Privacy Policy

1. Introduction

This Privacy Policy describes how Mindvana, Inc., doing business as Chipmail ("Chipmail," "we," "us," or "our"), collects, uses, and protects information through our website at chipmail.org and all related services (collectively, the "Service").

Mindvana, Inc. is a Wyoming corporation located at 30 N Gould St, Ste R, Sheridan, WY 82801.

We understand that Chipmail serves recovery and addiction support communities, and we take the elevated sensitivity of member data seriously. This policy explains in plain language what data we collect, why, how it is stored, and what control you have over it.

By using the Service, you acknowledge that you have read and understand this Privacy Policy. Please also review our Terms of Use.

2. Information We Collect

2a. Information Provided by Group Administrators

When a group administrator creates an account, we collect:

• Organization name
• Administrator name and email address
• Account password (stored only as a one-way SHA-256 hash — we cannot retrieve the original password)
• Custom settings such as anniversary label, preferred send time, timezone, and optional quote source URL

2b. Information Provided About Group Members

Group administrators may upload or enter member information, which includes:

• First name and last initial (we do not collect full last names)
• Email address
• Phone number (optional)
• Anniversary or milestone date

Members may be added by an administrator without the member's direct initial opt-in. However, every email sent by Chipmail includes a clearly visible unsubscribe link, and members may opt out at any time.

2c. Information Members Provide Directly

Members may interact with Chipmail through:

• QR code join forms: First name, last initial, email, phone (optional), and anniversary date
• "Update your info" links: Included in anniversary emails, allowing members to update their own details

2d. Information Collected Automatically

We are committed to minimal data collection:

• We do not use cookies, tracking pixels, or analytics tools on chipmail.org
• We do not collect IP addresses, browser fingerprints, or device information
• Standard server logs maintained by our hosting provider (Vercel) may temporarily record IP addresses as part of normal web infrastructure; we do not access or retain these logs

2e. Payment Information

All payment processing is handled entirely by Stripe, Inc. We never see, store, or have access to credit card numbers, bank account details, or other financial account information. From Stripe, we receive only: a Stripe Customer ID, subscription status, plan type, and payment success or failure status.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To send daily automated anniversary announcement emails to group members
• To calculate and display anniversary milestones
• To manage group memberships (add, update, remove members)
• To process subscription payments and manage billing
• To send account-related notifications (trial reminders, payment confirmations, billing issues)
• To respond to support requests

We do not use your data for advertising, marketing to third parties, behavioral profiling, or sale to data brokers. Your data exists solely to power the Chipmail service for your group.

4. Sensitive Data & Recovery Community Protections

We recognize that membership in a recovery group is sensitive personal information. Chipmail is built with specific protections for this community:

• Data minimization: We collect only first names and last initials — never full last names
• No cross-group profiling: Member data is never used to identify individuals as members of recovery programs outside of the specific group they belong to
• No behavioral analytics: We do not create user profiles or aggregate data across groups
• Logical data separation: Each group's data is logically separated; administrator access is limited strictly to their own group
• No third-party disclosure: We will never disclose membership status to any third party except as required by law or valid legal process
• Anonymity-first design: Anniversary emails are sent to the entire group and identify the celebrating member only by first name and last initial

5. How We Share Information

We do not sell, rent, or trade personal information. We have not sold personal information in the preceding 12 months, and we have no plans to do so.

We share data only with the following third-party service providers who process data on our behalf to deliver the Service:

• Google (Google Sheets): Stores group and member data (names, emails, phone numbers, anniversary dates, email delivery logs) on Google Cloud infrastructure
• Resend, Inc.: Transactional email delivery — receives recipient email addresses and email content to deliver anniversary emails
• Stripe, Inc.: Payment processing — receives administrator billing information for subscription management
• Vercel, Inc.: Website hosting — may process standard web request data (IP addresses) in server logs
• n8n GmbH (N8N Cloud): Workflow automation — processes member data to generate and trigger daily emails

Each third-party provider is bound by their own privacy policies and applicable data protection obligations.

We may also disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect safety, prevent fraud, or enforce our Terms of Use.

6. Data Storage & Security

We implement reasonable security measures to protect your information:

• Password protection: Administrator passwords are hashed using SHA-256; plaintext passwords are never stored
• Secure unsubscribe links: Use HMAC-SHA256 cryptographic signatures to prevent unauthorized modifications
• Encrypted connections: All data is transmitted over HTTPS with SSL/TLS encryption
• Security headers: Our website implements X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection headers
• Session security: Administrator dashboard sessions expire after 2 hours of inactivity

Data is stored using Google Sheets, hosted on Google's cloud infrastructure. While we implement reasonable security measures appropriate to the data we handle, no system is 100% secure. We are committed to continually improving our infrastructure as the service grows.

7. Data Retention

• Active groups: Group and member data is retained for as long as the group maintains an active subscription
• Unsubscribed members: When a member unsubscribes, their status is updated to "unsubscribed" but their record is retained to prevent them from being re-added inadvertently. Administrators may permanently delete member records from the dashboard at any time.
• Deactivated or canceled groups: Data is retained for 90 days after deactivation to allow easy reactivation, after which it may be deleted
• Email logs: Retained for operational and support purposes
• Payment records: Retained as required for tax and accounting obligations

You may request deletion of your data at any time by contacting support@chipmail.org.

8. Your Rights & Choices

For Group Members

• Unsubscribe from emails at any time using the one-click unsubscribe link included in every email
• Request your group administrator to update or delete your information
• Contact us directly at support@chipmail.org to request access to or deletion of your data

For Group Administrators

• Access, edit, or delete member data through the admin dashboard
• Cancel your subscription and request full data deletion
• Update your organization settings at any time

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

• Right to know: You may request what personal information we have collected about you
• Right to delete: You may request deletion of your personal information
• Right to opt out of sale: We do not sell personal information
• Right to non-discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, contact support@chipmail.org. We will respond to verified requests within 45 days.

9. CAN-SPAM Compliance

All emails sent through Chipmail comply with the CAN-SPAM Act:

• Every email identifies the sending organization and Chipmail as the delivery service
• Every email includes a clear, functional unsubscribe link
• Unsubscribe requests are processed immediately
• We do not use deceptive subject lines or misleading header information
• Emails include a valid physical postal address: 30 N Gould St, Ste R, Sheridan, WY 82801

10. Children's Privacy

Chipmail is not directed at children under 13 years of age. We do not knowingly collect personal information from children under 13. Group administrators are responsible for ensuring that they do not submit information for individuals under 13.

If we learn that we have inadvertently collected information from a child under 13, we will delete it promptly. If you believe a child's information has been submitted, please contact us at support@chipmail.org.

11. International Users

Chipmail is based in the United States, and all data is processed and stored in the United States. By using the Service, you consent to the transfer and processing of your data in the United States.

We do not currently target users in the European Economic Area (EEA) or the United Kingdom. If you are located in these regions, please be aware that U.S. data protection laws may differ from those in your jurisdiction.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes, we will update the "Last Updated" date at the top of this page. For material changes, we will notify group administrators via email.

Continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at support@chipmail.org.

Please also review our Terms of Use for the complete terms governing your use of Chipmail.