OHRYA PRIVACY POLICY

1. INTRODUCTION

1.1 OHRYA Foundation, Inc. ("OHRYA," "we," "us," "our") operates the OHRYA platform at www.ohrya.org (the "Platform").

1.2 This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Platform.

1.3 By using the Platform, you consent to the data practices described in this Privacy Policy.

1.4 This Privacy Policy is incorporated into and subject to the OHRYA Terms of Service.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

  • Account Information: Full legal name, Email address, Password (encrypted), Phone number (optional), Mailing address

  • Contribution Information: Payment card details (tokenized by processor; we do NOT store full card numbers), Billing address, Contribution amount and date, Campaign selection, Pledge or donation confirmation

  • Voting & Advocacy Information: Nonprofit voting preferences, Social Impact Score (SIS) activity, Referral links and conversions, Social media connections (if you link accounts), Advocacy content you create or share

  • Communications: Messages sent to hello@ohrya.org , Support requests, Feedback and survey responses, Newsletter subscriptions

  • Alternative Method of Entry (AMOE): Information submitted via mail or web form for free participation

2.2 Information We Collect Automatically

  • Usage Data: Pages viewed and features used, Time spent on Platform, Click patterns and navigation paths, Campaign pages visited, Referral sources (how you found OHRYA)

  • Device & Technical Information: IP address, Browser type and version, Operating system, Device identifiers (mobile device ID, advertising ID), Screen resolution, Time zone and language settings

  • Cookies & Tracking Technologies: Session cookies (essential for Platform function), Analytics cookies (Google Analytics, if used), Preference cookies (remember your settings), See Section 9 for detailed cookie information

2.3 Information from Third Parties

  • Payment Processors (Stripe, PayPal, etc.): Transaction confirmations, Payment success/failure status, Processor-assigned transaction IDs, We do NOT receive your full payment card numbers

  • Social Media Platforms: If you connect Facebook, Twitter, Instagram, or other accounts to track SIS, We receive: username, follower count, public post data, engagement metrics, We do NOT post on your behalf without explicit permission

  • Data Verification Services: Email verification services (to prevent fraud), IP geolocation services (to verify eligibility), Identity verification (for high-value contributions, if required by law)

3. HOW WE USE YOUR INFORMATION

3.1 Core Platform Operations

  • To Process Contributions: Charge pledges or donations, Issue tax-deductible receipts, Process refunds (if campaign threshold not met), Maintain contribution records for IRS compliance

  • To Manage Campaigns: Display nonprofit options, Count and certify votes, Calculate Social Impact Scores (SIS), Determine Luminary recognition, Disburse grants to winning nonprofits

  • To Enable Advocacy: Track referral conversions, Measure social media engagement, Calculate SIS using FairFluence algorithm, Display leaderboards (anonymized or identified, per your settings)

3.2 Communications

  • Transactional Emails (you CANNOT opt out): Contribution confirmations and tax receipts, Voting confirmations, Campaign results and grant disbursements, AMOE entry confirmations, Refund notifications, Account security alerts

  • Marketing Emails (you CAN opt out): New campaign announcements, Campaign updates and milestones, SIS leaderboard updates, Luminary recognition announcements, Platform news and feature updates

3.3 Platform Improvement & Analytics

  • Analyze usage patterns to improve Platform, Identify and fix technical issues, A/B test new features, Optimize campaign performance, Research user behavior and preferences

3.4 Legal & Security

  • Compliance: Comply with IRS reporting requirements (Form 990), Meet state charitable solicitation registration obligations, Respond to legal requests (subpoenas, court orders), Maintain records for audits

  • Fraud Prevention & Security: Detect and prevent fraudulent contributions, Identify bot activity and SIS manipulation, Enforce Terms of Service, Protect Platform integrity, Monitor for unauthorized access

4. BLOCKCHAIN TRANSPARENCY

4.1 What We Publish to Algorand Blockchain

  • OHRYA publishes anonymized campaign data to the Algorand blockchain for public transparency: Published Data: Campaign ID and threshold amount, Total contributions (aggregate, not individual), Nonprofit vote tallies, Winning nonprofit name, Grant amount and disbursement date, SIS leaderboards (User-ID hashes only, NOT names)

4.2 What is NOT Published

  • Never published to blockchain: Your full name or real identity, Email address or contact information, Individual contribution amounts, Payment card information, Physical address, Any personally identifiable information (PII)

4.3 Anonymization Method

  • Blockchain data uses cryptographic hashes (e.g., User-12abc3def456) instead of real names.

  • Only you and OHRYA can link your User-ID hash to your real identity. The public cannot.

4.4 Blockchain Immutability

  • Critical Notice: Once data is published to the Algorand blockchain, it cannot be modified or deleted.

  • This ensures: Permanent public record of campaign results, Protection against data manipulation, Verifiable transparency

  • Implication for privacy rights: Blockchain data is NOT subject to deletion requests under GDPR "right to be forgotten" or similar laws, because:

    1. It contains no personal information (only hashes)
    2. Deletion is technically impossible (blockchain immutability)
    3. Public transparency serves legitimate public interest

5. HOW WE SHARE YOUR INFORMATION

5.1 We Do NOT Sell Your Data

  • OHRYA does not sell, rent, or trade your personal information to third parties for marketing purposes.

5.2 Sharing with Nonprofits

  • If your chosen nonprofit wins the campaign, we share with them: Your name, Contribution amount, Email address (if you consent), Date of contribution

  • Purpose: So they can thank you, issue their own acknowledgment, and include you in their donor records.

  • Your control: You may opt out of nonprofit data sharing during the contribution process.

5.3 Service Providers

  • We share information with trusted vendors who help us operate the Platform:

    Payment Processors (Stripe, PayPal, etc.): Name, email, payment details, They process payments on our behalf, Subject to their own privacy policies

  • Cloud Hosting (AWS, Google Cloud, etc.): All Platform data stored on secure cloud servers, Subject to industry-standard security (encryption, access controls)

  • Email Service Providers (SendGrid, Mailchimp, etc.): Email addresses, names, campaign preferences, To send transactional and marketing emails

  • Analytics Providers (Google Analytics, etc.): Anonymized usage data, To measure Platform performance

  • Blockchain Infrastructure (Algorand): Anonymized campaign data only, Published to public blockchain

  • Identity Verification (if required for high-value contributions): Name, address, date of birth (as required by law), To comply with anti-money laundering (AML) regulations

    All service providers are contractually required to: Use data only for specified purposes, Maintain confidentiality and security, Not sell or misuse data

5.4 Legal Requirements

  • We may disclose your information to: Comply with legal obligations (tax reporting, IRS audits), Respond to subpoenas, court orders, or government requests, Investigate fraud or suspected illegal activity, Protect OHRYA's rights, property, or safety, Enforce our Terms of Service

5.5 Business Transfers

  • If OHRYA is involved in a merger, acquisition, asset sale, or bankruptcy: Your information may be transferred as part of that transaction, We will notify you via email and Platform notice, The acquiring entity will be bound by this Privacy Policy

6. YOUR PRIVACY RIGHTS & CHOICES

6.1 Access Your Data

  • You may request a copy of all personal information we hold about you.

    How: Email hello@ohrya.org with subject "Data Access Request"

    Response time: Within 30 days

    Format: Provided as PDF or CSV file

6.2 Correct Your Data

  • You may update or correct inaccurate information.

    How: Log into your account and edit profile, OR email hello@ohrya.org

    Limitations: You cannot change contribution history (IRS records must be accurate)

6.3 Delete Your Data

  • You may request deletion of your account and personal information.

  • How: Email hello@ohrya.org with subject "Account Deletion Request"

    What we delete: Account credentials, Contact information, Non-essential usage data

  • What we CANNOT delete: Contribution records (IRS requires 7-year retention), Blockchain data (technically impossible to delete), Records required for legal compliance or dispute resolution

  • Timeline: Account deactivated within 5 business days; full deletion within 30 days (except retained records)

6.4 Opt Out of Marketing Emails

  • How: Click "Unsubscribe" at the bottom of any marketing email, Log into your account → Settings → Email Preferences, Email hello@ohrya.org with "Unsubscribe" request

  • Effect: You will stop receiving marketing emails but will continue to receive transactional emails (receipts, voting confirmations, etc.)

6.5 Opt Out of Nonprofit Data Sharing

  • During the contribution process, you can check a box to opt out of having your information shared with the winning nonprofit.

  • Effect: Nonprofit will not receive your name, email, or contribution details.

  • Note: You will still receive a tax receipt from OHRYA Foundation.

6.6 Manage Cookies

  • See Section 9 for how to control cookies through your browser settings.

7. DATA SECURITY

7.1 Security Measures We Use

  • Encryption: TLS 1.3 encryption for all data in transit (HTTPS), AES-256 encryption for sensitive data at rest, Payment card data tokenized (we never see full card numbers)

  • Access Controls: Multi-factor authentication for OHRYA staff, Role-based access (staff only see data they need), Regular access audits

  • Infrastructure Security: Secure cloud hosting (AWS, Google Cloud), Firewall protection, Intrusion detection systems, Regular security updates and patches

  • Monitoring: 24/7 automated security monitoring, Alert systems for suspicious activity, Regular penetration testing

7.2 Your Responsibilities

  • To keep your account secure: Use a strong, unique password, Do not share your password with anyone, Log out on shared devices, Enable two-factor authentication (if available), Report suspicious activity immediately to hello@ohrya.org

7.3 No Guarantee of Absolute Security

  • While we implement industry-standard security, no system is 100% secure.

  • We cannot guarantee: That unauthorized access will never occur, That data breaches are impossible, That third-party services (payment processors, cloud providers) are perfectly secure

  • In the event of a data breach, we will: Notify affected users within 72 hours (or as required by law), Report to relevant authorities (FTC, state AGs), Take immediate action to contain and remedy the breach

8. DATA RETENTION

8.1 How Long We Keep Your Data

  • Active Accounts: Retained for as long as your account is active

    After Account Deletion: Most data deleted within 30 days, Exceptions: see below

    Contribution Records: Retained for 7 years after contribution (IRS requirement), Includes: name, amount, date, campaign, tax receipt

    Legal & Compliance Records: Retained as required by law (tax, charitable solicitation, anti-fraud), Typical retention: 7 years

  • Blockchain Data: Permanent (cannot be deleted due to blockchain immutability), Only anonymized data is published (see Section 4)

    Dispute Resolution: Records related to disputes, legal claims, or Terms violations retained until resolved

8.2 After Retention Period

  • Once the required retention period expires: Data is securely deleted or anonymized, Backups are purged, Exceptions: blockchain data (permanent), aggregate anonymous statistics (may be retained indefinitely)

9. COOKIES & TRACKING TECHNOLOGIES

9.1 What Are Cookies?

  • Cookies are small text files stored on your device by your browser. They help us recognize you, remember your preferences, and improve your experience.

9.2 Types of Cookies We Use

  • Essential Cookies (cannot be disabled): Session management (keeps you logged in), Security (protects against CSRF attacks), Load balancing (distributes server load)

  • Analytics Cookies (can be disabled): Google Analytics (if used), Tracks page views, bounce rates, user flows, Helps us improve Platform

  • Preference Cookies (can be disabled): Remember your language, time zone, display settings, Improve your user experience

  • Advertising Cookies (if we ever use ads): Currently NOT used, If used in future, we will update this Policy and request consent

9.3 How to Control Cookies

  • Browser Settings: Most browsers let you refuse cookies or delete existing cookies, Chrome: Settings → Privacy & Security → Cookies, Safari: Preferences → Privacy → Cookies, Firefox: Options → Privacy & Security → Cookies

  • Effect of Disabling Cookies: Platform may not function properly, You may need to re-enter login credentials, Preferences will not be saved

  • Do Not Track (DNT): Some browsers offer "Do Not Track" signals, OHRYA currently does not respond to DNT signals, We treat all users' data the same regardless of DNT settings

9.4 Third-Party Cookies

10. CHILDREN’S PRIVACY

10.1 Age Restriction

  • The Platform is NOT intended for individuals under 18 years of age.

10.2 No Knowing Collection from Children

  • We do not knowingly collect personal information from children under 13.

  • If we discover we have collected information from a child under 13 without verifiable parental consent, we will delete that information immediately.

10.3 Parental Rights

  • If you believe your child has provided information to OHRYA without your consent: Contact us immediately at hello@ohrya.org , We will verify the situation and delete the information

11. CALIFORNIA PRIVACY RIGHTS (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

11.1 Right to Know

  • You may request disclosure of: Categories of personal information collected, Specific pieces of personal information we hold, Sources of personal information, Purposes for collecting or sharing information, Categories of third parties with whom we share information

11.2 Right to Delete

  • You may request deletion of your personal information, subject to exceptions: Legal obligations (IRS 7-year retention), Fraud prevention and security, Blockchain immutability (see Section 4.4)

11.3 Right to Opt-Out of Sale

  • We do NOT sell personal information. This right does not apply to OHRYA.

11.4 Right to Non-Discrimination

  • We will not discriminate against you for exercising your CCPA rights: Same prices and services for all, No denial of goods or services, No different quality of service

11.5 How to Exercise Your Rights

  • Contact us: hello@ohrya.org

    Subject line: “CCPA Request”

    Include: Your name, email, specific request (access, delete, etc.)

    Verification: We will verify your identity before processing requests (to prevent fraud)

    Response time: Within 45 days (may extend 45 additional days if complex)

11.6 Authorized Agents

  • You may designate an authorized agent to make CCPA requests on your behalf.

    Requirements: Written authorization from you, Proof of agent’s identity, We may still require direct verification from you

12. EUROPEAN UNION PRIVACY RIGHTS (GDPR)

If you are in the European Union, European Economic Area, or United Kingdom, you have rights under the General Data Protection Regulation (GDPR):

12.1 Legal Basis for Processing

We process your personal data based on:

  • Consent: You provided explicit consent (e.g., marketing emails)

  • Contract: Processing is necessary to fulfill our services (contributions, voting, SIS)

    Legitimate Interests: Fraud prevention, Platform security and integrity, Analytics and improvement

  • Legal Obligation: IRS reporting, Anti-money laundering compliance, Response to legal requests

12.2 Your GDPR Rights

  • Right to Access: Request a copy of your data

  • Right to Rectification: Correct inaccurate data

  • Right to Erasure ("Right to be Forgotten"): Request deletion, subject to exceptions (IRS retention, blockchain immutability)

  • Right to Restrict Processing: Limit how we use your data (while verifying accuracy, etc.)

  • Right to Data Portability: Receive your data in machine-readable format (CSV, JSON)

  • Right to Object: Object to processing based on legitimate interests, We will stop unless we have compelling legitimate grounds

  • Right to Withdraw Consent: For consent-based processing (marketing emails), Does not affect past processing

  • Right to Lodge a Complaint: With your local data protection authority (DPA)

12.3 How to Exercise Your Rights

  • Contact: hello@ohrya.org

    Subject: "GDPR Request"

    Include: Your name, email, specific right you wish to exercise

    Response time: Within 30 days

12.4 Data Transfers

  • OHRYA is based in the United States. If you are in the EU/EEA/UK: Your data may be transferred to and processed in the U.S., U.S. privacy laws may differ from EU laws, By using the Platform, you consent to this transfer

  • Safeguards: We use standard contractual clauses (SCCs) with service providers, We implement adequate security measures

12.5 Data Protection Officer

13. INTERNATIONAL USERS & DATA TRANSFERS

13.1 U.S.-Based Operations

  • OHRYA is headquartered in Florida, USA. All Platform operations and data processing occur in the United States.

13.2 Cross-Border Data Transfers

  • If you access the Platform from outside the United States: Your information will be transferred to, stored, and processed in the U.S., U.S. data protection laws may differ from your country’s laws, By using the Platform, you consent to this transfer

13.3 Adequate Protection

  • We implement appropriate safeguards for international data transfers: Standard contractual clauses (SCCs), Encryption and security measures, Compliance with applicable data protection laws

14. THIRD-PARTY LINKS & SERVICES

14.1 External Links

  • The Platform may contain links to third-party websites, services, or social media platforms.

    We are NOT responsible for: Content or practices of third-party sites, Privacy policies of external services, Security of third-party platforms

  • Recommendation: Review the privacy policies of any third-party sites you visit.

14.2 Social Media Integrations

  • If you connect social media accounts (Facebook, Twitter, Instagram) to track SIS: You authorize us to access certain public data (followers, posts, engagement), Subject to that platform's privacy policy and terms, You can disconnect social accounts at any time

15. CHANGES TO THIS PRIVACY POLICY

15.1 Right to Modify

  • OHRYA reserves the right to update this Privacy Policy at any time.

15.2 Notice of Changes

  • Material changes will be communicated via: Prominent notice on the Platform (banner or pop-up), Email notification to registered users, Updated "Last Updated" date at the top of this Policy

15.3 Acceptance of Changes

  • Your continued use of the Platform after changes are posted constitutes acceptance of the revised Privacy Policy.

  • If you do not agree to changes, you must stop using the Platform and may request account deletion.

15.4 Version History

  • Previous versions of this Privacy Policy may be requested by emailing hello@ohrya.org .

16. CONTACT US

For questions, concerns, or requests regarding this Privacy Policy or your personal information:

  • OHRYA Foundation, Inc.

    401 E. Las Olas Blvd., Suite 130-319

    Fort Lauderdale, FL 33301

    hello@ohrya.org

    +1 (954) 400-0687

For Specific Requests:

  • Data Access: Subject line "Data Access Request"

    Data Deletion: Subject line "Account Deletion Request"

    Opt-Out: Subject line "Unsubscribe" or click link in emails

    CCPA Requests: Subject line "CCPA Request"

    GDPR Requests: Subject line "GDPR Request"

    Security Issues: Subject line "URGENT: Security Issue"

17. EFFECTIVE DATE

  • This Privacy Policy is effective as of February 24, 2026

  • By using the OHRYA Platform on or after this date, you acknowledge that you have read, understood, and agree to this Privacy Policy.