AI in nonprofits and charities: fundraising, profiling and limited resources

Short answer: Charities and nonprofit organisations use AI for fundraising, donor profiling and deploying scarce resources more efficiently. Important to know: nonprofit status grants no exemption from the GDPR or the AI Act. The same rules apply as for commercial organisations — and precisely with limited resources, that deserves attention.

No exemption for the good cause

A common misconception is that a social mission or the absence of a profit motive grants an exemption. That is not so. The GDPR applies to any processing of personal data, regardless of the nature of the organisation. The AI Act is risk-based and looks at the application, not the type of organisation.

For most nonprofits this means: their AI use is usually low-risk, but data protection applies in full. See also the broader state of AI regulation.

Fundraising and donor profiling

AI helps predict which donors are likely to give, how much and when. That is profiling of personal data and falls under the GDPR. Required are: a valid legal basis, transparency towards the donor and respect for the rights of access and objection.

Be restrained with sensitive data. Inferring, say, health, religion or political preference from donation behaviour touches on special categories of personal data, for which stricter rules apply. Building extensive profiles without a clear legal basis is a real risk, even with good intentions.

Limited resources, the same responsibility

Nonprofits often work with small teams and borrowed or free tools. That raises two risks: people use external AI services without arranging data-processing agreements, and they have little capacity for oversight.

The good news: most obligations are proportionate and achievable. A simple register of AI applications, a legal basis per processing operation and clear arrangements with suppliers get you a long way. Avoid prohibited AI practices such as manipulative techniques that exploit vulnerabilities — in fundraising among vulnerable groups this is a material point of attention.

What to do

• Let go of the nonprofit myth: the GDPR and AI Act apply in full.
• Secure a legal basis for every processing of donor or beneficiary data.
• Be careful with profiling: avoid inferring sensitive characteristics.
• Arrange data-processing agreements with external AI and mailing tools.
• Keep it proportionate: a simple register and clear arrangements suffice for low-risk applications.

With limited resources, responsible AI use is mainly a matter of good basic hygiene. The same proportionality recurs in AI in hospitality and tourism, where the GDPR is likewise decisive.