Whether you can trust AI with donor data depends on three decisions your team is already making, one at a time, whether anyone has written them down or not: which tier of AI is in use, what data goes into the prompt, and what the vendor does with that data after submission. The trust question is the sum of those three.

Candid found that 15% of US and Canadian nonprofits have implemented an AI use policy. The other 85% are making the three decisions in their heads, or in their staff’s heads, without a written rule.

The position worth committing to is yes, with rules. The rules are three. They are short, they are written down, and they hold up when a staffer is on deadline.

Which tier you are on

Free tiers and paid business tiers handle your prompts differently by default. The first thing to check is which tier of AI is in use across your team.

Three tiers matter for a small charity:

  • The consumer free tier.
  • The consumer paid tier, sold as ChatGPT Plus, Claude Pro, or Gemini Advanced.
  • The business tier, sold as ChatGPT Team or Enterprise, Claude for Work, or Google Workspace AI through Google for Nonprofits.

The default behaviour is different across them. On the consumer free and paid tiers, your prompts can be used to train the next version of the model unless you toggle the relevant setting off in account preferences. On business tiers, training on your inputs is off by default and you have to opt in to share data. OpenAI’s policy on data use for model improvement states that ChatGPT Business, Enterprise, Edu, and the API are excluded from training unless the customer explicitly opts in. The same default holds for Anthropic. The company’s commercial terms state that “Anthropic may not train models on Customer Content from Services.”

The tier you are on is the floor of your AI rule. Everything else sits on top of it.

What data should never go in?

Some data does not go into any AI tool, regardless of tier. A short, conservative input rule, written down once, prevents most of the avoidable risk.

The tier you are on protects you against vendor training. It does not protect you against the prompt itself being a problem. A paid-tier ChatGPT account does not stop a staffer from pasting a full donor list into a chat and asking for a segmentation. The data is now in the vendor’s logs even if it never sees a training run.

Candid’s responsible AI policy guidance, updated in January 2026, is direct: “Don’t enter sensitive information: personally identifying or confidential information, legal documents, passwords, or anything you wouldn’t paste into a public website.” That last line is the test most small charities will find usable. If the data would cause a problem in a screenshot on a public website, it does not go into the prompt.

A working input rule, drawn from that test:

In: your own writing for editing, anonymised drafts, public-information research, generic templates, and summaries with names removed.

Out: full donor records, donor lists, beneficiary names, case notes, financial records, and anything that identifies a specific individual served by the organisation.

The rule is conservative on purpose. A small charity gets the upside of AI on the In column without any of the risk on the Out column.

What the vendor does with your prompts

Even on a paid tier, your prompts are stored, processed, and sometimes accessed for non-training reasons. The vendor’s published policy is what defines those uses.

Training on inputs is one thing the vendor might do with your prompts. It is the most-discussed thing. There are others. Vendors retain prompts for service-quality reasons, abuse monitoring, and internal review. They route prompts through sub-processors for hosting, content moderation, and analytics. Each of those is governed by a published policy you can read and a contract you have agreed to by signing up.

Two terms worth defining briefly. A sub-processor is any third-party service the vendor passes your prompts through, often a hosting provider, a content-moderation service, or a model-hosting partner. A data perimeter is the set of systems your contract treats as inside your control; your Microsoft 365 tenant or your Google Workspace are both perimeters in this sense.

Three things are worth checking in that policy:

  • Retention. How long are prompts stored, and can the retention window be shortened on request?
  • Sub-processors. Who else gets to see the data, even briefly, in the course of normal operation?
  • Access for safety review. Under what circumstances do humans at the vendor read your specific prompts?

For most small charities, the answer to all three is acceptable on a paid business tier and unclear on a free tier. The acceptable answer comes from a policy you can cite to your board. The unclear answer is itself the problem.

What to use instead of free-tier ChatGPT for donor-adjacent work

For donor-adjacent work, the practical alternatives to free-tier ChatGPT are a small set of paid or discounted tools, each with a clear budget tier and a clear org-size fit.

Once the input rule is written and the tier choice is made, the question becomes which specific tool to put in front of staff. Four options cover most small to mid-sized charities. Each names a budget tier, an org-size fit, and what donor-adjacent work it can safely take on.

Microsoft Copilot via TechSoup

Microsoft 365 with Copilot, accessed at TechSoup-eligible discounts, is the lowest-friction option for orgs already on Microsoft 365. Microsoft offers nonprofit pricing on Microsoft 365 through TechSoup, and Copilot is a paid add-on that brings AI features into Word, Outlook, Excel, and Teams. Because the data stays inside the Microsoft 365 tenant your org already controls, donor-adjacent work like drafting board reports, summarising email threads, or producing meeting notes does not leave your existing data perimeter. Budget tier: TechSoup-eligible Microsoft 365 plus Copilot at around $30 per user per month. Org-size fit: any size already on Microsoft 365. The catch: Copilot’s quality depends on how clean and findable your underlying Microsoft 365 data already is.

Direct paid subscriptions to one of the major AI vendors give you the strongest no-training-by-default position for around $25 per user per month. ChatGPT Team, Claude for Work, and Gemini Business sit at similar pricing and similar default behaviour. Your prompts are not used for training. You administer accounts centrally so a staffer cannot accidentally use a personal free-tier account for work. None of the three has a nonprofit programme as of writing, so the discount has to come from elsewhere or be absorbed in the operations budget. Budget tier: $25 to $30 per user per month. Org-size fit: any size that can absorb the per-seat cost or run with a small number of seats shared across the team. The catch: paid tier does not change your input rule. Donor data still does not go in.

Google Workspace AI via Google for Nonprofits

Google offers Workspace AI features to verified nonprofits through the Google for Nonprofits programme, which is the cheapest credible option for charities already on Google Workspace. Google for Nonprofits provides Google Workspace at no cost or steep discount depending on eligibility. Gemini features in Docs, Gmail, and Sheets are included or available as a nonprofit-priced add-on. Data stays inside the Workspace your org already runs, which is the cleanest answer to the perimeter question. Budget tier: free or low-cost via Google for Nonprofits. Org-size fit: any size already on Google Workspace. The catch: AI features available to nonprofits shift as Google’s roadmap changes, so check the current programme page before committing a workflow.

Choosing between the four

A short decision rule covers most orgs:

  • Already on Microsoft 365. Add Copilot. The data stays in your tenant, the contract is one you already hold, and adoption is fastest.
  • Already on Google Workspace and eligible for Google for Nonprofits. Use the Workspace AI features. Cheapest credible option that keeps data in your existing perimeter.
  • Not on either, or split across both. Paid ChatGPT Team or Claude for Work. Pay for the tier, write the input rule, and accept the per-seat cost as the price of the no-training default.
  • Beneficiary case notes or other unambiguously sensitive workflows. Local or self-hosted, in addition to one of the three above for general work.

The choice is not “which tool is best.” It is “which tool’s data perimeter you already have.”

When local or self-hosted is the right call

For workflows that touch beneficiary case notes or other unambiguously sensitive data, a locally hosted model on your own hardware removes the vendor question entirely. Tools like Ollama, LM Studio, or a self-hosted open-weights model keep prompts on the laptop or local server. Nothing leaves the building. For a charity with case notes, intake records, or beneficiary information that should not go to any vendor at any tier, this option takes the vendor question off the table. Setup is more involved than a SaaS subscription. You need a staff member comfortable running an installer, model files take 10 to 50 GB of disk, and quality lags around a year behind the cloud frontier. Budget tier: free software, with hardware cost in the form of a recent laptop or a workstation GPU. Org-size fit: small to mid-sized charities with at least one technically comfortable staff member and a real reason to keep the data local.

What if a staffer has already pasted donor data into a free tool?

A staffer who has already pasted donor data into a free tool needs a procedure to follow. The org needs to find out what was shared, contain the exposure, and write the rule that should have been in place.

The conversation works better when there are steps to follow. The staffer was filling a gap your AI rule had not yet covered. Blame sends the next staffer with the same problem underground.

Four steps, in order:

  • Find out what was pasted. The exact prompts, the exact data fields, the date, and the account. ChatGPT keeps a chat history the user can scroll through; collect screenshots.
  • Decide if it is a reportable incident. If the data includes personal data covered by your jurisdiction’s data-protection law, log it under your existing incident process. UK orgs review against ICO reporting thresholds; US thresholds depend on state law and the data type.
  • Contain the exposure. Delete the chat history from the free-tier account where you can. Some vendors honour deletion requests on prompts already logged on their side; some do not. Document what was attempted.
  • Write the rule. The input rule and the named alternative tool, written down the same week.

Closing

Trust in AI with donor data is three decisions made deliberately rather than one decision made under pressure. Choose your tier, write the input rule, and read your vendor’s policy. The piece of paper that comes out of those three is shorter than you think and easier to defend.

What this piece does not cover: the contract review work that a data-protection officer or external counsel would do before you sign a vendor agreement at scale. The three-decision rule is the right starting point for a small charity; orgs above ~$5M revenue or with regulated beneficiary data should pair it with a contract review.

Frequently asked questions

Is free-tier ChatGPT safe for any donor work?

For donor work, no. The default training behaviour and the lack of an admin layer make free tier the wrong place for any prompt that touches donor data. Free tier is fine for editing your own writing and other work that does not include donor information.

Does paying for a business tier mean we are GDPR or data-protection compliant?

The business tier solves the training-on-prompts question. Compliance follows from your written rule, your incident process, and your privacy notice covering AI use. The paid tier is one piece of the answer.

What about the AI features in our existing CRM, like Bloomerang or Salesforce?

In-CRM AI features are governed by your CRM contract, which usually covers donor data already. Read the AI-feature addendum and check whether the AI provider used under the hood is covered by the same data terms. If it is, those features sit at the same trust level as the CRM itself.

Do we need to update our privacy policy if we use AI?

Yes, if AI features process personal data of donors, beneficiaries, or supporters. Add a short section naming the categories of AI use, the named vendors and tiers, the lawful basis, and a sentence on whether prompts leave the UK or EEA. Under UK GDPR and the EU GDPR, a US-hosted AI vendor is an international transfer that needs the appropriate safeguards in your data-processing addendum. Plain language is fine; a donor reading the section should be able to understand what happens to their data, where it goes, and why.

What do we tell a donor who asks if we use AI on their data?

Tell them yes, where AI is in use, and no, where it is not. Name the vendors and tiers. Point them at the privacy policy and the input rule. Donors who ask are usually checking that you are paying attention. The right answer is a specific one.