Security Update: How Raisely is Protecting Donor Data in URLs and Login Links

We're making two important updates to how Raisely handles donor data in links. These changes are part of our commitment to SOC 2 compliance and keeping your donors' information safe.

This article explains what's changing, why it matters, and the steps you may need to take.


Why is this happening?

Currently, some Raisely links include personal donor information (like a first name or email address) directly in the URL. For example: yoursite.com/donate?email=donor@email.com.

While this makes form pre-filling convenient, it creates data protection risks:

  • Exposure: Personal information in URLs can appear in browser histories, server logs, and analytics tools like Google Analytics.
  • Compliance: Including personal data in URLs does not meet SOC 2 security standards.
  • Privacy: It puts your donors' sensitive information at unnecessary risk.

At the same time, login links (magic links) in Raisely emails currently never expire. If an old email is ever accessed by someone else, that link still grants full account access.

The update:

We're moving personalisation to session-based authentication using short-lived access tokens. Your donors still get the same personalised experience, but the data now travels through a secure session instead of a visible URL. And login links will expire after 48 hours to prevent unauthorised access.


What is changing?

1. Personal information will be removed from URLs

Starting April 7th, Raisely will block you from saving email templates that include personal donor information (name, email) in a URL. You'll see a message in the editor:

"It looks like this URL includes personal donor information. To keep donor data safe, please remove it before saving."

Personalisation still works. Instead of pulling data from the URL, Raisely now pulls it from the donor's authenticated session. The donor experience stays the same.

What to update: Replace URL-based merge fields with session-based ones:

  • query.firstName becomes user.firstName
  • query.lastName becomes user.lastName
  • query.email becomes user.email

This applies to both email templates and campaign pages that display personalised content.

Here is an example of what old merge fields may look like:

Here is what it should look like when using an access token:

2. Login links (magic links) will expire after 48 hours

Starting April 7th, every magic link in a Raisely email will expire 48 hours after the email is sent. Each email will contain a unique, single-use token.

When a supporter requests a new link after accessing an expired one, this is an example of what they might see:

Important: All existing magic links in previously sent emails will stop working on April 7th. When a donor clicks an expired link, they'll see a friendly page where they can:

  • Request a new magic link sent to their email (takes just a few seconds)
  • Log in with a password if they have one

The donor gets a fresh link, logs in right away, and picks up where they left off.

The 48-hour window is based on email engagement data: the vast majority of clicks happen within the first two days. This gives donors plenty of time while keeping their accounts safe.


What you need to do before April 7th

Review and update your email templates

Look for any URLs in your email templates that include query.firstName, query.lastName, or query.email.

Replace them with the session-based versions: user.firstName, user.lastName, or user.email.

Review your campaign pages

If any of your live campaign pages display personalised content based on URL parameters (e.g., "Hi {{query.firstName}}"), update them to use user.firstName instead.
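To find what needs updating, here is a small audit script. It is an added example, not part of Raisely's tooling. It scans exported template source for the three query.* merge fields and for URLs carrying donor data as query parameters, while leaving tracking and amount parameters alone. The parameter names in PII_PARAMS and the sample template are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qsl

# Merge-field renames listed in the article.
RENAMES = {
    "query.firstName": "user.firstName",
    "query.lastName": "user.lastName",
    "query.email": "user.email",
}
# Assumption: parameter names treated as donor data (the article shows only ?email=).
PII_PARAMS = {"email", "firstname", "lastname", "name"}

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
FIELD_RE = re.compile(r"\bquery\.(?:firstName|lastName|email)\b")

# Constructed sample template, not taken from a real campaign.
SAMPLE = """<p>Hi {{query.firstName}},</p>
<a href="https://yoursite.com/donate?email={{query.email}}&amp;utm_source=appeal">Donate</a>
<a href="https://yoursite.com/donate?amount=50&frequency=month&fbclid=abc">Give monthly</a>
<p>Welcome back {{user.firstName}}</p>"""


def audit_template(text):
    """Return (line_no, kind, detail) findings for one template's source."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = html.unescape(raw)  # so &amp; separates parameters correctly
        for url in URL_RE.findall(line):
            # Take the query string by hand; merge-field braces are not valid URL syntax.
            query = url.partition("?")[2].partition("#")[0]
            for key, _ in parse_qsl(query, keep_blank_values=True):
                if key.lower() in PII_PARAMS:
                    findings.append((line_no, "pii-param", key))
        for field in FIELD_RE.findall(line):
            findings.append((line_no, "merge-field", f"{field} -> {RENAMES[field]}"))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit_template(SAMPLE):
        print(f"line {line_no}: {kind}: {detail}")
```

A "pii-param" finding means the parameter should be removed from the link, since donor data now comes from the session; a "merge-field" finding shows the replacement field to use.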

Prepare your team for the magic link change

Old magic links in previously sent emails will stop working on April 7th. If donors reach out about broken links, they can request a new one from the expired link page. Let your team know so they can help donors through the process.


What is NOT changing?

These updates do not affect:

  • Personalised page content: "Hi [Name]" will still appear for donors who are logged in.
  • Tracking and analytics: UTM parameters, fbclid, and other campaign tracking data work exactly as before.
  • Non-personal URL parameters: Things like donation amounts (?amount=50) or frequency (?frequency=month) are not affected.
  • Form pre-filling for logged-in donors: Forms will still pre-fill using the donor's session data.

Need help?

Our support team is here to help you through the transition. If you have questions about specific merge fields or need a hand updating your templates, reach out to us at support@raisely.com.
