Zero-trust by design.

GIVE→ALIGN operates a strict click-out model. When you donate, you're sent to the charity's own Stripe / payment page. We never see card numbers, CVVs, expiry dates, or bank routing info — not even hashed. Stripe Checkout opens against the charity's account, not ours. The architectural impact: a compromise of GIVE→ALIGN cannot expose donation payment data because that data has never traversed our stack.

The one place card data does pass through Stripe-for-us is the one-time $8.99 access fee. Even there, we use Stripe Checkout Sessions — your card data goes directly from your browser to Stripe over their PCI-DSS Level 1 infrastructure. Our backend receives only a session ID and a "paid: true" confirmation. We never see, store, or log card details.

We ask for an email, a name, a password, and your cause interests. That's the entire personal-data footprint of the app. We do not collect:

• Address, phone number, or date of birth
• Income, employer, or financial information
• Device fingerprints or marketing analytics IDs
• Third-party cookies (only a first-party session cookie)
• Browsing history outside our own pages

Less data collected = less data at risk. It's that simple.

Passwords are hashed with bcrypt at cost factor 12 (industry standard) — never stored in plaintext, never transmitted to third parties. Session tokens are JWTs with short TTLs, served as HttpOnly, Secure, SameSite=Lax cookies. Brute-force protection caps login attempts at 10 per IP per minute.

Our MongoDB instance runs inside an Emergent-managed Kubernetes cluster with TLS termination at the ingress, encryption at rest on the underlying volumes, and no public ingress to the database itself. Our application code is the only client that can read or write.

JWT signing keys, the Stripe API key, the MongoDB URI, and the Anthropic LLM key all live in environment variables — never checked into source, never logged. Our deployment validator actively scans the repo for hardcoded secrets and rejects builds that contain them.

GIVE→ALIGN does not sell, rent, lease, or otherwise share your personal data with any third party for marketing, advertising, analytics, or any purpose not strictly essential to delivering the donor-matching service. This is the entire business model — there is no path by which selling data would benefit us. See the full privacy disclosure for the legal language.

GIVE→ALIGN follows the spirit and architecture of the EU's General Data Protection Regulation: data minimisation (we collect only what the matching service strictly needs), purpose limitation (donor data is never repurposed for marketing), right to access and right to erasure (an admin cascade-delete endpoint wipes every trace of a user across donations, intents, favourites, email log, and reset tokens in a single transaction), and lawful basis (legitimate interest + explicit consent on signup).

We deliberately say “GDPR-aligned”, not “GDPR-certified”: we have not yet appointed a formal Data Protection Officer or filed Data Processing Agreements with each subprocessor. Those are roadmap items as we scale into EU markets. We'd rather under-promise and over-deliver than the inverse.