TeamworkNation Inc. – Privacy Policy

Effective date: August, 2025

Last reviewed/updated: September 12, 2025

1) Who we are and scope of this Policy

TeamworkNation Inc. ("TeamworkNation," "we," "us," or "our") provides after‑school enrichment programs, mentoring, educational content, and related websites and applications (collectively, the "Services"). Our Programs include participation by high‑school mentors/interns who support younger participants.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you access or use the Services, visit our websites (including teamworknation.org and app.teamworknation.org), contact us, or otherwise interact with us. This Policy applies to individual users and to organizations using our Services.

If you are an organization (e.g., a school, district, company, or nonprofit) that uses our Services for end users, our processing of end‑user information may also be governed by a separate agreement with you (e.g., a Data Processing Addendum). In the event of conflict, that agreement will control for end‑user data we process on your behalf.

Geographic focus. The Services are intended for use in the United States. See Section 4 for our EEA/UK notice and future expansion language.

2) Personal information we collect

We collect information from you directly, automatically when you use the Services, and from third parties.

A. Information you provide to us

  • Identifiers and contact information – name, email address (personal or school‑issued), phone number, postal address, school/organization affiliation, role/title.
  • Account and profile data – username, organization details, preferences, settings, and communications with us.
  • Commercial information – purchases, subscriptions, donations (see "Donations and payments" below), transaction dates and amounts.
  • Content you submit – messages, support requests, files, feedback, survey responses.
  • Mentor/intern eligibility & safety – age self‑attestation (13+), parent/guardian name and contact (if provided or required by program policy), training acknowledgments, and Code‑of‑Conduct acceptance. We avoid storing full dates of birth unless necessary; where possible we store a boolean flag (e.g., is_over_13).

B. Donations and payments

We use third‑party payment processors (e.g., Stripe) to process payments and donations. We do not collect or store full payment card numbers. We receive limited payment metadata (e.g., billing address, contact info, date/amount, and donation purpose) needed for receipts, reconciliation, and legal requirements. See the payment processor's privacy policy: Stripe privacy policy.

C. Information collected automatically

When you use the Services, we and our providers automatically collect:

  • Device and usage data – IP address, device identifiers, browser type, pages viewed, referring/exit pages, date/time stamps, crash and performance data, and interaction data.
  • Cookies and similar technologies – see "Cookies & tracking technologies."

D. Information from third parties

We receive information about you from partners and service providers such as identity providers (e.g., Google for single sign‑on), analytics providers, event/webinar platforms, social networks, lead generation vendors, and data enrichment services, consistent with applicable law.

3) How we use personal information (purposes)

We use personal information to:

  • Provide and secure the Services – create and manage accounts, authenticate users (including via SSO), prevent fraud, and protect the integrity of the Services.
  • Operate, maintain, and improve the Services, including analytics, research, and troubleshooting.
  • Communicate with you – respond to inquiries, send transactional messages, program updates, schedules, reminders, and newsletters (you can opt out of non‑essential emails at any time).
  • Support mentor/youth safety – enforce program rules (e.g., Code of Conduct), enable reporting tools, and investigate misuse consistent with applicable law and our agreements.
  • Personalize content and features.
  • Comply with law and enforce agreements, including legal claims, audits, and regulatory requirements.

Notice at collection (U.S. state laws): We collect the categories described above for the purposes listed here. We retain personal information as described in Section 7.

4) EEA/UK notice and future expansion

We do not direct or offer the Services to individuals in the European Economic Area (EEA) or the United Kingdom and do not intend to monitor their behavior. If you are located in the EEA or UK, please do not use the Services. If we inadvertently process your personal information, contact us at privacy@teamworknation.org and we will delete or restrict processing as required by law.

Future international partnerships. If we later expand or partner with organizations that involve users in the EEA/UK (e.g., global affiliates), we will update this Policy before onboarding those users to include applicable GDPR/UK GDPR disclosures (e.g., legal bases, data subject rights, EU/UK representative details) and implement appropriate transfer safeguards (e.g., SCCs).

5) How we share information

We do not sell your personal information. We also do not share (as that term is defined under California law) minors' personal information for cross‑context behavioral advertising. We share personal information as follows:

  • Service providers/processors – e.g., hosting, cloud infrastructure, authentication (such as Auth0/Google SSO), analytics, email delivery, support tools, payments (Stripe), and security. These providers are contractually bound to process data on our instructions and protect it.
  • Organizational customers – If you use the Services through an organization (e.g., a school or employer), we may share data with that organization and its administrators consistent with our contract.
  • Legal and safety – to comply with law, legal process, or enforceable governmental requests; to protect the rights, property, or safety of TeamworkNation, our users, or others.
  • Business transfers – in connection with a merger, financing, acquisition, or dissolution transaction involving all or part of our business, subject to appropriate protections.

We may share aggregated or de‑identified information that cannot reasonably be used to identify you.

6) Cookies, Authentication, and Tracking Technologies

We and our service providers use cookies, local storage, and similar technologies to enable secure access, protect accounts, and deliver core functionality of the Services.

Types of Cookies We Use

  • Essential authentication cookies – We set short-lived cookies (e.g., access_token) that store JSON Web Tokens (JWTs) required to identify and authenticate your account. These are used to verify your session with our servers when you log in, whether via our legacy login system or through third-party single sign-on (SSO) providers such as Google. Without these cookies, the Services cannot function.
  • PKCE session state cookies – When you log in with Auth0 or another SSO provider, we generate a random "state" value and securely store it along with a one-time code verifier. This ensures the login process cannot be intercepted or replayed by malicious actors. These values are temporary (typically expiring within minutes) and are only used to complete your login flow.
  • Security and fraud-prevention cookies – We may use cookies to detect unusual login attempts, prevent credential-stuffing, and protect against cross-site request forgery (CSRF).
  • Preference and functional cookies (if enabled) – We may remember your selected language, accessibility preferences, or interface settings. These are optional and not required for account security.
  • Analytics cookies – Where permitted by law and your settings, we may use third-party analytics tools to understand usage patterns. These do not contain authentication data.

You can manage cookies in your browser settings. Disabling essential cookies may prevent you from logging into or using the Services.

Authentication & Access Control

  • Legacy login system – If you register with an email and password, we create and store hashed passwords and issue access tokens (JWTs) as secure cookies. These tokens include a user identifier and expiration timestamp. Refresh tokens may also be issued for longer sessions.
  • Auth0 and Single Sign-On (SSO) – If you sign in with Google or another identity provider, we rely on Auth0 to issue secure access tokens. These tokens are stored in cookies during your session and validated when you interact with our Services.
  • Role-based access control (RBAC) – User roles (e.g., student, mentor, admin) are stored in our system and enforced by our servers. Roles determine what content and features you may access (for example, mentors may have different permissions than students). Role information may be encoded in tokens or retrieved from our database when your session is validated.

Cookie Duration

  • Authentication cookies (JWTs) typically expire within hours unless refreshed.
  • PKCE and state cookies expire within minutes and are automatically cleared once the login process is complete.
  • Other cookies (preferences, analytics) may last longer, subject to your settings and browser controls.

We do not use cookies to track your browsing across third-party sites, nor do we sell cookie data for targeted advertising.

7) Data security and retention

We implement administrative, technical, and physical safeguards designed to protect personal information. No security program is perfect, but we continuously improve our safeguards.

Retention: We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, including to meet legal, tax, accounting, or reporting requirements. Typical retention periods include:

  • Account data – for the life of the account and up to 12–24 months after closure, unless longer retention is required.
  • Transaction/donation records – for at least 7 years to meet legal and audit obligations.
  • Analytics/log data – typically 12–24 months.
  • Mentor/youth communications (within our platforms) – retained for safety and audit for up to 12–18 months, unless a longer retention is required by law or an investigation.

We delete or de-identify information when it is no longer needed.

8) Students, youth participants, and high‑school mentors

We do not knowingly collect personal information from children under 13 without verifiable parental consent or as permitted by law. If we learn we have collected such information without appropriate consent, we will delete it.

High‑school mentors/interns (13–17). Mentor accounts are available to individuals 13+. Certain programs may require a parent/guardian acknowledgment or consent for participants under 18. We avoid collecting more data than necessary (e.g., we may store a flag that a user is 13+ rather than full date of birth).

K–12 contexts (SOPIPA/FERPA). When we act as a K–12 operator for schools or districts, we will not use student data for targeted advertising, profile students beyond authorized educational purposes, or sell student data. We process student data only on behalf of and under the direction of the educational institution (as a "school official" where FERPA applies), implement reasonable security, and delete student data upon school request, consistent with law and our agreements.

Communications. We may use email addresses (personal or school‑issued) to deliver program communications. We recommend using program‑managed channels for youth safety and auditability. Where users communicate by personal email accounts, those communications are subject to our Code of Conduct; we do not routinely monitor personal email systems we do not control.

Parental rights (COPPA). Parents can review, delete, and refuse further collection of their child's information. Contact privacy@teamworknation.org to exercise these rights.

9) Your privacy rights

Your rights depend on your location and applicable law. Subject to verification, you may:

  • Access/know the personal information we hold about you;
  • Correct inaccurate information;
  • Delete your information;
  • Opt out of marketing communications (click "unsubscribe" or contact us);
  • Opt out of sale/sharing of personal information and limit use of sensitive personal information where applicable (U.S. state privacy laws). We do not sell personal information and do not share minors' personal information for targeted advertising.

To exercise rights, email privacy@teamworknation.org or use our Contact Us page. We will verify your request and respond within the time required by law. You may designate an authorized agent where permitted. If we deny your request, you may appeal by replying to our decision; if your state law provides an appeals process, we will explain how to submit an appeal.

10) International data transfers

We may transfer, store, and process information in countries other than where you live (including the United States). When we transfer personal information from the EEA/UK or other regions with data transfer restrictions, we use appropriate safeguards such as the European Commission's Standard Contractual Clauses.

11) Do Not Track and preference signals

Some browsers transmit "Do Not Track" signals. There is no industry consensus on how to respond; however, where required by law, we honor recognized opt-out preference signals (e.g., GPC) for sale/sharing.

12) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date. If changes are material, we will provide additional notice as required by law.

13) Contact us

TeamworkNation Inc.

Email: privacy@teamworknation.org or info@teamworknation.org

Website: https://teamworknation.org/contact