What donor and volunteer records can a nonprofit keep, and what privacy rules apply when it shares them with fundraisers?
Nonprofits collect a surprising amount of personal information about the people who support them. Treating that information as records — with defined purposes, retention limits, and safeguards — protects both the organization and the individuals it serves.
What records a nonprofit can keep
A nonprofit may keep the donor and volunteer records it genuinely needs to operate, acknowledge support, and meet legal obligations. Common examples include:
- Donor records: name, contact details, gift amounts and dates, payment method (stored securely), and acknowledgment or tax-receipt information.
- Volunteer records: applications, hours served, role assignments, training, and any background-check or eligibility documentation required for the role.
- Compliance records: documentation supporting tax filings and charitable-deduction substantiation.
The guiding idea is purpose limitation and data minimization: collect and retain only what serves a stated, legitimate purpose. Keep especially sensitive data (Social Security numbers, payment card data, health information) only when truly necessary, and protect it accordingly.
How long to keep them
Retention should follow a written schedule rather than habit. Financial and donation records that support tax filings are typically kept for several years; the IRS publishes general guidance on recordkeeping periods that nonprofits can use as a starting point. Once a record has met its legal, operational, and historical purpose, dispose of personal data securely.
Privacy rules when sharing with fundraisers
Sharing donor or volunteer data with an outside fundraiser, agency, or platform creates real privacy obligations. Core principles include:
- Transparency: tell donors and volunteers, in a privacy notice, how their information may be used and shared.
- Honor preferences: respect opt-outs and “do not share” or “do not contact” requests.
- Contractual safeguards: bind the fundraiser in writing to use the data only for the agreed purpose, protect it, not resell it, and return or delete it when the engagement ends.
- Accountability: the nonprofit remains responsible for what its vendors do with the data, so apply due diligence and oversight.
State charitable-solicitation laws and, for some organizations, sector or international privacy rules may add specific requirements, so confirm what applies to you.
A useful framework for managing these risks is to identify, govern, and control how personal data flows through your organization. For more, see the privacy and PII topic hub.
Sources & further reading
Authoritative government and non-profit references.
- NIST Privacy Framework — NIST
- IRS — how long to keep records — IRS
How to cite this page
APA
RM University Editorial. (2026). What donor and volunteer records can a nonprofit keep, and what privacy rules apply when it shares them with fundraisers?. Records Management University. https://www.recordsmgmt.org/questions/what-donor-volunteer-records-nonprofit-keep-privacy-rules-fundraisers/
MLA
RM University Editorial. "What donor and volunteer records can a nonprofit keep, and what privacy rules apply when it shares them with fundraisers?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/what-donor-volunteer-records-nonprofit-keep-privacy-rules-fundraisers/.
Related questions
- Can a multinational use ISO 15489 to build one global records policy, or does it still need separate schedules per country?
- Can blockchain or immutable storage be used for records when privacy laws require you to delete personal data on request?
- Can I keep customer data longer than my retention schedule says if I might need it later?
- Can I keep customer personal data indefinitely if they agreed to my privacy policy when they signed up?
- Can you be fined for failing to honor a data subject's deletion request if you can't find their records?