Privacy Policy

Holon Gardens / Holon Foundation

Holon Gardens (operated by Holon Foundation, a 501(c)(3) non-profit organization based in Houston, Texas) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services, including the Holon Gardens steward portal.

1. Information We Collect

We collect information in the following ways:

Personal Information You Provide:

• Account Information: When you create a portal account, we collect your name, email address, and physical address.
• Garden Data: Through the Holon Gardens portal, we collect information about gardens you manage, including location, garden specifications, plant inventory, and stewardship records.
• Communication Data: When you contact us via email or the portal, we retain your messages and any information you provide.

What We Do NOT Collect: We do not collect or store financial information such as credit card numbers, bank account details, or payment information. Any payments to Holon Foundation are processed through secure third-party payment processors and are not stored on our systems.

Automatically Collected Information:

• Cookies: We use essential cookies only for authentication and session management. These cookies are necessary for the portal to function.
• Local Storage: We use browser localStorage as a fallback mechanism for maintaining authentication tokens when cookies are not available.
• Server Logs: Our servers automatically log IP addresses, browser type, access times, and pages visited for security and system administration purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

• Portal Services: To provide access to the Holon Gardens steward portal, manage your account, and track your garden data.
• Steward Applications: To process applications for garden stewardship and communicate with applicants.
• Communication: To respond to your inquiries, send important updates about the platform, and notify you of changes to our services.
• Service Improvement: To understand how our services are used and to improve functionality and user experience.
• Legal Compliance: To comply with applicable laws and regulations, and to protect our legal rights.
• Security: To detect, prevent, and address fraud, abuse, and other security concerns.

3. Third-Party Services

We use the following third-party services to operate our platform:

Supabase

We use Supabase for our database infrastructure and authentication services. Supabase hosts your garden data and manages user authentication. Your data is encrypted in transit and at rest. Supabase's privacy policy is available at supabase.com/privacy.

Formsubmit.co

We use Formsubmit.co to deliver email notifications from our contact forms and steward applications. This service processes your email address and message content for delivery purposes. Formsubmit.co's privacy policy is available at formsubmit.co.

4. Cookies and Local Storage

Essential Cookies

We use essential cookies only for authentication and to maintain your session in the portal. These cookies are required for the portal to function and cannot be disabled without losing access to your account.

Local Storage

We use browser localStorage as a fallback authentication mechanism. This allows you to remain logged in if cookies are blocked or unavailable. Local storage data is stored only on your device and is cleared when you log out.

No Tracking: We do not use tracking cookies, analytics cookies, or any non-essential cookies. We do not use third-party analytics services that track your behavior across the web.

5. Data Security

We implement comprehensive security measures to protect your information:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL (HTTPS).
• Database Security: Supabase implements encryption at rest for all stored data.
• Row-Level Security: We use Supabase's Row-Level Security (RLS) policies to ensure users can only access their own data.
• Password Security: Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plain text.
• Access Controls: We implement strict access controls and regularly audit who has access to user data.
• Incident Response: We have procedures in place to respond to and mitigate any data breaches.

Security Limitations: While we implement robust security measures, no system is completely secure. We cannot guarantee absolute security of your information. If you discover a security vulnerability, please contact us immediately at info@holonfoundation.org.

6. Your Privacy Rights

Portal Settings

You can manage your personal information and privacy preferences directly in the portal settings:

• Access: You can view your account information and garden data at any time.
• Export: You can request to export all your data in a portable format.
• Update: You can update your personal information at any time.
• Deletion: You can request deletion of your account and associated data through portal settings.

GDPR Rights (for EU residents)

If you are a resident of the European Union, you have the following rights under GDPR:

• Right of access to your personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

CCPA Rights (for California residents)

If you are a resident of California, you have the following rights under CCPA:

• Right to know what personal information is collected
• Right to know whether your personal information is sold or disclosed
• Right to say no to the sale of your personal information
• Right to access your personal information
• Right to deletion of personal information
• Right to non-discrimination for exercising your CCPA rights

TDPSA Rights (for Texas residents)

If you are a resident of Texas, you have the following rights under the Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024:

• Right to Access: You may confirm whether we are processing your personal data and access that data.
• Right to Correct: You may correct inaccuracies in your personal data.
• Right to Delete: You may request deletion of your personal data.
• Right to Portability: You may obtain a copy of your personal data in a portable, readily usable format.
• Right to Opt Out of Sale: You may opt out of the sale of your personal data. Note: Holon Gardens does not sell personal data.
• Right to Opt Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. Note: Holon Gardens does not engage in such profiling.

Sensitive Data We Collect

Under the TDPSA, the following categories of data we collect are classified as sensitive and require your affirmative consent:

• Precise Geolocation: Garden addresses and GPS coordinates collected during garden registration for conservation mapping, community verification, and ecological impact measurement.

We obtain explicit consent before collecting sensitive data. You may withdraw this consent at any time by deleting your garden, adjusting your privacy settings in the portal, or contacting us.

Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals as required by the TDPSA. If your browser sends a GPC signal, we automatically treat it as a valid opt-out request and limit data collection to essential cookies only.

Response Timeline

We will respond to all TDPSA data rights requests within 45 calendar days of receipt, as required by law. If we need additional time, we will notify you of the extension and the reasons for the delay.

To exercise any of these rights, please contact us at info@holonfoundation.org and include "Data Request" in the subject line. You may also submit requests through the Trust Portal under Account Settings → Privacy.

7. Children's Privacy

Holon Gardens is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information and terminate the child's account.

For children ages 13-17, parental consent is recommended before using our services. Parents or guardians who believe their child has provided information without proper consent should contact us immediately.

8. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by:

• Posting the updated Privacy Policy on our website with a new effective date
• Sending you an email notification if we have your email address on file
• Requesting your consent if required by applicable law

Your continued use of our services after any changes constitutes your acceptance of the updated Privacy Policy.

9. Contact Information