Privacy Policy

Last updated: 3 July 2026

Plain-language summary: We collect only what's needed to run the platform. We never sell your data. You can export or delete your data at any time from your dashboard.

1. Who we are

AllForAll ("we", "our", "us") operates the crisis coordination platform at alfforall.help. Contact us at hello@alfforall.help.

2. What data we collect

Account information — your name, email address, role, organisation, and location (optional).

Profile data — for providers: skills, credentials, LinkedIn URL, licence number.

Activity data — applications, donations, help requests you post, deployments.

Technical data — IP address at time of registration (for consent records), and standard server logs.

We do not collect payment card data. Monetary donations are tracked by status only; payment processing is handled by the recipient organisation.

3. How we use your data

To operate the platform — matching providers with needs, processing donations, sending impact receipts.

To send transactional emails — account verification, password resets, volunteer application confirmations (including a summary of what you offered and which organisations were notified), donation receipts, and 7-day impact updates. All such emails carry the AllForAll logo and a legal footer with links to this policy and our Terms of Use.

To ensure platform integrity — detecting abuse and rate-limiting suspicious activity.

We do not use your data for advertising, profiling, or selling to third parties.

4. Legal basis (GDPR)

Consent — you agreed to this policy at registration. You can withdraw consent by deleting your account.

Contractual necessity — processing needed to provide the service you signed up for.

Legitimate interest — security logging to prevent fraud and protect other users.

5. Data sharing

We share your data only with:

  • Receiving organisations — when you donate or volunteer, your name, email address, and the details of your offer are shared with the relevant humanitarian organisations so they can coordinate with you directly. AllForAll is not a party to that coordination.
  • Resend (email delivery) — used to send transactional emails. Data is not used for marketing.
  • Anthropic Claude API — used for AI crisis analysis. No personal data is included in AI prompts.
  • Law enforcement — only when legally required.

6. Data retention

Account data is retained while your account is active. On deletion, personal identifiers are erased and replaced with anonymised placeholders. Donation and audit records are retained for 7 years for financial compliance.

7. Your rights

Under GDPR you have the right to: access your data, correct inaccuracies, request deletion, portability, and object to processing.

Exercise your rights from your dashboard settings, or email hello@alfforall.help.

8. Cookies

We use only a single session cookie for authentication (JWT). No tracking or advertising cookies.

9. Security

Passwords are stored using bcrypt. Data in transit is encrypted with TLS. Authentication tokens expire after 24 hours. Accounts are locked after 5 failed login attempts.

To report a security vulnerability, see our security.txt.

10. Changes

We will email registered users and update the "Last updated" date above if we make material changes to this policy.