable COPPA — most religious orgs have children's programs
8. Generate, copy, paste into your website

Specific Sections for Nonprofits

Donor data and tax receipting. "When you make a donation, we collect your name, contact information, and donation amount to issue a tax-deductible receipt and maintain accurate records. Donor records are kept for 7 years to meet IRS and accounting requirements."

Donor anonymity options. "You may donate anonymously, in which case your name will not appear on any public donor lists. We will still need your contact information to issue a tax receipt and process the donation, but this information is kept confidential."

Member confidentiality. "Information shared with our staff or clergy is treated as confidential and is not shared outside the organization without your permission, except as required by law."

Prayer requests. "Prayer requests submitted through our website are shared only with the prayer team or pastoral staff, not posted publicly unless you indicate otherwise. Sensitive content is handled with discretion and not retained beyond the prayer cycle."

Children's programs (COPPA). "We collect information about children participating in our youth programs only with explicit parental consent. Children's information is used solely for program safety and communication and is not shared with third parties or used for marketing."

Volunteer background checks. "Volunteers in roles involving children or vulnerable adults may be required to complete background checks. Background check information is handled by our screening provider and is not retained by us beyond the verification."

Donation Platforms and Their Data Handling

Platform	Common for	What they store
Tithe.ly	Churches	Donor info, recurring giving setup
Pushpay	Churches	Same as above plus app data
Stripe	All nonprofits	Payment info, donor metadata
PayPal	Small charities	Donor info, transaction history
Network for Good	Mid-size nonprofits	Donor management + processing
Donorbox	Various	Donor management + recurring

Mention your specific donation platform in the policy as a third-party processor.

Email Newsletters and Member Communications

If you send a regular newsletter or member updates:

• Get explicit consent before adding people to the list (a donation is not consent for marketing)
• Provide an unsubscribe link in every email
• Honor unsubscribes promptly (within 10 business days)
• Mention your email practices in the privacy policy

Children's Programs and COPPA

Sunday school, youth groups, vacation bible school, and similar programs often involve children under 13. COPPA applies if you collect personal information from these children online. Best practices:

• Get parental consent before collecting any data from children under 13
• Limit collection to what is necessary (don't ask for more than you need)
• Don't use children's data for marketing
• Allow parents to review and delete their child's data
• Specify in your privacy policy how you handle children's data

Public Donor Lists and Recognition

Many nonprofits publish lists of major donors. Best practices:

• Get explicit consent before adding anyone to a public list
• Offer the option to give anonymously
• Make it easy to be removed from lists upon request
• Mention public recognition practices in the privacy policy

International Donors and GDPR

Even small US-based nonprofits often receive international donations. EU donors trigger GDPR. Enable GDPR compliance in your generated policy and:

• Get explicit consent for marketing emails to EU donors
• Provide a data subject access request process
• Honor right to deletion requests (after retaining required tax records)
• Document your data processing activities

Display Your Privacy Policy

• Footer of every page on your website
• Linked from your donation page
• Linked from event registration forms
• Linked from email subscription forms
• Mentioned in volunteer applications
• Linked from member portal login (if applicable)