Your data, your control.

Kindness Counts is a verified volunteer hours platform operated by afternode, a brand of Alanis Holdings LLC, a Delaware limited liability company (“afternode,” “Kindness Counts,” “we,” “us”). Our principal place of business is Santa Ana, California.

This Privacy Policy describes how we collect, use, and protect information when you use the platform. We currently make the platform available to residents of California and Arizona only. If you are accessing the platform from outside these states or outside the United States, you understand that your information will be transferred to and processed in California and that additional protections under your local law may not apply.

Kindness Counts uses three categories to describe the information that flows through the platform. Understanding the difference helps clarify what you control, what we own, and what rights you have.

Customer Content (you own this)

Information you actively provide: name, email address, phone number, password, date of birth, profile photo (or photo from Google sign-in), and any optional demographic fields you choose to fill in (such as gender, birthday, location preferences, or other demographic attributes we may offer in the future). You own your Customer Content. You grant us a non-exclusive, worldwide license to use, store, and process it solely to operate the Platform for you.

Service Generated Data (we own this)

Information the Platform creates, derives, or computes during operation: GPS coordinates captured at check-in and check-out, TOTP timestamps, cryptographic verification records and SHA-256 hashes, confidence scores, witness associations, system logs, audit trails, fraud detection signals, performance metrics, and related operational data. These records are owned by the Provider (afternode) because they represent the operation of our verification system. You retain CCPA/CPRA rights over the personal information contained within these records, including rights to access, correct, and delete, even though the records themselves are ours.

Aggregated Data (de-identified)

Customer Content and Service Generated Data combined and stripped of identifiers so that it cannot reasonably identify you, your organization, or any specific event. Aggregated Data is no longer “personal information” under California or Arizona law.

How Aggregated Data is used. We and our partners use Aggregated Data for purposes including:

• Platform improvement, fraud research, security, and performance monitoring.
• Training, evaluation, and improvement of artificial intelligence and machine learning systems we develop or license, including those that power our verification, fraud detection, confidence-scoring, and Verified Impact Intelligence systems.
• Industry benchmarks, sector research, white papers, and public reports about volunteerism and verified impact.
• Future analytics products. Aggregated analytics, dashboards, benchmarking reports, and insights products that we may develop and license, sell, or otherwise make available to corporate, philanthropic, academic, government, and other partners over time. These may include aggregated benchmarks and white-label reporting offered to partner organizations.

Aggregated Data is never used to identify or target you individually.

Re-identification commitment. We commit not to attempt to re-identify Aggregated Data, and we require every recipient of Aggregated Data (including service providers, partners, and customers of our analytics products) to make the same contractual commitment, consistent with California Civil Code § 1798.140(h). We use technical safeguards (including k-anonymity techniques, suppression of small-cell results, and minimum-cohort thresholds) and contractual safeguards to make re-identification infeasible.

Categories of sources

We collect personal information from these sources only:

• Directly from you (account creation, profile updates, event registrations, check-in/check-out).
• From your device (GPS coordinates at the moment of check-in/check-out, device and browser metadata for session security).
• From identity providers you choose to use (Google sign-in, when you elect that path).
• Generated by the Platform (verification records, confidence scores, witness associations, audit logs).
• From host organizations you volunteer with (event roster confirmations, organizer notes related to your attendance).

We do not buy personal information from data brokers and do not ingest information from third-party data sets.

Categories of recipients

We disclose personal information only to:

• Sub-processorswho provide infrastructure to run the Platform (see Section 8). These parties are designated as “Service Providers” or “Contractors” under California Civil Code § 1798.140 and are contractually limited to processing the information solely for the business purposes we specify. Disclosures to Service Providers and Contractors are not “sales” or “sharing” under California law.
• Host organizations for events you attend (limited to your name, verified hours, confidence indicator, and event-related context, see Section 8).
• Government, regulatory, or judicial bodies when we are legally required to respond to a valid legal process.
• An acquirer or successor in connection with a merger, acquisition, financing, or sale of assets, in which case we will provide notice and successor obligations to honor this Policy.

Account information

When you create an account, we collect: email address, first and last name, date of birth (used solely to verify you are 18 or older), phone number (optional), and a profile photo if you sign in with Google.

Optional demographic information

We may add optional demographic fields over time, for example: gender, more granular location, or other attributes that help nonprofits report demographic outcomes to grant funders. Any such fields will be: opt-in, clearly labeled as optional, separate from required account fields, and never used to gate access to the platform. You may decline any demographic field and use the platform fully. Today, the only demographic information we require is date of birth (for the 18+ check); all other demographic fields, if introduced, will be optional.

Location information

When you check in to or out of an event, we collect your device's GPS coordinates at that exact moment. We use these coordinates to compute the distance from the event location and to generate your verification record. We do not track your location continuously, before events, during events between check-in and check-out, or after events. We do not use location data for advertising, profiling, or any purpose other than verifying that you were physically at the event.

Volunteer activity

Events you register for, hours you log, verified check-in records, confidence scores, witness associations (other verified volunteers who were at the same event at the same time), and post-event surveys.

Technical data

IP address, browser type, device type, and basic usage logs. Collected by our hosting infrastructure (Vercel) for security and rate limiting. Not used for tracking or advertising.

Background check information (only when a host organization requires it)

Some host organizations require a background check for volunteers in roles involving vulnerable populations (such as youth, elderly, or disability programs). When a role requires this and you elect to apply, you will be presented with a separate, standalone authorization and disclosure that complies with the federal Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.) and, for California residents, the Investigative Consumer Reporting Agencies Act (Cal. Civ. Code § 1786 et seq.) before any check is initiated. Information collected for a background check (which may include date of birth, current and former addresses, partial Social Security number, and government-issued ID information) is described in detail in Section 10 of this Policy. We do not collect this information for general use of the Platform.

California law (CPRA) defines certain categories of information as “Sensitive Personal Information” (SPI). We want to be explicit about what SPI we collect and why:

• Precise geolocation (within 1,850 feet). We collect your GPS coordinates only at the moment of check-in and check-out, exclusively to verify your physical presence at an event. We use this data only for that verification purpose; we do not infer demographics, behaviors, or other characteristics from it; we do not share it with third parties for advertising or any other purpose.
• Account authentication credentials (email address combined with password, where applicable). Used only to sign you in.
• Criminal history information (only when a host organization requires a background check for a specific volunteer role and you separately authorize that check, see Section 10). We do not collect criminal history information for general use of the Platform. When collected, it is used solely to confirm your eligibility for the role with that host organization.

California residents have the right to limit our use and disclosure of Sensitive Personal Information to what is necessary to perform requested services and to comply with applicable law. We already limit our use of SPI to those purposes by default. We do not use it for any secondary purpose, and we do not engage in cross-context behavioral advertising. If you wish to formalize this limit, email privacy@kindnesscounts.io.

• Continuous location data. GPS is captured only at the moment of check-in and check-out.
• Background data when you're not actively using the platform.
• Health, medical, financial, biometric, genetic, or government-ID information.
• Demographic information that you have not voluntarily provided. See Section 3. Any future demographic fields will be opt-in.
• Information from data brokers or third-party data sets.

• To provide the verification platform and your dashboard.
• To compute confidence scores and generate cryptographic verification records.
• To send transactional emails (signup confirmations, event reminders, post-event thank-yous, weekly waitlist digest).
• To prevent fraud and abuse (such as detecting impossible movement patterns between check-ins).
• To produce reports for nonprofits about volunteers who attended their events.
• To respond to legal requests we are required to honor.

Automated decision-making. Our verification confidence score is computed automatically from the four factors described in our Terms (GPS, TOTP, witness, history). The score does not by itself produce legal effects on you. You can request a human review of any verification record by emailing privacy@kindnesscounts.io.

Kindness Counts does not sell or “share” (as those terms are defined in California Civil Code § 1798.140 and analogous provisions of other applicable law) your personal information. We do not engage in cross-context behavioral advertising. We have not sold or shared personal information in the past twelve (12) months and have no plans to do so.

Important distinction.Aggregated Data and de-identified information that does not identify and cannot reasonably be linked to you (as defined in California Civil Code § 1798.140(h)) is not personal information. We may license, sell, or otherwise commercialize Aggregated Data, including in the form of analytics, benchmarks, dashboards, and insights products that we may develop and offer to corporate, philanthropic, academic, government, and other partners. These commercial uses of Aggregated Data are not “sales” or “sharing” of personal information under California law because Aggregated Data is not personal information. Section 2 describes the technical and contractual safeguards we apply to ensure Aggregated Data cannot be re-identified.

If we ever change this practice and begin to sell or share actual personal information, we will update this Policy, notify you, and provide a clear “Do Not Sell or Share My Personal Information” link and opt-out mechanism as required by California law before any such activity begins.

We rely on the following sub-processors to operate the platform. Each is contractually obligated to use your information only as needed to provide their service to us, and not for their own purposes.

• Firebase (Google LLC): authentication and account sign-in. Privacy: firebase.google.com/support/privacy
• Neon: managed PostgreSQL database hosting.
• Vercel: application hosting, blob storage for uploaded images, security and rate limiting.
• Resend: transactional email delivery.
• Stripe: subscription billing and payment processing for paid organization tiers. Stripe receives organization billing data only. Stripe never receives volunteer personal information.
• Checkr (forthcoming, conditional): a licensed consumer reporting agency we plan to integrate to provide background checks for volunteer roles that require them. Information will be transmitted to Checkr only when a host organization requires a background check for a specific role and you separately authorize that check under the standalone disclosure described in Section 10. Checkr will be contractually bound to handle the information solely to return a consumer report to the host organization that requested it.

A current public list of all sub-processors, including their purpose, hosting region, and a link to their privacy practices, is available at kindnesscounts.io/sub-processors.

We may add or change sub-processors over time. Material changes will be reflected in this Policy, and we will notify you when required by applicable law.

Organizations you volunteer with

When you register for or attend an event, the host organization can see: your name, your verified hours, your confidence score, and basic event-related information. They cannot see your date of birth, your phone number unless you provide it during check-in recovery, or any data unrelated to the event you attended.

Future analytics and advertising providers

We may add analytics or advertising-related providers in the future. Examples we may consider include Google Analytics, Vercel Analytics, Google Ads, Meta, TikTok, and LinkedIn. We will update this policy and request appropriate consent before activating any such tracking, and we will provide an opt-out mechanism that complies with applicable California and Arizona law.

Our verification system relies on the corroboration of other volunteers who were physically present at the same event at the same time. When you check in to an event, the platform records the identifiers of other verified volunteers nearby as “witnesses” on your record. Reciprocally, your identifier may appear as a witness on theirs.

This is necessary for the verification mechanism. If you delete your account, your name and identifying information are removed from your own records and from the witness lists on others' records.

We may offer host organizations the ability to require a background check for volunteers in specific roles, particularly roles involving vulnerable populations. We plan to provide this capability through a licensed consumer reporting agency (currently planned: Checker). This Section describes how background-check information is handled if and when this feature is enabled for a role you apply to.

Standalone disclosure and consent. Before any background check is initiated, you will be presented with a separate, standalone disclosure and authorization document that complies with the federal Fair Credit Reporting Act (15 U.S.C. § 1681b(b)(2)) and, for California residents, the Investigative Consumer Reporting Agencies Act (Cal. Civ. Code § 1786.16). No check will be initiated without your express written or electronic authorization. You may decline a background check; if you decline, you may not be eligible for the specific role that required it, but your account and ability to use the Platform for other purposes are unaffected.

What is collected and who collects it. The consumer reporting agency, not Kindness Counts, performs the check. Information you provide for a check may include date of birth, current and former addresses, partial Social Security number, and government-issued identification information. Kindness Counts transmits this information to the consumer reporting agency and stores only the result of the check (eligibility status, plus the date the check was completed) on your account. We do not retain the underlying source data (criminal records, court records, etc.) longer than necessary to complete the check.

Who sees the result. The host organization that requested the check sees the eligibility status. Kindness Counts stores the status to confirm your role eligibility. We do not share background-check results with any other host organization or any third party except as required by law.

Your FCRA and ICRAA rights. You have the right to (a) receive a copy of any consumer report obtained about you; (b) dispute inaccurate information directly with the consumer reporting agency; (c) receive notice if information in a consumer report leads to an adverse decision (such as ineligibility for a role), including the name and contact information of the agency that provided the report and a summary of your rights under the FCRA. California residents have additional rights under ICRAA, including the right to request a free copy of any investigative consumer report obtained about you within the past two years.

Permissible purpose. The host organization requesting a check certifies to the consumer reporting agency that the report will be used for a permissible purpose under the Fair Credit Reporting Act (15 U.S.C. § 1681b), specifically the evaluation of you for a volunteer position involving a duty of care to vulnerable persons. The report will not be used for any other purpose, including marketing, profiling, or sale.

Lookback limits. Federal and California law limit how far back consumer reporting agencies may report certain information. Under the FCRA (15 U.S.C. § 1681c) and California Civil Code § 1786.18, non-conviction items (arrests not resulting in conviction, civil suits, paid tax liens, accounts placed for collection, and other adverse information) generally may not appear on a report after seven (7) years; convictions may be reported indefinitely under the FCRA but California Civil Code § 1786.18(a)(7) limits convictions on California reports to a seven-year lookback. The consumer reporting agency, not Kindness Counts, applies these limits to the report it produces.

Multi-state compliance. Background-check law varies by state and by the type of role being filled. Some jurisdictions impose additional restrictions (for example, ban-the-box laws, marijuana-conviction limits, or industry-specific requirements). The host organization is responsible for ensuring the role and the check comply with applicable state and local law in the location where you will serve. If you believe a check obtained about you violates applicable law, you may dispute it with the consumer reporting agency and notify us at privacy@kindnesscounts.io.

Cost. Background-check fees are paid by the host organization that requires the check. Kindness Counts does not charge volunteers for background checks.

While your account is active: we retain your personal information for as long as you maintain your account and use the platform.

If you delete your account: we delete your personal information (name, email, date of birth, phone number, raw GPS coordinates, profile photo) within thirty (30) days.

Anonymized verified-hour records: we may retain records of verified volunteer hours indefinitely in anonymized form. Anonymized records cannot be used to re-identify you. We retain these records because nonprofits may need to verify volunteer hours years after the fact for grant audit purposes. Your deletion should not invalidate the legitimate records of organizations you volunteered with.

Anonymized records contain only: event identifier, date, hours logged, GPS-verified flag (true/false), TOTP-verified flag, and aggregate confidence metrics. They do not contain your name, email, GPS coordinates, or any other identifier.

Backups and security logs. We may retain backup copies of personal information for up to ninety (90) days for disaster recovery, and security or audit logs (e.g. authentication events) for up to twelve (12) months.

Background check results.The eligibility status returned from a background check (see Section 10) is retained for as long as the underlying volunteer role requires it, plus a period required by applicable record-retention law. The consumer reporting agency's retention of underlying source data is governed by its own policies and applicable law.

You have the right to:

• Know what personal information we have collected, used, disclosed, or sold (we have not sold) about you. By default, this right covers the preceding 12 months; California residents may also request information from beyond the 12-month period to the extent required by Cal. Civ. Code § 1798.130(a)(2)(B), and we will provide it unless doing so proves impossible or would involve disproportionate effort.
• Access a copy of the personal information we hold about you.
• Correct inaccurate personal information.
• Delete your personal information (subject to the anonymized-records retention described above and the limitations in Section 12(c) below).
• Receive a portable copy of the personal information you have provided to us, in a structured, commonly-used, machine-readable format (such as JSON or CSV), and to transmit that information to another service of your choice.
• Limit our use and disclosure of Sensitive Personal Information (see Section 4).
• Opt outof any future “sale” or “sharing” (we currently do neither).
• Non-discrimination. We will not deny you service, charge you a different price, or provide you a different level of service because you exercised any of these rights.
• Opt out of non-transactional communications at any time using the link in any email we send you.

To exercise any of these rights, email privacy@kindnesscounts.io. We will acknowledge your request within ten (10) business days and respond within forty-five (45) days. We may extend this period by an additional forty-five (45) days when reasonably necessary, and we will inform you of any extension and the reason for it.

Identity verification.Before fulfilling a request to know, access, correct, delete, or port your personal information, we will verify your identity to a degree of certainty appropriate to the sensitivity of the information and the risk of harm to you from improper disclosure, consistent with the California Consumer Privacy Act regulations (Cal. Code Regs., tit. 11, §§ 7060–7062). For most requests we will ask you to verify ownership of the email address associated with your account. For higher-risk requests (deletion, broad data export) we may ask for additional verification, such as confirming recent account activity.

Authorized agents.You may designate an authorized agent to make a request on your behalf. We will require (a) written permission signed by you authorizing the agent, or a power of attorney under California Probate Code § 4000 et seq.; and (b) verification of the agent's identity. We may also contact you directly to confirm the agent's authority.

Right to appeal. If we deny your request in whole or in part, we will explain our reasons in writing. You may appeal that decision by replying to our denial within sixty (60) days. We will respond to an appeal within forty-five (45) days. If we still deny the appeal, you may submit a complaint to the California Privacy Protection Agency (cppa.ca.gov), the California Attorney General (oag.ca.gov), or the Arizona Attorney General (azag.gov), as applicable to your residency.

12(c). Limits on these rights. Your CCPA/CPRA rights apply to your personal information. They do not apply to: (i) Aggregated Data and de-identified information, which is no longer personal information (see Sections 2 and 7); (ii) information we are required to retain under applicable law; (iii) Service Generated Data (such as cryptographic hashes, audit trails, and verification records) that we retain in anonymized form for the legitimate operation of the verification system, as described in Section 11; or (iv) information necessary to detect, investigate, or prevent fraud or abuse on the Platform.

Categories of personal information collected. We collect identifiers (name, email, phone), commercial information (volunteer activity), internet/network activity (sign-in logs), precise geolocation, and inferences (verification confidence scores). We do not collect biometric, health, or financial information.

Categories disclosed for a business purpose (per Cal. Civ. Code § 1798.130(a)(5)(C)(i)). In the preceding 12 months we have disclosed the following categories of personal information for a business purpose: identifiers (name, email, phone), commercial information (volunteer activity), internet or network activity (sign-in logs), precise geolocation, and inferences (verification confidence scores). The categories of recipients are: our Service Providers and Contractors (the sub-processors listed in Section 8) and the host organizations for events you attended (limited to the data described in Section 8). The business purposes are operating the Platform, producing verified records, verifying check-ins, generating reports for nonprofits, fraud prevention, and security.

Sources of personal information. Directly from you, from your device at check-in/check-out, from identity providers you use, generated by the Platform during operation, and from host organizations for events you attended (see Section 2 for detail).

Categories of personal information sold or shared. None. We have not sold or “shared” (as those terms are defined in Cal. Civ. Code § 1798.140) any personal information in the preceding twelve (12) months.

Commercialization of Aggregated Data. As described in Sections 2, 7, and 19, we may license and commercialize Aggregated Data (de-identified data that is no longer personal information under Cal. Civ. Code § 1798.140(h)) in the form of analytics, benchmarks, dashboards, and insights products we may develop. These activities do not constitute the sale or sharing of personal information.

Shine the Light (Cal. Civ. Code § 1798.83). California residents may request a list of third parties to whom we disclosed personal information for direct marketing in the preceding calendar year. We do not disclose personal information for any direct marketing purpose, but you may submit such a request by emailing the address above.

Right of action. California residents whose unencrypted personal information is exposed in a data breach may have a right of action under Cal. Civ. Code § 1798.150.

Arizona residents have rights under the Arizona Consumer Fraud Act (Ariz. Rev. Stat. § 44-1521 et seq.) and Arizona's data breach notification law (Ariz. Rev. Stat. § 18-552).

Breach notification. If we determine that unencrypted and unredacted personal information of an Arizona resident has been acquired by an unauthorized person as a result of a security incident, we will notify affected residents within forty-five (45) days of determination, as required by Arizona law. If the incident affects more than 1,000 Arizona residents, we will also notify the three nationwide consumer reporting agencies and the Arizona Attorney General.

We currently use only essential cookies necessary for authentication and session management. We do not use analytics or advertising cookies at this time.

No tracking pixels, SDKs, or fingerprinting. We do not embed third-party tracking pixels (Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, etc.), advertising SDKs, session replay tools, or device fingerprinting libraries on the Platform. We do not participate in cross-site tracking, and we do not allow third parties to do so through our Platform.

If we add analytics or advertising technologies in the future, we will update this policy and provide a consent mechanism that lets you opt in or out by category. We honor the Global Privacy Control (GPC) signal as a valid opt-out request under California Civil Code § 1798.135(b) and the CPPA regulations (Cal. Code Regs., tit. 11, § 7025). When a browser or device transmits a GPC signal to the Platform, we treat it as a request to opt out of any future “sale” or “sharing” of personal information, and we apply the opt-out automatically and without requiring you to take any further action. If you are signed in when we receive a GPC signal, we apply the opt-out to your account so the preference persists across devices.

When you provide your phone number, you consent to receive transactional messages from Kindness Counts related to your account, events you register for, and verification activity. We do not use your phone number for marketing or send promotional SMS. You can opt out of any non-essential messaging at any time. If we ever introduce SMS-based marketing, we will obtain separate express written consent in compliance with the Telephone Consumer Protection Act (TCPA).

Kindness Counts is for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18, and we do not direct the platform to children. If you become aware that a child under 18 has provided us with personal information, please contact us and we will delete it immediately. We do not have actual knowledge of selling or sharing the personal information of consumers under 16 years of age, and we would not do so without affirmative authorization as required by California law.

We use industry-standard security measures to protect your information, including:

• Transport-layer encryption (TLS/HTTPS) for all data in transit
• Encryption at rest for our databases and blob storage
• Cryptographic hashing of verification records (SHA-256) for tamper evidence
• Rate limiting and abuse detection
• Access controls limiting which employees can view personal data, with audit logging
• Regular review of access privileges
• Secure authentication via Firebase with optional Google OAuth

No system is perfectly secure. If we ever experience a data breach affecting your personal information, we will notify you in accordance with California law (Cal. Civ. Code § 1798.82) and Arizona law (Ariz. Rev. Stat. § 18-552), within applicable time frames.

Customer Content (your individual data). We do not use your Customer Content to train any artificial intelligence model, large language model, or machine learning system, and we do not sell, license, or otherwise transfer your Customer Content to any third-party AI provider for that purpose.

Aggregated Data (de-identified data). We do use Aggregated Data, as defined in Section 2, to develop, train, evaluate, fine-tune, and improve artificial intelligence and machine learning systems, including:

• Our internal systems for verification, fraud detection, anomaly detection, and confidence scoring.
• Models that may power future analytics, dashboard, benchmarking, and insights products we develop for corporate, philanthropic, academic, government, and other partners.
• Research and development of new features and products.

Because Aggregated Data is not personal information under California law, this use does not implicate your CCPA/CPRA rights. We commit not to attempt to re-identify Aggregated Data and to require any vendor, partner, or customer that receives Aggregated Data to make the same commitment, as described in Section 2.

If we ever change this practice and begin using your identifiable Customer Content for AI/ML training in any form, we will update this Policy, notify you, and obtain any consent required by applicable law before doing so.

The Platform may include links to third-party websites or services (for example, a host organization's website, an identity provider sign-in page, or a sub-processor's privacy page). We are not responsible for the privacy practices of any third party. When you follow such a link, the destination site's privacy policy and terms govern your interaction with it. We encourage you to read those policies before sharing information.

The Platform is offered only to residents of California and Arizona. Our personnel, infrastructure, and processing operations are located in the United States. By using the Platform, you understand that your information will be processed in the United States.

The Platform is not directed at residents of the European Economic Area, the United Kingdom, or any other jurisdiction outside the United States, and we do not offer rights under the EU/UK General Data Protection Regulation, the Brazilian LGPD, or any other non-U.S. data protection law. If you access the Platform from outside the United States, you do so at your own initiative and are responsible for compliance with any local law that may apply to your access.

We may update this policy. If we make material changes, we will notify you by email at least thirty (30) days before the changes take effect, and we will update the effective date at the top of this page. Your continued use of the platform after such notice constitutes acceptance of the updated policy. If you do not accept the updated policy, you may delete your account.

For privacy questions or to exercise your rights, email privacy@kindnesscounts.io. For general support, email hello@kindnesscounts.io. You may also write to us at: afternode (Alanis Holdings LLC), Attn: Privacy, Santa Ana, California.