Privacy Policy

Braided River Consultancy Limited, trading as Benewell (we, us, our) complies with the New Zealand Privacy Act 2020 (the Act) when dealing with personal information. Personal information is information about an identifiable individual (a natural person).

This policy sets out how we collect, use, disclose, and protect your personal information when you use the Benewell platform at benewell.org (the Service).

This policy does not limit or exclude any of your rights under the Act. For more information on the Act, see www.privacy.org.nz.

By using the Service, you acknowledge that you have read and understood this policy.

We may update this policy at any time by uploading a revised version to benewell.org/privacy. The updated policy takes effect from the date it is uploaded. We will notify registered users of material changes by email.

This policy was last updated on 30 May 2026.

We collect personal information about you from the following sources:

• When you create an account on Benewell as a Donor or Organisation administrator
• When you make a donation through the Service
• When you complete your Organisation profile, upload content, or configure settings
• When you upload a donation receipt template
• When you contact us by email, through the platform, or otherwise
• When you register interest in paid subscription plans
• When you submit a support request or feedback

• Usage data including pages visited, features used, and time spent on the platform
• Device and browser information
• IP address and approximate location
• Cookies and similar tracking technologies (see section 10)

• Stripe — payment confirmation and transaction reference data (we do not receive your full card details)
• Charities register APIs — charity registration details when we verify your Organisation
• Publicly available sources — to verify Organisation details during the verification process

Where possible, we collect personal information directly from you.

• Full name and email address
• Donation history — amounts, dates, Organisations donated to, Journeys supported
• Receipt preferences — immediate or annual
• Payment transaction references (not card details — these are held by Stripe only)
• Koha (voluntary tip) history
• Following and engagement history on the platform
• IP address and device/browser information

• Full name and email address
• Organisation name, charity registration number, IRD number, and country
• Stripe Connect Account details (held and managed by Stripe)
• Organisation profile content including description, logo, cover images, and video
• Journey and Moment content including text, photos, videos, and documents
• Donation receipt template (Word document uploaded by the Organisation)
• Financial year end date and receipt sending preferences
• Donor data accessed through the Organisation's Tax and Receipts dashboard

• Account login credentials (passwords are stored in encrypted form — never in plain text)
• Communications with Benewell including support requests and feedback
• Usage data and analytics

We use your personal information for the following purposes:

• To create and manage your account
• To verify your identity and Organisation registration
• To process donations and payments via Stripe
• To generate and deliver donation receipts on behalf of Organisations
• To display Organisation profiles, Journeys, and Moments to Donors
• To enable Donors to view their giving history in the My Giving dashboard
• To provide Organisation administrators with donor and giving analytics

• To send transaction confirmation emails and receipt notifications
• To send donation acknowledgement emails
• To notify you of platform updates, changes to these policies, or security notices
• To respond to your support requests and enquiries
• To notify Organisations when they receive a new donation or follower

• To conduct anonymised statistical analysis and identify usage trends
• To develop new features and improve existing ones
• To monitor platform security and prevent fraud

• To maintain records required by applicable law
• To respond to lawful requests from regulatory authorities
• To enforce our Terms of Use and protect our legal rights

We will only use your personal information for purposes that are consistent with the purpose for which it was collected, or for a purpose you have authorised, or as otherwise permitted by the Act.

We may share your personal information with third-party service providers who help us operate the Service. These providers are required to handle your personal information securely and only for the purposes we specify:

If you are a Donor, the Organisation you donate to will receive your name, email address and donation details for the purpose of generating your receipt and managing their donor relationship with you. Organisations may only use your personal information for these purposes and must comply with their own privacy obligations.

We may also disclose your personal information to:

• a person or authority who can require us to supply it under New Zealand law or any applicable law (e.g. a regulatory authority, the IRD or a law enforcement agency);
• any other person authorised by the Act or another law; and
• any other person with your express consent.

If Benewell is sold, merged or its business is transferred, your personal information may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer.

Some of the service providers listed in section 6.1 are located outside New Zealand, including in the United States. Your personal information may be held and processed in those countries. We take reasonable steps to ensure that overseas providers handle your personal information in a manner consistent with the Act, including by relying on contractual protections where applicable.

7.1  Donor names and giving details are displayed to Organisation administrators in their Tax and Receipts dashboard solely for the purpose of receipting and donor relationship management.

7.2  Donor names are never shown publicly, in Discover page analytics, campaign views, or to other donors. This is clearly communicated on the platform.

7.3  Organisations act as data controllers in relation to their own donors and must comply with their obligations under the Privacy Act 2020 or equivalent legislation in their jurisdiction.

7.4  Benewell acts as a data processor on behalf of Organisations when processing donor personal information through the Service.

7.5  Organisations must not use donor personal information obtained through Benewell for any purpose other than receipting and donor relationship management without obtaining the donor's separate consent.

We take the security of your personal information seriously. We implement reasonable technical and organisational measures to protect your personal information from unauthorised access, use, disclosure, alteration or destruction. These measures include:

• Encrypted storage of passwords are never stored in plain text
• HTTPS encryption for all data transmitted through the Service
• Access controls so that only authorised personnel can access personal information
• Rate limiting on sensitive endpoints to prevent abuse
• Secure object storage for cached receipt PDFs

Despite these measures, no internet transmission or electronic storage is completely secure. We cannot guarantee absolute security of your personal information.

If we become aware of a notifiable privacy breach under the Act (a breach that is likely to cause serious harm to affected individuals), we will:

• notify the Office of the Privacy Commissioner as soon as practicable; and
• notify affected individuals where required by the Act.

Subject to certain grounds for refusal set out in the Act, you have the right to:

• access the personal information we hold about you; and
• request a correction to your personal information if it is inaccurate, incomplete or misleading.

To exercise these rights, please contact us at hello@benewell.org. We will ask you to verify your identity before we process your request.

If we consider the correction is reasonable and we can make it, we will. If we decide not to make the correction, we will note on your record that you requested it.

We may charge a reasonable fee for providing you access to your personal information.

You may request deletion of your Benewell account at any time by contacting hello@benewell.org. On deletion:

• your account and personal profile will be removed from the platform;
• donation history and receipt records may be retained for the period required by law (including for tax compliance purposes); and
• anonymised or aggregated data derived from your use of the Service may be retained.

We use cookies and similar technologies to operate and improve the Service. Cookies are small text files stored on your device when you visit a website.

• Essential cookies: required for the Service to function, including authentication and session management. These cannot be disabled.
• Analytics cookies: we use anonymised usage data to understand how the Service is used and to improve it.
• Preference cookies: to remember your settings and preferences on the platform.

You may disable cookies by changing your browser settings. However, disabling essential cookies will prevent you from using certain features of the Service, including logging in.

The Service is not directed at children under the age of 16. We do not knowingly collect personal information from children under 16. If you believe we have inadvertently collected personal information from a child under 16, please contact us at hello@benewell.org and we will delete it promptly.

The Service may contain links to third-party websites, including Organisation social media profiles and YouTube videos. We are not responsible for the privacy practices of those websites. We encourage you to review the privacy policy of any third-party site you visit.

While we take reasonable steps to maintain secure internet connections, if you provide us with personal information over the internet, you do so at your own risk.

If you have a complaint about how we have handled your personal information, please contact us first at hello@benewell.org. We will acknowledge your complaint within 5 working days and aim to resolve it within 20 working days.

If you are not satisfied with our response, you may lodge a complaint with the Office of the Privacy Commissioner:

If you have any questions about this policy or how we handle your personal information, please get in touch.