Draft — pending attorney review. This summary is informational and not yet a binding agreement.
1. Parties
Controller: the organization that signs up on Shareathon (school district, PTO, church, nonprofit, etc.). Processor: Hog Wild Fundraising LLC, doing business as Shareathon.
2. Scope
This DPA covers personal data that the Controller submits to or generates on Shareathon as part of running campaigns: admin and student accounts, donor records, campaign content, share activity, and related metadata.
3. Purpose of processing
We process this data only to: (a) operate the Shareathon service; (b) provide support; (c) prevent fraud and abuse; (d) meet legal obligations. We never sell personal data and never use it to train third-party AI models.
4. Subprocessors
Our current subprocessor list is published at /trust/subprocessors. We'll notify the Controller of material changes via the Controller's designated admin email before they take effect.
5. Security measures
See /trust/security for a plain summary. Highlights: TLS 1.2+ in transit, encryption at rest, row-level security in the database, least-privilege staff access, daily backups.
6. Incident response
If we discover a security incident affecting the Controller's data, we notify the Controller's designated contact without undue delay, and in any case within 72 hours of confirming the incident, with the facts we know and what we're doing about it.
7. Data subject rights
We help the Controller respond to requests from data subjects (access, correction, deletion). Requests directed straight to Shareathon are routed back to the Controller unless the law requires us to act directly.
8. Children's data
For programs involving students under 13, the Controller is responsible for obtaining and documenting parental consent under the applicable framework (COPPA, school-authorized consent, etc.). See /coppa.
9. International transfers
Shareathon stores production data in the United States. If the Controller is outside the U.S., the Controller authorizes the transfer of personal data to the U.S. for the purpose of operating the service.
10. Return or deletion
On request after termination of the Controller's account, we delete or return the Controller's personal data within 90 days, except where retention is required by law (e.g., financial records).
Get the executable version
Email legal@shareathon.com with your organization name and your designated data-protection contact, and we'll send a signable DPA. Back to the Trust Center.
