Privacy Policy

How Oasis of Change collects, uses, and protects information submitted through this website.

1. Information we collect

We collect only the information you choose to provide, plus the minimum technical data needed to operate and protect the site.

Information you submit through the contact form. When you reach out through our contact form, you may share your first and last name, email address, phone number (optional), organization details (such as name, type, role, website, or LinkedIn), and any message you write. Depending on the type of inquiry you select — for example, volunteer, partnership, media, speaking, Web-Ready, WRA Platform, Sustainable Technology Week, VCASSE, tree planting, donation, or general — the form may also collect a small set of inquiry-specific fields such as areas of interest, availability, event details, or your organization's mission. Required fields are clearly marked; everything else is optional.

Optional file attachments. You can attach one document (PDF, DOC, or DOCX) or image (JPG, PNG, or WebP) up to 4 MB to a contact submission. Image attachments are automatically re-encoded on upload, which strips embedded metadata such as EXIF, GPS coordinates, thumbnails, and color profiles before the file is stored.

Newsletter opt-in. The contact form includes an optional checkbox if you would like to receive occasional updates from Oasis of Change. The checkbox is unchecked by default; you are added only if you choose to opt in.

Technical information. Like most websites, our server receives standard request data each time a page or API endpoint loads, including IP address, user agent (browser and device type), referrer, and the page or endpoint requested. We use this only to operate the site, enforce rate limits, and diagnose problems.

2. How we use information

We use the information you submit to:

  • Respond to your inquiry and follow up where appropriate.
  • Process volunteer, partnership, media, speaking, donation, and program-related requests.
  • Send occasional updates, if you opted in to the newsletter.
  • Prevent abuse of the site through rate limiting, bot challenges, and duplicate-submission detection.
  • Improve our website, content, and programs.

We do not use your information for advertising, behavioural profiling, or sale to third parties.

3. Cookies and local storage

We use the minimum browser storage needed to keep the site working. We do not set advertising or tracking cookies, and we do not use third-party tracking pixels.

  • Language preference. When you choose a language (English, French, or Spanish), your choice is saved in your browser's local storage under the key ooc-lang so the site loads in your preferred language on return visits.
  • Contact form draft. While you fill out the contact form, your in-progress entries are saved to your browser's local storage under cf_draft so a refresh or lost connection does not erase your message. Drafts auto-expire after 7 days and are cleared when you successfully submit or click "discard".
  • Google Translate. If you switch to French or Spanish, the Google Translate widget is loaded and a googtrans cookie is set so the translation persists across pages. Switching back to English clears it.
  • Session preferences. A small amount of sessionStorage may be used to coordinate the language-change disclaimer within a single browsing session.

You can clear cookies and local storage for this site at any time through your browser settings.

4. Third-party services

We rely on a small set of third-party providers to operate the site. Information is sent to them only when needed for the function described.

  • Vercel — hosts the website and serverless functions. Standard server logs (including IP address and request data) are processed by Vercel as part of hosting. Optional file attachments you upload through the contact form are stored in Vercel Blob storage.
  • Slack — contact-form submissions are delivered to a private Slack channel through an incoming webhook so our team can review and respond to your message.
  • Cloudflare Turnstile — a privacy-respecting alternative to traditional CAPTCHAs, used on the contact form to confirm submissions come from a person rather than a bot.
  • Upstash Redis — used briefly to enforce per-IP rate limits and to detect accidental duplicate submissions. Rate-limit records expire automatically within an hour.
  • Google Translate — loaded only when you select French or Spanish. While translation is active, page text may be sent to Google for translation. The widget is not loaded when the site is in English.
  • YouTube (privacy-enhanced mode) — videos on the site, such as the TEDx talk, are embedded via youtube-nocookie.com, which does not set tracking cookies unless you start playback.

Each provider has its own privacy practices that govern any data they receive from you.

5. Analytics and tracking

We do not use Google Analytics, Meta Pixel, or any other third-party analytics or advertising tracker on this website. We do not run remarketing, behavioural profiling, fingerprinting tools, or embedded social-media trackers, and we do not share visitor data with advertisers or data brokers.

The site also signals that we do not participate in Google's interest-cohort (FLoC) advertising program by sending a Permissions-Policy: interest-cohort=() header on every page.

6. How we protect your information

We take a security-first approach to how the site is built and operated:

  • All traffic is served over HTTPS, with HSTS preload to require encrypted connections.
  • A Content Security Policy and additional security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Cross-Origin-Resource-Policy, and others) are applied at the edge.
  • The contact form is protected by an optional Cloudflare Turnstile challenge, server-side rate limits, an origin allow-list, and a hidden honeypot field.
  • File uploads are validated by both declared content type and magic-byte inspection, and have size limits. Image attachments are re-encoded server-side to strip EXIF and other embedded metadata before storage.
  • Permissions-Policy disables sensitive browser features (camera, microphone, geolocation, USB, payment, sensors) sitewide.

These measures reduce risk, but no method of internet transmission or electronic storage is ever completely secure. We cannot guarantee absolute security.

7. Sharing of information

We do not sell, rent, or trade personal information submitted through this website. We share information only:

  • With the service providers listed in Section 4, and only as needed to operate the site;
  • When you direct us to (for example, by initiating a referral or partnership conversation);
  • To comply with legal obligations or valid legal process, or to protect the rights, safety, and property of Oasis of Change, our community, or the public.

8. Your choices and rights

You always have the choice not to submit a form. You can also:

  • Skip optional fields such as phone number, organization details, or attachments.
  • Leave the newsletter checkbox unchecked.
  • Clear cookies and local storage for this site through your browser settings at any time.
  • Contact us to ask what information we hold about you, to request a correction, or to ask that we delete it, subject to any legal obligations we have to retain it.

Depending on where you live, you may have additional rights under local privacy law. To exercise any of these rights, please reach out through our contact page.

9. Children's privacy

This website is not directed at children, and we do not knowingly collect personal information from children. If you believe a child has submitted information through our site, please contact us so we can remove it.

10. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our website, practices, or legal obligations. Any updates will be posted on this page. Continued use of the site after an update means you accept the revised policy.

11. Contact

If you have any questions about this Privacy Policy or how information is handled through this website, please reach out through our contact page.