Privacy Policy

NW Peak Fundraising and Consulting (“NW Peak,” “we,” “us,” or “our”) operates the NW Peak Fundraising platform, a software-as-a-service solution that enables K–12 athletic programs to run online fundraising campaigns. We are committed to protecting the personal information of everyone who uses or is affected by our platform, including athletes, coaches, school administrators, and donors.

This Privacy Policy explains what information we collect, how we use and protect it, and your rights regarding that information. By accessing or using the platform, you agree to the practices described in this policy.

Owner & Data Controller: Branden Bailey, NW Peak Fundraising and Consulting
Email: bbailey@nwpeakfundraising.org
Governing law: State of Oregon, United States

We collect information in the following categories:

Account & Identity Data

• Full name (athletes, coaches, school administrators)
• Email address
• Phone number (athletes and coaches, when provided)
• Hashed password (stored by Supabase Auth; we never see plaintext passwords)
• Role assignment (athlete, coach, school admin, platform owner)

Campaign & Fundraising Data

• Campaign names, goals, start/end dates, and descriptions
• Donation amounts, timestamps, and campaign attribution
• Donor display names (shown on leaderboard with donor consent)
• Donor email addresses (collected by Stripe; stored server-side only — never exposed in public API responses)
• Athlete fundraising totals and donor counts

Athlete Contact Lists

• Names, email addresses, and phone numbers of contacts athletes add to their personal outreach lists
• Contact interaction history (contacted status, donation attribution)

AI Interaction Data

• Token counts, model used, and anonymized summaries of AI-generated fundraising scripts and coach communications
• No raw prompt text or AI responses are stored — only metadata for rate-limiting and cost attribution

Technical & Usage Data

• IP addresses (collected for webhook security and audit logging)
• Browser and device type (standard HTTP headers)
• Pages visited and actions taken within the platform (server logs)
• Terms-of-service acceptance timestamps and version numbers

We use collected information for the following purposes:

• Providing and improving the fundraising platform (campaign creation, athlete dashboards, donation processing)
• Generating AI-powered fundraising scripts and coach communications using anonymized athlete and campaign context
• Processing donations and calculating platform and Stripe fees
• Sending platform-related communications (invite links, operational notices)
• Enforcing rate limits on AI features and detecting abuse
• Maintaining security audit logs for compliance and fraud prevention
• Analyzing aggregate platform usage and performance (no individual tracking sold to third parties)
• Displaying donor names on public leaderboards when donors consent by providing their name

We do not sell personal information to third parties. We do not use personal information for targeted advertising.

We share data with the following service providers solely to operate the platform. Each provider has agreed to data processing terms consistent with their role:

Many athletes on our platform are minors enrolled in K–12 schools. We are committed to handling student data responsibly and in a manner consistent with the Family Educational Rights and Privacy Act (FERPA) and applicable state student-privacy laws.

Our Commitments

• Minimum necessary data: we collect only the information required to operate the fundraising campaign and AI features.
• No sale or commercial use: student data is never sold, rented, or used for commercial advertising purposes.
• School control: schools control which athletes are invited and can request deletion of any student data at any time.
• Segregated access: athlete contact lists are visible only to the individual athlete and platform operators — coaches cannot access a student's personal contact list.
• Limited AI input: athlete names and fundraising totals may be used in AI prompts for script generation. No sensitive educational records are processed.

School Responsibilities

Participating schools are responsible for obtaining any required parent or guardian consents before inviting minor athletes to the platform, in accordance with FERPA, COPPA, and any applicable state law. NW Peak provides the platform; schools are the educational agencies responsible for student consent.

Donor privacy is important to us. Here is how we handle donor information:

• Donor display names are shown on public campaign leaderboards only when the donor voluntarily provides their name during checkout.
• Anonymous donations are shown as "Anonymous" on all public-facing pages.
• Donor email addresses are collected by Stripe during checkout and stored server-side in our database. Donor emails are accessible only to platform owners and the receiving school administrator for payout reconciliation and dispute purposes.
• Donor emails are never returned in public API calls, leaderboard data, or any athlete- or coach-facing interface.
• Donor email data is retained for 3 years from the date of donation, after which it is deleted unless retention is required for an active financial dispute.

Depending on your location, you may have rights to access, correct, port, restrict, or delete your personal data. Oregon residents have rights under the Oregon Consumer Privacy Act (OCPA), including the right to know what data we hold and to request deletion.

To exercise any of these rights, email us at bbailey@nwpeakfundraising.org with your name, email address, and the nature of your request. We will respond within 30 days. For verified deletion requests, we will remove your personal data from active systems; data retained for legal or financial compliance (see Section 7) may be kept in archived form only.

Schools may also submit deletion requests on behalf of students. Deleting an athlete account will remove their contact list, AI interaction logs, and profile data while preserving anonymized donation totals required for financial records.

We implement industry-standard security controls including:

• Row Level Security (RLS) on all database tables — public access is restricted to leaderboard data for active campaigns
• Stripe webhook signature verification on every inbound payment event
• Server-side-only handling of donor email addresses — never exposed in client responses
• AI input sanitization: HTML stripping, length limits, and prompt-injection detection before any data reaches the Claude API
• Per-user daily rate limits on all AI features enforced at the API layer
• Security audit log recording all significant platform events with IP addresses and timestamps
• All data transmitted over HTTPS/TLS

No system is perfectly secure. If you believe you have discovered a security vulnerability, please report it responsibly to bbailey@nwpeakfundraising.org.

We use a single session cookie to maintain your authenticated state. This cookie is strictly necessary for the platform to function and cannot be disabled while you are logged in. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that track individuals across sites.

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page and increment the policy version number. For material changes, we will notify users through the platform interface. Continued use of the platform after the effective date constitutes acceptance of the revised policy.

Questions, concerns, or requests regarding this Privacy Policy should be directed to: