Privacy Policy

Version 1.0 | Effective April 21, 2026

BenefitsSafe ("BenefitsSafe," "we," "us," or "our") 1969 Harrington Ave, Oakland, CA 94601

1. Executive Summary

BenefitsSafe is a software platform that helps US nonprofits disburse restricted grant funds to people who rely on SSI, SSDI, Medi-Cal, CalFresh, and ABLE benefits — without putting those benefits at risk. To do this, we collect information about three groups of people: the nonprofit staff who use the platform, the beneficiaries whose expenses are being paid, and the vendors who get paid. We take privacy seriously because the people we serve are often in vulnerable financial situations, and a data leak could cost them their benefits. This policy explains, in plain language, exactly what we collect, why we collect it, how long we keep it, who we share it with, and how you can control it.

You can always contact us at privacy@benefitssafe.com with questions, corrections, or requests.

2. Definitions

• BenefitsSafe — the online platform located at app.benefitssafe.com and associated services operated by BenefitsSafe.
• Nonprofit — the 501(c)(3) organization that has a paid subscription and is using BenefitsSafe to manage grant disbursement.
• Beneficiary — an individual person who receives goods or services paid for through a Nonprofit's grant on BenefitsSafe.
• Vendor — a merchant or service provider that accepts payment from a BenefitsSafe virtual card.
• Personal Data — any information that identifies or can reasonably be linked to a specific individual (name, address, Social Security Number, benefit enrollment status, transaction history, etc.).
• Processing — any operation performed on Personal Data: collecting, recording, storing, using, sharing, or deleting it.
• Breach — unauthorized access to, use of, or disclosure of Personal Data.
• Subprocessor — a third-party service we use to help operate the platform (e.g., Stripe, AWS).

3. Information We Collect

We collect four categories of information.

3.1 Nonprofit Organization Data

When your organization signs up and uses BenefitsSafe, we collect:

• Organization legal name, trade name, and mailing address
• Employer Identification Number (EIN)
• 501(c)(3) determination status
• Primary contact information for the account owner and authorized staff
• Bank-account information collected via Stripe Connect for ACH and payout setup; we do not store full account or routing numbers ourselves
• Stripe Connect account ID and associated business-verification data (collected directly by Stripe)
• Grant program details, funder names, and restriction rules you configure

3.2 Beneficiary Personal Data

For each Beneficiary your Nonprofit enrolls, we collect:

• Full legal name and preferred name
• Date of birth
• Mailing address
• Last 4 digits of Social Security Number (full SSN only when required for Stripe Issuing cardholder verification, and never displayed back after submission)
• Benefit program enrollment: SSI, SSDI, Medi-Cal, CalFresh, ABLE, IHSS, and similar federal/state programs
• Declared income and asset information relevant to benefit eligibility rules
• Phone number and email (optional, used only for notifications you authorize)

We collect SSN and benefit-enrollment data only because Stripe Issuing (our card issuer) requires legally compliant Know-Your-Customer verification, and because our compliance engine needs benefit-program context to flag expenses that could cause a benefits violation. We do not sell, rent, or share this information with advertisers.

3.3 Transaction and Financial Data

For every card transaction, expense request, and ledger entry, we record:

• Amount, currency, merchant name, Merchant Category Code (MCC), timestamp, and approval status
• Virtual card identifier (tokenized by Stripe — we never see full card numbers)
• Grant, budget category, and risk classification (LIKELY_SAFE, NEEDS_REVIEW, LIKELY_RISKY, BLOCKED)
• Approver identity and approval notes
• Decline reason (if applicable)
• OFAC screening results (pass/fail and timestamp; we do not store the underlying sanctions-list content)

3.4 Technical and Usage Data

When you use the platform, we automatically collect:

• IP address and approximate geographic region
• Device type, browser, operating system, and language
• Pages visited, features used, buttons clicked, session duration
• Error reports and performance traces (via Sentry)
• Authentication events (login, logout, failed password attempts, MFA activity)
• Session fingerprints (a hashed combination of IP + user agent, used to detect session-cookie theft)

We do not use third-party behavioral-advertising trackers. We do not sell usage data to ad networks.

4. How We Use Your Information

Every use of your data falls into one of the categories below. Where GDPR applies, we also identify the lawful basis for each use under Article 6.

We do not use Beneficiary Personal Data to:

• Train machine-learning models without explicit Nonprofit authorization.
• Sell, rent, or license data to data brokers or advertisers.
• Make automated decisions that have a legal or similarly significant effect on a Beneficiary without human review (GDPR Art. 22 / CPRA §1798.185(a)(16)).

5. Data Retention

We keep data only as long as we need it, and then we delete it. The schedule below is the maximum retention period; we delete sooner if you request it and no legal obligation requires us to keep it.

Once a retention period ends, we delete the primary record within 30 days and the backup copy within the next backup-rotation cycle. Deletion is permanent — we do not retain "shadow" copies.

6. Who We Share Data With

We share data only with the subprocessors below, only for the purpose described, and only under written data-processing terms that require them to protect your data at least as well as we do.

OFAC sanctions screening is performed by calling the US Department of the Treasury's public SDN search API directly; the Treasury is not a commercial subprocessor and no Personal Data leaves our application in a form that could be re-identified (we send first name + last name for the screen).

Official sanctions reference: ofac.treasury.gov

We do not share your data with:

• Advertising networks
• Data brokers
• Credit bureaus (we do not run credit checks on Beneficiaries)
• Government agencies, except when required by subpoena, court order, or other lawful process; in those cases, where legally permitted, we will notify the affected Nonprofit before producing the records.

We may share aggregated, de-identified data (e.g., "nonprofits on average disburse $X in Y category") that cannot reasonably be linked back to any individual.

7. Your Privacy Rights

7.1 If You Are in the European Economic Area, UK, or Switzerland (GDPR)

Under the General Data Protection Regulation, you have the right to:

• Access (Art. 15) — Request a copy of the Personal Data we hold about you.
• Rectification (Art. 16) — Correct inaccurate or incomplete data.
• Erasure / "Right to be forgotten" (Art. 17) — Request deletion, subject to legal retention obligations (e.g., IRS 7-year rule).
• Restriction of processing (Art. 18) — Ask us to pause processing in specific circumstances.
• Data portability (Art. 20) — Receive your data in a structured, machine-readable format (we provide JSON and CSV exports).
• Object to processing (Art. 21) — Object to processing based on legitimate interest.
• Not be subject to solely automated decisions (Art. 22) — Our compliance classifier flags expenses but does not automatically approve or reject them without human review.
• Withdraw consent (Art. 7) — Withdraw consent for any processing based on consent, at any time.
• Lodge a complaint with your national Data Protection Authority.

To exercise these rights, email privacy@benefitssafe.com. We respond within 30 days (extendable by 60 days for complex requests with notice).

If you are a Beneficiary and your rights request affects data your Nonprofit controls, we may route the request to them as the Data Controller.

7.2 If You Are a California Resident (CCPA / CPRA)

Under the California Consumer Privacy Act (as amended by the California Privacy Rights Act), you have the right to:

• Know what categories of Personal Information we collect, the sources, the purposes, and the categories of third parties we share with.
• Access the specific pieces of Personal Information we have about you.
• Delete your Personal Information, subject to legal-retention exceptions.
• Correct inaccurate Personal Information.
• Opt out of "sale" or "sharing" of Personal Information. We do not sell or share your Personal Information as those terms are defined under the CCPA. Because we do not sell or share, we do not display a "Do Not Sell or Share My Personal Information" link — there is nothing to opt out of.
• Limit use of Sensitive Personal Information — Sensitive Personal Information under CCPA includes SSN and benefit-enrollment status. We use this data only for the purposes identified in Section 4 (e.g., card issuance, compliance), which are permitted uses under CCPA §1798.121(a). You may still submit a request to limit; we will honor it to the extent legally possible.
• Non-discrimination — We will not deny service, charge different prices, or provide a different level of service because you exercised a CCPA right.
• Authorized agent — You may designate someone else to submit a request on your behalf (we will verify their authorization).

To submit a CCPA request, email privacy@benefitssafe.com with the subject line "CCPA Request," or use the privacy request form in your account settings at app.benefitssafe.com. Because BenefitsSafe operates exclusively online and has a direct relationship with account holders, email is an accepted request channel under CCPA §1798.130(a)(1)(A). We verify requests by confirming the email we already have on file, or by matching at least two other data points. We respond within 45 days (extendable by 45 days with notice).

Categories of Personal Information collected in the past 12 months (CCPA §1798.110 disclosure):

7.3 All Other Users

If you are located outside the EEA/UK/Switzerland and are not a California resident, you still have the rights to access, correct, and delete your data by contacting privacy@benefitssafe.com. We respond to all reasonable requests within 30 days.

8. International Data Transfers

BenefitsSafe is operated in the United States. If you access the platform from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with a cross-border transfer regime, your data will be transferred to and processed in the United States.

For EU, UK, and Swiss data, we rely on the following transfer mechanisms:

• The EU-US Data Privacy Framework (and UK/Swiss extensions), where our US subprocessors are self-certified (Stripe, AWS, and certain others are certified; their certification status is listed at dataprivacyframework.gov).
• Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers to subprocessors that are not DPF-certified. Copies are available on request.
• Additional safeguards where required: encryption in transit (TLS 1.2+), encryption at rest (AES-256 via AWS KMS), and contractual audit and security obligations.

We do not transfer data to jurisdictions subject to US sanctions or embargoes.

9. Cookies and Similar Technologies

BenefitsSafe uses only the minimum cookies and similar technologies required to operate the platform securely. We do not use third-party advertising cookies.

All authentication cookies use HttpOnly, Secure, SameSite=Lax, and, in production, the __Secure- or __Host- cookie name prefix.

Because all cookies we set are strictly necessary or security-related, a cookie consent banner is not required under the ePrivacy Directive's "strictly necessary" exemption. If we later add analytics or marketing cookies, we will introduce a consent banner and update this policy.

10. Data Security

We apply the following technical and organizational measures:

• Encryption in transit: TLS 1.2 or higher for every connection, enforced via HSTS with a two-year max-age and preload-list enrollment.
• Encryption at rest: AES-256 via AWS KMS for all databases, backups, and object storage.
• Access controls: Role-based access control in the application (12 distinct roles), multi-factor authentication for BenefitsSafe staff, principle of least privilege on AWS IAM.
• Audit logging: Immutable AuditLog table records every data mutation with actor, timestamp, and before/after values. Retained for 2 years.
• Session security: 1-hour session expiry, session fingerprinting, session-cookie theft detection, rate limiting on authentication endpoints.
• Input validation: All inputs validated with Zod schemas before reaching the database; all database queries parameterized via Prisma ORM to prevent SQL injection.
• Content Security Policy: Restrictive CSP including frame-ancestors 'none'; additional security headers (Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy).
• Sanctions screening: OFAC screening on Beneficiary onboarding and periodically thereafter, with fail-closed enforcement at card-authorization time.
• Payment data: We never store full card numbers, CVVs, or full bank account numbers. Stripe stores card data under its PCI-DSS Level 1 certification; Plaid tokenizes bank credentials.

We align with the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and are actively working toward SOC 2 Type 2 certification. SOC 2 status will be published at benefitssafe.com/security when complete.

No system is perfectly secure. If you discover a vulnerability, email security@benefitssafe.com. We respond to verified reports within 48 hours and do not pursue legal action against good-faith security researchers.

11. Data Breach Notification

If we determine that a Breach has occurred and it is likely to result in risk to affected individuals, we will:

• Notify the affected Nonprofit within 24 hours of confirmation, consistent with our Data Processing Agreement.
• Notify affected individuals as required by applicable law — California Civil Code §1798.82 requires "the most expedient time possible and without unreasonable delay"; GDPR Art. 34 requires notification without undue delay when there is high risk to rights and freedoms.
• Notify supervisory authorities within 72 hours where required (GDPR Art. 33; various US state attorneys general under state breach-notification laws).
• Provide, at minimum: the nature of the Breach, the categories and approximate number of individuals affected, the likely consequences, and the measures we have taken or will take.

Nonprofits are responsible for notifying Beneficiaries whose data is affected; BenefitsSafe will provide a draft notice and cooperate on remediation.

12. Children's Privacy (COPPA)

BenefitsSafe is not designed for or directed to children under 13, and we do not knowingly collect Personal Information from anyone under 13. Beneficiaries enrolled by a Nonprofit must be at least 13 years old to receive a virtual card (and card issuance via Stripe Issuing has higher age requirements that Stripe enforces). If you believe a child under 13 has submitted Personal Information to us, email privacy@benefitssafe.com and we will delete the information promptly.

For Beneficiaries between 13 and 17, the enrolling Nonprofit is responsible for ensuring that a parent or legal guardian has authorized the Beneficiary's enrollment.

13. Financial Privacy (GLBA and Regulation P)

BenefitsSafe is a software-as-a-service provider, not a bank. Virtual cards on the platform are issued by Sutton Bank and Evolve Bank & Trust, both members FDIC, via Stripe Issuing. The card-issuing banks are responsible for Gramm-Leach-Bliley Act ("GLBA") privacy notices and Regulation P compliance for cardholder relationships; BenefitsSafe supports their compliance by handling data in accordance with Stripe Issuing's terms.

To the extent GLBA's Safeguards Rule (16 CFR Part 314) applies to our processing of consumer financial information, we maintain a written information-security program consistent with the Rule's requirements, including risk assessments, access controls, encryption, multi-factor authentication, and incident response.

14. Electronic Funds Transfer Act (EFTA) / Regulation E

If your virtual card is used for electronic funds transfers governed by the Electronic Funds Transfer Act and Regulation E (12 CFR Part 1005), the card-issuing bank (Sutton Bank or Evolve Bank & Trust) is the primary party responsible for error-resolution procedures and consumer-liability limits.

If you believe there is an error on your card or an unauthorized transaction occurred:

1. Notify BenefitsSafe immediately at support@benefitssafe.com or through your dashboard's card-dispute flow.
2. We will forward your dispute to the issuing bank within one business day.
3. The issuing bank will investigate under Regulation E and report back within 10 business days (up to 45 business days for complex cases). Provisional credit may be issued after 10 business days.
4. You must notify us within 60 days of the transaction appearing on your statement to preserve your Regulation E rights; sooner is better.

Your liability for unauthorized transactions is limited per Regulation E §1005.6: $0 if you notify us before any unauthorized use; up to $50 if you notify within two business days of learning of the loss or theft; up to $500 if you notify within 60 days; unlimited after 60 days.

15. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or in applicable law. When we make material changes:

• We will post the updated policy at benefitssafe.com/privacy with a new version number and effective date.
• We will email the primary contact of every active Nonprofit at least 30 days before the changes take effect.
• Your continued use of the platform after the effective date constitutes acceptance of the updated policy.

Previous versions are available on request at privacy@benefitssafe.com.

16. Contact Us

BenefitsSafe Attn: Privacy Officer 1969 Harrington Ave, Oakland, CA 94601 Email: privacy@benefitssafe.com

For security vulnerability reports: security@benefitssafe.com.

Version History