01Overview

This Privacy Policy describes how Healthy Basement Society ("HBS," "we," "us," or "our"), a non-commercial research organization, collects, uses, discloses, and safeguards information in connection with the website located at healthybasementsociety.org (the "Site"), our research surveys, and related communications (collectively, the "Services"). This policy applies to all visitors, research participants, partners, and members of the public who interact with the Services.

HBS is committed to a zero-PII research framework. Information collected through study surveys is anonymized and aggregated before any public display. Information collected via the Site is limited to what is necessary to operate it and respond to your inquiries.

02Scope & Definitions

For purposes of this policy:

• "Personal Information" (or "PII") means information that identifies, relates to, or could reasonably be linked with a particular individual or household, as defined under applicable law including the California Consumer Privacy Act, as amended ("CCPA / CPRA").
• "Aggregate Information" means information that has been combined across many individuals such that it can no longer reasonably be associated with any single person or household.
• "Anonymized Information" means information from which all direct and indirect identifiers have been removed in accordance with our published methodology.
• "Sensitive Personal Information" has the meaning given in the CCPA / CPRA. HBS does not knowingly collect Sensitive Personal Information through the Site.

This policy does not govern the practices of third-party websites linked from our Site. Their practices are governed by their own privacy policies.

03Information We Collect

A. Information You Provide

We collect information that you choose to provide directly:

• Contact form submissions: name, email address, organization (optional), inquiry type, and the contents of your message.
• Research participation: verbal responses to survey questions during voluntary phone-based interviews. Direct identifiers are not retained on public infrastructure; see Data Ethics & IRB Statement.
• Privacy and rights requests: contact information necessary to verify and respond to a request, plus the substance of the request itself.
• Press, partnership, and data-access requests: name, email, role, organization, and request details.

B. Information Collected Automatically

When you visit the Site, our infrastructure may automatically log a limited set of technical information:

• IP address (truncated to /24 within 24 hours);
• browser type and version, operating system, screen size;
• referring URL and pages visited on the Site;
• timestamps of requests.

This information is used to operate, secure, and improve the Site. It is not associated with named individuals and is retained on a short rolling window (see Section 7).

C. Information We Do Not Collect

HBS does not collect, on this public Site:

• government-issued identifiers (Social Security, driver's license, passport);
• financial account or payment-card information;
• health, biometric, genetic, or precise geolocation data;
• protected-class information (race, religion, sexual orientation) except where you voluntarily disclose it in correspondence;
• data about children under 13 (see Section 10).

04How We Use Information

We use the information described above for the following purposes:

• Operating the Services: rendering pages, securing the Site against abuse, and maintaining performance.
• Responding to inquiries: routing your message to the appropriate team and replying.
• Conducting research: producing aggregate, anonymized statistical summaries for publication; see Methodology.
• Compliance: meeting legal obligations under TCPA, CAN-SPAM, CCPA / CPRA, COPPA, and applicable state laws.
• Improvement: understanding aggregate Site usage to improve clarity and accessibility. We do not use this information for behavioral advertising.

We do not sell Personal Information. We do not "share" Personal Information for cross-context behavioral advertising as defined under CPRA.

05Legal Bases for Processing

Where applicable law requires a specific legal basis, HBS relies on the following:

• Consent — for research survey participation and for any communications you opt into.
• Legitimate interests — for Site security, fraud prevention, and aggregated analytics, balanced against your rights and freedoms.
• Legal obligation — to respond to lawful requests, retain records required by law, and meet TCPA / CCPA obligations.
• Performance of a task in the public interest — for the publication of aggregated research findings.

06Sharing & Disclosure

We share information only as described below.

• Service providers. A small set of vetted vendors host the Site, deliver email, and provide infrastructure security. They process information solely on our instructions and under written contracts that prohibit independent use.
• Advisory board and external counsel. Aggregated, anonymized research outputs and operational metadata are reviewed by our advisory board and privacy counsel. Reviewers do not receive raw individual responses.
• Legal compliance. We may disclose information if required by valid legal process, to enforce our terms, or to protect rights, property, or safety.
• Business transfers. HBS is a non-commercial research organization. In the unlikely event of a merger, dissolution, or transfer of assets, this policy will continue to govern the information held at that time, or successors will provide notice and meaningful choice.

We do not sell or rent Personal Information to advertisers, data brokers, or marketing services. We do not provide research participants' contact information to commercial third parties.

07Retention & Deletion

We retain Personal Information only as long as necessary for the purpose for which it was collected, plus any period required by law:

• Contact form submissions: 90 days in active inboxes, then archived for one (1) year and securely deleted, unless an active matter requires longer retention.
• Server access logs: 30 days for security analysis; truncated IP fields retained no longer than 90 days.
• Survey raw responses: stripped of direct identifiers within 24 hours of collection. Anonymized response codes are retained for the duration of the longitudinal study.
• Privacy-rights requests: retained for two (2) years to demonstrate compliance, then deleted.

When information is no longer needed, it is securely deleted using documented procedures or, where deletion is not technically feasible, isolated from further processing and protected from access.

08Security Measures

HBS implements administrative, technical, and physical safeguards designed to protect information against loss, misuse, and unauthorized access:

• encryption in transit (TLS 1.2+) for all Site traffic;
• encryption at rest for backup archives;
• least-privilege access controls and quarterly access reviews;
• multi-factor authentication on all administrative accounts;
• annual independent security assessment;
• documented incident-response plan with statutory breach-notification timelines.

No system can be guaranteed perfectly secure. If we become aware of a data incident affecting Personal Information, we will notify affected individuals and regulators as required by applicable law.

09Your Rights Under California Law

If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA, regardless of whether you have a business relationship with HBS:

• Right to know the categories and specific pieces of Personal Information we have collected about you, the sources, the purposes, and the categories of recipients.
• Right to delete Personal Information we have collected, subject to limited exceptions (e.g., legal recordkeeping).
• Right to correct inaccurate Personal Information.
• Right to opt out of sale or sharing. HBS does not sell or share Personal Information for cross-context behavioral advertising; this right is preserved as a matter of law.
• Right to limit use of Sensitive Personal Information. HBS does not knowingly collect Sensitive Personal Information through the Site.
• Right to non-discrimination for exercising these rights.

How to exercise your rights. Submit a request to [email protected] or via the form on our contact page. We may need to verify your identity using information you have previously provided. Authorized agents may submit on your behalf with documented authority. We respond to verifiable consumer requests within 45 days, with one 45-day extension where reasonably necessary and disclosed.

If you are a resident of another state with comparable privacy law (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and Delaware), HBS will honor analogous rights consistent with applicable law.

10Children's Privacy & COPPA

The Site is intended for adults. HBS does not knowingly collect Personal Information from children under thirteen (13) in violation of the Children's Online Privacy Protection Act ("COPPA"). Research survey participation is restricted to consenting adult householders. If we learn that we have inadvertently collected Personal Information from a child under 13 without verifiable parental consent, we will delete it promptly. Parents and guardians who believe their child has provided Personal Information to HBS may contact us at [email protected].

11Cookies & Tracking Technologies

The Site uses a minimum of cookies necessary to operate. We do not use third-party advertising trackers, retargeting pixels, or behavioral profiling.

• Strictly necessary cookies support security and basic functionality (e.g., load balancing, CSRF protection). These cannot be disabled without impairing the Site.
• Aggregate analytics are collected through privacy-respecting, server-side methods that do not set persistent identifiers in your browser. Outputs are reported only at the aggregate level.

We honor Global Privacy Control ("GPC") signals where required by law. Most browsers allow you to refuse or delete cookies through their settings.

12Third-Party Services & Links

The Site may link to third-party resources (e.g., academic publications, government datasets) for reference. We are not responsible for the privacy practices or content of those external sites. Review their privacy policies before providing them with information.

Hosting and email delivery are provided by reputable infrastructure vendors under written data-processing agreements. A current list of subprocessors is available on request to [email protected].

13International Visitors

HBS operates from the United States. If you access the Site from outside the United States, you understand that your information will be processed in the United States, where data-protection laws may differ from those in your jurisdiction. Where applicable law requires, we rely on appropriate transfer mechanisms (such as standard contractual clauses) and implement supplementary measures.

Residents of the European Economic Area, the United Kingdom, and other jurisdictions with comprehensive data-protection laws may have additional rights, including the right to lodge a complaint with a supervisory authority.

14Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or applicable law. The "Effective" and "Last reviewed" dates at the top of this policy indicate when changes take effect. Material changes will be highlighted on the Site for at least 30 days and, where required by law, individuals will receive direct notice. We encourage you to review this policy periodically.

15Contact & Requests

For questions about this policy, to exercise rights, or to lodge a complaint about our privacy practices:

• Privacy email: [email protected]
• Mailing address: Healthy Basement Society, Attn: Privacy, 212 W Wayne St, Suite 305, Fort Wayne, IN 46802
• Phone: (260) 555-0140

If you are not satisfied with our response, you may have the right to contact your local data-protection authority or the California Privacy Protection Agency.