Privacy notice

Last updated: 2026-05-14

What we collect

• When you make a donation: your name (optional), email, donation amount, donation date, and an optional message. Card details are handled entirely by Stripe and never reach our servers.
• When you create an account: your email and a password (stored as a one-way bcrypt hash, never plaintext). Optionally a name and a public pen name.
• When you RSVP to an event: your name, email, headcount, and any note you add.
• When you subscribe to the newsletter: your email and (optional) name + language preference, with a record of your double opt-in confirmation.
• When you contact us: your name, email, and message body.
• Technical metadata: IP address (used only for spam protection and audit logging), browser user agent, and referring page.

What we do with it

• Send you the receipt, confirmation, or reply you asked for.
• Maintain accurate accounting of donations for nonprofit reporting.
• Notify you about events you RSVP'd to, or newsletters you subscribed to. Nothing else.
• Detect and stop abuse (CAPTCHA + rate limits + audit logs).

What we don't do with it

• We do not sell your data.
• We do not share it with advertising networks.
• We do not use third-party tracking cookies.
• We do not have access to your card information. Donations go through Stripe, who is PCI DSS Level 1 certified.

Who processes your data on our behalf

• Stripe — donation processing.
• Resend — transactional emails.
• Cloudflare — CDN, DDoS protection, CAPTCHA, object storage.
• Vercel — application hosting.
• Neon — PostgreSQL database.

Each is bound by its own privacy policy and data-processing agreement.

How long we keep it

• Donation records: indefinitely (legal accounting requirement).
• Account data: until you delete the account.
• Newsletter list: until you unsubscribe (one-click link in every email).
• Contact form submissions: 1 year.
• Audit logs (privileged actions): 7 years.

Your rights

You can request access, correction, or deletion of your personal data by emailing [email protected]. We respond within 30 days.

Security

See our SECURITY.md for the full technical posture: encrypted-in-transit, HTTPS-only, RBAC, signed webhooks, rate-limited public endpoints, immutable donation ledger.

Contact

IRSA.info · 34th Ave, Queens, NY 11106 · [email protected]