Privacy Policy

1. Who This Applies To

This privacy policy covers:

• School administrators who create accounts
• Parents/supporters who make purchases or receive campaign emails
• Anyone who visits our website

2. What Information We Collect

From School Administrators (You)

When you create an account:

• Name and email address
• School/organization name
• Phone number (optional)
• Billing information (processed by Stripe, not stored by us)

From Parent/Supporter Contacts (Your Uploaded Lists)

When you upload or collect contact information:

• Parent/supporter names
• Email addresses
• Phone numbers
• Student name (optional, for recognition/prizes)
• Grade level (optional)

From Website Visitors

• Basic analytics (page views, referral source)
• Session cookies (to keep you logged in)
• IP address (for security)

From Purchases (When Parents Buy)

• Billing name and address
• Payment card info (handled by Stripe, never stored by us)
• Purchase history (for receipts and tax records)
• Shipping address (for product delivery)

3. How We Collect This Information

You Provide It Directly

• Account signup forms
• Contact list uploads (CSV, Excel, Gmail import)
• Campaign creation wizard
• Checkout forms

Automatically Collected

• Login times (for security)
• Page views (for analytics)
• Email opens/clicks (to track campaign performance)

We Do NOT Collect

• Student grades, test scores, or academic records
• Student health information
• Social Security numbers
• Credit card numbers (Stripe handles these)
• Student photos (unless parent uploads for custom product)

4. How We Use This Information

For School Administrators

• Create and manage your account
• Send campaign emails and texts on your behalf
• Process orders and payments
• Generate reports and dashboards
• Provide customer support

For Parents/Supporters

• Send fundraising campaign information
• Process their purchases
• Send order confirmations and receipts
• Track delivery status

For Website Visitors

• Improve our website
• Understand how people find us
• Fix technical issues

What We DON'T Do

• Sell your data to anyone, ever
• Use parent contacts for our own marketing
• Share contact lists with other schools or organizations
• Show ads based on your data
• Track you across the internet

5. How We Share Information (Spoiler: We Don't, Except...)

With Service Providers (Only When Necessary)

• Stripe: To process credit card payments (PCI DSS certified)
• Cloudinary: To host blanket design images (GDPR compliant)
• GoHighLevel: To provide CRM software (SOC 2 certified)
• Email/SMS providers: To deliver your campaign messages

When Required by Law

• Valid subpoena or court order
• Law enforcement request (with proper documentation)
• Protect our legal rights or prevent fraud

We do NOT:

• Sell data to advertisers
• Share with data brokers
• Give data to other schools
• Provide data to anyone else for any reason

6. How We Protect Your Information

Encryption

• In transit: Bank-level TLS 1.3 encryption (same as your online banking)
• At rest: Military-grade AES-256 encryption
• Payment data: Never stored—Stripe handles it directly

Access Controls

• Multi-factor authentication available
• Role-based permissions (limit who sees what)
• Automatic logout after 30 minutes of inactivity
• Password requirements (8+ characters, complexity rules)

Infrastructure Security

• SOC 2 Type II certified servers (GoHighLevel)
• Daily automated backups
• Intrusion detection systems
• 24/7 security monitoring
• Annual third-party security audits

Incident Response

• Cyber liability insurance
• 72-hour breach notification
• Dedicated incident response team

7. How Long We Keep Information

School Administrator Data

• Active accounts: Kept as long as your account is open
• Closed accounts: Deleted within 30 days

Parent/Supporter Contact Data

You choose the retention period:

• 30 days after campaign ends
• 90 days after campaign ends (recommended)
• Keep indefinitely (for year-round sales)

Purchase Records

• Order details: 7 years (tax law requirement)
• Contact info: Follows your chosen retention period
• We separate contact info from order totals—we keep "Campaign raised $5,000" but delete "[email protected] bought 2 blankets"

Website Analytics

• Anonymous page views: 90 days
• Session logs: 30 days

8. Your Rights and Choices

As a School Administrator

• Access: Export all your data anytime (CSV download)
• Correction: Edit any contact information in your admin panel
• Deletion: Delete individual contacts or entire campaigns
• Portability: Download data in standard format
• Close account: Request account deletion anytime

As a Parent/Supporter

• Opt-out: Click "Unsubscribe" in any email (automatic)
• Text opt-out: Reply STOP to any text message
• Access: Request your contact information from the school
• Deletion: Ask the school to remove you (they control the list)
• Correction: Update your info during checkout

Marketing Communications

If we send YOU (the administrator) marketing emails about our service:

• Every email has an unsubscribe link
• We honor opt-outs within 48 hours
• We never send marketing to parent contacts (only campaign-related messages)

9. Cookies and Tracking

What Cookies We Use

• Essential cookies: Keep you logged in, remember your preferences (required)
• Analytics cookies: Count page views, see popular features (optional)

What We Don't Use

• Advertising cookies
• Third-party tracking pixels
• Cross-site tracking
• Social media tracking

10. Children's Privacy (COPPA Compliance)

Our Position

We do NOT knowingly collect information from children under 13.

Our service is designed for adults (school administrators and parents). If we discover we've accidentally collected data from a child under 13, we delete it immediately.

Student Names Are Optional

When parents make purchases, they can optionally enter their child's name (for prize recognition). This is:

• Provided by the parent (not the child)
• Optional (not required to complete purchase)
• Used only for that specific campaign
• Deleted according to your retention schedule

11. School Privacy Laws

FERPA (Family Educational Rights and Privacy Act)

Does NOT apply to our service.

FERPA protects "education records" maintained by schools. Fundraising contact information (parent emails and phone numbers) is:

• Voluntary commercial data (not education records)
• Provided by parents for purchasing (not maintained by school for educational purposes)
• Not subject to FERPA restrictions

State Privacy Laws

We comply with:

• CCPA (California Consumer Privacy Act)
• VCDPA (Virginia Consumer Data Protection Act)
• CPA (Colorado Privacy Act)
• CTDPA (Connecticut Data Privacy Act)
• Other state privacy laws as enacted

Residents of these states have additional rights—contact us at [email protected] to exercise them.

12. International Data Transfers

Where Your Data Lives

Our servers (via GoHighLevel) are located in the United States.

If you're outside the US:

• Your data will be transferred to US servers
• We provide equivalent protections to GDPR standards
• EU residents: Contact us to request a Data Transfer Agreement

13. Changes to This Privacy Policy

How We Update It

• We'll post changes to this page with a new "Last Updated" date
• Material changes: We'll email you 30 days in advance
• You can reject changes by closing your account (with full data export)

Version History

We maintain a public changelog showing all updates.

14. Contact Us

Privacy Questions

• Email: [email protected]
• Phone: +1 866-657-2333
• Mail: 4539 N 22nd St, STE A, Phoenix, AZ 85016

Data Subject Requests

To exercise your privacy rights (access, delete, correct):

• School administrators: Use your admin panel or email [email protected]
• Parents/supporters: Contact the school directly (they control your data)

15. Your Acceptance

By using our service, you acknowledge that you've read and understood this Privacy Policy.

If you don't agree, please don't use our service.

Appendix: Privacy Quick Reference

Data Collection

Data Sharing

Your Rights