Skip to main content
RippleVMS

Privacy Policy

RippleVMS - Volunteer Management System

Last Updated: February 13, 2026

Introduction

RippleVMS ("we," "us," or "our") operates a volunteer management system (the "VMS" or "Service"), a digital platform designed to coordinate volunteer activities. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using the VMS, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use the Service.

Information We Collect

Information You Provide Directly

Volunteer Account Information

When your account is created (via coordinator invitation), we collect:

  • Contact Information: Preferred name (display name you choose), email address, phone number, and/or Signal ID
  • Language Preferences: Primary language and additional languages spoken
  • Zone Preferences: Geographic zones where you prefer to volunteer

Volunteer Activity Information

As you use the Service, we collect:

  • Shift Participation: Shifts you RSVP to and your confirmation status
  • Training Records: Training sessions attended and qualifications earned (as configured by your organization)

Information Collected Automatically

Device and Usage Information

When you access the VMS, we may automatically collect:

  • Browser and Device Information: Browser type and operating system
  • Access Logs: Date and time of access, pages visited, and actions taken within the Service
  • Session Information: Authentication tokens stored in secure, HTTP-only cookies

Cookies & Tracking Technologies

We use strictly necessary cookies and similar technologies to keep you signed in, secure your session, and remember preferences such as language and zone filters. These cookies are first-party, short-lived, and are not shared with advertisers. We do not run third-party behavioral advertising or analytics scripts inside the VMS. You can control cookies through your browser settings, but disabling essential cookies may prevent certain features from working.

How We Use Your Information

We use the information we collect to:

Operate and Improve the Service

  • Create and manage your volunteer account
  • Coordinate volunteer shift scheduling and assignments
  • Track training completion and qualifications
  • Match volunteers with appropriate shifts based on zone assignments

Communications

  • Send email notifications about shifts, training sessions, and schedule changes
  • Provide important updates about the Service or your volunteer activities
  • Send password reset emails when requested

Administrative Purposes

  • Maintain accurate records of volunteer participation
  • Generate reports on volunteer activity and program effectiveness
  • Improve the Service based on usage patterns

Information Sharing and Disclosure

Within the Organization

Your information may be accessed by:

  • Coordinators: To manage volunteer assignments, view contact information, and track participation
  • Dispatchers: To view shift schedules and coordinate activities
  • Administrators: To manage system settings and oversee operations

With Third-Party Service Providers

We use the following third-party services to operate the VMS (this list represents our primary processors and may be updated as our infrastructure evolves):

ServicePurposeData Shared
Neon (PostgreSQL)Database hostingAll stored data (encrypted at rest by Neon; sensitive PII fields are additionally encrypted at the application level before storage)
VercelApplication hostingApplication data
Amazon SESEmail deliveryEmail addresses and notification content
Google MapsZone boundary displayZone boundary coordinates (public)
Amazon S3File storageUploaded documents, training materials, and media files (encrypted at rest with AES-256 server-side encryption)
Upstash RedisRate limitingIP addresses (temporary, for abuse prevention; hashed before any persistent storage)

Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

Data Security

We implement layered technical and organizational safeguards to keep personal information confidential, including encryption, network and application controls, and monitoring. While the specifics of our controls evolve as risks change, the principles below remain constant.

Technical Safeguards

  • All traffic to the VMS is protected with modern HTTPS/TLS encryption. Our database provider encrypts all stored data at rest, and we apply an additional layer of application-level AES-256-GCM encryption to sensitive personal information (names, email addresses, phone numbers, emergency contacts, and Signal handles) before it reaches the database. Uploaded files and documents are stored with AES-256 server-side encryption at rest.
  • To enable secure lookups on encrypted fields, we maintain HMAC-SHA256 blind indexes of email addresses and names. These one-way hashes allow authentication and search without exposing or decrypting the underlying values.
  • User passwords are hashed with bcrypt before storage. Verification and password-reset tokens are hashed with SHA-256 and expire automatically.
  • Multi-factor authentication (MFA) is available via time-based one-time passwords (TOTP). When enabled, login requires a six-digit code from an authenticator app. Ten single-use backup codes are provided in case you lose access to your authenticator; each backup code is individually bcrypt-hashed before storage.
  • Role-based access control ensures volunteers, coordinators, dispatchers, and administrators only see the information required for their duties.
  • We validate and sanitize user input, enforce per-endpoint sliding-window rate limits (e.g., login attempts, password resets, signups), use anti-CSRF tokens on state-changing requests, and apply standard security headers to reduce the risk of common web attacks.

Operational Safeguards

  • Production infrastructure is hosted with providers that maintain independent security certifications (including SOC 2 Type II), and environments are isolated so test data never mingles with production.
  • Access to infrastructure and keys is limited to authorized personnel and protected through secrets management and audit logging.
  • We review unusual sign-in attempts, track administrative changes, and follow an incident response process that includes notifying affected users when required by law.
  • Dependencies and platform components are patched regularly to address known vulnerabilities.

Data Retention

We retain your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • Volunteer Accounts: Account information is retained while your account is active and for up to 24 months after inactivity unless we are legally required to keep it longer.
  • Shift and Training Records: Participation records are retained for at least 36 months to support operational reporting and safety reviews, after which they may be archived or anonymized.
  • Aggregate Analytics: We generate nightly aggregate statistics (e.g., total volunteer hours, attendance rates, engagement counts) from shift and membership data. These snapshots contain no personally identifiable information and are retained for up to 12 months to support organizational trend reporting.
  • System and Audit Logs: Operational logs (access events, administrative changes, system health checks) are retained for 7 to 30 days depending on category, then automatically deleted.

To request deletion of your data, please contact us using the information provided below.

Your Rights and Choices

Access and Correction

You can access and update your profile information at any time through the VMS dashboard. This includes:

  • Contact information
  • Language preferences
  • Zone preferences

Data Deletion

You may request deletion of your personal data by contacting us. Please note that:

  • We may retain certain information as required by law or for legitimate business purposes
  • Some information may be retained in anonymized form for statistical purposes
  • Deletion of your account will remove your ability to participate as a volunteer

Additional Privacy Rights

Depending on where you live, you may be entitled to additional rights such as data portability, objection or restriction of processing, the right to opt out of certain disclosures, or the right to lodge a complaint with your local supervisory authority. We will honor applicable requests when they are submitted through the contact information below and may need to verify your identity before fulfilling them.

Email Communications

You can manage your email notification preferences through your profile settings. You may unsubscribe from non-essential communications while still receiving important operational emails.

Children's Privacy

The VMS is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us so we can take appropriate action.

Geographic Scope

The Service is hosted in the United States, and all data is processed and stored within the United States.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on the VMS
  • Updating the "Last Updated" date at the top of this policy
  • Sending an email notification for significant changes

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

RippleVMS
Email: RippleVMS@honeybadgerapps.com
Website: ripple-vms.com

Acknowledgment

By using the RippleVMS Volunteer Management System, you acknowledge that you have read and understood this Privacy Policy and agree to be bound by its terms.