Privacy Policy
This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Services. By using our Services, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address and/or phone number (at least one is required)
- Password (stored as an irreversible cryptographic hash; we never store your password in plain text)
- Username (chosen by you)
- Region and chapter (optional, chosen by you)
- Locale/language preference
1.2 Social Login Information
If you choose to sign in using a third-party service (Google, Facebook, Apple, or Microsoft), we receive your name, email address, and a unique identifier from that provider. We do not receive or store your password from any social login provider.
1.3 Event and Program Application Data
When you submit an application to participate in events, programs, or activities, we may collect personal details, contact information, travel and identity documents, family and emergency contacts, health and medical information, organizational background, athletic and physical information, logistical preferences, social media profiles, and any other information relevant to the event or program.
The specific data collected varies by event and is clearly indicated on each application form. Not all categories apply to every event.
1.4 Information from Children
Our programs serve youth and minors. When a minor's information is submitted:
- A parent or legal guardian must provide their contact information as part of the application
- Sensitive information (medical, identity documents) is collected with parental awareness through the application process
- We comply with the Children's Online Privacy Protection Act (COPPA) for users under 13 in the United States
1.5 Automatically Collected Information
When you use our Services, we automatically collect:
- Device information — device type, operating system, browser type, user agent string
- Network information — IP address, approximate geographic location (country level, derived from IP address)
- Usage information — pages visited, time spent, referring URL
- Device fingerprint — a hash generated from your device characteristics for security purposes
- Cookies and similar technologies — see Section 5
1.6 Mobile App Information
When you use our mobile application, we additionally collect a push notification token (a unique identifier for delivering push notifications), your device platform (iOS or Android), and app version.
We do not collect your device's precise geographic location. The app does not request or use GPS, Bluetooth, or Wi-Fi-based location permissions.
1.7 Photos, Videos, and Media at Events
When you attend or participate in any event, program, or activity organized by Homenetmen, we (or our designated photographers, videographers, staff, and volunteers) may capture photographs, videos, audio recordings, and other media ("Event Media") that include your name, likeness, image, voice, and/or appearance.
For minors: Event Media may include images and recordings of participants under 18. By submitting an event application for a minor, the parent or legal guardian consents to the collection and use of Event Media as described in this policy and in our Terms of Service (Section 4.5).
2. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Create and manage your account | Performance of service / Consent |
| Authenticate your identity and secure your account | Legitimate interest (security) |
| Process event applications and registrations | Performance of service / Consent |
| Ensure participant safety during events | Vital interest / Legitimate interest |
| Send push notifications about updates and announcements | Consent |
| Send email or SMS verification codes | Performance of service |
| Detect and prevent fraud, abuse, and unauthorized access | Legitimate interest (security) |
| Communicate with you about your account or applications | Performance of service |
| Analyze usage patterns to improve our Services | Legitimate interest (improvement) |
| Publish Event Media for organizational purposes | Consent (via application) / Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not sell your personal information to third parties.
We do not use your personal information for automated decision-making or profiling.
4. Data Storage and Security
4.1 Where We Store Data
Your personal information is stored on servers located in the United States. If you are accessing our Services from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with data transfer restrictions: the transfer of your data to the United States is conducted under the EU-U.S. Data Privacy Framework or, where applicable, Standard Contractual Clauses approved by the European Commission.
4.2 Security Measures
We implement industry-standard security measures to protect your information:
- Encryption in transit — all data is encrypted using TLS (HTTPS)
- Password security — passwords are hashed using Argon2id; we never store plaintext passwords
- Token security — authentication tokens are signed and keys are encrypted at rest
- Session security — server-side validation; sessions can be remotely invalidated
- Access controls — database access is restricted per-service; sensitive columns are not accessible to public-facing services
- Rate limiting — login, registration, and API endpoints are rate-limited
- Account lockout — accounts are temporarily locked after repeated failed login attempts
- Audit logging — security-relevant events are logged for incident investigation
- Cookie security — authentication cookies are HttpOnly, Secure, and SameSite-protected
No method of electronic storage or transmission is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.
4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected individuals within 72 hours of becoming aware of the breach (as required by GDPR for EEA users)
- Notify relevant supervisory authorities as required by applicable law
- Provide details about the nature of the breach and steps being taken
5. Cookies and Tracking Technologies
5.1 Cookies We Use
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| _auth_token | Essential | Authentication | Session / up to 5 hours |
| _csrf_* | Essential | Cross-site request forgery protection | 10 minutes |
| Session cookies | Essential | Server-side session management | Up to session lifetime |
| Google Analytics | Analytics | Website usage measurement | Up to 2 years |
| Facebook Pixel | Marketing | Audience measurement and attribution | Up to 90 days |
| Other tracking pixels | Marketing | Audience measurement | Varies by provider |
5.2 Cookie Choices
When you first visit our website, a cookie consent popup allows you to:
- Accept all cookies — enables all cookie categories
- Essential only — enables only cookies required for the site to function
- Customize — choose which optional cookie categories to enable or disable
You can change your cookie preferences at any time by clicking the cookie settings link in the website footer. You can also control cookies through your browser settings. Note that disabling essential cookies may prevent you from logging in or using core features.
5.3 Do Not Track
Our Services do not currently respond to "Do Not Track" (DNT) browser signals. However, you can control tracking through our cookie consent tool and your browser settings.
6. Your Rights and Choices
6.1 All Users
Regardless of where you are located, you have the right to:
- Access your personal information by logging into your account
- Update your profile information through your account settings
- Delete your account by contacting us at security@homenetmen.org
- Opt out of push notifications through your device settings
- Opt out of marketing emails by using the unsubscribe link
- Control cookies through our cookie consent tool and your browser settings
6.2 EEA, UK, and Swiss Users (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you additionally have the right to:
- Right of access (Article 15) — request a copy of the personal data we hold about you
- Right to rectification (Article 16) — request correction of inaccurate personal data
- Right to erasure (Article 17) — request deletion of your personal data
- Right to restrict processing (Article 18) — request that we limit how we use your data
- Right to data portability (Article 20) — request your data in a machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
- Right to withdraw consent — withdraw consent at any time
- Right to lodge a complaint — file a complaint with your local data protection authority
To exercise these rights, contact us at privacy@homenetmen.org. We will respond within 30 days.
6.3 California Users (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose
- Delete your personal information
- Opt out of the "sale" or "sharing" of personal information (we do not sell personal information; pixels and analytics may constitute "sharing" under CPRA)
- Non-discrimination — we will not discriminate against you for exercising your rights
To opt out of third-party tracking, use our cookie consent tool and select "Essential only."
7. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account, then anonymized |
| Event application data | 3 years after the event concludes, or as required for organizational records |
| Sensitive information (medical, identity documents) | Deleted within 90 days after the event concludes |
| Event Media (photos, videos) | Indefinitely — retained as part of organizational archives. Removal requests honored where feasible (see Section 3.2) |
| Audit and security logs | 2 years |
| Push notification tokens | Until the device is unregistered or the token becomes invalid |
| Analytics data | As determined by the third-party provider |
When you delete your account, we anonymize your personal data. Some information may be retained in backups for a limited period or as required by law.
8. International Data Transfers
Our servers are located in the United States. If you access our Services from outside the US, your information is transferred internationally. We ensure appropriate safeguards are in place:
- EU-U.S. Data Privacy Framework — our hosting infrastructure participates in the DPF
- Standard Contractual Clauses — where the DPF does not apply, we rely on SCCs approved by the European Commission
- Consent — by using our Services, you consent to the transfer of your information to the United States
9. Third-Party Links
Our Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party services you visit.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes:
- We will update the "Last Updated" date at the top of this policy
- We will notify you via email or through a notice on our Services
- For material changes affecting how we process sensitive data, we will seek renewed consent where required
Your continued use of our Services after changes become effective constitutes acceptance of the revised policy.
11. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights:
Homenetmen
Email: privacy@homenetmen.org
For data protection inquiries from EEA/UK residents:
privacy@homenetmen.org
12. Supplemental Notice for Mobile App Users
The MyHomenetmen mobile application is a companion to our website. In addition to the information described above:
- The app displays our website content within a native wrapper
- The app registers your device for push notifications via Firebase Cloud Messaging
- The app stores your authentication token securely on your device (iOS Keychain / Android Keystore)
- The app does not access your contacts, camera, microphone, calendar, or location
- Push notification permissions can be revoked at any time through your device's settings
iOS: Settings → Notifications → MyHomenetmen → toggle off
Android: Settings → Apps → MyHomenetmen → Notifications → toggle off