Privacy Policy

Effective date: January 1, 2026 · Last updated: May 2026

The Throughlines ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our platform. By registering or using the Platform, you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of personal information:

  • Identity data: first name, last name, email address, date of birth
  • Contact data: home address, phone number
  • Guardian data (minors only): parent or guardian name, email address, and phone number, collected solely for the verifiable parental consent process and parental communication
  • Optional biographical context: a member may choose to add a school name, grade, "currently into" interests, or other origin tiles to their own profile. These fields are optional, supplied by the member, and shown only on surfaces the member has chosen to publish
  • Activity data: service hour logs, opportunity sign-ups, check-in/out timestamps, kudos sent and received, badges and credentials awarded, story entries and reflections
  • Device and usage data: IP address, browser type, operating system, pages visited, login timestamps, and timezone (collected automatically when you use the Platform)
  • Communications: messages sent through the Platform's internal messenger
  • Poll responses: anonymized responses to Community Pulse polls (stored without name or email identifier)
2. How We Use Your Information

We use the information we collect for the following purposes:

  • To create, verify, and manage your account
  • To connect you with service opportunities and organizations
  • To track, record, and verify your service hours and activity
  • To communicate with you about your account, activity, and platform updates
  • To send notifications relevant to your participation
  • To operate and improve the Platform, including fraud prevention against fake accounts and falsified service activity
  • To conduct aggregate, de-identified research on program effectiveness
  • To comply with legal obligations, enforce our Terms of Service, and protect the rights and safety of our users
  • To analyze aggregate, de-identified traffic patterns (see Section 4)

What we do NOT do with reflective-writing content. The Platform includes surfaces where members write privately for their own self-knowledge , journal entries, story moments, training-module reflections. The Platform stores what the member writes (so they can come back to it) but does not scan, analyze, classify, monitor, or surveil the content of that writing. We do not run keyword detection, sentiment analysis, mental-health classification, or any other algorithmic interpretation on this text. We do not alert anyone based on what a member writes. We do not derive profiles, scores, or categories from this content. Reflective writing on the Platform is private to the member; staff access requires a documented reason and is logged.

3. Children's Privacy (COPPA)

We do not knowingly collect personal information from children under the age of 13. Users must be at least 13 years of age to register. If we discover that a user is under 13, we will promptly suspend the account pending age verification by our team. If the user is confirmed to be under 13, we will deactivate the account and delete all associated personal data.

Verifiable parental consent process: when a teen between 13 and 17 ("minor user") registers, we collect a parent or guardian email address and send a tokenized consent link to that email. The minor's account remains inactive until the parent clicks the link and confirms consent. The consent token is single-use and expires after 7 days; if it expires, the teen can request a fresh consent email from their account. We also support a teen-initiated path where the minor generates an invitation link from their profile and shares it with the parent, who then registers a parent account and confirms the link to the child. No other path can create a parent-child link , an adult cannot claim a teen by knowing their email address.

For users between 13 and 17 years of age ("minor users"), we apply the following additional safeguards:

  • A parent or legal guardian must provide verifiable consent via the process described above before a minor's account is activated
  • We collect guardian contact information (name, email, and phone) solely for the purpose of parental communication and COPPA compliance, and do not use it for marketing
  • We restrict the personal information of minor users (address, phone number, contact email) visible to organizations, unless the minor has a confirmed sign-up with that organization and has consented to share with them
  • On unauthenticated public surfaces (portfolio, recommendation forms, strength nomination forms), we display only a chosen handle, or first name and last initial, never the full legal name
  • We do not sell or share minor user data with third parties for marketing, advertising, or commercial purposes
  • We do not use minor user data to build behavioral profiles for advertising, derive biometric features, infer mental-health classifications for screening, scan or classify the content of reflective writing, or apply persistent cross-site advertising identifiers
  • Notifications to minor accounts are off by default and observe quiet hours (9pm-7am local) by default; opting in requires the minor's action and can be further restricted by a parent
  • Parents or guardians may review or request a copy of their child's personal information at any time by contacting us at envisioninglab@gmail.com
  • Parents or guardians may request correction of inaccurate information at any time
  • Parents or guardians may refuse further collection of personal information while keeping the account active: upon request we stop adding new personal data to the record, and the account continues to function with existing data only
  • Parents or guardians may revoke consent and request account deactivation at any time; upon revocation, we will deactivate the account and delete personal data within 30 days
4. Data Sharing and Disclosure

We do not sell your personal information. We may share your data only in the following circumstances:

  • With organizations: when you sign up for or participate in an opportunity, we share your name and relevant activity data with that organization. Email and phone data are not shared unless you explicitly consent at the time of signup. For minor users, address and phone are never shared with organizations, and other contact details require the minor's affirmative consent.
  • With service providers: we engage a small number of third-party vendors to operate the Platform. They access data only as needed to perform services on our behalf, are bound by confidentiality obligations, and may not use your data for their own independent purposes. Current categories:
    • Hosting and infrastructure (the cloud provider running the application and database)
    • Transactional email delivery (account confirmations, password resets, verification requests)
    • Aggregate traffic measurement (Google Analytics in Consent Mode v2 with all storage categories denied by default, IP anonymization on, Google Signals and ad-personalization disabled, no persistent client identifier set on any browser). Google receives consentless "pings" used only for aggregate, modeled traffic reports. No per-user tracking is performed, including for authenticated users.
    The Platform does not run third-party advertising, behavioral targeting, or cross-site identity tracking.
  • For legal compliance: we may disclose personal data to law enforcement, government agencies, or other third parties when required by law, court order, or to protect the safety, rights, or property of our users or the public.
  • In a business transfer: if The Throughlines is acquired, merged, or its assets are transferred, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: we will not share your data for any other purpose without your explicit consent.
5. Cookies and Tracking Technologies

We use only strictly necessary cookies. We do not apply persistent cross-site identifiers to your browser, and the Google Analytics integration we use is configured to not set its own tracking cookies (see Section 4).

  • Session cookie: required to keep you logged in. Set when you sign in and cleared when you sign out or the session expires.
  • CSRF cookie: required for form-submission security. Set automatically and cleared with the session.
  • Timezone cookie: stores your browser's IANA timezone so timestamps display correctly. Set on first visit.

These cookies are necessary for the Platform to function and do not require consent under most privacy frameworks. You can clear them at any time via your browser's settings, but the Platform may not work correctly afterwards until you sign in again.

6. Your Rights (CCPA and US Privacy Laws)

Under the California Consumer Privacy Act (CCPA) and applicable US privacy laws, you have the following rights:

  • Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you, the purposes for which it is used, and the categories of third parties with whom it is shared
  • Right to Access / Portability: download a copy of your personal data in a machine-readable format via your account settings
  • Right to Correction: update or correct inaccurate personal information at any time through your account settings
  • Right to Deletion: request permanent deletion of your account and associated personal data. We will anonymize your records and remove personal identifiers within 30 days of your request
  • Right to Opt-Out of Sale: we do not sell your personal information to third parties
  • Right to Non-Discrimination: we will not deny, charge differently for, or provide a lesser quality of service because you exercised any of your privacy rights

To exercise these rights, use the tools in your account settings or contact us at envisioninglab@gmail.com. We will respond to verifiable requests within 45 days as required by law. In certain circumstances, we may extend this period by an additional 45 days with notice.

7. Data Retention

We retain personal data for as long as your account is active and as needed to provide services. Specific retention periods:

  • Active accounts: personal data retained while account is active
  • Deactivated accounts: personal data retained for 45 days to allow reactivation, then anonymized automatically
  • Deleted accounts: personal identifiers removed within 30 days of deletion request; anonymized activity records (hours contributed, event participation counts) may be retained for aggregate reporting
  • Legal holds: data subject to a legal obligation, dispute, or investigation may be retained beyond standard periods until the matter is resolved
  • Minor accounts: upon parental revocation of consent, personal data deleted within 30 days
8. Data Security

We implement industry-standard security measures to protect your personal information, including:

  • Encrypted passwords (hashed using industry-standard algorithms; we never store plain-text passwords)
  • HTTPS encryption for all data transmitted between your browser and our servers
  • CSRF protection on all form submissions
  • Rate limiting on authentication endpoints to prevent brute-force attacks
  • Access controls limiting employee access to personal data on a need-to-know basis

However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

9. Third-Party Links and Services

The Platform may contain links to third-party websites, applications, or services operated by organizations. These third parties have their own privacy policies and practices, which we do not control and are not responsible for. We encourage you to review the privacy policies of any third-party service you interact with through the Platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features. For material changes, we will provide at least 30 days' notice via email or an in-app notice before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

11. Contact Us

For privacy-related questions, data requests, or to report a concern: envisioninglab@gmail.com

We aim to respond to all privacy inquiries within 5 business days.