Privacy Policy
Last updated: April 21, 2026
Understanding Your Data
Sodalo is membership management software built for the organizations that bring communities together. This privacy policy explains how we handle data and who is responsible for what.
Important distinction: Your organization controls member data. Sodalo provides the software platform and is responsible for protecting the infrastructure, but your organization makes decisions about member information.
Data Controller vs. Data Processor
Your Organization (Data Controller)
Your civic organization is the data controller. You decide:
- What member data to collect
- How long to retain member records
- Who has access to member information
- How to respond to member data requests
Sodalo (Data Processor)
Sodalo is the data processor. We provide:
- Secure software infrastructure
- Data hosting and backups
- Tools to manage member data
- Technical security measures
What this means: If your members have GDPR data access or deletion requests, they should contact your organization's officers, not Sodalo. Your organization controls the data; Sodalo just provides the platform to manage it.
What Sodalo IS Responsible For
1. Administrative Account Information
We collect and control data about organization administrators who use Sodalo:
- Email address and name
- Organization name and setup details
- Login credentials (passwords are encrypted)
- Account creation date and last login
2. Billing Information
For paid plans, we store:
- Stripe customer ID and subscription status
- Plan type and billing history
- Payment method details (stored by Stripe, not by Sodalo)
Note: Credit card numbers are never stored on Sodalo's servers. All payment processing is handled by Stripe, our PCI-compliant payment processor.
3. Usage Data & Analytics
We collect anonymous usage data to improve the platform:
- Feature usage patterns (which features are used most)
- Page views and navigation flows
- Error logs and performance metrics
- Browser type, device type, and general location (city/state level)
This data is aggregated and anonymized. We use it to identify bugs, improve performance, and prioritize new features.
4. Data Security & Infrastructure
Sodalo implements industry-standard security practices:
- 256-bit SSL/TLS encryption for all data in transit
- Encrypted database storage (AES-256)
- Regular automated backups (stored encrypted)
- Access controls and role-based permissions
- Regular security audits and monitoring
- Two-factor authentication available for admin accounts
5. Data Breach Notification
In the unlikely event of a data security breach affecting your organization's data:
- We will notify affected organization administrators within 72 hours
- We will provide details about what data was affected
- We will explain what actions we're taking to remediate
- Your organization is responsible for notifying your members as required by applicable laws
Subprocessors & Third-Party Services
Sodalo uses the following trusted third-party services to operate the platform. These companies process data on our behalf and are bound by contractual obligations to protect it:
Amazon Web Services (AWS) SES
Purpose: Transactional email delivery (event reminders, password resets, dues notifications)
Location: United States
Stripe
Purpose: Payment processing for Sodalo subscription billing and member dues payments
Location: United States (PCI-DSS Level 1 compliant)
Railway
Purpose: Application hosting and infrastructure
Location: United States (SOC 2 Type II certified)
Amazon S3
Purpose: File storage (organization logos, event attachments, document uploads)
Location: United States (us-east-1 region)
All subprocessors are required to maintain security standards equivalent to or better than Sodalo's own practices. We conduct due diligence before adding any new subprocessor.
Data Retention Policy
Member Data (Controlled by Your Organization)
Your organization controls how long member data is retained. We provide the tools; you make the decisions. Member data remains in your account until:
- You delete a member record manually
- You export and delete your entire organization
- Your organization's account is closed and the 30-day grace period expires
Administrative Account Data
Sodalo retains administrative user accounts according to the following schedule:
- Active accounts: Retained indefinitely while the organization subscription is active
- Canceled accounts: Soft-deleted immediately; hard-deleted after 30 days
- Inactive accounts: Accounts inactive for 2+ years may be archived after notice
Billing & Financial Records
We retain billing records for 7 years to comply with tax and accounting regulations. This includes:
- Invoices and payment receipts
- Subscription history
- Tax documentation
Usage Logs & Analytics
Aggregated, anonymized usage data is retained for up to 2 years for product improvement purposes. Server logs containing IP addresses are retained for 90 days for security monitoring.
How Organizations Can Export and Delete Data
Data Export
All organizations (including free plan users) can export their complete data at any time:
- From your organization dashboard, go to Settings → Data Export
- Click "Download Complete Data Archive"
- You'll receive a ZIP file containing all member data, events, emails, dues records, and documents in JSON format
- Member roster can be exported as CSV from the Members page
There are no limits on how often you can export your data. We recommend exporting backups regularly.
Organization Deletion
To delete your organization and all associated data:
- Export your data (optional but recommended)
- Go to Settings → Danger Zone
- Click "Delete Organization" and confirm by typing your organization name
- Your organization is immediately soft-deleted (no longer accessible)
- After 30 days, all data is permanently purged from our systems
During the 30-day grace period, you can contact us to restore your organization if deleted by accident.
Privacy Requests & Contact
For Organization Administrators
If you have questions about your administrative account, billing data, or how Sodalo processes your organization's data, contact us at:
We respond to privacy requests within 48 hours (24 hours for paid subscribers, typically faster during business hours).
For Members of Civic Organizations
If you are a member of a civic organization using Sodalo and have questions about your personal data (GDPR access requests, deletion requests, data corrections, etc.):
Contact your organization's officers directly. Your organization controls your member data, not Sodalo. We cannot access, modify, or delete member data without authorization from your organization's administrators.
Cookies & Tracking
Essential Cookies
Sodalo uses the following essential cookies required for the platform to function:
- sessionid: Maintains your login session
- csrftoken: Security token to prevent cross-site request forgery attacks
- active_org: Remembers which organization you're currently viewing
Analytics Cookies
Sodalo uses Google Analytics to understand how users interact with the platform and improve our service. Analytics cookies are only set after you explicitly consent through our cookie consent banner.
If you accept analytics cookies, we track:
- Page views and navigation patterns
- Feature usage and click tracking
- Device type, browser, and general location
This data is anonymized and aggregated. Google Analytics uses cookies that may persist for up to 2 years.
Changing your preference: You can change your cookie consent at any time by clicking "Cookie Settings" in the footer of any page. If you reject analytics cookies, Google Analytics will not load and no tracking will occur.
Compliance with Privacy Regulations
GDPR (General Data Protection Regulation)
For organizations operating in the European Union:
- Your organization is the data controller for member data
- Sodalo acts as a data processor under GDPR Article 28
- Data processing agreement available upon request
- Member data export and deletion tools provided
- 72-hour breach notification commitment
CCPA (California Consumer Privacy Act)
California organizations and residents have the right to:
- Know what personal information is collected
- Request deletion of personal information
- Opt-out of data sales (note: Sodalo does not sell any data)
- Non-discrimination for exercising privacy rights
Illinois BIPA (Biometric Information Privacy Act)
Not applicable. Sodalo does not collect, store, or process any biometric data (fingerprints, facial recognition, retina scans, voiceprints, etc.). Illinois BIPA requirements do not apply to our platform.
Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes:
- We will update the "Last updated" date at the top of this page
- We will notify organization administrators via email at least 30 days in advance
- We will display a notice in your dashboard
Continued use of Sodalo after changes take effect constitutes acceptance of the updated privacy policy.
Contact Information
For privacy-related questions, data processing agreements, or to exercise your data rights:
Email: [email protected]
Support: [email protected]
Company: Spatula Labs LLC
Response time: 48 hours for general requests, 24 hours for paid subscribers (typically faster)
This privacy policy applies to Sodalo's platform and services. Your organization may have its own privacy policy for how it handles member data. If you're a member of an organization using Sodalo, check with your organization's officers for their specific privacy practices.
For information about your rights and obligations when using Sodalo, see our Terms of Service.