Skip to content
Litegrants

Privacy Policy

Last updated: June 10, 2026 · Effective: June 10, 2026

Litegrants (“we,” “our,” or “us”) is a grant management platform operated from Sacramento County, California. This policy explains what personal information we collect, why we collect it, and how you can exercise your rights — including rights under the California Consumer Privacy Act (CCPA).

We wrote this to be readable, not to obscure anything. If something is unclear, email us at [email protected].

1. Information We Collect

Account data

When you create an account, we collect your name, email address, and password. Passwords are hashed using bcrypt before storage — we never store your password in plain text and cannot retrieve it.

Organization data

For each organization on the platform we collect the organization name, primary domain, organization type (foundation, government agency, nonprofit, etc.), and mailing address. We also store each user's role within their organization (admin, program officer, reviewer, etc.).

Grant application data (customer data)

Grantmaking organizations use Litegrants to collect applications from their own applicants. The information applicants submit through those forms — project descriptions, budgets, attachments, and anything else a grantmaking org includes in their application — belongs to the grantmaking organization, not to Litegrants. We store and process it on their behalf; we do not use it for our own purposes. If you are a grant applicant with questions about your submitted data, contact the organization that runs the grant program.

Usage and analytics data

We use PostHog to understand how the product is used. This includes page views, feature usage events, and session replays for debugging. PostHog data is tied to your account while your account is active and anonymized after deletion.

Device and browser data

Our servers and third-party infrastructure log IP addresses, user agent strings, and browser type. This data is used for security monitoring and is retained for up to 90 days in access logs.

Payment data

Subscription billing is handled entirely by Stripe. Litegrants never receives, stores, or processes credit card numbers, bank account numbers, or any other payment instrument. When you enter payment details, you are entering them directly into Stripe's infrastructure. We receive a Stripe customer ID and subscription status only.

2. How We Use Information

  • Operate the platform. Authenticate users, enforce permissions, serve pages, store and retrieve your data.
  • Process billing. Pass subscription data to Stripe to create and manage your subscription. We receive billing status back from Stripe to unlock or restrict platform features.
  • Send transactional email. Account confirmations, password resets, notifications about your grant programs, and billing receipts are sent via Postmark. We do not send marketing email without separate consent.
  • Improve the product. Aggregate and anonymized PostHog analytics help us understand which features are useful and where users get stuck. We review session data only when debugging a reported problem.
  • Security and fraud prevention. IP addresses and access logs are used to detect unusual activity, block abusive requests, and investigate suspected misuse.

3. Third-Party Processors

We share data with the following processors to operate the platform. We do not sell data to any of them or authorize them to use your data for their own marketing purposes.

Stripe

Payment processing. Receives your billing contact name, email, and payment instrument directly. Litegrants sends only subscription metadata (plan type, billing cycle). Stripe's privacy policy governs how they handle payment data.

Postmark (Wildbit)

Transactional email delivery. Receives the recipient email address and message content for emails we send on your behalf (account confirmations, notifications, receipts). Postmark does not use this data for advertising.

DigitalOcean

Infrastructure hosting via DigitalOcean App Platform and managed databases. All application data — database records, file uploads, backups — resides on DigitalOcean infrastructure in U.S. data centers. DigitalOcean does not have access to application-layer data.

Cloudflare

DNS, DDoS protection, and CDN. HTTP requests pass through Cloudflare before reaching our servers. Cloudflare logs IP addresses and request metadata for security purposes under its own privacy and data processing terms.

PostHog

Product analytics and session recording. Receives page event data, feature interaction events, and session replays. Data is linked to your account while active and anonymized after account deletion. PostHog is self-hosted or cloud-hosted; we use PostHog Cloud.

4. Data Retention

  • Active accounts. We retain your data for as long as your subscription is active.
  • After cancellation. You have 30 days to export your data after cancellation. After that window, your account and its data are scheduled for deletion from our primary database.
  • Backups. Automated database backups are retained for up to 14 days. Deleted data may persist in backups during that window before being permanently removed.
  • Analytics. Anonymized and aggregated product analytics data may be retained indefinitely for product improvement purposes. This data cannot be traced back to individual accounts after anonymization.
  • Access logs. Server and infrastructure access logs containing IP addresses are retained for up to 90 days.

5. Your Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act gives you the following rights:

  • Right to know. You can request a copy of the personal information we have collected about you, the categories of sources, the business purpose for collecting it, and any third parties we share it with.
  • Right to delete. You can request that we delete your personal information. Some data may be exempt from deletion if required for security, legal compliance, or to complete a transaction you initiated.
  • Right to opt out of sale. We do not sell, rent, or trade your personal information. There is nothing to opt out of, but we state this explicitly as required.
  • Right to non-discrimination. We will not deny service, charge you a different price, or provide a lower quality of service because you exercised any CCPA right.

To exercise any of these rights, email [email protected] from the address associated with your account. We will respond within 45 days as required by law.

6. Cookies

We use session cookies (set by Rails) to keep you logged in, and analytics cookies set by PostHog to track product usage. We do not use advertising or retargeting cookies.

For the full list of cookies, their purpose, and how to control them, see our Cookie Policy.

7. Children’s Privacy

Litegrants is a business-to-business platform intended for adults working at grantmaking organizations. It is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact us at [email protected] and we will delete it promptly.

8. Security

All data is encrypted in transit using TLS. Passwords are hashed with bcrypt before storage and are never recoverable by us. We use tenant isolation at the database layer to prevent data from one organization from being accessed by another.

For full details on our security practices, infrastructure, and how to report a vulnerability, see our Security page.

9. Changes to This Policy

We will notify you by email at least 30 days before making any material changes to this policy. Non-material changes (typos, clarifications that don’t affect your rights) may be made without notice. The “Last updated” date at the top of this page always reflects the most recent revision.

10. Contact

For privacy questions, CCPA requests, or concerns about how your data is handled:

Email: [email protected]
Mailing address: Litegrants, Sacramento County, California