Privacy Policy

1. Introduction & Scope

Redeema ("we," "us," or "our") provides a "Community Operating System" designed to manage dues, fundraising, and retail engagement. This Privacy Policy governs all data collection across our mobile applications and web portals in Puerto Rico and the United States. We adhere to the principle of Privacy by Design, ensuring that data collection is minimized to what is strictly necessary for platform functionality.

2. How Do We Handle Your Social Logins?

If you choose to register or log in using a third-party social media account (such as Apple ID or Google), we receive certain profile information about you.

• Information Received: This typically includes your name, email address, and profile picture.
• Usage: We use this information solely to create and authenticate your Redeema account.
• Control: We do not post to your social media accounts; you can revoke access at any time through your Google or Apple security settings.
• Apple "Hide My Email": We fully support Apple's private relay service; if used, we will only see the masked email provided by Apple.

For a complete and up-to-date list of all authorized third parties that process data on our behalf, please visit our Data Subprocessor List at redeema.io/subprocessors.

3. Data Collection Methods & OCR Processing

• OCR & Receipt Validation: When using "Global Scan," images are processed via Optical Character Recognition (OCR) to extract specific transaction data (Merchant Name, Date, and Total Amount).
• Financial Privacy: Our system is designed to automatically ignore or redact sensitive information found on receipts, such as partial credit card numbers, bank identifiers, or personal signatures.
• Image Retention & Deletion: Original receipt images are cached temporarily for validation and fraud prevention. Once validation is complete, the original image is permanently purged from our active servers.
• Data Normalization & Analytics: Following deletion of the image, Redeema retains extracted transactional metadata in an anonymized and aggregated format used for analytics and business intelligence — no PII is linked to these datasets.
• Organizational Data: We act as a Data Processor for Organizations (Leagues, Schools). Information regarding minors (limited to initials and group affiliation) is provided by authorized administrators who represent they have obtained verifiable parental consent.
• Automated Collection: We collect IP addresses, device identifiers, and log data to prevent bot activity and ensure the integrity of our Hash Chaining audit log.

4. Cookies and Tracking Technologies

We use essential cookies and tracking pixels (such as AWS CloudWatch and Google Analytics) to:

• Maintain active sessions and authentication.
• Analyze platform performance and stability.
• Protect against fraudulent or automated entries in sweepstakes.

Note: We do not use third-party advertising cookies that track your activity across unrelated websites.

5. Data Retention & Deletion

• Account Data: Retained as long as your account remains active.
• Transactional Data: Financial records are kept for up to 7 years to comply with tax and audit regulations (Stripe/Internal Audit).
• Participation Records: To maintain the integrity of our Tamper-Evident system, participation logs are archived in an append-only format and are only deleted upon a verified legal request or platform-wide data purging cycles.

Redeema reserves the right to decline requests for data deletion that are unreasonable, excessive, or prohibited by applicable law — particularly where such data is required to maintain the integrity of our Tamper-Evident audit chain.

6. Third-Party Service Providers

We share information with trusted partners strictly to operate the platform:

• Infrastructure: Amazon Web Services (AWS) for secure, encrypted cloud hosting.
• Payments: Stripe for PCI-compliant transaction processing.
• OCR/AI: Specialized providers for receipt data extraction and normalization.

These partners are contractually prohibited from using your data for any purpose other than providing services to Redeema.

7. Your Privacy Rights (CCPA / GDPR / COPPA)

Regardless of residency, Redeema provides the following rights to all users:

• Right to Correction: Update your personal information via the Member Portal.
• Right to Deletion: Request account closure and data erasure via legal@redeema.io.
• California Privacy Rights: Redeema does not 'sell' or 'share' your personal information for cross-context behavioral advertising or monetary consideration.
• Communications Preferences: You may opt-out of promotional communications at any time. This does not apply to mandatory service communications such as payment confirmations or critical security updates.

8. Children's Privacy (COPPA Compliance)

Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information directly from children under 13. If you are under 13, please do not use the Redeema App or submit any personal data. Any data regarding minors processed on behalf of an Organization is limited to non-identifying information (such as initials) and must be provided by authorized administrators who have secured explicit, verifiable parental consent. If we learn we have collected personal information directly from a child under 13 without verifiable consent, we will delete that information immediately.

9. Changes to This Policy

We may update this policy to reflect changes in our service or legal requirements. We will notify you of significant changes via the application interface or registered email.