Kindora Privacy Policy

Effective May 22, 2026

In Plain Language

At Kindora, your data belongs to you. We use AI to help you find funders and write grants, but you're always in control. We don't sell your information, don't share it with other organizations, and don't use it to train AI models. Your grant applications and funder research stay private.

We're a small team building tools to democratize access to funding. We take privacy seriously, but we'll be honest about what we can deliver as a growing startup. If you have questions, email us directly—you'll likely hear back from one of the founders.

1. What Information We Collect

To Create Your Account:

  • Your name, email, and role
  • Organization name, mission, and basic details
  • Billing information for paid plans

To Provide Our Services:

  • Organizational information you share (programs, budget, impact data)
  • Grant documents and applications you upload
  • Funder lists you want us to analyze
  • How you use the platform (which features, success rates)

Automatically:

  • Basic technical data (IP address, browser type)
  • Platform usage to improve our services
  • Error logs to fix bugs and improve performance
  • Essential cookies for login and security
  • Product analytics (via PostHog) to understand feature usage and improve our services — this runs automatically for all users and identifies logged-in users by email and name
  • Error monitoring (via Sentry) to detect and fix bugs — we configure it not to send default personal information, console breadcrumbs, or your name/email

2. How We Use Your Information

Our Core Services:

  • Funder Matching: AI analyzes your organization to find aligned funding opportunities
  • Intelligence Briefs: We research specific funders and create strategic reports for you
  • Kindora Draft: AI helps write grant applications and connect with funders based on your organization and the funder's priorities
  • Platform Improvement: We use product analytics, operational metrics, and aggregated reporting to make our tools better

Legal Basis for Processing:

  • Contract performance: To provide our AI-powered funder matching and grant writing services
  • Legitimate interests: To improve our platform and prevent misuse
  • Consent: For marketing communications

Product Analytics: We use PostHog to track feature usage patterns, success rates, and platform performance. For logged-in users, analytics are associated with your email and name so we can understand how different organizations use Kindora and improve the experience. This data is used solely for product improvement and is never sold or shared for advertising.

What We Don't Do:

  • Sell or rent your data to anyone
  • Share your content with other customers
  • Use your information for advertising
  • Train AI models on your private content

3. AI and Third-Party Services

Most of our value comes from AI analysis, so here's exactly how it works:

Our AI Partners

We work with three trusted AI providers: OpenAI, Anthropic, and Perplexity. All have strong privacy commitments when using their APIs through business accounts:

  • Your data isn't used to train their AI models
  • Data is deleted within 30 days of processing
  • All communications are encrypted end-to-end
  • Each provider maintains SOC 2 or equivalent security standards

Our AI Services:

  • Funder Matching: Analyzing your organization to identify aligned funding opportunities
  • Content Research: Gathering and analyzing public information about foundations and funders
  • Grant Writing: Helping draft applications tailored to specific funder requirements
  • Strategic Analysis: Creating intelligence briefs with funder insights and recommendations

What This Means

When you use Kindora Draft or request funder research, we securely send relevant information to these AI services to generate your results. The AI providers process your data only to fulfill your request, then delete it. Your original data stays in our secure database.

What We Share with AI Services:

  • For funder matching: Your organization's mission, programs, and target populations
  • For grant writing: Relevant organizational information and funder requirements
  • For research: Funder names and your specific research questions
  • We never share: Full grant applications, donor lists, or financial details unless specifically needed for your request

Other Service Providers

In addition to AI providers, we use the following third-party services to operate Kindora:

  • PostHog (privacy policy): Product analytics and session recording (sampled at 25%) to understand feature usage and improve the platform. Logged-in users are identified by email and name.
  • Sentry (privacy policy): Error monitoring and performance tracking. We configure Sentry not to send default personal information, console breadcrumbs, or your name/email.
  • Stripe (privacy policy): Payment processing for subscriptions and credit purchases. Stripe handles all payment card data directly — we never store card numbers.
  • Resend (privacy policy): Transactional and marketing email delivery. Resend receives your email address and name to deliver messages on our behalf.

Your Control Over AI

You're always in control of AI recommendations. Match scores and funder suggestions are just that—suggestions you can accept, reject, or override. You can see why we recommended each funder and adjust your preferences anytime. You control all outreach and applications.

4. Data Security

How We Protect Your Data:

  • All data encrypted in transit (when moving) and at rest (when stored)
  • Database access restricted to authorized team members only
  • Row Level Security (RLS) ensures users can only access their own data at the database level
  • Two-factor authentication available for your account
  • Data stored in secure, SOC 2 compliant infrastructure (Supabase, USA data centers)
  • Regular backups with encryption

Our Commitment: If we ever experience a security incident affecting your data, we'll email you within 2 business days with details about what happened and what we're doing about it.

Reality Check: We're a small startup, so we rely on industry-leading security providers rather than building everything ourselves. This actually makes you safer—companies like Supabase have dedicated security teams we couldn't afford to hire.

Internal Access for Support

When you report an issue or request help, our support staff may access your account data to diagnose and resolve the problem. This access is:

  • Limited: Staff only view data directly relevant to the reported issue
  • Read-only: Support access is view-only — staff cannot modify your data, funder matches, or pipeline
  • Logged: Every support access session is recorded in our audit log, including who accessed what and when

You can request a copy of your access logs at any time by emailing privacy@kindora.co.

5. Your Rights and Control

Access Your Data: Email privacy@kindora.co to request a copy of all your data. We'll send it within 5 business days.

Correct Your Data: Update your information anytime in your account settings, or email us for help.

Delete Your Data: You can delete your account anytime from your settings. We'll remove your data within 30 days (some billing records may be retained for tax purposes).

Download Your Data: Export your funder lists, grant drafts, and organization profile anytime from your dashboard.

Questions or Concerns: Email privacy@kindora.co and you'll hear from a founder within 2 business days.

6. Data Retention

While Your Account is Active: We keep your data to provide ongoing service and improve your recommendations over time.

After Account Deletion:

  • Most data deleted within 30 days
  • Some billing records kept for 7 years (tax requirements)
  • Analytics records and aggregated reporting data may be retained to improve our service

If You Stop Paying: We'll keep your data for 90 days in case you want to reactivate, then delete it.

7. Kira AI Conversations

Kira AI is our grant writing assistant that helps you draft applications. Here's exactly what we store and for how long:

What We Store:

  • Saved Applications & Drafts: Grant applications you save are retained while your account is active, so you can reuse successful responses
  • Writing Personas: Custom writing styles you create are kept while your account is active
  • Chat Conversation Logs: Raw chat conversations with Kira AI are automatically deleted after 90 days
  • Token Usage: We track AI usage for billing purposes

Your Control:

  • Chat History Toggle: You can turn off chat history in Settings → Data & Privacy. When off, conversations are deleted after 72 hours instead of 90 days. This applies retroactively to existing conversations.
  • Account Deletion: When you delete your account, all Kira AI data (saved applications, personas, and conversation history) is permanently removed after the 30-day grace period
  • Data Export: Download a copy of your data, including Kira AI history, via Settings → Data & Privacy

What's Sent to AI Providers:

When you use Kira AI, we send relevant context to our AI partners (OpenAI, Anthropic) to generate responses. Per their business API terms:

  • Data is retained up to 30 days for abuse monitoring by the AI provider
  • Your data is never used to train their AI models
  • Data is deleted by the provider after processing

Why We Keep Saved Applications: The ability to reuse successful grant responses is one of Kira AI's most valuable features. We keep your saved applications so you can build a library of winning content over time. Raw conversation logs (the back-and-forth chat) are less valuable and are deleted after 90 days to protect your privacy.

Kindora AI Conversations:

Kindora AI is our funder research assistant that helps you explore and evaluate potential funders. Kindora AI conversations are automatically deleted after 90 days. When you delete your account or organization, all Kindora AI conversation data is permanently removed after the 30-day grace period.

8. MCP & API Access

Kindora offers a public MCP (Model Context Protocol) server that provides access to publicly available IRS 990 foundation data and open grant opportunities. This allows AI assistants like Claude to help users research funders.

What the MCP Server Does:

  • Searches and retrieves public IRS Form 990 and 990-PF data
  • Provides foundation profiles, grant histories, and giving statistics
  • Searches open grant opportunities from foundations and government sources
  • All data accessed is public records

What the MCP Server Does NOT Do:

  • Does not collect or store personal information
  • Does not access your Claude conversations or files
  • Does not store your IP address in plaintext (all identifiers are one-way hashed)
  • Does not track individual users across sessions or days
  • Does not modify any data (read-only access)

Rate Limiting:

The MCP server is rate-limited to 100 requests per hour to prevent abuse. Client identifiers are one-way hashed (SHA-256) and never stored in plaintext. Rate limit data is stored temporarily (1 hour) and used solely for enforcement.

Anonymized Usage Analytics:

We collect anonymized usage data to improve search quality and understand which tools are most useful. This includes the search queries you submit (e.g., "youth education"), tool names, result counts, and response times. All data is associated with an anonymized, daily-rotating identifier that cannot be used to identify you or track you across days.

We do not collect your IP address, conversation content (beyond the search query itself), or any personally identifiable information in our analytics. Analytics are processed by PostHog (privacy policy).

MCP Privacy Policy: For the complete MCP-specific privacy policy, see our MCP Privacy Policy on GitHub.

9. Public Records & Funder Profile Pages

Kindora displays publicly available foundation data sourced from IRS Form 990 and 990-PF filings on our funder profile pages. This may include foundation names, EINs, grant histories, geographic reach, officer names, and contact information as filed with the IRS.

Requesting Removal of Personal Information

If you are a foundation officer or individual whose personal contact information (such as a phone number, personal email address, or personal mailing address) appears on a Kindora funder profile page, you may request its removal by emailing privacy@kindora.co.

What We Will Remove

  • Personal phone numbers
  • Personal email addresses
  • Personal or residential mailing addresses

What Remains on Profile Pages

Basic foundation information derived from public IRS filings — such as the foundation name, EIN, grant history, filing data, and geographic information — will remain on our site, consistent with standard practice across nonprofit transparency platforms.

Response Time: We will process removal requests within 5 business days and confirm completion by email.

10. Public-Source Prospect Intelligence

Customers on plans that include donor / prospect research can opt to enrich their own prospect lists with Kindora's prospect intelligence pipeline. This pipeline aggregates information about individual prospects from public records and freely-licensed datasets to help fundraisers prepare informed, respectful outreach. We do not purchase prospect data from commercial wealth-screening vendors. All sources are public records or freely-licensed datasets, and every record we surface is cited back to its source.

Sources We Aggregate

  • SEC EDGAR — public filings from the U.S. Securities and Exchange Commission, including insider holdings (Forms 3/4/5), S-1 holder lists, 8-K material event filings, and Form 144 notices of proposed sale. Used to identify potential liquidity events for prospects who serve as officers or directors of publicly-traded companies.
  • LittleSis — organizational affiliations, board memberships, and family relationships from the Public Accountability Initiative's open dataset. [1]
  • Wikipedia and Wikidata — biographical summaries and structured facts (employer, board memberships, philanthropic activity) under the Creative Commons licenses each project publishes under.
  • News sources via Tavily — public news mentions of donor activity, exit announcements, and major gifts. We retrieve search results from a third-party search API; we do not crawl publishers directly.
  • The Giving Pledge — the publicly-published list of signatories.
  • Aggregated IRS Form 990 trustee data — board-member listings already disclosed for foundations on funder profile pages (Section 9), now also linked to individual prospect records when a customer's prospect appears on a foundation's 990.
  • Federal Election Commission contributor records — used in a restricted manner described below.

Why We Collect This

Prospect research helps fundraisers approach donors with genuine context — understanding a prospect's existing philanthropic interests, board commitments, and capacity — rather than relying on cold outreach. Aggregating public records into one place is a long-standing practice in the fundraising profession, and our position is that doing it transparently, with full source citation and customer opt-out, is preferable to the opaque commercial alternatives.

FEC Contributor Records — Restricted Use

Federal Election Commission contributor records are used to assess donor capacity but are never used to draft solicitation messages, in compliance with 11 CFR § 104.15. FEC data may inform internal capacity scoring and due-diligence display surfaces visible to a fundraiser, but is explicitly excluded from any AI-generated outreach copy, message brief, or solicitation draft Kindora produces.

Customer Opt-Out for Individual Prospects

Customers who do not wish to enrich a particular prospect can exclude that contact from prospect intelligence runs at any time. To request that Kindora delete an existing prospect's enrichment records, the customer admin can email privacy@kindora.co with the prospect identifier; we will purge the prospect's enrichment records within 5 business days and confirm by email.

Individual prospects who learn that a Kindora customer is researching them and wish to be excluded from future enrichment can also email privacy@kindora.co directly. We will work with the relevant customer's admin to honor the request.

No Commercial Wealth-Screening Data

We do not purchase prospect data from commercial wealth-screening vendors. All sources listed above are public records or freely-licensed datasets, and every record surfaced in a customer's prospect view links back to the original source URL.

[1] LittleSis content is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) by the Public Accountability Initiative. Where Kindora surfaces a record sourced from LittleSis, we display this attribution alongside the record.

11. Legal Stuff

Children's Privacy: Kindora isn't intended for anyone under 16. If we learn we've collected data from someone under 16, we'll delete it immediately.

International Users: If you're outside the US, your data may be processed here, but with the same protections.

Changes to This Policy: We'll email you at least 30 days before making significant changes. Minor updates will be posted on our website.

Business Changes: If Kindora is acquired, we'll notify you and ensure your privacy rights are protected under the new ownership.

Communications: We may send you helpful content about fundraising best practices, feature updates, and platform improvements. Unsubscribe from all communications: Email privacy@kindora.co or use the unsubscribe link in any email.

12. Your European & UK Privacy Rights (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the GDPR, UK GDPR, and Swiss FADP give you specific rights and place specific obligations on Kindora. This section explains them.

Our Role: Processor and Controller

For the constituent, donor, and prospect data you bring into Kindora (for example, by connecting your CRM), you are the data controller and Kindora is your data processor — we process that data only on your documented instructions to provide the Services. For your account, billing, security, and product-analytics data, Kindora acts as an independent controller. Customers acting as controllers can request our Data Processing Addendum (DPA), which incorporates the EU Standard Contractual Clauses, by emailing legal@kindora.co.

Your Rights

Subject to applicable law, you have the right to:

  • Access the personal data we hold about you
  • Rectify inaccurate or incomplete data
  • Erase your data (the 'right to be forgotten')
  • Restrict or object to certain processing
  • Receive your data in a portable, machine-readable format
  • Withdraw consent at any time, where processing is based on consent
  • Lodge a complaint with your local supervisory authority

Legal Bases for Processing

We process personal data under one or more of: performance of a contract (to deliver the Services), legitimate interests (to operate, secure, and improve the Services, balanced against your rights), consent (e.g., marketing email, which you can withdraw at any time), and legal obligation (e.g., retaining billing records).

International Data Transfers

Kindora is based in the United States, and your data is processed and stored primarily in the U.S. When we transfer personal data from the EEA, UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (together with the UK International Data Transfer Addendum and the Swiss adaptation), plus technical safeguards such as encryption in transit and at rest.

Sub-processors

We engage vetted sub-processors to help deliver the Services, each under a data processing agreement with protections no less strict than our own. Our current sub-processors are: Supabase, Microsoft Azure, and Vercel (infrastructure); Anthropic, OpenAI, Perplexity, and Cohere (AI); Tavily, Apify, Firecrawl, OutScraper, Enrich Layer, Tomba, and Decodo (research and enrichment); Stripe (payments); Resend and MailerLite (email); and PostHog and Sentry (analytics and monitoring). We give at least 30 days' notice before adding or replacing a sub-processor; the current sub-processor list is public, and you can also request a copy from privacy@kindora.co.

How to Exercise Your Rights

To exercise any of these rights, email privacy@kindora.co. We will respond within 30 days (extendable where permitted by law). If you are in the EEA or UK and we have not yet listed an Article 27 representative here, you may contact us directly at the same address; we are appointing a representative and will publish their details on this page.

13. Contact Us

Privacy Questions: privacy@kindora.co

General Support: support@kindora.co

Security Issues: security@kindora.co

Our Promise: You'll hear back from a real person (likely a founder) within 2 business days. We're a small team, but we're responsive and we care about getting this right.

About This Policy: We wrote this to be clear and honest about how we handle your data. We're not lawyers, but we worked with legal experts to ensure we're compliant with privacy laws while staying true to our mission of democratizing access to funding.

Last Updated: May 22, 2026

Questions? Just email us. We'd rather over-communicate than leave you wondering.

Kindora is a Public Benefit Corporation committed to democratizing philanthropic giving to under-resourced mission-driven organizations. Your privacy is essential to that mission.