Privacy Policy
Effective Date: June 1, 2026
The Short Version
We collect as little as possible. We don’t sell your data, track you, or use it for advertising. This page explains exactly what we do and why — in plain language, no legalese.
Questions? contact@studygrc.org · (512) 487-1632 · 5900 Balcones Dr #22989, Austin, TX 78731-4200
See also: Terms of Service · DMCA / Copyright Notice · Code of Conduct
What We Don’t Do
- We don’t sell your personal information — ever
- We don’t run analytics, advertising pixels, or behavioral tracking on this website
- We don’t set our own tracking or advertising cookies
- We don’t use your data for anything beyond running this organization
The only browser storage we use is localStorage for your light/dark mode preference. It stays on your device. It’s never sent to us.
Our hosting provider (Cloudflare) and member platform (NeonOne) may set essential cookies for security and login. Those are covered by their own privacy policies — not ours.
What We Collect and Why
When you email us
Your name, email address, and whatever you include in your message. Used only to respond.
When you browse our site
Cloudflare processes standard technical data (IP address, browser type) to keep the site running. We don’t access or store those logs.
When you create an account or sign up through NeonOne
NeonOne is our member and community platform — it handles membership, volunteer applications, event registration, donations, and mass communications. When you register, NeonOne collects the information you submit (name, email, and optionally your address, phone, date of birth, website, or other account details). This is used for your account, event registrations, and opt-in communications (email, text, or mail). We don’t share this data for any other purpose.
When you book a 1:1 session
Our booking forms run through Fillout at forms.studygrc.org. Fillout receives what you submit so we can schedule your session.
When you buy from our merch store
Our store is handled by Fourthwall at merch.studygrc.org. Fourthwall processes your order and payment — including your shipping address and any optional information you provide (such as phone number for delivery updates). We don’t store your payment details. Fourthwall has its own privacy policy and terms.
When you join our Discord
We see your username or display name. Discord is an independent controller for your account data — their privacy policy applies to your Discord account.
When you submit a resume for review
Resumes can contain a lot of personal information. We use it only to provide your review. Please redact your phone number, home address, employers, date of birth, and other identifying information before sending. Send to contact@studygrc.org.
Who We Share With
We don’t sell or rent your data. We only share it when a service provider needs it to help us operate — and only under written agreements that restrict them to that purpose.
| Service | What they handle |
|---|---|
| Cloudflare, Inc. | Website hosting and security |
| NeonOne, Inc. | Membership, events, volunteers, donations, mass communications |
| Fillout | Booking forms at forms.studygrc.org |
| Fourthwall, Inc. | Merch store and order fulfillment |
| Discord, Inc. | Community platform (independent controller) |
We may also share your data if required by law, or with your explicit permission.
How Long We Keep It
Most data is kept only to the extent necessary for operations.
| Data | How long |
|---|---|
| NeonOne Account | Until deleted, separate platform |
| Emails and form submissions | Reviewed and purged quarterly; kept no longer than 2 years unless required for ongoing service |
| Resumes | Deleted after feedback, unless you ask us to keep them |
| Donation records | 7 years (IRS recordkeeping requirement) |
| Cloudflare logs | Per Cloudflare’s schedule — we don’t access them |
How We Protect Your Data
- Multi-factor authentication enabled for all accounts when and where possible as a minimum best practice
- Data encrypted in transit and at rest by our providers
- Access limited to volunteers who need it for their role
- Regular data protection guidance for board members and volunteers
No system is perfectly secure — but we take reasonable steps and take incidents seriously.
Your Rights
These rights apply to everyone globally — not just California or EU residents.
- Access — Ask what we hold about you
- Correction — Ask us to fix inaccurate information
- Deletion — Ask us to delete your information. Privacy requests are honored when required by law or feasible. Content you’ve contributed to community spaces may be subject to the content license in our Terms of Service — we’ll redact your personal information from our records but the community content itself may remain accessible under that license. Requests are always welcome regardless.
- Restriction — Limit how we process your data in certain situations
- Portability — Get a copy of your data in a structured format (CSV or JSON)
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Pull back any consent you’ve given, at any time
We respond within 30 days. It’s free. We may verify your identity first.
To submit a request, see our Data Request page for the right subject line and instructions.
If you’re not satisfied with our response, you can contact your local data protection authority. UK: the Information Commissioner’s Office (ICO). EU/EEA: edpb.europa.eu.
California Residents
We extend core rights to everyone, but California residents have additional rights under the CCPA/CPRA:
- Right to Know what we collect, use, and disclose
- Right to Delete your personal information
- Right to Correct inaccurate information
- Right to Opt-Out — We don’t sell or share data, so there’s nothing to opt out of. See our Do Not Sell page
- Right to Non-Discrimination — We’ll never treat you differently for exercising your rights
- Right to Limit Sensitive PI — We don’t collect or process sensitive personal information for the purpose of inferring characteristics. No action is needed to exercise this right.
Other Privacy Matters
Browser privacy signals. We honor GPC and DNT signals. Since we don’t sell or share data, these signals don’t change our processing — but we never discriminate against users who send them.
Sensitive data. We don’t intentionally collect sensitive personal information (health data, race, religion, precise location). If you’ve accidentally sent us any, email us and we’ll delete it.
Children. Our site isn’t directed at children under 13. We don’t knowingly collect data from anyone under 13 (COPPA). Parents or guardians who believe a child under 13 has provided personal information should email contact@studygrc.org. We’ll delete the information promptly.
International visitors. We’re based in the U.S. Your data may be processed here or where our providers operate. For EEA/UK transfers, we rely on appropriate safeguards including EU Standard Contractual Clauses and the UK Addendum/IDTA where applicable.
Video platforms. Videos on our site may be hosted by PeerTube (self-hosted at videos.studygrc.org), YouTube (Google LLC), or Odysee (LBRY, Inc.). Each platform may collect viewing data under their own policies. Our self-hosted PeerTube instance processes minimal technical data for video delivery only.
Automated decisions. We don’t use your data for automated decision-making or profiling.
Changes to This Policy
We may update this policy. For material changes, we’ll give at least 30 days’ notice through our website, Discord, or email. Non-material changes (formatting, clarifications) take effect when posted.
We review this policy annually. Last reviewed: June 1, 2026. Next review: June 2027.
Contact
- Privacy questions: contact@studygrc.org
- Security reports: security@studygrc.org
- Abuse reports: abuse@studygrc.org
Need this in an alternative format? Email contact@studygrc.org.