EVENT DONATIONS APP Privacy Policy

Last updated: May 13, 2026

1. Introduction

This Privacy Policy (this “Policy”) explains how Lepta Payment Solutions Limited (“Lepta,” “we,” “us,” or “our”) collects, uses, stores, and shares personal data in connection with the Event Donations mobile app (the “App”). The App enables authorized volunteers to collect donations on behalf of designated legal entities using Tap-to-Pay technology.

This Policy applies to two categories of individuals:

  • Volunteers: individuals authorized by a legal entity to use the App to collect donations; and
  • Donors: individuals who make donations through the App.

Payment processing is provided by Stripe, Inc. (“Stripe”). Stripe’s processing of your personal data is governed by Stripe’s Privacy Policy, available at stripe.com/privacy. The legal entity receiving your donation may also have its own privacy policy, which will be made available to you at the point of donation.

2. Who is responsible for your data?

Depending on the activity, different parties are responsible for your personal data:

  • The legal entity (data controller): The organization receiving the donation is the data controller for the donation transaction flow, including the collection and processing of donor personal data for the purposes of receiving donations and issuing tax receipts. The legal entity instructs Lepta to collect and transmit this data on its behalf.
  • Lepta as data processor: For the core donation transaction flow—including the collection and transmission of donor personal data via the App, and the transfer of transaction records to the legal entity’s systems—Lepta acts as a data processor on behalf of the legal entity. Lepta processes this data only on the legal entity’s documented instructions.
  • Lepta as data controller: Lepta determines the purposes and means of processing for a limited set of internal activities: the operation, security and maintenance of the Lepta platform (including server logs and incident response), administration of admin user accounts, selection and management of Lepta’s own service providers, and compliance with Lepta’s own legal obligations. Lepta does not act as a data controller for fraud monitoring, anti-money-laundering screening, or analytics across the data of multiple legal entities.
  • Stripe: Stripe processes payment card data and donor personal data in its capacity as an independent payment service provider. Stripe is not a sub-processor of Lepta. Stripe’s role and obligations are governed by Stripe’s Privacy Policy and its agreements with Lepta. Stripe is self-certified under the EU–U.S. Data Privacy Framework.
  • Google: Where the App uses the Google Places API for address autocomplete, the App sends the donor’s partial address query and device location data to Lepta’s server, which forwards the request to Google. Google acts as a sub-processor of Lepta for this purpose. Google, LLC is self-certified under the EU–U.S. Data Privacy Framework. Google’s processing is governed by Google’s Privacy Policy.

3. What personal data we collect

3.1 Volunteer data

When you sign in to the App with an authorization code, we collect:

  • Your name (first and last)
  • Your email address

This data is stored in encrypted secure storage on your device and is cleared when you sign out. It is also transmitted to Stripe in connection with payment processing.

If you download the App but do not enter an authorization code, no personal data about you is collected, stored, or transmitted by the App or by Lepta.

3.2 Donor data

When a donor makes a donation through the App, the following data may be collected, depending on the session configuration:

  • Email address (used for delivery of donation receipts)
  • Name (first and last)
  • Mailing address (street address, city, state/province, postal/zip code, country)—collected only in jurisdictions where required by law for the issuance of a tax receipt

This donor data is transmitted directly to Stripe’s servers via the Stripe API. It is not written to or stored in Lepta’s own database or the App’s portal.

3.3 Payment card data

Payment card data (card number, expiry, CVC) is handled entirely by the Stripe SDK integrated into the App. Lepta does not have access to, process, or store payment card data at any point.

3.4 Device location data

After you enter an authorization code and begin the Tap-to-Pay onboarding process, the App requests permission to access your device’s precise location. This is required for two purposes:

  • Stripe Terminal SDK requirement: Stripe requires confirmation of the device’s precise location to verify that Tap-to-Pay is being used in an approved country. This is a mandatory prerequisite of the Stripe Terminal SDK, without which the App cannot initialize or accept payments.
  • Address autocomplete: The App uses the Google Places API to provide high-quality address autocomplete results when a donor is entering their mailing address. Device location data is used to improve the relevance of these suggestions.

Location data is not stored by Lepta in the App’s portal or database.

3.5 Data not collected

The App does not collect, use, or transmit:

  • Advertising identifiers (IDFA or GAID)
  • Crash data, performance data, or diagnostic telemetry (no crash reporting or performance monitoring SDKs are included in the App)
  • Cross-app or cross-site tracking data
  • Biometric data (including facial recognition data)

The App uses a local-only logging library for development diagnostics. In production builds, only informational-level messages are logged, and these logs remain on the device and are never transmitted to any server.

4. How we use your personal data

Purpose Data used Legal basis (GDPR) Retention
Volunteer onboarding and authentication Volunteer name, email, authorization code Legitimate interest (Art. 6(1)(f))—necessary to operate the donation collection service On device: until sign-out.
In Stripe: per Stripe’s Retention Policy
Processing donations Donor name, email, payment card data (via Stripe SDK), donation amount Performance of contract (Art. 6(1)(b))—necessary to process the donation transaction Stripe: per Stripe’s Retention Policy.
Legal entity: per its financial record-keeping obligations
Issuing tax receipts Donor name, email, mailing address Legal obligation (Art. 6(1)(c))—required by domestic tax law in specified jurisdictions Legal entity: per applicable tax record retention requirements
Issuing tax receipts Donor name, email, mailing address Legal obligation (Art. 6(1)(c))—required by domestic tax law in specified jurisdictions Legal entity: per applicable tax record retention requirements
Tap-to-Pay country verification Device precise location Legitimate interest (Art. 6(1)(c),(f))—necessary to comply with Stripe Terminal SDK requirements and payment network rules; and to determine if it is being used in an approved country Not stored
Address autocomplete Device location Legitimate interest (Art. 6(1)(f))—improving accuracy of address entry for donors Not stored
Server operation IP addresses, user-agent strings, URL parameters (standard server logs) Legitimate interest (Art. 6(1)(f))—security and system integrity Transient; 60days
Religious context Where the legal entity is a religious association, donation data may in context reveal the donor’s religious or philosophical beliefs (Art. 9(1) GDPR) Art. 9(2)(d)—processing carried out in the course of legitimate activities of a religious association, with appropriate safeguards. The legal entity warrants reliance on this condition. Per the retention periods above

Where the App offers donors the option to receive a donation receipt or letter of appreciation, this is based on the donor’s freely given consent. The consent mechanism operates as follows:

  • The opt-in is presented as a separate, clearly labelled toggle or checkbox that is off by default.
  • The donation itself is not conditional on opting in—a donor may complete the donation without consenting to receiving a receipt or letter.
  • The donor is informed, at the point of opting in, that their contact details (name, email, and where applicable, mailing address) will be shared with the legal entity receiving the donation for the purpose of issuing the receipt or letter.
  • Consent may be withdrawn at any time by contacting Lepta or the legal entity (see Section 9 below).

6. Where your data is stored and who it is shared with

Lepta does not maintain its own database of donor personal data. The data flows as follows:

  • On the device: Volunteer name and email are stored in encrypted secure storage on the device and cleared on sign-out.
  • Stripe: Donor name, email, mailing address (where collected), and payment data are held on Stripe’s servers. Stripe is a PCI DSS Level 1 certified payment service provider. Stripe’s data retention, security measures, and privacy practices are governed by Stripe’s Privacy Policy (stripe.com/privacy). Stripe is self-certified under the EU–U.S. Data Privacy Framework.
  • The legal entity: Transaction data required for the legal entity’s financial records is transferred from Stripe to the legal entity’s IT system. This mirrors the existing data flow used for donate.jw.org.
  • Watchtower Bible and Tract Society of New York, Inc. (“WTNY”): WTNY provides Lepta’s wider IT environment under an IT Service Agreement, including the HuB enterprise resource planning system, Microsoft 365/SharePoint Online (Lepta’s Client Resources platform), Microsoft Azure cloud services, Microsoft Power BI, Microsoft Exchange (email), backup services, and domain hosting, all from the United States. WTNY acts as Lepta’s processor and sub-processor and processes personal data only on Lepta’s documented instructions. WTNY’s onward sub-processor for the Microsoft 365/SharePoint Online/Azure/Power BI/Exchange layer is Microsoft Ireland Operations Limited, which in turn relies on Microsoft Corporation (US, DPF-certified) for service delivery. WTNY itself is not certified under the EU–U.S. Data Privacy Framework; appropriate safeguards for the Lepta-to-WTNY transfer are described in Section 7 below. Donor and volunteer personal data submitted through the App is not transmitted to WTNY by Lepta: per the App data flow, donor and volunteer data is sent from the App to the Lepta Portal (hosted on Amazon Web Services, Inc in the United States) and from there to Stripe, which is the system of record.
  • Amazon Web Services, Inc. (server logs, United States—sub-processor): The App’s backend is hosted on Amazon Web Services, Inc. (“AWS”) in the United States (us-east-1 region). AWS is self-certified under the EU–U.S. Data Privacy Framework. Standard server request logs may transiently contain data such as IP addresses, user-agent strings, and URL parameters. These logs are retained for 60 days and then deleted.
  • Google (address autocomplete): When a donor enters a mailing address, the App uses the Google Places API to provide autocomplete suggestions. Google’s processing of this data is governed by Google’s Privacy Policy. Google, LLC is self-certified under the EU–U.S. Data Privacy Framework.

Lepta’s portal (admin dashboard) does not store donor PII in its own database. The admin dashboard renders payment and donation data via Stripe’s Embedded Payments interface, pulling data directly from Stripe in real time.

The only personal data stored in the portal’s own database consists of admin user accounts (name, email, hashed password) for the representatives of legal entities who manage the system. These are not donor records.

A complete list of Lepta’s sub-processors is available at lepta.io/resources.

7. International data transfers

Your personal data may be transferred to and processed in countries outside your country of residence, including the United States. Where such transfers involve personal data originating in the European Economic Area (EEA), the United Kingdom, or Switzerland, appropriate safeguards are in place. The full details of the transfer mechanisms are set out in the Lepta Data Transfers Addendum, available at leptapay.com/legal/dta. A summary of the safeguards for each transfer is provided below.

  • Stripe (United States—independent controller): Stripe is self-certified under the EU–U.S. Data Privacy Framework (DPF) and the UK Extension to the DPF. The European Commission’s adequacy decision (Implementing Decision (EU) 2023/1795 of 10 July 2023) applies to transfers of personal data to Stripe. Lepta monitors Stripe’s DPF certification status.
  • WTNY (United States—sub-processor): WTNY is not certified under the Data Privacy Framework. Transfers of personal data from Lepta to WTNY are protected by the EU Standard Contractual Clauses (Module 2: Controller to Processor, where Lepta acts as controller; Module 3: Processor to Processor, where Lepta acts as processor) approved by the European Commission and incorporated into the IT Service Agreement between Lepta and WTNY. The Standard Contractual Clauses are accompanied by Additional Safeguards Addenda providing supplementary measures, including encryption of personal data in transit and at rest, contractual commitments to redirect requests, to resist and challenge government access requests under US surveillance law, to notify Lepta of any binding legal demands for personal data (subject to applicable legal restrictions), and to disclose only the minimum amount of personal data required to satisfy any unavoidable order. WTNY’s onward sub-processor for the Microsoft 365/SharePoint Online/Azure/Power BI/ Exchange services is Microsoft Ireland Operations Limited (Ireland), contracted under the Microsoft Customer Agreement; Microsoft Ireland Operations Limited in turn relies on Microsoft Corporation (United States, self-certified under the EU–U.S. Data Privacy Framework), which provides the underlying service from Microsoft data centres in the United States.
  • Google (United States—sub-processor): Google, LLC is self-certified under the EU–U.S. Data Privacy Framework. The adequacy decision applies to transfers to Google as a DPF-certified sub-processor for the Google Places API.
  • AWS (United States—sub-processor): Lepta’s backend is hosted on AWS in the United States (us-east-1 region). AWS is self-certified under the EU–U.S. Data Privacy Framework. The adequacy decision applies to transfers to AWS as a DPF-certified sub-processor.
  • Transfers to the legal entity’s HuB instance: Transaction data is transferred from Stripe to the legal entity’s instance of the HuB system. The transfer mechanism for this leg depends on the location of each legal entity and is covered by the legal entity’s own data processing arrangements.

Lepta is established in Ireland (EEA) and is not itself eligible for certification under the Data Privacy Framework, which is available only to U.S. based organisations. Lepta relies on the EU SCCs and supplementary measures (for non-DPF-certified US recipients) and the DPF adequacy decision (for DPF-certified US recipients) as the lawful mechanisms for Restricted Transfers.

8. Data retention

Lepta retains personal data only as long as necessary for the purposes described in this Privacy Policy:

Data category Storage location Retention period
Volunteer name and email Device (encrypted) Until sign-out
Volunteer name and email Stripe Per Stripe’s Retention Policy
Donor name, email, address Stripe Per Stripe’s Retention Policy (retained as long as services continue, plus any period required by applicable law)
Donor transaction data Legal entity (HuB) Per the legal entity’s financial record-keeping obligations under applicable law
Payment card data Stripe (exclusively) Per Stripe’s retention policy and PCI DSS requirements
Device location Not stored Not applicable—used in real time only
Server logs (IP, user-agent) AWS 60 days
Lepta IT environment data (HuB ERP, Microsoft 365/ SharePoint Client Resources, file/print/email/backup) WTNY (processor/sub-processor) Per Lepta’s retention instructions and Section 9.3 of the HuB Terms and Conditions, which provides for return of Client Data in a structured, commonly used, machine-readable format, and post termination assistance for a minimum of 90 days.

9. Your rights

Depending on your location, you may have the following rights in relation to your personal data:

  • Right of access: You have the right to request a copy of the personal data we hold about you.
  • Right to rectification: You have the right to request correction of inaccurate or incomplete personal data.
  • Right to erasure: You have the right to request deletion of your personal data, subject to any legal obligations requiring its retention.
  • Right to restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to data portability: Where processing is based on your consent or the performance of a contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object: Where processing is based on legitimate interests, you have the right to object to such processing. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Right to withdraw consent: Where processing is based on consent (such as the receipt opt-in), you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Because donor personal data is processed and stored by Stripe and, where applicable, by the legal entity that received the donation, requests to exercise rights such as access, rectification, erasure, or portability of donor data may need to be coordinated with Stripe and/or the relevant legal entity. We will assist in facilitating such requests.

For volunteer data stored locally on your device, you may delete this data at any time by signing out of the App.

10. Children’s data

The App is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without parental authorisation, as required by Article 8 General Data Protection Regulation. Donations made by minors (persons under 18 or the age of majority in their jurisdiction) may be refunded at the request of a parent or guardian by contacting the legal entity that received the donation. A parent or guardian may exercise data subject rights on behalf of a child by contacting Lepta using the details in Section 12. If you believe that a child has provided personal data through the App without appropriate authorisation, please contact us and we will take steps to delete such data.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App or by other appropriate means before the changes take effect. The “Last updated” date at the top of this policy indicates when it was most recently revised.

12. Contact us

If you have questions about this Privacy Policy, wish to exercise your data subject rights, or have a complaint, please contact:

Lepta Payment Solutions Limited
Watch Tower House, Blackditch, Newcastle, Co. Wicklow, A63 RF61 Ireland
[email protected]
Data Protection Officer / Privacy Contact: Daniel Melinder

Lepta’s lead supervisory authority is the Data Protection Commission of Ireland.

You also have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement.

Picture of an arrow icon pointing up