Legal

Privacy Policy

Last updated: July 11, 2026

1. Who We Are

Ollegacy ("we", "our", "us") is a software platform that enables organisations and communities — including alumni associations, churches, nonprofits, schools, and professional networks — to build and manage private member portals. Our principal place of business is registered in the United States.

For the purposes of applicable data protection law, Ollegacy acts as a data controller for personal data it collects directly (e.g. account creation, billing). Ollegacy acts as a data processor on behalf of the organisations ("tenants") that use our platform to manage their member communities.

2. Data We Collect

Account data: When you register as an organisation admin, we collect your name, email address, and hashed password. We do not store plain-text passwords.

Community member data: When members join a community through Ollegacy, their profile information (name, email, photo, location, biography, and any custom fields the organisation has enabled) is stored on our platform on behalf of the organisation.

Usage data: We collect standard server logs (IP addresses, user-agent strings, request timestamps) for security and operational purposes. These are retained for a maximum of 30 days.

Payment data: Billing information for platform subscriptions is processed and stored by Stripe. We receive only high-level subscription status and anonymised card metadata (last 4 digits, brand). We never store full card numbers.

Donation data: Donation transactions processed through community campaigns are handled by Stripe. Donation amounts and donor names may be stored in our database as required for campaign reporting.

3. How We Use Your Data

We use your personal data to:

  • Create and manage your account and community portal
  • Deliver the platform features you have subscribed to
  • Send transactional emails (invitations, approvals, password resets, billing notifications)
  • Process subscription payments and donation transactions
  • Comply with legal obligations and resolve disputes
  • Improve platform security and performance

We do not sell personal data to third parties. We do not use member data for advertising purposes.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

  • Contract performance: Processing necessary to provide the service you have signed up for
  • Legitimate interests: Security monitoring, fraud prevention, platform analytics
  • Legal obligation: Compliance with applicable laws (e.g. financial record retention)
  • Consent: Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

5. Data Sharing & Sub-processors

We share personal data with the following categories of third-party service providers ("sub-processors") strictly as necessary to operate the platform:

  • Stripe, Inc. — Payment processing (subscriptions and donations). Stripe Privacy Policy
  • Resend — Transactional email delivery
  • Backblaze B2 — Cloud object storage for profile images and media uploads
  • Railway — Cloud infrastructure (API hosting and database)
  • Vercel — Frontend hosting and CDN

All sub-processors are required to maintain appropriate technical and organisational security measures.

6. Data Retention

Active accounts: Data is retained for as long as your account remains active.

Deleted accounts: Upon account deletion, personal data is permanently deleted within 30 days, except where retention is required by law (e.g. financial records, which are retained for 7 years as required by applicable tax law).

Member data: Community member data is controlled by the organisation (tenant). Members should contact their community administrator to request deletion or modification of their profile.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure ("right to be forgotten"): Request deletion of your personal data
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing in certain circumstances

To exercise any of these rights, email us at privacy@ollegacy.com. We will respond within 30 days.

8. Cookies

Ollegacy uses the following cookies:

  • Authentication cookies (ol_refresh, ol_member_refresh, ol_platform_refresh): HttpOnly, Secure, SameSite=Lax. Required for session management. Cannot be disabled without losing access to the platform.
  • Session indicator (ol_session): Non-HttpOnly indicator used by public pages to detect active sessions. Cleared on logout.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Security

We take security seriously. Passwords are stored using industry-standard hashing (bcrypt). All data in transit is encrypted via TLS. Access to production systems is restricted to authorised personnel only. For details, see our Security page.

10. Children

Ollegacy is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify active users of material changes via email or in-platform notice at least 14 days before the change takes effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact

For privacy-related questions or to exercise your rights, contact us at:

Ollegacy

Email: privacy@ollegacy.com