Privacy Policy
Instrumento.io — Impact Measurement Platform for Nonprofits
Effective date: January 1, 2025 · Version 1.0.0
Template notice: This document is a template and must be reviewed by qualified legal counsel before publication. See .docs/legal/README.md
1. Introduction
Instrumento.io ("we," "us," or "our") operates the Instrumento.io impact measurement platform. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you use our Service, and describes your rights under applicable privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and the Brazilian Lei Geral de Proteção de Dados (LGPD).
2. Data Controller
For users in the European Economic Area, the United Kingdom, and Switzerland, Instrumento.io acts as the data controller for account and usage data, and as a data processor for the program data you upload on behalf of your organization. Our contact for data protection matters is:
Data Protection Contact
Email: [email protected]
Website: instrumento.io/legal/privacy
3. Data We Collect
3.1 Categories of Personal Data
| Category | Examples | Lawful Basis (GDPR) | Retention |
|---|---|---|---|
| Account data | Name, email address, password hash, profile photo | Contract (Art. 6(1)(b)) | Duration of account + 30 days |
| Organization data | Organization name, type, country, program descriptions | Contract (Art. 6(1)(b)) | Duration of subscription + 30 days |
| Program data | Beneficiary records, survey responses, attendance logs | Contract / Legitimate interest (Art. 6(1)(b)(f)) | As configured by Customer; default 7 years |
| Usage data | IP address, browser type, pages visited, feature usage | Legitimate interest (Art. 6(1)(f)) | 12 months |
| Payment data | Billing name, last 4 digits of card, billing address | Contract (Art. 6(1)(b)) | 7 years (tax law) |
| Communications | Support emails, feedback, survey responses | Legitimate interest (Art. 6(1)(f)) | 3 years |
| Cookie data | Session cookies, analytics cookies, preference cookies | Consent (Art. 6(1)(a)) | See Cookie Policy |
3.2 Special Categories
We do not intentionally collect special categories of personal data (health data, racial or ethnic origin, political opinions, etc.) unless you explicitly provide such data as part of your program data. If you do, you are responsible for ensuring you have a valid lawful basis under Art. 9 GDPR.
3.3 Data from Third Parties
We may receive data about you from:
- Google OAuth: name, email address, and profile photo if you sign in with Google.
- Stripe: payment confirmation and billing details.
- Analytics providers: aggregated usage statistics.
4. How We Use Your Data
We use personal data for the following purposes:
- Providing the Service: creating and managing your account, processing payments, delivering features.
- Improving the Service: analyzing usage patterns, fixing bugs, developing new features.
- Communications: sending transactional emails (receipts, password resets, notifications), product updates, and marketing communications (with consent where required).
- Security: detecting and preventing fraud, abuse, and unauthorized access.
- Legal compliance: meeting our obligations under applicable law.
- AI features: where you use AI-powered features, your data may be processed by our AI subprocessors (see Subprocessor List). We do not use your program data to train AI models without your explicit consent.
5. Data Sharing and Disclosure
We do not sell your personal data. We share data only in the following circumstances:
| Recipient | Purpose | Transfer Mechanism |
|---|---|---|
| Subprocessors (see full list at /legal/subprocessors) | Service delivery | DPA + SCCs / adequacy decision |
| Law enforcement | Legal obligation | Required by law |
| Business transfers | Merger, acquisition, or asset sale | Legitimate interest; notice provided |
| With your consent | Any other purpose | Explicit consent |
6. International Data Transfers
We are headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to and processed in the United States and other countries. We rely on the following transfer mechanisms:
- Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to subprocessors.
- UK International Data Transfer Agreements (IDTAs) for UK transfers.
- Adequacy decisions where applicable.
7. Data Security
We implement commercially reasonable technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Access controls and role-based permissions.
- Regular security assessments and penetration testing.
- Incident response procedures with 72-hour breach notification to supervisory authorities where required.
No system is completely secure. If you believe your account has been compromised, contact us immediately at [email protected].
8. Your Rights
8.1 GDPR Rights (EEA, UK, Switzerland)
| Right | Description | How to Exercise |
|---|---|---|
| Access (Art. 15) | Obtain a copy of your personal data | Settings → Privacy → Export Data, or email [email protected] |
| Rectification (Art. 16) | Correct inaccurate data | Settings → Profile, or email [email protected] |
| Erasure (Art. 17) | Request deletion of your data | Settings → Privacy → Delete Account, or email [email protected] |
| Restriction (Art. 18) | Restrict processing of your data | Email [email protected] |
| Portability (Art. 20) | Receive your data in a machine-readable format | Settings → Privacy → Export Data |
| Object (Art. 21) | Object to processing based on legitimate interest | Email [email protected] |
| Withdraw consent | Withdraw consent at any time | Cookie settings or email [email protected] |
We will respond to requests within 30 days. You also have the right to lodge a complaint with your local supervisory authority.
8.2 CCPA/CPRA Rights (California Residents)
California residents have the right to:
- Know what personal information we collect, use, disclose, and sell.
- Delete personal information we hold about you.
- Correct inaccurate personal information.
- Opt out of the sale or sharing of personal information (we do not sell personal information).
- Non-discrimination for exercising your rights.
To exercise these rights, contact us at [email protected] or use the in-app Data Subject Request form at /privacy/dsr.
8.3 LGPD Rights (Brazil)
Brazilian residents have rights equivalent to those listed under GDPR above, exercisable via the same channels.
9. Cookies
We use cookies and similar tracking technologies as described in our Cookie Policy at instrumento.io/legal/cookies.
10. Children's Privacy
The Service is not directed to children under 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us at [email protected].
11. Changes to This Policy
We will notify you of material changes to this Privacy Policy via email or in-app notification at least 30 days before the changes take effect. The "effective date" at the top of this document indicates when the current version took effect.
12. Contact Us
Instrumento.io
Email: [email protected]
Data Subject Requests: instrumento.io/privacy/dsr
Website: instrumento.io