Privacy Policy
Last updated: March 31, 2026
Who We Are {#who-we-are}
This website is operated by The Rhoades Institute of Technology (RIT), a Wisconsin 501(c)(3) nonprofit organization. For the purposes of this privacy policy, the data controller is Johnathon Rhoades / The Rhoades Institute of Technology.
What We Collect {#what-we-collect}
We collect almost nothing. Here is the complete list:
- Contact form submissions: Your name, email address, and message, submitted voluntarily through our contact form. Submissions are processed by a Cloudflare Worker and stored in Cloudflare D1. We retain contact form data for 90 days after the inquiry is resolved, then delete it.
- File attachments: If you attach a file to the contact form, it is uploaded directly to Cloudinary (a cloud media service) before form submission. Files are stored on Cloudinary's infrastructure under our account.
- Waitlist and survey submissions: Name, email, and your responses, submitted voluntarily through TVN Bridge waitlist or community surveys. Stored in Cloudflare D1 alongside contact submissions.
- Donation information: When you make a donation, payment processing is handled by Stripe. We do not store your credit card number, bank account details, or other payment credentials on our servers. Stripe collects and processes your payment information in accordance with their privacy policy. We receive only a confirmation of your donation amount, your name, and your email address for receipt and acknowledgment purposes.
- QR code scan data: QR codes on RIT printed materials link through a URL shortener operated by RIT and hosted on Vercel. When you scan one of our QR codes, we record: the timestamp of your visit, your browser name, operating system, device type (desktop/mobile/tablet), and your approximate geographic region (state and country level only). We store a non-reversible hash of your IP address for deduplication β we cannot identify you from this hash. No cookies are set. Raw scan data is retained for 365 days, then aggregated into anonymous totals and purged.
- Browser preferences: Your language and content lens preferences are stored locally in your browser (
localStorage). These values never leave your browser and are never transmitted to us.
That's it. No analytics. No ad pixels. No fingerprinting. No tracking scripts on this site.
Legal Basis for Processing (GDPR) {#legal-basis}
Under GDPR Article 6(1), we process personal data on the following legal bases:
- Consent: Contact form submissions, waitlist signups, and survey responses β you voluntarily provide this information.
- Contract performance: Donation processing β necessary to complete your donation and issue a receipt.
- Legal obligation: Donation records retained for 7 years as required for 501(c)(3) organizations.
- Legitimate interest: QR scan analytics β measuring outreach effectiveness with minimal, non-identifying data.
How We Use Your Data {#how-we-use-data}
- Email: To respond to inquiries and send donation receipts. Nothing else.
- Donation records: To issue tax-deductible receipts as required for a 501(c)(3) organization and to maintain legally required financial records.
- QR scan data: To measure which outreach materials are effective, understand what platforms our audience uses, and verify that our efforts are reaching our authorized service area (Wisconsin). We never use this data to identify or track individuals.
Data Retention {#data-retention}
- Contact form submissions: 90 days after inquiry is resolved
- Waitlist/survey submissions: 90 days after inquiry is resolved
- File attachments: Stored on Cloudinary until manually deleted
- Donation records: 7 years (legally required for 501(c)(3) organizations)
- QR scan data (raw): 365 days, then aggregated and purged
- QR scan data (aggregated totals): Retained indefinitely for reporting
- Browser preferences: Stored in your browser until you clear it
Third Parties {#third-parties}
We use a limited number of third-party services, each for a specific purpose. We do not sell, rent, or share your data with anyone beyond what is described here.
- Cloudflare β Provides DNS proxy and CDN for this website. All site traffic passes through Cloudflare's network, meaning Cloudflare processes every HTTP request (IP address, URL, headers). Cloudflare also routes email sent to
[email protected]to our inbox via their Email Routing service. Additionally, Cloudflare Workers process form submissions and Cloudflare D1 stores submission data. See Cloudflare's privacy policy. - Cloudflare Turnstile β Bot protection on forms. Turnstile loads a script from
challenges.cloudflare.comon pages with forms. It analyzes browser signals to distinguish humans from bots. Turnstile may set functional cookies (e.g.,cf_clearance) for verification persistence. These are not used for tracking. - Cloudinary β Serves optimized images for this website and stores contact form file attachments. When images load, Cloudinary receives standard HTTP request data (IP address, user-agent, referer). See their privacy policy.
- Stripe β Processes donations. PCI-DSS compliant. See their privacy policy.
- GitHub Pages β Hosts this website. GitHub may log standard web server access data (IP address, user agent) per their privacy statement.
- Vercel β Hosts the QR code redirect service. Vercel processes requests through their serverless infrastructure per their privacy policy.
- Vercel Postgres (Neon) β Stores QR scan analytics data. Data at rest on Vercel's infrastructure.
- Prisma β Database connection pooling for the QR service. Query traffic routes through Prisma's infrastructure.
Cookie Policy {#cookies}
This site stores three items in your browser's local storage: rit_cookie_consent (your consent preference), rit_lens (content perspective preference), and rit_lang (language preference). These values never leave your browser and are used only for site functionality.
We set no tracking cookies, no analytics cookies, and no advertising cookies. Cloudflare Turnstile may set functional cookies for bot verification on pages with forms. These are not used for tracking. The QR code redirect service sets no cookies on end users.
Email {#email-routing}
Email sent to [email protected] is processed through Cloudflare Email Routing and delivered to Gmail ([email protected]). Both Cloudflare and Google process email content and metadata in accordance with their respective privacy policies.
Your Rights {#your-rights}
You have the right to:
- Access any data we hold about you
- Rectify inaccurate personal data
- Delete your data at any time
- Restrict processing of your data while a dispute is resolved
- Object to processing based on legitimate interest
- Withdraw consent for any communications
- Export your data in a portable format
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Breach Notification {#breach-notification}
In the event of a data breach that affects your personal information, RIT will notify affected individuals within 72 hours of becoming aware of the breach. Notification will be sent via email where possible, and a notice will be posted on this website. We will disclose: what happened, what data was affected, what we are doing about it, and what steps you can take.
Do Not Sell My Personal Information {#do-not-sell}
We do not sell your personal information. We never have and never will. This applies to all users regardless of jurisdiction, including under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Children's Privacy {#children}
This website is not directed at children under 13. We do not knowingly collect data from children.
Changes to This Policy {#changes}
If we change this policy, we will update the date at the top of this page. Material changes will be communicated via email to those who have provided their contact information.
Contact {#contact}
Johnathon Rhoades / The Rhoades Institute of Technology