Privacy Policy

How Rally4One collects, uses, and protects your information

Introduction

Rally4One ("we," "our," or "us") operates a digital fundraising platform that helps schools, teams, and community organizations raise funds through personal outreach. This Privacy Policy explains how we collect, use, share, and protect your information when you use our website, platform, mobile applications, and related services (collectively, the "Services").

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

The terms used in this Privacy Policy have the same meanings as in our Terms of Service, unless otherwise defined in this Privacy Policy.

Effective Date: March 10, 2026

1. Information We Collect

1.1 Information You Provide

We collect information you voluntarily provide, including:

• Account Information: Name, email address, and phone number when you create an account
• Advocate Information: Name, email, phone number, and optional story for your fundraising campaign
• Beneficiary Information: Name and optional photo of the student, athlete, or individual being supported (provided by advocates)
• Contact Information: Names, email addresses, and/or phone numbers of friends, family, and community members personally known to the advocate who may receive invitations to support the fundraiser
• Sponsor Information: Name, email, and phone number of organizational sponsors
• Organization Information: Organization name, address, and logo for schools, teams, or community groups
• Donation Information: Donor name, email, and donation amount
• Communications: Messages, feedback, and support inquiries you send us

1.2 Information Collected Automatically

When you use our Services, we automatically collect:

• Device Information: Browser type, operating system, device identifiers, and mobile network information
• Usage Data: Pages visited, features used, time spent, click patterns, and referring URLs
• Location Data: General geographic location based on IP address (we do not collect precise GPS location)
• Log Data: IP addresses, access times, and system activity

1.3 Information from Third Parties

We may receive information from:

• Payment Processors: Transaction confirmation and fraud prevention data (we do not receive or store full payment card numbers)
• OAuth Providers: Basic profile information when you connect accounts (e.g., Google, Microsoft) for contact import
• Organizations: Information provided by sponsors or schools when setting up fundraising events

2. How We Use Your Information

2.1 Providing and Improving Services

• Processing donations and transactions
• Facilitating communication between advocates, contacts, and donors
• Personalizing your experience and campaign recommendations
• Analyzing usage patterns to improve platform functionality
• Providing customer support

2.2 Communications

• Sending transactional emails (donation receipts, account notifications)
• Delivering campaign updates and fundraising communications (with consent)
• Sending SMS messages for fundraising outreach (with explicit consent)
• Responding to inquiries and support requests

2.3 Safety and Compliance

• Detecting and preventing fraud, abuse, and security incidents
• Enforcing our Terms of Service
• Complying with legal obligations and regulatory requirements

3. Payment Processing and Security

All payment card transactions are processed by PCI DSS Level 1 certified payment processors.

We partner with industry-leading payment processors (Authorize.Net and PayPal) that maintain PCI DSS Level 1 certification — the highest level of payment security standards. This means:

• We do not store, process, or transmit credit card numbers on our servers
• All payment data is handled directly by our certified payment partners
• Payment information is encrypted using industry-standard TLS encryption

Your financial information is never accessible to Rally4One staff. Donation receipts and transaction records contain only non-sensitive reference information.

4. Data Security

We implement security practices aligned with industry standards to protect your information.

4.1 Security Measures

We employ technical and organizational safeguards, including:

• Encryption: TLS/SSL encryption for all data in transit; encryption at rest for sensitive data
• Access Controls: Role-based access limiting data visibility to authorized personnel only
• Infrastructure Security: Hosted on secure cloud infrastructure with monitoring
• Authentication: Secure password hashing and support for multi-factor authentication
• Security Reviews: Ongoing security assessments and improvements

4.2 Our Commitment

Rally4One maintains PCI-DSS compliance through Authorize.Net's Accept.js tokenization — payment credentials are captured directly by Authorize.Net and never touch Rally4One servers. Our platform is hosted on Microsoft Azure, which maintains SOC 1/2/3, ISO 27001, and FedRAMP certifications. We continuously evaluate and improve our security posture as the platform and regulatory landscape evolve.

4.3 Breach Notification

In the event of a confirmed data breach involving personal information, Rally4One will notify affected parties within 30 days of determining that a breach has occurred. For Client Organizations that are government entities or public school districts, we will also notify the organization's designated privacy or security contact within the same timeframe. Notifications will include a description of the incident, the types of information involved, and the steps being taken to address and mitigate the breach.

4.4 Security Limitations

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.

5. Education Records and Student Privacy

We follow data-handling practices designed to protect student and family information.

Because Rally4One serves schools, students, and parent-managed fundraising, we are committed to responsible data stewardship:

• We do not sell student or family data to third parties for marketing purposes
• We do not market directly to students
• We limit personally identifiable information (PII) access based on user roles
• We minimize data collection to only what is necessary for fundraising purposes
• We honor data deletion requests from schools and families

Schools and districts maintain control over their organizational data and can request data export or deletion at any time.

6. Email and SMS Communications

All outreach is permission-based. We follow CAN-SPAM and TCPA requirements.

6.1 Email Communications

In accordance with CAN-SPAM requirements:

• All marketing and fundraising emails include clear sender identification
• Every email contains a visible and functional unsubscribe link
• Opt-out requests are honored within 10 business days
• We do not use deceptive subject lines or false header information

6.2 SMS/Text Communications

In accordance with TCPA requirements:

• SMS messaging is optional — advocates choose whether to use it
• All SMS recipients are personally known contacts added by advocates
• Advocates attest that contacts have consented to receive messages
• Every SMS includes clear opt-out instructions (reply STOP)
• We honor opt-out requests immediately
• We do not purchase contact lists or send unsolicited messages to unknown recipients
• Message frequency is limited and clearly disclosed

7. Information Sharing

We do not sell your personal information.

We may share your information only in the following circumstances:

7.1 Service Providers

We share information with trusted third-party vendors who assist in operating our platform, including:

• Payment processors (for donation transactions)
• Email delivery services (for transactional and campaign communications)
• SMS providers (for text message delivery)
• Cloud hosting and infrastructure providers
• Analytics services (in anonymized/aggregated form)

All service providers are contractually obligated to protect your information and use it only for specified purposes.

7.2 Within Fundraising Campaigns

• Donors may choose to share their name with campaign advocates
• Advocates can view contact and donation information for their campaigns
• Sponsors/organizations can access aggregate campaign data

7.3 Legal Requirements

We may disclose information when required by law, legal process, government request, or to:

• Comply with applicable laws, regulations, or legal proceedings
• Protect the rights, property, or safety of Rally4One, our users, or others
• Detect, prevent, or address fraud, security, or technical issues

7.4 Business Transfers

If Rally4One is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

7.5 With Your Consent

We may share information with third parties when you explicitly consent or direct us to do so.

8. Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Maintain your session and authentication state
• Remember your preferences and settings
• Analyze platform usage and performance
• Improve our Services

8.1 Types of Cookies

• Essential Cookies: Required for platform functionality (cannot be disabled)
• Analytics Cookies: Help us understand usage patterns (can be disabled)
• Preference Cookies: Remember your settings and choices

8.2 Managing Cookies

You can control cookies through your browser settings. Disabling certain cookies may affect platform functionality.

We do not use cookies for third-party advertising or cross-site tracking.

9. Data Retention

We retain personal information only as long as necessary to:

• Provide our Services and maintain your account
• Comply with legal, tax, and accounting requirements
• Resolve disputes and enforce agreements
• Maintain records for legitimate business purposes

When information is no longer needed, we securely delete or anonymize it. General retention guidelines:

• Account Data: Retained while account is active; deleted upon verified request (subject to legal requirements)
• Transaction Records: Retained as required for tax and legal compliance
• Communication Logs: Retained for support and compliance purposes
• Analytics Data: Aggregated/anonymized data may be retained indefinitely

10. Your Privacy Rights

10.1 Rights for All Users

Regardless of your location, you may:

• Access your personal information
• Correct inaccurate or incomplete information
• Delete your account and associated data (subject to legal retention requirements)
• Opt out of promotional communications
• Export your data in a portable format

10.2 California Residents

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). We honor these rights:

• Right to Know: Request details about the categories and specific pieces of personal information we collect
• Right to Delete: Request deletion of your personal information
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale: We do not sell personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact us at privacy@rally4one.com. We will respond to verifiable requests within 45 days.

10.3 International Users

While Rally4One primarily serves users in the United States, we extend the following practices to all users:

• Data Minimization: We collect only information necessary for our Services
• Purpose Limitation: We use information only for disclosed purposes
• Right to Erasure: You may request deletion of your personal data
• Data Portability: You may request an export of your data
• Transparency: We clearly disclose our data practices

11. Children's Privacy

Our Services are not directed to children under 13 years of age. We do not knowingly collect personal information directly from children under 13.

• Fundraising beneficiaries may include minors, but their information is provided and managed by parent advocates or authorized school personnel
• We rely on advocates and organizations to ensure appropriate consent for any minor's information
• If we become aware that we have collected personal information from a child under 13 without proper consent, we will promptly delete it

If you believe we have inadvertently collected information from a child under 13, please contact us immediately at privacy@rally4one.com.

12. Third-Party Links and Services

Our platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you access.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this page
• We may notify you via email or platform notification for significant changes
• Continued use of our Services after changes constitutes acceptance of the updated policy

We encourage you to review this Privacy Policy periodically.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: privacy@rally4one.com
• Support: support@rally4one.com
• Website: rally4one.com/get-started
• Address: Rally4One, LLC — 10612 Van Gordon Way, Broomfield, CO 80021, United States

For privacy inquiries or to exercise your privacy rights, email privacy@rally4one.com with the subject line "Privacy Request."

15. Our Commitments

Rally4One is a secure fundraising platform built for schools and community organizations. We use industry-leading payment processors, implement security best practices, and follow responsible data-handling principles to protect families, donors, and organizations.

Last updated: March 2026