Contact Records and CRM
The operating manual for contact records, mailing lists, donor and member records, press contacts, consent, unsubscribes, segmentation, retention, CRM hygiene, and privacy. Spiralism should know who it is responsible to without treating people as leads to be harvested.
Spiralism will gather names, emails, testimony interests, donor records, chapter attendance, press contacts, partner leads, volunteer roles, and program registrations. That information is useful. It is also power.
The institution should handle contact records as trust infrastructure, not as a growth hack.
The Rule
A contact record is a promise, not a target.
Every contact record should have:
- a source;
- a purpose;
- consent or legitimate relationship basis;
- communication preferences;
- access limit;
- update path;
- deletion or suppression path;
- retention rule.
If the institution cannot explain why it has a record, it should not keep the record.
CRM Owner
During the founding period, appoint a CRM Owner. After incorporation, CRM ownership should sit between Communications, Development, Privacy, and Finance.
The CRM Owner maintains contact schema, field definitions, import rules, export rules, access roles, unsubscribe and suppression list, duplicate review, data-quality checks, retention schedule, incident escalation, vendor review notes, and quarterly CRM audit.
The CRM Owner should not be the only person with access, but no one else should be able to casually redefine the system.
Contact Classes
Separate contact classes clearly.
| Class | Examples | Default Use | Extra Care |
|---|---|---|---|
| Newsletter Subscriber | email, name, interests | public updates | unsubscribe integrity |
| Member / Attendee | chapter, attendance, track | onboarding and chapter care | no pressure follow-up |
| Volunteer / Guild | role, hours, mentor, work log | coordination and recognition | labor boundaries |
| Donor / Patron | gifts, restrictions, recognition | receipts and stewardship | financial privacy |
| Testimony Contact | testimony interest, consent status | scheduling and archive care | heightened privacy |
| Press Contact | outlet, deadline, topic | media response | attribution clarity |
| Partner Contact | organization, MOU, role | program coordination | partner boundaries |
| Sensitive Contact | safeguarding, incident, crisis | restricted response | separate from CRM when possible |
Sensitive incident, safeguarding, crisis, and highly restricted testimony notes should not live in an ordinary CRM.
Minimum Fields
Keep the first CRM simple.
Minimum fields:
- name or preferred name;
- email;
- contact class;
- source;
- date added;
- consent or relationship basis;
- communication preference;
- chapter or location if volunteered;
- interests;
- owner;
- last meaningful contact;
- next step;
- unsubscribe/suppression status;
- privacy notes.
Do not collect demographic, psychological, family, employment, health, or financial detail unless a specific policy requires it.
Consent and Source Rules
Allowed sources:
- person signs up for newsletter;
- person registers for a program;
- person asks to be contacted;
- person gives a donation;
- person volunteers;
- person submits testimony interest;
- journalist contacts press inbox;
- partner representative exchanges institutional contact details.
Not allowed:
- scraped social media lists;
- purchased email lists;
- attendee lists imported from another organization without permission;
- private contact sharing between members;
- adding critics to monitoring lists;
- collecting vulnerable people’s contacts from testimony subjects without direct consent.
Do not confuse access to an email address with permission to use it.
Email Compliance
For newsletters, program announcements, fundraising messages, and promotional emails:
- use accurate sender information;
- use truthful subject lines;
- include a valid physical mailing address when required;
- include a clear unsubscribe link;
- process opt-outs promptly;
- keep the unsubscribe mechanism working;
- do not require extra steps beyond the opt-out mechanism;
- maintain a suppression list so unsubscribed people are not reimported.
FTC CAN-SPAM guidance distinguishes commercial messages from transactional or relationship messages. Spiralism should apply the stricter habit where feasible: make opt-out easy, even when the message may be relational.
Segmentation
Segment to reduce noise, not to manipulate.
Useful segments:
- newsletter;
- chapter city;
- program attendee;
- technologist transition;
- archive/testimony interest;
- Guild track;
- donor/patron;
- press;
- partner;
- volunteer role.
Do not segment for fear, grief, crisis, sexual history, mental-health status, political vulnerability, or pressure potential.
Donor Records
Donor records should include gift date, amount, payment processor ID, restriction, receipt status, recognition preference, anonymity preference, communication preference, donor intent notes, and conflict or influence concern.
Do not store full payment-card data in the CRM. Use trusted payment processors. Keep donor privacy aligned with Development and Patronage, Finance and Controls, and Privacy and Data Stewardship.
Press and Partner Records
Press records should include journalist, outlet, topic, deadline, attribution status, spokesperson, response sent, and source documents shared.
Partner records should include organization, contact role, project, MOU or agreement status, public-language constraints, data-sharing constraints, and next review date.
Do not let partner or press records become informal reputation files.
Imports and Exports
Before importing:
- confirm source;
- confirm consent or relationship basis;
- remove unnecessary fields;
- deduplicate;
- tag import date;
- check suppression list.
Before exporting:
- name purpose;
- name recipient;
- remove unnecessary fields;
- exclude suppressed contacts;
- avoid sensitive fields;
- set deletion expectation;
- log export.
Exports are where many privacy promises fail.
Retention
Default retention:
| Record | Default |
|---|---|
| Active newsletter subscriber | until unsubscribe or inactivity review |
| Unsubscribed email | suppression only, indefinitely or as required |
| Program attendee | 3 years unless converted to member/donor record |
| Volunteer role record | 7 years where labor or reimbursement may matter |
| Donor financial record | follow finance retention schedule |
| Press inquiry | 3 years |
| Partner contact | life of relationship plus 3 years |
| Testimony scheduling note | until consent record replaces it or request ends |
Retention should match Privacy and Data Stewardship, Finance and Controls, and legal requirements. When in doubt, keep less ordinary contact detail and preserve more formal financial, consent, and governance records.
Access Roles
Minimum roles:
- CRM Owner: full configuration.
- Communications: newsletter and public-program contacts.
- Development: donor and patron records.
- Chapter Host: local attendee and member contact records only.
- Archive: testimony-interest scheduling fields only.
- Finance: gift and receipt records.
- Read-only Reviewer: audit and governance review.
No volunteer should receive full CRM access merely because they are useful.
Data Hygiene
Quarterly:
- deduplicate records;
- review unsubscribes;
- review bounced emails;
- check stale next steps;
- review role access;
- remove unused fields;
- sample consent/source fields;
- test export controls;
- check whether any sensitive notes are in ordinary records.
Data quality is not clerical fussiness. It is how the institution avoids inventing false relationships with people.
Incident Triggers
Escalate to Digital Infrastructure, Privacy and Data, Incident Protocol, or Safeguarding when:
- CRM export sent to wrong person;
- donor data exposed;
- testimony contact exposed;
- unsubscribe ignored;
- sensitive note entered into ordinary CRM;
- press contact used for harassment;
- chapter exports local list to personal account;
- payment data stored improperly;
- account access persists after role exit;
- CRM vendor breach notice arrives.
Anti-Patterns
- Importing every acquaintance into the newsletter.
- Treating unsubscribes as disloyalty.
- Recording private vulnerability as engagement intelligence.
- Letting chapter hosts keep the only copy of local contacts.
- Using donor wealth estimates to shape spiritual attention.
- Adding press critics to informal watchlists.
- Keeping “just in case” data forever.
- Hiding consent status in free-text notes.
- Exporting the whole CRM when ten rows would do.
- Letting the founder’s personal address book become institutional memory.
First-Year CRM Targets
- Choose a simple CRM or mailing-list platform.
- Define contact classes and minimum fields.
- Create newsletter signup consent language.
- Establish unsubscribe and suppression process.
- Create donor privacy fields.
- Create chapter contact import template.
- Create press and partner contact template.
- Run first duplicate cleanup.
- Run first access review.
- Add CRM audit note to annual report.
Sources Checked
- Federal Trade Commission, CAN-SPAM Act: A Compliance Guide for Business, accessed May 2026.
- National Council of Nonprofits, Earning trust: the imperative of data privacy for nonprofits, accessed May 2026.
- National Council of Nonprofits, Cybersecurity for Nonprofits, accessed May 2026.
- National Council of Nonprofits, Ethical Fundraising, accessed May 2026.
- National Council of Nonprofits, Document Retention Policies for Nonprofits, accessed May 2026.