Privacy Policy
Effective Date: May 22, 2026
This Privacy Policy describes how SolutionBox, LLC (“Potluck,” “we,” “us,” or “our”) collects, uses, and protects information when you use the Potluck platform at usepotluck.org and any organization websites powered by Potluck.
Contact for privacy questions:
privacy@usepotluck.org
SolutionBox, LLC — 8166 Ohara Drive, Davison, MI 48423
1. Who This Policy Covers
This policy applies to two groups of people:
- Organization administrators — the people who create and manage a Potluck account on behalf of their nonprofit or community organization
- Donors and website visitors — people who visit an organization’s Potluck-powered website or submit a donation
2. US Only
Potluck is a United States-only service. We do not knowingly collect or process data from individuals or organizations located in the European Union or European Economic Area. If you are accessing Potluck from the EU or EEA, do not use this service.
3. Information We Collect
From Organization Administrators
When you create a Potluck account and set up your organization, we collect:
- Name and email address (provided at signup)
- Organization name, mission statement, and description
- Logo and other images you upload
- Contact information (address, phone, public email)
- Billing information — handled entirely by Stripe; we never see or store your full card number
- IP address and browser information when you use the dashboard
From Donors and Website Visitors
When someone visits an organization’s Potluck-powered website or submits a donation, we collect:
- Name and email address if provided during a donation
- Donation amount and date
- Payment method type (card or bank transfer) and last four digits — full payment details are handled by Stripe and never touch our servers
- IP address and standard server logs (browser type, pages visited, referrer)
From Meta (Facebook and Instagram)
When an organization connects their Facebook or Instagram account, we collect and store:
- The organization’s Facebook Page IDs and Instagram account IDs
- Access tokens that authorize Potluck to post on the organization’s behalf (stored encrypted)
- Engagement data (reach, reactions, comments count) pulled from the Meta API for display in the organization’s dashboard
We do not collect personal data about Facebook users who interact with an organization’s posts. We do not collect Facebook friend lists, personal profile information, or any data beyond what is needed to post content and display basic engagement metrics.
4. How We Use Your Information
| Information | How We Use It |
|---|---|
| Organization admin email | Account management, billing notices, service updates, support |
| Donor name and email | Sending donation receipt emails on behalf of the organization |
| Donor payment data | Processed by Stripe; we store only metadata (amount, date, method type) |
| Meta access tokens | Posting approved social media content on the organization’s behalf |
| Engagement data from Meta | Displaying analytics to the organization in their dashboard |
| IP addresses and server logs | Security monitoring, fraud detection, platform improvement |
| Uploaded images and content | Displaying your organization’s public website |
We do not use donor data for advertising purposes.
We do not sell any data — ever — to any third party.
5. Facebook and Instagram Data — Meta-Specific Disclosures
Potluck accesses Facebook and Instagram data solely to operate the social media features that organizations have authorized. Specifically:
- We access Facebook Pages and Instagram accounts only after an organization administrator explicitly grants permission through Meta’s authorization process.
- We post content to Facebook Pages and Instagram only after the organization administrator has reviewed and explicitly approved that content within the Potluck dashboard. We never post automatically.
- We retrieve engagement data (reach, reactions, comment counts) from the Meta API to display performance information to the organization.
- We do not use Facebook or Instagram data to build advertising audiences, target individuals, or for any purpose other than operating the features the organization authorized.
- We do not share Facebook or Instagram data with any third party other than as required to operate the service (e.g., hosting infrastructure).
- We do not retain Facebook or Instagram data beyond the period necessary to provide the service. When an organization disconnects their Meta account, we delete their stored access tokens.
Requesting deletion of your Facebook/Instagram data stored by Potluck:
Visit usepotluck.org/privacy/meta-data-deletion for instructions, or email privacy@usepotluck.org. We will process deletion requests within 30 days.
6. Third-Party Services That Process Your Data
Potluck uses the following third-party services, each of which may receive data as necessary to operate:
| Service | What They Receive | Privacy Policy |
|---|---|---|
| Stripe, Inc. | Payment information, billing details, Stripe Connect account data | stripe.com/privacy |
| Anthropic, PBC | Draft social post text generated from your event descriptions (no donor PII is sent) | anthropic.com/privacy |
| Meta Platforms, Inc. | Access tokens; content submitted for posting to Facebook/Instagram | facebook.com/privacy |
| Resend, Inc. | Organization email addresses for transactional email delivery | resend.com/privacy |
| Amazon Web Services | All platform data (hosting and storage infrastructure) | aws.amazon.com/privacy |
| DNSimple, Inc. | Domain name information for organizations that register a custom domain | dnsimple.com/privacy |
| Cloudflare, Inc. | IP addresses and request data processed through Cloudflare’s network | cloudflare.com/privacypolicy |
We do not authorize these services to use your data for their own marketing or advertising purposes.
7. Payment Data and PCI Compliance
Potluck does not store, transmit, or process payment card data. All payment information is collected and processed directly by Stripe, which is certified as a PCI DSS Level 1 Service Provider — the highest level of payment security certification. We store only non-sensitive transaction metadata: donation amount, date, payment method type, and last four digits.
8. Data Retention
| Data | Retention Period |
|---|---|
| Organization account data | Retained while account is active; deleted 90 days after account cancellation |
| Donor records | Retained while the organization’s account is active; deleted with the account after the 90-day cancellation window |
| Meta access tokens | Deleted when the organization disconnects their Meta account |
| Server logs | 30 days |
| Billing records | Retained as required by law and our agreement with Stripe |
Before cancelling your account, export your donor list from the dashboard. After the 90-day window, we cannot recover deleted data.
9. Cookies
Potluck uses a session cookie to keep you logged in to your dashboard. This cookie is strictly necessary for the service to function and does not track you across other websites.
We do not use advertising cookies, retargeting pixels, or third-party tracking cookies on the Potluck platform. Cloudflare may set a cookie as part of its security and performance services.
10. Children’s Privacy
Potluck is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a child’s information has been submitted to Potluck, contact us at privacy@usepotluck.org.
11. California Residents — CCPA
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know — You may request a copy of the personal information we hold about you
- Right to delete — You may request deletion of your personal information, subject to legal retention requirements
- Right to opt out of sale — We do not sell personal information. There is nothing to opt out of.
- Right to non-discrimination — We will not discriminate against you for exercising these rights
To submit a request, email privacy@usepotluck.org. We will respond within 45 days.
12. Security
We take reasonable technical and organizational measures to protect your information, including:
- All data transmitted to and from Potluck is encrypted via HTTPS (TLS)
- Meta access tokens are stored encrypted using AES-256
- Payment data is processed by Stripe (PCI DSS Level 1 compliant) — we never handle raw card data
- Sensitive documents (such as KYB verification documents submitted to Stripe) are stored in private cloud storage with no public access and short-expiry signed URLs
- Access to production systems is restricted to authorized personnel
No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we will notify you promptly if a breach affects your data.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify organization administrators by email before the changes take effect. The updated policy will always be available at usepotluck.org/privacy.
14. Contact Us
For privacy questions, data requests, or concerns:
Email: privacy@usepotluck.orgMail: SolutionBox, LLC — 8166 Ohara Drive, Davison, MI 48423
For Meta data deletion requests specifically, visit: usepotluck.org/privacy/meta-data-deletion
Potluck is a product of SolutionBox, LLC.