Privacy & GDPR
GreekManage stores personal data on members and donors. This page summarizes what's stored, how it's protected, and the rights you have.
What's stored
About members
- Identity: name, email, phone (optional)
- Profile: bio, hometown, major, graduation year, photo, social links
- Org context: chapter, region, role, status
- Custom fields configured by your org
- Activity: forum posts, recognitions, election ballot timestamps (not contents), invoices, course progress
- Audit trail: sign-ins, profile changes, admin actions
About donors
- Identity, address, payment method tokens (no card numbers)
- Donation history (amounts, dates, campaigns)
- Tags and custom notes set by org admins
About admins
Same as members, plus their admin role and any sensitive actions they take (logged).
How it's protected
- Encryption in transit: TLS 1.2+ for all connections
- Encryption at rest: AES-256 for the database; storage providers encrypt at rest
- Access controls: row-level security per tenant; permissions enforced at API and UI layers
- Audit logs: every action logged
- Backups: encrypted, retained per policy
- Penetration testing: annually by independent assessors
- Vulnerability scanning: continuous
Your rights
Right to access
Export everything about yourself: Account settings → Privacy → Data export. Format: JSON or PDF. Sent to your registered email within 24 hours.
Right to rectification
Update your profile fields directly. For fields you can't edit (status, role), ask an officer or org admin.
Right to erasure ("right to be forgotten")
Account settings → Privacy → Delete account. 30-day grace period; permanent after.
After deletion:
- Profile fields wiped
- Posts replaced with "[deleted user]"
- Invoices anonymized but retained for tax/legal compliance
- Audit log entries for actions you took as admin remain (anonymized)
Right to restriction of processing
Pause processing without full deletion: Account settings → Disable account. Sign-ins blocked; data preserved.
Right to data portability
Same as access — JSON export is portable.
Right to object
You can opt out of:
- Marketing emails (in Notifications)
- Profile inclusion in directories (in Privacy → Profile visibility)
- AI chatbot logging (your org admin must enable individual opt-out; ask them)
Right to withdraw consent
For consent templates you accepted, you can withdraw via Account settings → Privacy → Consents. Some withdrawals trigger access restrictions (e.g., withdrawing the membership agreement may end your membership).
Children's data
GreekManage is not directed at users under 13. If we learn we've collected data from a user under 13 without parental consent, we delete it.
International transfers
GreekManage may store and process data in:
- The United States (primary)
- The EU (where required by customer contract)
- The customer's chosen storage region for files
For EU customers, GreekManage signs Standard Contractual Clauses (SCCs) to authorize US transfers.
Data retention
| Data type | Retention |
|---|---|
| Profile data | Active membership + per-policy after deletion |
| Forum posts | Indefinite (replaced with "[deleted]" if user deletes) |
| Invoices and payment records | 7 years (tax law) |
| Audit logs | 2 years standard, 7 years for financial actions |
| Backups | 30 days standard, 1 year for weekly snapshots |
| Email logs | 30 days |
| Session data | 90 days |
Org admins can configure retention within these limits; platform admins set platform-wide defaults.
Subprocessors
GreekManage uses these subprocessors (full list at greekmanage.com/legal/subprocessors):
- AWS / cloud infrastructure
- Stripe / payment processing
- SendGrid / email delivery (if your platform uses it)
- AI providers (Anthropic, OpenAI, Google) for the AI chatbot, only when AI Services is enabled
Each subprocessor has a Data Processing Addendum (DPA) in place.
Security incidents
In the event of a security incident affecting personal data:
- GreekManage notifies platform and org admins within 72 hours of confirmation
- Affected users are notified per applicable law
- Public security advisories are posted at greekmanage.com/security
DPO (Data Protection Officer)
Contact: privacy@greekmanage.com
For EU-specific inquiries: eu-privacy@greekmanage.com
Filing a complaint
You can file a complaint with:
- Your country's data protection authority (DPA)
- The U.S. Federal Trade Commission for U.S. users
- Your state attorney general (varies by state)
GreekManage cooperates fully with regulator inquiries.