Ethics Series — Your Nonprofit Needs a Data Use Policy. Here's Why and How to Start.
This is the sixth post in the Nonprofit AI Studio Ethics Series, an honest, ongoing conversation about the questions nonprofit leaders are asking about AI.
I started Nonprofit AI Studio two-ish months ago after witnessing a tough couple of years for nonprofits and social justice in general. While watching the rise of AI, I knew that it had enormous potential to aid nonprofits, who are often tremendously overburdened by admin, content creation and staffing challenges. And in fact, TechSoup, a nonprofit tech clearinghouse completed a study in 2025 that showed that 74% of nonprofits use AI in some way. That’s the good news. What I hope to do with this platform is to help nonprofits use it safely and strategically.
If you’re reading this, you know that working for a nonprofit is akin to drinking from a fire house. There are constant, often life-altering tasks that need completing. Strategy and safety procedures often fall to the wayside. You know you need them, the time to dedicate them is hard to find.
Thus far, I have been writing this blog and social media posts with tips, and ethics series and prompts. But this week I started with my first client, a fantastic organization call DreamED Collective, that provides tech training to refugee women in Seattle. The ED is a former co-worker of mine and she is smart and tech-saavy. She is also in start-up mode, running this new organization on her own. I was thrilled when she agreed to let me take her on as a pro bono client.
In our first meeting, I found that she was heavily using AI already. Not surprising. When I asked her what her honest gut reaction was about AI, she didn't hesitate.
Privacy. Especially with her participants. Especially in the times we are living in.
She was right to name it. Immigrant and refugee women are among the most vulnerable populations when it comes to data exposure. Immigration status. Case notes. Personal histories. Contact information that, in the wrong hands, could put someone at risk.
This founder is doing everything right — on her own, she knows what to put in and what not to put into AI. But, as she grows and adds staff, she needs to trust that everyone follows her same standards. She needs an AI data use policy.
The Gap Is Urgent
Although nearly three-quarters of nonprofits are using AI, 80% have no acceptable data use policy (TechSoup, 2025).
What that means is that eight out of ten nonprofits are using powerful AI tools — tools that process, store, and in some cases learn from the information you put into them — without a clear organizational framework for what should and shouldn't go in.
For most nonprofits this isn't negligence. Nonprofits are some of the most integrity-focused bodies that exist. It's capacity. Nobody has time to write a policy document when you're also teaching classes, writing grants, providing crisis services, running volunteer activities, and managing a board. The policy keeps getting pushed to "when I have time" — which, in nonprofit world, often means never.
So, I set on out on a journey to help and here’s what I've learned from building data use policies with small nonprofits: it doesn't have to be complicated. It doesn't have to be long. And with AI, it doesn't have to take very long at all.
What a Data Use Policy Actually Is
A data use policy for AI is not a legal document full of jargon that your board needs a lawyer to interpret. For a small or midsize nonprofit it should be two pages maximum, written in plain language, and designed to answer four simple questions:
What information is safe to use with AI tools? What information should never go into any AI tool? How do we talk to clients and funders about the fact that we use AI? What do staff need to know to use AI responsibly?
That's it. Four questions. Two pages. Plain language.
What Should Never Go Into an AI Tool
This is the heart of it, and this is where the immigrant and refugee population that DreamED serves makes the stakes viscerally clear.
Client names should never go into a public AI tool. Full stop. Not in a grant narrative, not in a thank you email, not in a program description. You can write "a participant in our program" without ever typing her name into a system you don't control.
Immigration status, case notes, medical information, legal status, housing situation — none of it. Ever. These are categories of information that can cause direct harm if exposed. The AI tool you're using may be storing your queries. Its terms of service may allow your data to be used for training. You may not fully understand what happens to what you type. The answer is simply not to type it.
Financial information about individual donors or clients. Personal contact details beyond what you would publish publicly. Anything that would cause harm to a real person if it were exposed.
What Is Safe
This is the good news, and there's a lot of it.
Here’s a list of what is safe:
mission statement
program descriptions
general impact statistics
draft communications that don't reference specific individuals
meeting notes that discuss organizational decisions rather than individual cases
grant narrative language that describes your work in general terms
The vast majority of what nonprofits use AI for every day — the prompts in our library, the tips in our series, the communications work we talk about constantly — is completely safe when handled thoughtfully. The data use policy isn't about restricting AI use. It's about making that use conscious and consistent across your whole organization.
The Disclosure Question
One of the questions nonprofits ask most is whether they need to tell clients and funders that they use AI.
The answer is: it depends, and it's evolving.
There is no universal legal requirement in most contexts right now, though that is changing as AI regulation develops. What there is, is a values question. And for organizations serving communities that have historically been harmed by systems they didn't know were operating on their data, the answer to that values question should probably be yes.
For DreamED, we're building disclosure language into the policy itself, a simple, plain-language statement that participants can understand in their own language that says: we use AI tools to help us do our work. Here's what that means. Here's what we never put into those tools.
That kind of transparency builds trust. And for immigrant and refugee women who have learned through hard experience not to trust institutions that make decisions about their lives without telling them, trust is everything.
How to Build Your Policy
Here's the practical path.
Start with a simple intake survey: a set of questions about your organization's data practices that gives you the raw material for the policy. What kinds of information do you collect from participants? What AI tools does your staff currently use? Has any sensitive information already gone into those tools? Do your clients know you use AI?
Then use AI to help you draft the policy itself from your survey answers. The prompt looks something like this:
"Using the following information about our organization and our data practices, please draft a plain-language AI data use policy. It should cover: what data is safe to use with AI tools, what data should never go into AI tools, disclosure language for clients and funders, and basic staff guidance. Maximum two pages. Plain language throughout."
Then bring the draft to your board for review and adoption. The board conversation is itself an important step and one we'll cover in a future post.
Why This Matters for DreamED and for Every Nonprofit
The founder I sat down with in Seattle is building something remarkable. Free digital literacy training for immigrant and refugee women. Programs that teach computer skills, career pathways, and entrepreneurship to women who are rebuilding their lives in a new country.
She is using AI to do more with less, to be the staff she can't yet afford to hire, to write the grants and emails and curriculum that would otherwise not get written. And she is doing it thoughtfully, with her participants' safety at the center of every decision.
A data use policy gives that thoughtfulness a structure as she grows. It protects her participants and her organization. It gives her something she can hand to a funder, a board member, or a participant and say, this is how we use technology. This is what we protect. This is who we are.
Every nonprofit using AI deserves that clarity.
Follow us on LinkedIn and Instagram @nonprofitAIstudio so you never miss a post. Visit nonprofitaistudio.org to access our free Prompt Library.