H
The Hub

Privacy Policy

The Hub — operated by MelaVaci LLC Last Updated: April 2026

This Privacy Policy describes how MelaVaci LLC ("we," "us," or "our") collects, uses, stores, and protects information when you use The Hub, our AI-powered nonprofit intelligence platform ("the Service"). By using the Service, you agree to the practices described in this policy.

We built The Hub for nonprofit leaders. We respect the sensitivity of your organizational data and are committed to protecting it.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Your name
  • Your email address
  • Your organization name
  • A password (stored as a cryptographic hash by Firebase Authentication — we never see or store your actual password)
  • Your subscription tier selection (Free, Starter, or Professional)

1.2 Organization Data

When you use the Service, you provide organizational information that forms your "Organizational Hub." This may include:

  • Mission statement, vision statement, and organizational purpose
  • Program descriptions, goals, outcomes, and success indicators
  • Target audience profiles (demographics, challenges, motivations)
  • Organizational tone, philosophy, and key terminology
  • Evaluation data (domain scores, assessment results)
  • Financial planning information
  • Marketing strategy data (funnel stages, audience awareness levels, messaging)
  • Organizational logic models and frameworks

1.3 Uploaded Documents

You may upload files to the Service, including:

  • PDF documents (evidence reports, surveys, case studies)
  • Other organizational documents used for AI-assisted analysis

We enforce file type restrictions and size limits on all uploads.

1.4 AI-Generated Content

When you use the Service to generate content (prompts, narratives, reports, communications), we store:

  • The prompts assembled from your organizational data
  • AI-generated output (for Starter tier users)
  • Prompt history (task type, audience, associated program, timestamp)

1.5 Usage Data

We automatically collect limited technical data:

  • Login timestamps and session duration
  • Features used and pages visited within the Service
  • AI token usage (for Starter tier accounts)
  • Browser type and general device information
  • Error logs generated during your use of the Service

We do not use third-party advertising trackers, social media pixels, or behavioral advertising tools.

1.6 Payment Information

When you subscribe to a paid plan, your payment is processed by Stripe. We do not store your credit card number, bank account details, or other payment credentials on our servers. Stripe handles all payment data in accordance with PCI-DSS standards. We receive from Stripe only:

  • Confirmation of payment status
  • Subscription plan and billing cycle
  • A Stripe customer identifier

2. How We Use Your Information

We use the information we collect to:

  • Provide the Service: Store your organizational data, assemble prompts, generate AI-powered content, and deliver outputs based on your subscription tier.
  • Maintain your account: Authenticate your identity, manage your subscription, and enforce usage limits.
  • Improve the Service: Analyze aggregated, anonymized usage patterns to identify bugs, improve features, and understand which capabilities are most valuable. We do not analyze the content of your organizational data for this purpose.
  • Communicate with you: Send transactional emails (account confirmations, billing receipts, password resets, service announcements). We will never send marketing emails without your explicit opt-in.
  • Enforce our policies: Detect and prevent abuse, fraud, and violations of our Terms of Service and Acceptable Use Policy.

What We Do NOT Do With Your Data

  • We do not sell your data. Not to advertisers, data brokers, or anyone else. Period.
  • We do not use your organizational data to train AI models. Your data is sent to Anthropic's Claude API solely to generate the specific output you requested. It is not used to improve or train any AI model. See Section 3.1 for more detail.
  • We do not share your data with other organizations using the Service. Each organization's data is isolated and inaccessible to other tenants.

3. Third-Party Service Providers

We use a limited number of third-party services to operate The Hub. Each receives only the data necessary to perform its function.

3.1 Anthropic (Claude API) — AI Processing

When you generate content through the Service, your organizational data is sent to Anthropic's Claude API to produce the requested output. This includes relevant portions of your mission statement, program descriptions, audience profiles, and other data you have entered into your Organizational Hub.

Anthropic processes this data under their own usage policies. As of the date of this policy, Anthropic states that data sent through their API is not used to train their models. We encourage you to review Anthropic's privacy policy and usage policy at anthropic.com for the most current terms.

We send only the data relevant to your specific request — not your entire organizational profile — and we do not send your account credentials, payment information, or usage analytics to Anthropic.

3.2 Google Firebase — Data Storage and Authentication

Your organizational data is stored in Google Cloud Firestore. Your uploaded documents are stored in Google Cloud Storage. Your account authentication is managed by Firebase Authentication. All data is encrypted in transit (TLS) and at rest. Google operates these services under their Cloud Data Processing terms.

3.3 Stripe — Payment Processing

Stripe processes all subscription payments. Stripe is PCI-DSS Level 1 certified. We do not have access to your full payment card details. See Stripe's privacy policy at stripe.com/privacy.

3.4 Vercel — Hosting

The Hub's web application is hosted on Vercel. Vercel processes HTTP requests and may collect standard server logs (IP address, request timestamp, browser type). See Vercel's privacy policy at vercel.com/legal/privacy-policy.

3.5 No Other Third Parties

We do not use:

  • Third-party advertising networks
  • Social media tracking pixels
  • Analytics platforms that track individual behavior across websites
  • Data brokers or data resellers

4. Cookies and Tracking

The Hub uses minimal cookies and local storage:

  • Authentication session cookie: Managed by Firebase Authentication. Required for you to stay logged in. This is a functional cookie, not a tracking cookie.
  • Stripe session data: Used during the checkout process to complete payment securely.

We do not use cookies for advertising, cross-site tracking, or behavioral profiling. We do not participate in any ad networks.

5. Data Security

We implement the following security measures:

  • All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
  • All data stored in Firestore and Cloud Storage is encrypted at rest by Google.
  • Firebase Authentication uses industry-standard hashing for passwords.
  • Firestore security rules enforce strict tenant isolation — one organization cannot access another organization's data under any circumstances.
  • All API endpoints require authenticated requests with valid Firebase Auth tokens.
  • File uploads are validated for type and size before processing.
  • Rate limiting is applied to AI generation endpoints to prevent abuse.
  • The Anthropic API key is stored as a server-side environment variable and is never exposed to the client.

No system is perfectly secure. If we become aware of a security breach that affects your data, we will notify you by email within 72 hours of confirming the breach, along with a description of what data was affected and what steps we are taking.

6. Data Retention and Deletion

Please see our separate Data Retention and Deletion Policy for full details. In summary:

  • Your organizational data is retained for as long as your account is active.
  • When you cancel your account, you have a 30-day grace period to export your data or reactivate.
  • After the 30-day grace period, all your data — including Firestore documents, uploaded files in Cloud Storage, and your authentication record — is permanently deleted.
  • You may request a full data export at any time while your account is active.
  • You may request deletion of your account and all associated data at any time by contacting us.

7. Your Rights

Regardless of where you are located, you have the right to:

  • Access your data: You may view all organizational data you have entered into the Service at any time through the platform interface.
  • Export your data: You may request a complete export of your organizational data in a standard format (JSON) at any time.
  • Correct your data: You may edit any information in your organizational profile at any time through the platform.
  • Delete your data: You may request deletion of your account and all associated data by contacting us at the address below.
  • Cancel your subscription: You may cancel your paid subscription at any time. Cancellation takes effect at the end of your current billing period.

For California Residents (CCPA)

Under the California Consumer Privacy Act, you have additional rights including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact us at the address below.

For European Economic Area Residents (GDPR)

If you are located in the EEA, our legal basis for processing your personal data is:

  • Performance of a contract: We process your data to provide the Service you have subscribed to.
  • Legitimate interest: We process limited usage analytics to maintain and improve the Service.
  • Consent: Where required, we obtain your consent before processing (for example, for optional communications).

You have the right to access, rectify, erase, restrict processing, data portability, and to object to processing. You also have the right to lodge a complaint with your local data protection authority. To exercise these rights, contact us at the address below.

8. Children's Privacy

The Hub is designed for nonprofit organizational leaders and their authorized staff. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. If we make material changes that affect how we handle your data, we will notify you by email at least 30 days before the changes take effect.

Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy, want to exercise any of your data rights, or have concerns about how your information is handled:

MelaVaci LLC Email: privacy@melavaci.com Subject line: "The Hub — Privacy Inquiry"

We will respond to all privacy-related inquiries within 30 days.