Privacy Policy
Last updated: April 1, 2026
fratOS ("we," "our," or "us") operates a software platform that helps fraternities, sororities, and similar organizations manage alumni directories, recruitment (rush) programs, communications, donations, and billing. This Privacy Policy explains what personal information we collect, how we use it, how we store and protect it, who owns it, and your rights with respect to that information.
By using fratOS, you agree to the collection and use of information in accordance with this policy. If you do not agree, please discontinue use of the platform.
1. Information We Collect
1.1 Information You Provide Directly
When you create an account, fill out a form, or interact with the platform, you may provide:
- Full name (first and last)
- Email address
- Phone number (mobile)
- University enrollment status and graduation information
- High school name and city/state
- Employer, job title, industry, and company information (for alumni directories)
- Geographic location (city and state)
- LinkedIn profile URL
- Profile photo or headshot
- Pledge class or graduation year
- Notes, referrals, ratings, tags, or other information entered by organization administrators
- Payment information (processed securely through Stripe — we never store full card numbers)
- Donation amounts and donor contact information
1.2 Information Collected Automatically
When you access the platform, we automatically collect:
- IP address and browser type/version at login
- Device type and operating system
- Session authentication tokens (managed by Supabase)
- Timestamps of logins, profile updates, and system events
- Pages visited and features used within the platform
1.3 SMS Communication Data
When an authorized organization administrator sends an SMS blast through our platform (powered by Twilio), we log the following:
- The message content sent
- The phone numbers messaged
- Delivery success/failure status
- The name and identifier of the administrator who sent the message
- The date and time of the send
- Inbound SMS replies (e.g., STOP, HELP, or other responses)
1.4 Email Communication Data
When organization administrators send email blasts through the platform (powered by Resend), we log:
- The email subject and content sent
- Recipient email addresses
- Delivery success/failure counts
- The administrator who initiated the send
- The date and time of the send
1.5 Payment and Billing Data
When organizations set up billing or donors make contributions, we collect:
- Organization billing status and subscription details
- Card type and last four digits (for display purposes only — full card details are handled exclusively by Stripe)
- Donation amounts, donor names, and donor email addresses
- Transaction history and payment status
2. How We Use Your Information
We use the information we collect for the following purposes only:
- Platform functionality: To operate alumni directories, rush management dashboards, event management, donation campaigns, billing, and related features for verified organizations.
- Authentication and security: To verify your identity, manage sessions, enforce role-based access controls, and protect against unauthorized access.
- SMS and email communications: To deliver transactional and informational messages sent by authorized organization administrators to consenting members, alumni, and rushees. These messages are strictly organization-related and are never used for commercial marketing by fratOS.
- Payment processing: To process subscription payments, one-time fees, and donations through our payment processor (Stripe).
- Donation receipts: To send automated receipts and notifications related to donations.
- Internal analytics: To understand platform usage, improve features, and diagnose technical issues.
- Support: To respond to inquiries, troubleshoot issues, and communicate important platform updates.
We do not use your personal information for marketing, advertising, or any commercial purpose beyond operating the fratOS platform for your organization.
3. Data Ownership
Your organization owns its data. Period.
All data entered into fratOS by or on behalf of an organization — including but not limited to alumni records, member profiles, rushee information, notes, tags, ratings, event data, donation records, and communication history — is and remains the sole property of that organization.
fratOS acts as a data processor and platform provider. Our role is to securely store, maintain, organize, and present your organization's data so that it is accessible, useful, and actionable. We do not claim any ownership, license, or rights over your organization's data beyond what is strictly necessary to operate the platform on your behalf.
Data portability: Organizations may request a full export of their data at any time by contacting us. We will provide the data in a standard, machine-readable format (such as CSV or JSON) within a reasonable timeframe.
Data upon termination: If an organization terminates its relationship with fratOS, we will provide a complete data export upon request and subsequently delete or anonymize all organization data from our systems within 90 days, unless retention is required by law.
No data monetization: We will never sell, license, aggregate, analyze for insights, or otherwise monetize your organization's data. Your data exists on our platform solely for your organization's benefit.
Cross-organization isolation: Each organization's data is kept strictly separate from every other organization's data, and that separation is enforced at the database level by the access controls described in Section 4.2. No organization can access, view, or interact with another organization's data.
4. How We Store and Protect Data
4.1 Infrastructure and Hosting
- All data is stored in a PostgreSQL database hosted by Supabase, a SOC 2 Type II compliant infrastructure provider.
- The application is hosted on Vercel, which provides globally distributed, enterprise-grade hosting infrastructure.
- All data is encrypted in transit using TLS 1.2+ (HTTPS) for every connection between your browser and our servers.
- Data at rest is encrypted by our infrastructure providers using AES-256 encryption.
4.2 Access Controls
- Database access is governed by PostgreSQL row-level security (RLS) policies configured in Supabase, so that queries made with a user's session return only the rows that user is authorized to see.
- Authentication is handled via Supabase Auth, which issues cryptographically signed session tokens (JWTs). The signature is verified on every request, and tokens are only ever transmitted over TLS.
- Administrative actions require verified, approved accounts with role-based access controls. Only users with the "admin" role and explicit approval can access sensitive features like communications, billing, and member management.
- API routes validate authorization on every request using bearer token authentication and server-side role verification.
4.3 Third-Party Service Security
- Stripe (payment processing): PCI DSS Level 1 certified. We never store, process, or transmit full credit card numbers — all payment data flows directly to Stripe's secure servers.
- Twilio (SMS delivery): SOC 2 Type II compliant. API credentials are stored exclusively in server-side environment variables and never exposed to client-side code.
- Resend (email delivery): Used for transactional emails (donation receipts, campaign announcements, communication blasts). API credentials are server-side only.
4.4 Credential Security
- User passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords.
- All third-party API keys and secrets are stored in server-side environment variables and are never exposed in client-side code or browser requests.
- Service role keys, which bypass row-level security, are used only for administrative database operations inside server-side API routes that perform their own authorization checks; they are never sent to the browser.
While we implement industry-standard security measures, no system is completely secure. We encourage you to use strong, unique passwords and to contact us immediately at zohairrk5@gmail.com if you suspect unauthorized access to your account.
5. SMS Messaging Program
fratOS enables authorized organization administrators to send SMS messages to rushees, members, and alumni who have provided their phone numbers through official forms. The following terms apply to all SMS communications:
- Messages are sent only to individuals who have voluntarily submitted their phone number to a participating organization.
- Message content is limited to organization-related information such as event details, scheduling, recruitment updates, and announcements.
- Phone numbers collected through fratOS are never sold, rented, or shared with third-party marketers.
- SMS delivery is powered by Twilio. Twilio's messaging policies and privacy practices also apply.
- Inbound SMS replies (including opt-out requests) are logged and processed to maintain compliance.
To opt out of SMS messages at any time, reply STOP to any message. For help, reply HELP. Message and data rates may apply.
6. Sharing of Information
We do not sell, trade, rent, or share your personal information with third parties for marketing or advertising purposes. Period.
We may share information only in the following limited circumstances:
- Service providers: We use Supabase (database and authentication), Twilio (SMS delivery), Resend (email delivery), Stripe (payment processing), and Vercel (hosting) to operate the platform. These providers process data strictly on our behalf under contractual obligations and are prohibited from using your data for their own purposes.
- Within your organization: Information you enter may be visible to other authorized administrators and approved members within the same organization on fratOS, according to the role-based access controls configured for that organization.
- Legal compliance: We may disclose information if required by law, court order, subpoena, or governmental request, or to protect the rights, safety, and property of users, the public, or fratOS.
- Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of the transaction. We will notify affected organizations prior to any such transfer and ensure the receiving party is bound by equivalent privacy protections.
7. Data Retention
- Active accounts: Profile and directory data is retained for as long as your organization maintains an active account on fratOS.
- Rush records: Rushee information, notes, tags, and stage history are retained for the duration of the rush cycle and up to two years thereafter, or until the organization requests deletion.
- Communication logs: SMS and email blast logs are retained for up to two years for compliance and audit purposes.
- Payment records: Billing and donation transaction records are retained as required for accounting, tax, and legal compliance purposes (typically 7 years for financial records).
- Account termination: Upon account termination, we will provide a data export upon request and delete or anonymize personal data within 90 days, unless retention is required by law.
8. Your Rights
Depending on your location and applicable law, you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request that inaccurate or incomplete data be corrected.
- Deletion: Request that your personal data be deleted, subject to legal retention requirements and your organization's data management policies.
- Opt-out of SMS: Reply STOP to any SMS message at any time to stop receiving messages.
- Data portability: Request your data in a standard, machine-readable format.
- Restriction: Request that we restrict processing of your data in certain circumstances.
- Objection: Object to certain types of data processing where applicable under law.
To exercise any of these rights, please contact us at zohairrk5@gmail.com. We will respond to requests within 30 days.
Note for organization members: Because your organization owns its data on fratOS, some requests (such as deletion of your alumni record) may need to be approved or processed by your organization's administrator. We will work with both you and your organization to fulfill such requests.
9. Cookies and Local Storage
fratOS uses session cookies and browser local storage solely to maintain your authenticated session and to remember user preferences (such as "remember me" login preferences). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Supabase may set authentication-related cookies as part of the login flow. Stripe may set cookies necessary for secure payment processing.
10. Children's Privacy
fratOS is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will delete it promptly. If you believe a child under 13 has provided personal information to us, please contact us at zohairrk5@gmail.com.
11. State-Specific Privacy Rights
California Residents (CCPA/CPRA)
If you are a California resident, you have the right to: (a) know what personal information we collect and how it is used; (b) request deletion of your personal information; (c) opt out of the sale of your personal information (note: we do not sell personal information); and (d) not be discriminated against for exercising your privacy rights.
Other States
Residents of Virginia, Colorado, Connecticut, Utah, and other states with consumer privacy laws may have additional rights. Please contact us at zohairrk5@gmail.com to exercise any applicable rights.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will make reasonable efforts to notify affected users (such as via email or a prominent notice on the platform). Continued use of the platform after any changes constitutes your acceptance of the updated policy. We encourage you to review this page periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or your data, please contact us: