Alumnite

Privacy Policy

Last updated · 2026-05-16

Alumnite Ltd. ("Alumnite", "we") respects your privacy. This Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have. It applies to the Alumnite web and mobile apps and to alumnite.com and its subdomains.

1. Who is the controller

Alumnite Ltd. is the data controller for personal information you provide directly when creating an account. For organization-scoped content you submit inside a circle (posts, RSVPs, messages, custom profile fields requested by an admin), the organization is a joint controller for that data alongside Alumnite. Contact privacy@alumnite.com.

2. What we collect

2.1 You give us

  • account info — full name, email, password hash, optional avatar, optional bio, location, LinkedIn URL;
  • per-organization info — your membership status, role, year-range, custom fields the admin defines;
  • content — posts, comments, reactions, RSVPs, event submissions, job posts, shop deals, articles, direct messages;
  • support requests you send us.

2.2 We collect automatically

  • device + network info — IP address, user-agent, locale, app version, build profile;
  • session metadata — login time, last-active time, device label, refresh-token rotation;
  • auth events — success/failure of login, 2FA, password reset, OAuth attempts (kept for security review);
  • admin action audit log — what an admin did inside their organization (approve/reject members, edit org settings, scan attendance) — visible to that org's admins for transparency;
  • crash reports — anonymized stack traces via Sentry, with personal identifiers stripped before send.

2.3 From third parties

  • OAuth providers (Google, Apple) — the email + name you authorize them to share when you "Continue with Google/Apple";
  • open-graph fetchers — when you paste a link, we fetch its public metadata to render a preview (no cookies attached).

3. How we use it

  • to operate the Service — auth, content delivery, push notifications, search;
  • to keep the Service secure — abuse detection, RLS enforcement, rate limiting, audit logs;
  • to communicate transactional messages — verification, password reset, 2FA codes, membership approvals;
  • to improve the Service — anonymous, aggregate usage trends;
  • to comply with law and respond to lawful requests.

We do not sell your personal information. We do not run ad networks. We do not profile you for advertising purposes.

4. Who can see your information

  • Other members of the same organization — your name, avatar, role, and the content you post in that organization;
  • Organization administrators — additionally your membership status, the custom fields you fill in, your attendance history (if scanned), and your audit-log presence as a target of admin actions;
  • Direct-message recipients — only the people you message;
  • The public — only what you set as public on your profile (e.g. badge visibility is opt-in per organization);
  • Service providers we use — DigitalOcean (hosting), Gmail / Twilio (transactional email and 2FA), Sentry (crash reporting), Google Cloud (maps), Apple / Google Wallet (membership passes). Each operates under a data-processing agreement and only sees what it needs.

5. Cookies & similar technologies

See our Cookie Policy for the full list. We use first-party cookies for authentication, CSRF protection, and locale preference. We do not use third-party advertising or analytics cookies.

6. How long we keep your data

  • account + content — for as long as your account exists; deletion is honored within 30 days;
  • audit + security logs — retained for 12 months for incident review;
  • backups — rotated within 90 days of deletion;
  • legally-required records — kept for the period the law requires (e.g. tax records).

7. Your rights

Depending on where you live, you have rights to access, correct, delete, export, restrict, or object to processing of your personal data, and to lodge a complaint with a supervisory authority. You can exercise the first four directly in-app:

  • access + correct — Profile → Edit;
  • export — request via privacy@alumnite.com;
  • delete — Profile → Settings → Delete account.

For restrict / object / complaint, email privacy@alumnite.com. We respond within 30 days.

8. International transfers

Our primary infrastructure is hosted in the EU (DigitalOcean Amsterdam region). When data must move to other regions (e.g. for crash reporting), we use Standard Contractual Clauses or equivalent safeguards.

9. Security

We use encryption in transit (TLS), at-rest encryption for backups, hashed passwords (bcrypt), short-lived access tokens with rotation, row-level security in the database, and admin-action audit logs. No system is perfectly secure; report vulnerabilities to security@alumnite.com.

10. Children

Alumnite accounts are restricted to users 18 years and older. We don't knowingly collect data from anyone under that age. If you believe a child has created an account, email privacy@alumnite.com and we will delete it. See our Child Safety Standards for how we prevent and respond to child sexual abuse and exploitation.

11. Changes

When this Policy changes materially we will notify you in-app and request re-acknowledgement before continued use.

12. Contact

Alumnite Ltd. — privacy questions at privacy@alumnite.com; security at security@alumnite.com; legal at legal@alumnite.com.

© 2026 Alumnite. Questions? legal@alumnite.com