Privacy Policy

Last updated: March 30, 2026

Samfora AB, org. nr "559364-7448" ("Samfora", "we", "us") operates the donor data platform at samfora.io. This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR).

1. Data Controller

Samfora AB is the data controller for personal data collected through the Platform for account management and platform operations. For donor data uploaded by NGOs, Samfora acts as a data processor on behalf of the NGO (the data controller).

2. Data We Collect

Account data: Name, email address, organization name, role — collected when you create an account.

Usage data: Pages visited, features used, session duration, IP address, browser type — collected automatically to improve the Platform.

Donor data (processed on behalf of NGOs): Donor names, contact information, donation history, payment methods — uploaded or collected by NGOs through the Platform.

Payment data: Payment information is processed directly by Stripe and is not stored on our servers.

3. How We Use Your Data

  • To provide and maintain the Platform
  • To manage your account and provide customer support
  • To improve and develop new features
  • To send service-related communications
  • To comply with legal obligations

We do not sell your personal data. We do not use donor data for advertising purposes.

We process personal data based on:

  • Contract performance — to provide the Platform services
  • Legitimate interest — to improve our services and ensure security
  • Consent — where required, such as for analytics cookies on public pages
  • Legal obligation — to comply with applicable laws

5. Third-Party Processors

We use the following third-party services that may process personal data:

| Service  | Purpose                     | Data Location |
| -------- | --------------------------- | ------------- |
| Stripe   | Payment processing          | EU/US         |
| Vercel   | Hosting and deployment      | EU            |
| PostHog  | Product analytics           | EU            |
| Supabase | Database and authentication | EU            |

All processors are bound by data processing agreements in compliance with GDPR.

6. Data Retention

Account data is retained for the duration of your account and for 12 months after termination. Usage data is retained for 24 months. Donor data is retained as long as the NGO maintains an active account and is deleted within 90 days of account termination, unless a longer retention period is required by law.

7. Your Rights

Under GDPR, you have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten")
  • Restrict processing
  • Data portability — receive your data in a structured format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time

To exercise your rights, contact us at privacy@samfora.org.

8. Cookies

We use essential cookies required for the Platform to function. On public pages, we use analytics cookies (PostHog) with your consent via a cookie banner. Within the authenticated application, we use session-based analytics that do not require cookie consent.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including encryption in transit (TLS), access controls, and regular security reviews.

10. International Transfers

Your data is primarily stored and processed within the EU. Where data is transferred outside the EU (e.g., Stripe's US infrastructure), it is protected by Standard Contractual Clauses or adequacy decisions.

11. Children

The Platform is not intended for use by individuals under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Platform. The "last updated" date at the top reflects the most recent revision.

13. Contact & Complaints

For privacy-related questions or to exercise your rights:

  • Email: privacy@samfora.org
  • Samfora AB, Stockholm, Sweden

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se.