Privacy Policy
Last updated: July 7, 2026
At AnyAngel, privacy is not a feature — it is a foundational principle. We handle personal account and contribution data, and we take that responsibility seriously. This policy explains in detail how we protect your data, what consents we require, and the technical and organizational measures we implement.
Data Protection Layers
Your data is protected by multiple security layers, from the moment it enters our platform to the moment it is deleted.
All data is encrypted both in transit and at rest using industry-standard protocols.
- TLS 1.3 for all data in transit between your browser and our servers
- AES-256 encryption for all data at rest in our databases
- Payment data is handled by PCI-DSS compliant providers — full card details never touch our servers
- Encryption keys are rotated regularly and managed through a dedicated key management service
Strict access policies ensure only authorized processes interact with your data.
- Role-based access control (RBAC) for all internal systems
- Multi-factor authentication required for any infrastructure access
- Zero-trust architecture — every request is verified regardless of origin
- Audit logs for all data access events, reviewed regularly
Our infrastructure is designed with security-first principles at every level.
- Hosted on SOC 2 Type II certified cloud infrastructure
- Network isolation with private subnets and strict firewall rules
- Automated vulnerability scanning and dependency auditing
- Regular penetration testing by independent security firms
Where we use AI to power recommendations, we do so with strict privacy boundaries.
- Personalization runs on your interests and platform activity — never on sensitive personal content
- AI models are never trained or fine-tuned on your personal data
- Recommendations are generated with your consent and can be turned off at any time
- No third-party AI providers have access to your raw personal data
Information We Collect
We collect only the minimum data necessary to provide our services. We do not collect data from third-party sources.
Account Information
To create and manage your account, authenticate your identity, and communicate with you.
- Full name
- Email address
- Authentication credentials (hashed, never stored in plain text)
Contribution & Campaign Data
To process contributions, run campaigns, and display your support activity.
- Campaigns you create or support
- Contribution amounts and history
- Messages of support you post
Usage Data
To improve the platform, personalize your experience, and detect technical issues.
- Feature usage patterns
- Session duration
- Language preference
Optional Data
To personalize campaign recommendations and your public supporter presence.
- Profile bio and interests
- Public supporter display preferences
Consents
We operate on a consent-first model. You are always in control of what data we process and how.
Required Consents
Terms of Service & Privacy Policy
You must accept our Terms of Service and this Privacy Policy to use the platform. This covers the basic data processing needed to provide our core services.
Payment Processing
To make a contribution, you consent to your payment being processed by our payment provider. We do not store full card details on our servers.
Optional Consents
Activity Notifications
Receive notifications about your contributions, campaign updates, and Give Forward activity. You can enable or disable this at any time from your profile settings.
Anonymous Usage Analytics
Allow us to use anonymized, aggregated usage patterns to improve the platform. No individual data is ever identifiable.
You can withdraw any optional consent at any time from your profile settings. Withdrawing required consents will result in account deactivation. Previously processed data based on valid consent remains lawful.
How We Use Your Information
We use your information exclusively to:
- Provide and improve our startup-support services
- Recommend campaigns and founders relevant to your interests
- Personalize your experience on the platform
- Send you relevant notifications about your activity (with your consent)
- Detect and prevent security threats and abuse
- Comply with legal obligations
We will NEVER:
- Sell your data to third parties
- Share your data with advertisers
- Use your personal data to train AI models without your consent
- Profile you for purposes unrelated to the service
- Transfer your data to countries without adequate protection without safeguards
Your Rights
Under GDPR, CCPA, and applicable data protection laws, you have the following rights:
- Right of Access — Request a copy of all personal data we hold about you
- Right to Rectification — Correct any inaccurate or incomplete data
- Right to Erasure — Request permanent deletion of your data (completed within 30 days)
- Right to Data Portability — Export your data in a standard, machine-readable format
- Right to Restrict Processing — Limit how we process your data in certain circumstances
- Right to Object — Object to data processing based on legitimate interests
- Right to Withdraw Consent — Revoke any consent at any time without affecting prior processing
- Right to Lodge a Complaint — File a complaint with your local data protection authority
You can exercise most of these rights directly from your profile settings. For requests that require manual processing, contact us at privacy@anyangel.org and we will respond within 30 days.
Data Retention
We retain data only as long as necessary for the purposes described in this policy.
| Data Type | Retention Period |
|---|---|
| Contribution and payment records | Retained as required by financial and tax regulations |
| Campaign content | Retained while the campaign is active |
| Account information | Retained while your account is active |
| Usage analytics (anonymized) | Retained for up to 24 months |
| All data upon account deletion | Permanently deleted within 30 days, except where retention is legally required |
Regulatory Compliance
AnyAngel is designed to comply with major data protection regulations:
- GDPRGDPR (General Data Protection Regulation) — EU
- CCPACCPA (California Consumer Privacy Act) — US
- SOC 2 Type IISOC 2 Type II — Infrastructure security standards
- PCI-DSSPCI-DSS — Payment processing handled by compliant providers
Sub-Processors
Third-party services that process personal data on behalf of AnyAngel.
Transferências Internacionais de Dados
Alguns dos nossos sub-processadores estão localizados fora do Brasil. Todas as transferências internacionais são realizadas com base em mecanismos adequados nos termos dos Art. 33 a 36 da LGPD.
Os Estados Unidos não possuem decisão de adequação da ANPD. As transferências para processadores norte-americanos são amparadas por Cláusulas Contratuais Padrão (SCC), nos termos do Art. 33, II da LGPD.
| Processador | País | Base legal (LGPD) | Finalidade |
|---|---|---|---|
| Amazon Web Services (AWS) | EUA | Art. 33, II — SCC | Hospedagem, armazenamento e infraestrutura |
| MongoDB Atlas | EUA | Art. 33, II — SCC | Banco de dados principal |
| Stripe | EUA | Art. 33, II — SCC | Processamento de pagamentos das contribuições |
Data Protection Officer (DPO)
If you have questions about how your personal data is processed, wish to exercise your data protection rights, or want to report a privacy concern, you can contact our Data Protection Officer directly.
dpo@anyangel.orgContact & Data Protection Officer
For privacy inquiries, data requests, or to report a concern, write to us at privacy@anyangel.org