Legal

Privacy Policy

Effective March 1, 2026

Our Commitment

VeriServe is built for schools, students, and nonprofits. We handle data — including data about minors — with care and restraint. We collect only what we need to operate the platform, we do not sell personal data, and we give institutions meaningful control over their records.

1. What Data We Collect

We collect the following categories of data:

Account Information

  • Name, email address, and role (student, supervisor, org admin, school admin)
  • Password (stored as a hashed value — never in plain text)
  • Phone number (optional, if provided)
  • Avatar or profile photo (optional)

Student Academic Information

  • School name, grade level, and expected graduation year
  • Student ID number (as assigned by the school)
  • School enrollment records (which school(s) the student is enrolled in)

Service Hour Records

  • Service dates, hours, and activity descriptions submitted by students
  • Organization and opportunity associated with each submission
  • Approval status and reviewer notes
  • Cryptographic signature hashes (for ledger integrity — not personally identifying)

Organization Information

  • Organization name, website, address, and contact information
  • EIN / tax registration number (for verification purposes)
  • Mission statement and cause area
  • Supervisor names and emails

Usage and Technical Data

  • IP address (logged in audit events for security purposes)
  • Browser and device type (from user agent string)
  • Pages accessed and actions taken (audit log)

2. How We Use Your Data

We use collected data to:

  • Provide the core platform (service hour submission, verification, transcript generation)
  • Send transactional emails (hour approvals, rejections, status updates)
  • Enable schools and organizations to review relevant records
  • Maintain an immutable audit trail of all platform actions
  • Detect and prevent fraud or misuse
  • Improve the platform during the pilot phase

We do not use your data for advertising, profiling, or marketing to third parties. We do not sell personal data.

3. Who Can See Your Data

VeriServe uses role-based access controls. Data visibility is limited to those with a legitimate need:

Role              What they see
Student           Their own profile, applications, hour claims, and transcript only
Supervisor        Hour claims submitted to them; student names relevant to their queue
Org Admin         Their organization's opportunities, applications, and submitted hours
School Admin      Enrolled students' service records within their school
District Admin    All records within their district; organization approval queue
Platform Admin    System-wide audit log and flagged submissions (anonymized where possible)

4. Student Data and FERPA

VeriServe is used in school settings and may process data that falls under the Family Educational Rights and Privacy Act (FERPA) or similar state-level student privacy laws.

  • Student service records are treated as education records and are accessible only to authorized school personnel, the student themselves, and their parent/guardian if the student is under 18.
  • Schools that use VeriServe are responsible for ensuring they have appropriate authority to share student records with the platform under FERPA's "school officials" exception or equivalent.
  • We do not share student data with third parties except as required to operate the service (e.g., email delivery via Resend).

5. Data Retention

  • Active accounts are retained as long as the account is in use
  • Approved ledger entries are retained indefinitely — they are immutable by design
  • Unapproved draft or pending submissions may be purged after 12 months of inactivity
  • Accounts may be deleted by contacting privacy@veriserve.org. Note: deleting an account does not remove sealed ledger entries, as those are part of the institutional audit record.

6. Data Security

  • All data is encrypted at rest and in transit (TLS)
  • Passwords are hashed and never stored in plain text
  • Row-Level Security (RLS) is enforced at the database layer — users can only access records they are authorized to see
  • Ledger entries are cryptographically signed to prevent tampering
  • Access to production systems is limited to authorized personnel

While we take security seriously, no system is 100% secure. We encourage users to use strong, unique passwords and to report any suspected security issues to support@veriserve.org.

7. Third-Party Services

VeriServe uses the following third-party providers:

  • Supabase — database, authentication, and storage (EU/US regions)
  • Vercel — hosting and edge network
  • Resend — transactional email delivery

Each of these providers processes data on our behalf under data processing agreements. We do not use analytics, advertising, or tracking third parties.

8. Your Rights

You have the right to:

  • Access a copy of the personal data we hold about you
  • Request correction of inaccurate personal data
  • Request deletion of your account and associated personal data (subject to the ledger retention note above)
  • Object to processing in certain circumstances

To exercise any of these rights, email privacy@veriserve.org. We will respond within 30 days.

9. Changes to This Policy

We may update this Privacy Policy as the platform evolves. Material changes will be communicated via email to registered users. The effective date at the top of this page reflects the most recent revision.

10. Contact

Privacy questions or requests: privacy@veriserve.org