Privacy Policy
Last updated: June 7, 2025
1. About This Policy
This policy describes how Kindred Labs Foundation ("we," "us," or "the Foundation") collects, uses, and protects information when you use kindredlabsfoundation.org (the "Site"). The Foundation is in the process of incorporating as a Delaware nonprofit corporation.
We designed this policy to say what it means. If you have questions, contact us at privacy@kindredlabsfoundation.org.
2. What We Collect
2.1 Account Registration
When you create an account, we collect your name, email address, and a hashed password. We also log email verification status, account creation date, and login history for security purposes.
2.2 CDRP Applications
If you apply to serve on the Community Data Review Panel, we collect the information you submit in the application form, including professional background, perspectives, areas of expertise, and any conflict-of-interest disclosures. Application data is encrypted at rest.
2.3 Contact Form Submissions
If you contact us through the Site, we collect your name, email address, and the content of your message. We route messages to the appropriate team based on inquiry type.
2.4 Analytics
We use Plausible Analytics, a privacy-respecting analytics service, to understand how visitors use the Site. Plausible collects no personally identifiable information, uses no cookies, and does not track users across sites or sessions. Aggregate usage data (page views, referrers, browser type) is used solely to improve the Site.
2.5 Cookies
The Site uses a single cookie to remember your language preference (English or Spanish). This cookie contains no personal information and is not used for tracking or advertising.
3. How We Use Your Information
We use the information we collect to:
- Operate and secure your account
- Process and administer CDRP applications
- Respond to contact form inquiries
- Send transactional emails (account confirmation, security notices, application status updates)
- Understand aggregate Site usage through anonymized analytics
We do not use your information for advertising. We do not sell your data. We do not share your data with third parties except as described in Section 5.
4. Legal Basis for Processing
Where applicable, we process your information on the following grounds:
- Contract: Processing necessary to provide services you have requested (account management, CDRP application processing).
- Legitimate interests: Security logging, fraud prevention, and anonymized analytics used to improve the Site.
- Legal obligation: Retention of records required by law.
5. Third-Party Services
We use a limited set of third-party services to operate the Site:
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting | Account, application, and submission data |
| Postmark | Transactional email | Email address, email content |
| Plausible Analytics | Anonymized site analytics | None (no personal data collected) |
| Google Cloud Run | Application hosting | None (infrastructure only) |
All third-party providers are contractually bound to process data only as directed and to maintain appropriate security standards.
6. Data Retention
We retain data as follows:
- Account data: For the life of the account, plus 90 days after deletion request
- CDRP application data: For the duration of any applicable panel term, plus 3 years
- Contact form submissions: 2 years from date of submission
- Security and login logs: 1 year on a rolling basis
- Anonymized analytics: Indefinitely (no personal data retained)
7. Security
We use industry-standard measures to protect your data, including encrypted storage of application data, HTTPS for all connections, hashed passwords, and multi-factor authentication support. No security measure is absolute. If you have reason to believe your account has been compromised, contact us immediately.
8. Your Rights
You may, at any time:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your account and associated data
- Export your account data
- Withdraw consent where processing is consent-based
To exercise any of these rights, use the account management tools in your dashboard or contact us at privacy@kindredlabsfoundation.org. We will respond within 30 days.
If you are located in the European Economic Area or the United Kingdom, you may also have the right to lodge a complaint with your local data protection authority.
9. Children
The Site is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn we have done so, we will delete it promptly.
10. Changes to This Policy
We may update this policy as the Site and its services evolve. Material changes will be communicated by updating the "Last updated" date and, where appropriate, by email notification to registered users. Continued use of the Site after any change constitutes acceptance of the updated policy.
11. Contact
Kindred Labs Foundation