Privacy Policy

Your privacy is critically important to us. This comprehensive policy explains how we collect, use, and protect your information.

Last Updated: June 24, 2025Effective Date: June 24, 2025

Table of Contents

Welcome to GraffitAid. We are committed to protecting your privacy and handling your data transparently and responsibly.

This Privacy Policy explains how GraffitAid Global Foundation ("GraffitAid," "we," "us," or "our") collects, uses, maintains, and discloses information from users ("you," "your," or "User") of our website, mobile applications, and platform (collectively, the "Service").

This policy applies to all GraffitAid services and is designed to comply with major privacy regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable privacy laws.

1. Information We Collect

We collect information to provide, improve, and protect our services. The types of information we collect depend on how you use our Service.

a. Information You Provide Directly

  • Account Information: Name, email address, username, password, and profile picture when you create an account
  • Profile Information: Bio, location (optional), social media links, and other profile details you choose to share
  • User-Generated Content: Bricks, campaigns, comments, messages, images, videos, and other content you create and share
  • Payment Information: Billing address and transaction history (payment details are processed by third-party providers)
  • Communications: Messages you send to us through support channels, feedback forms, or surveys
  • Identity Verification: Government-issued ID or other documents for verification purposes when required

b. Information We Collect Automatically

  • Device Information: IP address, browser type, operating system, device identifiers, and mobile network information
  • Usage Data: Pages visited, features used, search queries, click patterns, and time spent on our Service
  • Location Data: Approximate location based on IP address (precise location only with your explicit consent)
  • Cookies and Tracking: Information collected through cookies, web beacons, and similar technologies
  • Log Information: Server logs including access times, app crashes, and system activity

c. Information from Third Parties

  • Social Media: Public profile information when you connect social media accounts
  • Payment Processors: Transaction confirmations and fraud prevention data
  • Analytics Providers: Aggregated usage statistics and performance metrics
  • Security Services: Threat detection and account security information

2. Lawful Basis for Processing (GDPR)

For users in the European Union, we process your personal data based on the following lawful grounds:

  • Contract Performance: To provide our services and fulfill our contractual obligations
  • Legitimate Interests: To improve our services, prevent fraud, and ensure security
  • Consent: For marketing communications and optional features (you can withdraw consent anytime)
  • Legal Obligation: To comply with applicable laws and regulations
  • Vital Interests: To protect users' safety and prevent harm

3. How We Use Your Information

We use collected information for the following purposes:

Service Operations

  • Create and manage your account
  • Provide core platform features (creating bricks, campaigns, donations)
  • Process transactions and send transaction confirmations
  • Provide customer support and respond to inquiries
  • Send service-related notifications and updates

Improvement and Personalization

  • Analyze usage patterns to improve our services
  • Personalize content and recommendations
  • Conduct research and analytics
  • Test new features and optimize performance
  • Generate aggregated, anonymized insights

Safety and Security

  • Detect and prevent fraud, abuse, and illegal activities
  • Protect account security and platform integrity
  • Enforce our Terms of Service and Community Guidelines
  • Investigate and resolve disputes
  • Comply with legal obligations and law enforcement requests

Communications

  • Send promotional emails and newsletters (with your consent)
  • Notify you about platform updates and new features
  • Share important policy changes and service announcements
  • Send donation receipts and campaign updates

4. Sharing Your Information

We do not sell your personal information. We may share information in the following circumstances:

Public Information

Content you choose to make public (bricks, campaigns, public profile information) is visible to other users and may be indexed by search engines.

Service Providers

We share information with trusted third-party providers who help us operate our services:

  • Cloud Hosting: Firebase, Google Cloud Platform for data storage and infrastructure
  • Payment Processing: Stripe, PayPal for donation processing
  • Email Services: SendGrid, Mailchimp for transactional and marketing emails
  • Analytics: Google Analytics, Mixpanel for usage analytics
  • Customer Support: Zendesk, Intercom for support services
  • Security: Auth0, Cloudflare for authentication and security

Legal Requirements

We may disclose information when required by law or to:

  • Respond to legal process, court orders, or government requests
  • Investigate potential violations of our terms
  • Protect the rights, property, or safety of GraffitAid, users, or the public
  • Prevent fraud, abuse, or illegal activities

Business Transfers

In the event of a merger, acquisition, or sale of assets, user information may be transferred as part of the transaction, subject to equivalent privacy protections.

5. Data Security

We implement comprehensive security measures to protect your information:

Technical Safeguards

  • Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Regular Audits: Security assessments and penetration testing
  • Vulnerability Management: Regular security updates and patch management

Organizational Measures

  • Employee training on data protection and security
  • Background checks for personnel with data access
  • Incident response procedures and breach notification protocols
  • Regular security awareness programs

6. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations:

  • Account Data: Until you delete your account, plus up to 90 days for backup deletion
  • User Content: Until deleted by you or account termination
  • Payment Records: 7 years for tax and legal compliance
  • Support Communications: 3 years for service improvement
  • Analytics Data: 26 months in aggregated, anonymized form
  • Legal Hold: Longer retention may be required for ongoing legal matters

After retention periods expire, we securely delete or anonymize your information.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to enhance your experience:

Types of Cookies

  • Essential Cookies: Required for basic site functionality and security
  • Preference Cookies: Remember your settings and preferences
  • Analytics Cookies: Help us understand how you use our service
  • Marketing Cookies: Used for targeted advertising (with your consent)

Third-Party Tracking

We may use third-party analytics and advertising services that set their own cookies. You can manage cookie preferences in your browser settings or through our cookie consent manager.

Do Not Track

We respect browser Do Not Track signals and will not track users who have enabled this setting.

8. Your Rights and Choices

You have important rights regarding your personal information:

Account Management

  • Access: View and download your personal data through account settings
  • Update: Modify your profile and account information anytime
  • Delete: Permanently delete your account and associated data
  • Export: Download your data in a portable format

Communication Preferences

  • Unsubscribe from marketing emails using the link in any email
  • Adjust notification preferences in account settings
  • Opt out of targeted advertising through our privacy center

Data Processing Rights

  • Restrict Processing: Limit how we process your data
  • Object to Processing: Object to data processing for marketing purposes
  • Data Portability: Receive your data in a machine-readable format
  • Withdraw Consent: Withdraw previously given consent anytime

To exercise these rights, contact us using the information provided below. We will respond within 30 days (or as required by applicable law).

9. International Data Transfers

GraffitAid operates globally, and your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place:

  • Adequacy Decisions: Transfers to countries with adequate protection as determined by relevant authorities
  • Standard Contractual Clauses: EU-approved contractual terms for data transfers
  • Certification Schemes: Privacy Shield successors and similar frameworks
  • Binding Corporate Rules: Internal policies ensuring consistent protection

10. Children's Privacy

Our Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children below these ages. If we discover that a child has provided personal information, we will:

  • Immediately delete the information from our systems
  • Notify the child that their account has been terminated
  • Not use the information for any purpose
  • Not disclose the information to third parties

Parents or guardians who believe their child has provided information to us should contact us immediately.

11. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act:

Your Rights

  • Right to Know: Request details about personal information we collect, use, and share
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: Opt out of the sale of personal information (we don't sell data)
  • Right to Non-Discrimination: We won't discriminate against you for exercising these rights

Information We Collect

In the past 12 months, we have collected the following categories of personal information:

  • Identifiers (name, email, IP address)
  • Commercial information (transaction history)
  • Internet activity (usage data, device information)
  • Geolocation data (approximate location)
  • Audio/visual information (profile pictures, uploaded content)

Exercising Your Rights

To exercise your California privacy rights, contact us at privacy@graffitaid.com or use our privacy request form. We may need to verify your identity before processing requests.

12. European Union Rights (GDPR)

Under the General Data Protection Regulation, EU residents have enhanced rights:

Expanded Rights

  • Right of Access: Obtain confirmation of processing and copies of your data
  • Right to Rectification: Correct inaccurate personal data
  • Right to Erasure: Request deletion in certain circumstances
  • Right to Restrict Processing: Limit processing under specific conditions
  • Right to Data Portability: Receive data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Rights Related to Automated Decision-Making: Protection against solely automated decisions

Data Protection Authority

You have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights.

Data Protection Officer

Our Data Protection Officer can be reached at dpo@graffitaid.com for privacy-related inquiries.

13. Automated Decision Making

We may use automated systems for:

  • Content Moderation: Detecting spam, inappropriate content, and policy violations
  • Fraud Prevention: Identifying suspicious transactions and account activity
  • Personalization: Recommending relevant content and campaigns
  • Security: Detecting and preventing unauthorized access

These systems are designed to enhance user experience and platform safety. You can request human review of automated decisions that significantly affect you.

14. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify relevant authorities within 72 hours (where required)
  • Inform affected users without undue delay
  • Provide clear information about the breach and our response
  • Offer guidance on protective measures you can take
  • Conduct a thorough investigation and implement additional safeguards

Our Service may contain links to external websites and integrate with third-party services. We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any information.

When you interact with third-party features (social media plugins, payment processors), those parties may collect information according to their own privacy policies.

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

  • We will notify you by email if you have an account with us
  • We will post a notice on our website and in our app
  • We will update the "Last Updated" date at the top of this policy
  • For significant changes, we may seek your explicit consent

We encourage you to review this Privacy Policy regularly. Continued use of our Service after changes take effect constitutes acceptance of the updated policy.

17. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Inquiries

Email: contact@graffitaid.com

Response Time: 2-3 business days

Privacy Requests

Email: privacy@graffitaid.com

Response Time: 30 days maximum

Data Protection Officer (EU)

Email: contact@graffitaid.com

Languages: English, German, French

Add Your Brick