Privacy Policy

Effective date: January 1, 2026 · Last updated: April 2026

The Throughlines ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform. By registering or using the Platform, you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of personal information:

  • Identity data: first name, last name, email address, date of birth, school name, grade level
  • Contact data: home address, phone number
  • Guardian data (minors only): parent or guardian name, email address, and phone number
  • Activity data: volunteer hour logs, opportunity sign-ups, check-in/out timestamps, kudos sent and received, badges and credentials awarded, story entries and reflections
  • Device and usage data: IP address, browser type, operating system, pages visited, login timestamps, and timezone (collected automatically when you use the Platform)
  • Communications: messages sent through the Platform's internal messenger
  • Poll responses: anonymized responses to Community Pulse polls (stored without name or email identifier)
2. How We Use Your Information

We use the information we collect for the following purposes:

  • To create, verify, and manage your account
  • To connect you with volunteer opportunities and organizations
  • To track, record, and verify your service hours and activity
  • To communicate with you about your account, activity, and platform updates
  • To send notifications relevant to your participation
  • To operate and improve the Platform, including safety monitoring and fraud prevention
  • To conduct anonymized research on adolescent development and program effectiveness
  • To comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of our users
  • To analyze aggregate, de-identified usage patterns using analytics tools
3. Children's Privacy (COPPA)

We do not knowingly collect personal information from children under the age of 13. Users must be at least 13 years of age to register. If we discover that a user is under 13, we will promptly deactivate the account and delete all associated personal data.

For users between 13 and 17 years of age ("minor users"), we apply the following additional safeguards:

  • A parent or legal guardian must provide verifiable consent via email confirmation before a minor's account is activated
  • We collect guardian contact information (name, email, and phone) solely for the purpose of parental communication and COPPA compliance
  • We restrict the personal information of minor users (address, phone number, school name) visible to organizations, unless the minor has a confirmed sign-up with that organization
  • We do not sell or share minor user data with third parties for marketing, advertising, or commercial purposes
  • Organizations are notified when they are working with a minor volunteer
  • Parents or guardians may review, update, or request deletion of their child's personal information at any time by contacting us at envisioninglab@gmail.com
  • Parents or guardians may revoke consent and request account deactivation at any time; upon revocation, we will deactivate the account and delete personal data within 30 days
4. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

  • With organizations: when you sign up for or participate in an opportunity, we share your name, email, and relevant activity data with that organization. For minor users, address and phone data are not shared unless required by the organization's application process and the minor has explicitly applied.
  • With service providers: we engage third-party vendors for hosting, email delivery, and analytics (including Google Analytics). These providers access data only as needed to perform services on our behalf and are bound by confidentiality obligations. They may not use your data for their own independent purposes.
  • For legal compliance: we may disclose personal data to law enforcement, government agencies, or other third parties when required by law, court order, or to protect the safety, rights, or property of our users or the public.
  • In a business transfer: if The Throughlines is acquired, merged, or its assets are transferred, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: we will not share your data for any other purpose without your explicit consent.
5. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Platform:

  • Essential cookies: required for login sessions, CSRF protection, and core Platform functionality. These cannot be disabled without impacting your ability to use the Platform.
  • Analytics cookies (Google Analytics): used to understand how users interact with the Platform in aggregate. These are only loaded after you have provided cookie consent. No personal identifiers are shared with Google Analytics.
  • Preference cookies: used to store your timezone and other session preferences.

You can accept or decline non-essential cookies via the banner shown on your first visit. Declining analytics cookies does not affect your ability to use the Platform. Most browsers also allow you to control cookies through browser settings.

Do Not Track: some browsers transmit "Do Not Track" signals. We honor these signals by not loading analytics cookies when a Do Not Track signal is detected.

6. Your Rights (CCPA and US Privacy Laws)

Under the California Consumer Privacy Act (CCPA) and applicable US privacy laws, you have the following rights:

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared
  • Right to Access / Portability: download a copy of your personal data in a machine-readable format via your account settings
  • Right to Correction: update or correct inaccurate personal information at any time through your account settings
  • Right to Deletion: request permanent deletion of your account and associated personal data. We will anonymize your records and remove personal identifiers within 30 days of your request
  • Right to Opt-Out of Sale: we do not sell your personal information to third parties
  • Right to Non-Discrimination: we will not deny, charge differently for, or provide a lesser quality of service because you exercised any of your privacy rights

To exercise these rights, use the tools in your account settings or contact us at envisioninglab@gmail.com. We will respond to verifiable requests within 45 days as required by law. In certain circumstances, we may extend this period by an additional 45 days with notice.

7. Data Retention

We retain personal data for as long as your account is active and as needed to provide services. Specific retention periods:

  • Active accounts: personal data retained while account is active
  • Deactivated accounts: personal data retained for 45 days to allow reactivation, then anonymized automatically
  • Deleted accounts: personal identifiers removed within 30 days of deletion request; anonymized activity records (hours contributed, event participation counts) may be retained for aggregate reporting
  • Legal holds: data subject to a legal obligation, dispute, or investigation may be retained beyond standard periods until the matter is resolved
  • Minor accounts: upon parental revocation of consent, personal data deleted within 30 days
8. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encrypted passwords (hashed using industry-standard algorithms; we never store plain-text passwords)
  • HTTPS encryption for all data transmitted between your browser and our servers
  • CSRF protection on all form submissions
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Access controls limiting employee access to personal data on a need-to-know basis

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

9. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, or services operated by organizations. These third parties have their own privacy policies and practices, which we do not control and are not responsible for. We encourage you to review the privacy policies of any third-party service you interact with through the Platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. For material changes, we will provide at least 30 days' notice via email or an in-app notice before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

11. Contact Us

For privacy-related questions, data requests, or to report a concern: envisioninglab@gmail.com

We aim to respond to all privacy inquiries within 5 business days.