Privacy Policy
Last updated: April 21, 2026
Draft. This document is a reasonable starting point for a 501(c)(3) nonprofit collecting donations via Stripe and sending transactional email via Resend. It has not been reviewed by counsel. Before the Foundation begins public solicitation, a Florida-licensed attorney must redline this policy.
The STEMania Foundation ("STEMania Foundation," "we," "our," or "us") is a Florida nonprofit corporation. This Privacy Policy explains what information we collect when you visit stemania.org or donate to us, how we use that information, and the choices you have. It applies to the Foundation only and not to the commercial STEMania platform at stemania.com.
1. Information we collect
Information you give us. When you make a donation or contact us, you may provide your name, email address, postal address, employer (for matching-gift lookups), a dedication (in honor or memory of), and a message. You do not need to create an account to donate.
Payment information. Card numbers and bank details are entered directly into Stripe's hosted checkout and never transit or rest on our servers. We receive only a tokenized transaction record (amount, currency, last four digits, brand, and a Stripe charge ID).
Information collected automatically. Our hosting provider logs standard web request data (IP address, user-agent, timestamps, pages requested) for security, abuse prevention, and rate-limiting. We use strictly necessary cookies required for the donation flow. We do not use third-party advertising cookies.
Role-gated apps. If you sign in to an internal Foundation app (Foundation Admin, Board, or Franchise) at *.stemania.org, we additionally collect your account email, hashed password (or Google OAuth identity), role assignments, and franchise association. These apps are access-restricted and not publicly available.
2. How we use your information
- To process your donation and deliver a tax receipt
- To send you the contemporaneous written acknowledgment required by IRS Publication 1771
- To maintain the donor ledger required by Florida Statute Ch. 496 (Solicitation of Contributions Act) and IRS Form 990
- To follow up on matching-gift claims with your employer, if you asked us to
- To authenticate staff, board members, and franchise users of our role-gated apps and grant role-appropriate access
- To respond to questions you send us
- To detect, prevent, and investigate fraud or abuse
- To comply with legal and regulatory obligations
3. Who we share it with
We do not sell, rent, or trade donor information. We share information only with service providers who help us operate the Foundation, and only to the extent they need it to do their job:
- Stripe, Inc. — payment processing and PCI-compliant card handling
- Resend — transactional email delivery (receipts, acknowledgments, donor correspondence)
- Supabase — hosted database for donor and donation records
- Vercel — hosting for the site and API routes
- Upstash — rate limiting
- Sentry — error monitoring
We may disclose information if required by law, subpoena, or court order, or to protect the rights, property, or safety of the Foundation, our donors, or the public.
4. Public acknowledgment
Unless you ask us not to, we may list donor names (without amounts) in annual reports, impact publications, and on donor walls. You can remain anonymous by checking the anonymous option when you give, or by emailing us at curtis@stemania.org.
5. Data retention
Donation records are retained for at least seven years to satisfy IRS and FDACS (Florida Department of Agriculture and Consumer Services) recordkeeping requirements. Server logs are retained for up to 90 days. Email correspondence is retained for as long as reasonably needed to respond and to document the relationship. Account data for staff, board members, and franchise users of role-gated apps is retained while the account is active and for a reasonable period after deactivation to preserve audit trails.
6. Your choices
You can ask us to access, correct, or delete your personal information by emailing curtis@stemania.org. Some information must be retained to comply with tax, audit, and charitable-solicitation regulations, so we cannot delete records of completed donations, but we can stop sending you future communications at any time.
7. Grant applicants
When you submit a grant application at /grants, we collect the information you provide (organization name, contact name and email, phone, website, organization type, requested amount, funding focus, proposed timeline, and any attachments you upload). Attachments are stored in a service-role-only Supabase Storage bucket and are only accessible to Foundation staff through authenticated server-side routes — they are never served publicly. We use this information solely to evaluate and respond to your application and to maintain our internal records of funding-partnership outreach. We retain grant-application records for at least seven years to support audit and financial-reporting obligations; attachments are retained for the same period alongside the application row. We do not share grant-application data with third parties except the operational processors listed in §3 (Supabase for storage, Resend for email). If you withdraw an application, email us and we will mark the record withdrawn and cease processing.
8. Donor portal (magic-link sign-in)
When you sign in to the donor portal at /account, we use Supabase Auth to verify your email via a one-time magic link — no password. We issue a session cookie that lets you view your giving history, download or re-print tax receipts, and update your donor information. The session cookie is scoped to the Foundation domain, is marked HttpOnly, and expires according to Supabase Auth's defaults.
The portal reads from the same foundation_donors row that was created when you made your first donation; signing in links your authenticated session to that row by matching your email address. If you have more than one donor record (for example, because you gave under two slightly different email addresses), signing in will only surface the giving history associated with the specific email you used to authenticate. Email us at curtis@stemania.org and we will merge records on request.
You can request that we sever the sign-in linkage to your donor record at any time from the portal ("Sign out and delete this sign-in" on /account). This deletes the Supabase Auth account used for sign-in but preserves the underlying donation records, which we are required to retain under IRS Publication 1771 and Florida Statute Ch. 496. A full PII scrub (name, address, email) is a separate operation — email us if you need that done.
9. Google Sign-In (role-gated apps)
When you sign in with Google on a role-gated Foundation app, we access your Google email, profile name, and profile picture. We use them only to create or link your Foundation account and display your identity in the app. We do not share Google user data with third parties and do not use it for marketing or advertising.
10. Children's privacy
The STEMania Foundation website is intended for adults who wish to support STEM education. We do not knowingly collect personal information from children under 13. Our sponsorship programs fund classes that include children, but we do not collect personally identifiable information about individual students through this website; students referenced in impact reports are anonymized.
11. Security
We use industry-standard safeguards — TLS for all network traffic, encrypted-at-rest databases, least-privilege access, and rate-limiting on public APIs — to protect donor information. Foundation database tables use Row Level Security policies that permit access only to the service role; all access is mediated by server-side API routes that enforce role and franchise scoping. No system is perfectly secure; if you believe your information may have been compromised, please contact us immediately.
12. Charitable solicitation disclosure
Florida (FDACS). A COPY OF THE OFFICIAL REGISTRATION AND FINANCIAL INFORMATION MAY BE OBTAINED FROM THE DIVISION OF CONSUMER SERVICES BY CALLING TOLL-FREE WITHIN THE STATE (1-800-HELP-FLA) OR VIA WWW.FDACS.GOV. REGISTRATION DOES NOT IMPLY ENDORSEMENT, APPROVAL, OR RECOMMENDATION BY THE STATE.
13. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top. Material changes will be highlighted on this page for at least 30 days.
14. Contact
Questions about this policy? Email curtis@stemania.org or write to us at:
STEMania Foundation
7727A Holiday Drive, Sarasota, FL 34231
