Love & Luck
Support & Join

Data Storage Policy

Generous Data Storage Guidelines & Policy

1. Purpose

This policy sets out how Generous stores, secures, and manages personal, financial, and organisational data entrusted to us by our cause partners, supporters, and users. The purpose is to ensure that all data is handled responsibly, in compliance with Australian law and international best practices, and to maintain trust in the Generous platform.

2. Scope

This policy applies to all data collected, processed, and stored by Generous in the course of delivering our fundraising services. It covers:

  • Donor and supporter information
  • Partner organisation data
  • Transactional and payment information
  • Internal business records

3. Storage Location

  • Generous uses secure cloud infrastructure hosted on Amazon Web Services (AWS) in the Asia Pacific (Sydney) region.
  • All personal and payment-related data under Generous’ control is stored in Australia, in compliance with the Australian Privacy Principles (APPs).
  • Anonymised, aggregated data may be processed by trusted third-party analytics platforms for business intelligence purposes (see Section 7).

4. Security Measures

  • Encryption in Transit: All data transmitted through the Generous platform is encrypted using TLS 1.2+ protocols.
  • Encryption at Rest: All stored data is encrypted using AES-256 or equivalent industry-standard encryption.
  • Access Controls: Access to data systems is restricted to authorised personnel only, secured with role-based permissions and multi-factor authentication.
  • Monitoring & Logging: Access and changes to data systems are logged and monitored for anomalies or unauthorised activity.
  • Backups: Data is backed up regularly in secure environments, with redundancy to ensure continuity in case of failure.

5. Data Retention and Disposal

  • Data is retained only as long as necessary to provide services, comply with legal obligations, or resolve disputes.
  • Payment card details are never stored by Generous. All payment information is processed exclusively by Stripe, a PCI-DSS Level 1 certified payment provider.
  • When data is no longer required, it is securely deleted or anonymised to prevent re-identification.

6. Compliance and Standards

Generous commits to complying with:

  • The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs)
  • PCI-DSS (via Stripe’s certified infrastructure for all payment processing)
  • Relevant international standards (e.g., ISO 27001) where applicable

7. Third-Party Services

Generous engages trusted third-party providers to support secure platform operations:

  • AWS (Asia Pacific – Sydney): Primary hosting and storage provider.
  • Stripe: Secure, PCI-DSS compliant payment provider. Generous does not store card details directly.
  • Vero: Optionally used for cause related marketing campaigns.
  • Amplitude & Segment: Used to collate anonymised, aggregated data for analytics and platform improvements. No personally identifiable information (PII) is shared in this process.

All third-party providers must meet or exceed our security and compliance standards. Contracts with providers include confidentiality and data protection obligations.

8. Review and Updates

This policy is reviewed annually or sooner if legal, regulatory, or operational changes require it. Updates will be communicated to stakeholders as necessary.

9. Contact

For questions about this policy or data security practices, please contact:

Simon Collins - Data Protection Officer

support@generous.co