Unity Palo Alto

Privacy Policy

Effective Date: March 18, 2025
Last Updated: March 18, 2026
Jurisdiction: United States — California (CCPA/CPRA)

1. Introduction

Unity Palo Alto (“Unity Palo Alto,” “we,” “us,” or “our”) is a 501(c)(3) nonprofit religious organization committed to protecting your privacy and handling your personal information with transparency and care. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you access or use our member portal and church management system, and related services (collectively, the “Service”).

This Policy applies to all users of the Service, including members, donors, household members, and visitors to our website. By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described herein.

This Privacy Policy is intended to comply with applicable federal privacy laws and, specifically, the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”), the California Online Privacy Protection Act (“CalOPPA”), and other applicable California privacy regulations.

2. Information We Collect

We collect the following categories of personal information in connection with the Service:

2.1 Information You Provide Directly

  • Account Registration: Name, email address, and password.
  • Profile Information: Preferred name, pronouns, salutation, date of birth, and profile photo.
  • Household Information: Household name, greeting, mailing address, and the names and basic details of household members you add to your record.
  • Membership Information: Membership type and associated dates.
  • Giving Records: Donation amounts, dates, designations (fund categories), payment method type, check numbers, and optional notes.
  • Communications: Messages, support requests, feedback, and other content you submit to us.
  • Payment Information: Credit or debit card details and billing address processed by Stripe, our PCI-DSS–compliant payment processor. We do not store raw card data.

2.2 Information Collected Automatically

  • Usage Data: Pages visited, features used, time spent, and navigation paths within the Service.
  • Device & Technical Data: IP address, browser type and version, operating system, and screen resolution.
  • Log Data: Server logs including access times, error logs, and referring URLs.
  • Cookies & Tracking Technologies: We use cookies as described in Section 7 below.

2.3 Sensitive Personal Information (California Residents)

Under the CPRA, certain categories of information are classified as “Sensitive Personal Information.” We may collect the following to the extent necessary for the Service:

  • Account login credentials (email and password).
  • Financial account information for billing purposes, processed by Stripe.

We do not use sensitive personal information for purposes beyond those specified under Cal. Civ. Code § 1798.121 without your explicit consent.

3. How We Use Your Information

3.1 Providing and Improving the Service

  • To create and maintain your account and deliver the core functionality of the Service.
  • To process donations and send related confirmations, receipts, and annual giving statements.
  • To maintain accurate membership and household records.
  • To improve the quality and security of the Service.

3.2 Communications

  • To respond to your inquiries and requests.
  • To send administrative notices, account setup emails, security alerts, and giving statements.
  • To send pastoral and community communications relevant to your membership (subject to your communication preferences).

3.3 Legal, Compliance, and Security

  • To comply with applicable laws, regulations, and legal processes, including IRS charitable-contribution reporting requirements.
  • To detect, investigate, and prevent fraudulent or unauthorized activity and security incidents.
  • To protect the rights, property, and safety of Unity Palo Alto, our members, and the public.

3.4 Internal Operations

  • To perform analytics and reporting for internal nonprofit governance purposes.
  • To maintain accurate records required for our 501(c)(3) tax-exempt status.

4. Legal Basis for Processing

We process personal information on the following legal grounds:

  • Contract Performance: Processing necessary to provide the Service pursuant to your agreement with us.
  • Legitimate Interests: Processing necessary for our legitimate organizational interests, provided those interests are not overridden by your rights and interests.
  • Legal Obligation: Processing necessary to comply with applicable law.
  • Consent: Where we rely on your consent, you may withdraw it at any time by contacting us as described in Section 11.

5. Disclosure of Information

We never sell, rent, or share your personal information for commercial purposes. Period.

We may share your information only in the following limited circumstances:

5.1 Service Providers

We engage third-party vendors who perform functions on our behalf, such as cloud hosting (Supabase), payment processing (Stripe), and email delivery (Resend). These providers are contractually bound to use your information only for the purpose of providing services to us and to maintain appropriate security standards.

5.2 Legal and Regulatory Disclosures

We may disclose your information when required by applicable law, subpoena, court order, regulatory authority, or government request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 With Your Consent

We may share your information for any other purpose with your explicit consent.

5.4 California-Specific Disclosure Summary

The following summarizes the categories of personal information we have collected in the past 12 months and the categories of third parties with whom we share such information:

Category | Business Purpose | Recipients
Identifiers (name, email, IP) | Account management, communications | Cloud hosting, email delivery
Giving records | Receipts, statements, IRS compliance | Payment processor (Stripe)
Internet / Network Activity | Security, product improvement | Cloud hosting only
Sensitive: Account Credentials | Authentication | Cloud hosting (encrypted)

6. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. The criteria we use to determine retention periods include:

  • The duration of your active membership or relationship with us.
  • Legal obligations requiring us to retain certain data for minimum periods (e.g., IRS charitable-contribution records).
  • Statutes of limitations that may apply to potential legal claims.
  • Our legitimate interests in maintaining records for dispute resolution and organizational governance.

When personal information is no longer required, we securely delete or anonymize it.

7. Cookies and Tracking Technologies

We use cookies and similar technologies to support the operation of the Service and analyze usage patterns. We do not use advertising or targeting cookies.

7.1 Types of Cookies We Use

  • Strictly Necessary Cookies: Required for the Service to function, including authentication session cookies. These cannot be disabled.
  • Performance / Analytics Cookies: Collect aggregated usage data to help us improve the Service. No personal information is shared with analytics providers for advertising purposes.

7.2 Your Cookie Choices

You may control cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from signing in to the Service. California residents have additional rights under the CPRA (see Section 9).

8. Data Security

We implement and maintain commercially reasonable administrative, technical, and physical security measures designed to protect your personal information from unauthorized access, disclosure, alteration, and destruction. These measures include:

  • Encryption of data in transit using TLS 1.2 or higher.
  • Encryption of data at rest.
  • Role-based access controls and multi-factor authentication for administrative access.
  • Incident response and data breach notification procedures compliant with applicable law.

Despite our efforts, no security measure is perfect or impenetrable. You are responsible for maintaining the confidentiality of your account credentials.

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

9.1 Right to Know

You have the right to request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

9.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., information necessary to comply with a legal obligation or maintain charitable-contribution records required by the IRS).

9.3 Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you. Members may update most of their own information directly via the member portal.

9.4 Right to Opt-Out of Sale or Sharing

We do not sell your personal information for monetary consideration, and we do not share it for cross-context behavioral advertising. There is nothing to opt out of with respect to the sale or sharing of your personal information.

We honor Global Privacy Control (GPC) signals as required by the CPRA.

9.5 Right to Limit Use of Sensitive Personal Information

You have the right to direct us to limit the use and disclosure of your sensitive personal information to purposes necessary for providing the Service and as otherwise permitted by the CPRA.

9.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. We will not deny you services, charge different prices, or provide a different level of service based solely on your exercise of privacy rights.

9.7 Authorized Agents

California residents may designate an authorized agent to submit requests on their behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly with us.

9.8 Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information regarding disclosure of personal information to third parties for those third parties’ direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.

9.9 Response Timeframes

We will respond to verifiable consumer requests within 45 days of receipt. If we require more time (up to 90 days total), we will inform you of the reason and extension period in writing. We will not charge a fee for processing your request unless it is excessive, repetitive, or manifestly unfounded.

10. Children’s Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16 without verifiable parental consent. Minor household members may be added to a household record by an adult account holder; in such cases the adult account holder is responsible for authorizing that entry.

If you believe we may have collected information from a child under 16 without appropriate consent, please contact us immediately at privacy@unitypaloalto.org.

In compliance with the CPRA, we do not sell or share the personal information of consumers we know to be under 16 years of age.

11. How to Exercise Your Rights and Contact Us

To exercise your rights under this Policy or applicable law, or if you have questions about our privacy practices, please contact us:

Unity Palo Alto — Privacy

Email: privacy@unitypaloalto.org

Website: unitypaloalto.org

We will take reasonable steps to verify your identity before processing your request. Verification may include confirming your email address or other information on file. We will not retain verification information beyond what is necessary to process your request.

12. Third-Party Links and Services

The Service may contain links to third-party websites or services not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices of third parties.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

  • Update the “Last Updated” date at the top of this Policy.
  • Notify you by email (using the address associated with your account) or by posting a prominent notice in the Service.
  • Where required by applicable law, seek your consent to material changes.

Your continued use of the Service after the effective date of any revision constitutes your acceptance of the updated Policy. We encourage you to review this Policy periodically.

14. Governing Law

This Privacy Policy is governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions, and applicable federal law.

Questions? Email us at privacy@unitypaloalto.org

© 2026 Unity Palo Alto. All rights reserved.