Privacy policy

Effective date: January 29, 2026
Last updated: February 12, 2026

Summary

• We collect information you provide through our forms (for example: grant applications, volunteer signups, workshop interest, feedback, and governance nominations).
• We use privacy-friendly analytics (Vercel Analytics / Speed Insights) to understand website usage and improve performance.
• We use Cloudflare Turnstile (when enabled) to protect forms from spam/abuse.
• Donations are processed through third parties (such as Stripe and/or BTCPay Server). We do not store full payment card numbers.
• We do not sell your personal information.

1. Information we collect

Information you provide

When you submit a form, contact us, apply for a grant, volunteer, or register interest in programming, you may provide information such as:

• Name, email address, and optional phone number.
• Application details (for example: project descriptions, budgets, portfolio links, and uploaded PDFs).
• Bitcoin wallet addresses (for example: for grant disbursements).
• Donation-related information you provide (for example: email for receipts), depending on the donation method you choose.

Information collected automatically

When you visit the site, we (and our service providers) may collect limited technical information such as IP address, device/browser information, and basic usage data (for example: pages visited and performance metrics).

Cookies and similar technologies

We and our service providers may use cookies or similar technologies (for example, local storage) to operate the site and improve performance. Your browser may allow you to manage cookies and local storage settings. If you disable certain storage mechanisms, parts of the site may not function as intended (for example, saving a local draft).

Cookie preferences

You can control cookie and storage behavior at any time through your browser settings. Common options include:

• Clear site data: remove stored cookies and local storage for bitcoinforthearts.org.
• Block cookies: block all cookies, or block third-party cookies (if enabled).
• Private browsing: limit storage by using private/incognito mode.

If your browser supports Global Privacy Control (GPC) or “Do Not Track,” you can enable it in your browser. While not all systems interpret these signals the same way, we use them as a preference signal and do not use data for cross-context behavioral advertising.

Analytics

We use Vercel Analytics and Vercel Speed Insights to understand website usage and performance. These tools are intended to be privacy-friendly and focused on aggregated measurement rather than cross-site advertising. If you prefer, you can limit analytics by using browser controls that restrict cookies and site storage.

Local storage (your browser)

Some pages may store limited information locally in your browser (for example, saving a draft of a grant application). This information is stored on your device and is not uploaded until you submit the form.

Education content and third-party platforms

Our webinar and education pages link to presentations hosted on third-party platforms (for example, Google Slides and Gamma). When you click a webinar link, you leave our site. We do not collect any additional personal information through these links. The third-party platform’s privacy policy governs your use of their service. All BFTA education materials are published under Creative Commons Attribution 4.0 International (CC BY 4.0) unless otherwise noted.

Donations and on-chain activity

Bitcoin transactions are public by nature. If you donate using Bitcoin (or receive a BTC grant), the wallet address and transaction details may be visible on public block explorers. We do not control third-party block explorers.

Sensitive information

Please do not submit sensitive personal information (for example: government IDs, health information) through our forms unless it is necessary for your request. If you voluntarily include sensitive details in open-text fields, we will treat that information as part of your submission.

2. How we use your information

• Operate our programs: process grant applications, workshop interest, volunteer signups, governance nominations, and feedback.
• Communicate with you: respond to messages and send confirmations or updates (where configured).
• Operate and improve the site: diagnose errors, improve user experience, and monitor performance.
• Security and abuse prevention: rate limiting, spam prevention, and protection against fraud/abuse.
• Compliance: comply with applicable laws and recordkeeping requirements.

3. Legal bases for processing (EEA/UK users)

If you are located in the European Economic Area (EEA) or the United Kingdom, we process personal information only when we have a valid legal basis under applicable law. Depending on the context, these legal bases may include:

• Consent: when you choose to provide information to us or opt into certain communications.
• Contract: to provide services you request (for example, processing program participation).
• Legitimate interests: to operate, secure, and improve our website and services (for example, preventing fraud/abuse).
• Legal obligations: to comply with applicable laws and recordkeeping requirements.

4. How we share information

We may share information with service providers only as needed to operate the website and our programs, and only under appropriate safeguards. We may also disclose information if required by law or to protect rights, safety, and security.

We do not sell your personal information.

Service providers we may use

• Vercel (hosting and infrastructure) and Vercel Analytics / Speed Insights (website usage and performance measurement). Vercel privacy policy.
• MongoDB (database storage for program submissions and operational records; uploaded PDFs may be stored in database file storage). MongoDB privacy policy.
• Cloudflare (Turnstile anti-spam protection for forms, when enabled). Cloudflare privacy policy.
• Resend (email delivery, when configured). Resend privacy policy.
• SMTP email providers (sending program notifications and confirmations, when configured; for example, Zoho Mail). Zoho privacy policy.
• Stripe (card payments and subscription management). Stripe privacy policy.
• BTCPay Server (Bitcoin payment processing, depending on donation method). If we operate our own BTCPay Server instance, it processes invoice and payment details to complete your donation. If a third party operates the BTCPay Server instance, their privacy policy may also apply.
• Google (education content hosting). Some webinar presentations are hosted on Google Slides / Google Docs. When you open a webinar link, you leave our site and interact with Google’s services. We do not control data Google collects on its platforms. Google privacy policy.
• Gamma (presentation hosting). Some education content may be hosted on Gamma. When you open a Gamma-hosted presentation, you leave our site and interact with Gamma’s services. Gamma privacy policy.

5. Security

We use reasonable administrative, technical, and organizational measures designed to protect information. However, no method of transmission or storage is 100% secure.

6. Data retention

We retain information for as long as needed to operate our programs, comply with legal obligations, resolve disputes, and enforce agreements. Retention may vary by record type. As a US nonprofit based in New York, we generally follow recordkeeping practices appropriate for program administration and compliance.

Our current retention targets are:

• Grant applications and related records: generally retained for up to 7 years, then deleted.
• Contact submissions and program inquiries: retained until no longer needed for the purpose of the communication, or until you request deletion (subject to legal exceptions).
• Operational/security logs (where maintained): generally retained for up to 1 year.

Deletion may occur on a rolling basis (for example, periodic reviews) and may be delayed where needed for legal, security, or operational reasons (for example, fraud prevention, dispute resolution, or audit requirements).

7. Your rights and choices

• Access / correction / deletion: You can request access to, correction of, or deletion of your information by contacting us.
• Email preferences: If we send updates, you can opt out using unsubscribe links (when provided) or by contacting us.
• Cookies & local storage: You can control cookies through your browser settings. Note that some features (for example, saving drafts locally) may not work without local storage.

8. Submitting privacy requests (DSAR process)

To submit a privacy request, email privacy@bitcoinforthearts.org. To protect your privacy, we may need to verify your identity (for example, by confirming details related to your submission).

We generally respond within the timelines required by applicable law. For example, for certain US state privacy requests, we aim to respond within 45 days (and may extend where permitted).

9. Additional disclosures for California residents (CCPA/CPRA)

This section provides additional information for California residents about how we collect, use, and disclose personal information, as required by the California Consumer Privacy Act (CCPA) as amended by the CPRA.

Categories of personal information we collect

In the last 12 months, we may have collected the following categories of personal information (depending on how you use the site):

• Identifiers (for example: name, email address, IP address).
• Internet or other electronic network activity information (for example: interactions with pages and performance metrics).
• Professional or other information you provide (for example: portfolio links, project details, application materials).
• Donation/payment-related information (processed by third parties; we may receive limited records such as donation status or transaction identifiers).

Sources, purposes, and disclosures

We collect personal information from (a) you, (b) your browser/device automatically, and (c) service providers that help deliver payments or site functionality. We use and disclose personal information for the business and commercial purposes described above in this policy (program operations, communications, security, analytics/performance, and compliance).

Sensitive personal information

We do not intentionally collect “sensitive personal information” as defined by the CPRA. If you include sensitive information in open-text fields, we will treat it as part of your submission.

Sale and sharing

We do not sell personal information. We also do not “share” personal information for cross-context behavioral advertising.

Your California privacy rights

Subject to certain exceptions, you may have the right to request: (a) access to personal information we collected about you, (b) deletion, (c) correction, and (d) information about our collection, use, and disclosure practices. We will not discriminate against you for exercising your rights. You (or an authorized agent) can submit requests by emailing privacy@bitcoinforthearts.org.

10. International data transfers

We are based in the United States, and our service providers may process information in the United States and other countries. If you access the site from outside the United States, you understand that your information may be transferred to, stored, and processed in jurisdictions that may have different data protection laws than your home jurisdiction.

11. Children’s privacy

Our website is not directed to children under 13, and we do not knowingly collect personal information from children under 13.

12. Changes to this policy

We may update this policy from time to time. The version posted here is the current one.

13. Contact us

General questions can be sent to hello@bitcoinforthearts.org. Privacy requests should be sent to privacy@bitcoinforthearts.org.

Bitcoin for the Arts, Inc.
27 W 60th St. P.O. Box 20069
New York, NY 10023