Privacy Policy
Plain language about what we collect, how we use it, and the choices you have.
Effective June 15, 2026
A quick summary
Xceptional Heroes (“XH”, “we”, “us”) is a Michigan 501(c)(3) nonprofit (EIN 87-3448617). We run social, recreational, and life-skills programs for young adults with intellectual and developmental disabilities.
When you sign up a Hero, apply to volunteer, donate, or send us a message, we collect the information we need to do that — nothing more. We don’t sell your information. We share it only with the service providers that help us run the programs and with funders for required, aggregate reporting.
This page explains the details. If anything is unclear, please write to info@xceptionalheroes.org.
What we collect
Information you give us
- Hero application: name, date of birth, address, emergency contacts, brief medical and communication notes, demographic information used for grant reporting, image-release decision, and an electronic signature on the participation waiver.
- Volunteer application: name, address, date of birth, government-issued ID number (for the required background check), demographic information, and your acknowledgment of our code of conduct, image release, and liability waiver.
- Account credentials: email address and a password (stored hashed — we never see the plaintext) for the Hero/family/volunteer portal.
- Newsletter signup: name, email address, and your topic, frequency, and audience preferences.
- Contact form: name, email address, and the message you send.
- Donations and memberships: the amount, frequency, and your name and email address. Card details are entered on Stripe’s checkout page and stored by Stripe — they never reach our servers.
- Tribute gifts: if you make a gift in memory or honor of someone, the name you provide and the related dedication.
Information collected automatically
- Standard server log information from our hosting provider (Amazon CloudFront and Amazon S3) — IP address, browser type, the pages you requested, and timestamps — used to keep the site running and secure.
- For the staff portal: an internal audit log of administrative actions (who viewed or changed what, with timestamp and IP) to protect the data we hold.
- Analytics and advertising information collected by the Google services described in the “Cookies, analytics & advertising” section below.
How we use and share information
How we use it
- Run our programs — register Heroes, schedule activities, process waivers, check people in at events, and reach out about upcoming activities.
- Send transactional email (account invitations, password resets, application updates, donation receipts, and waiver renewals).
- Send the newsletter you signed up for, with the topics and frequency you chose.
- Process donations and memberships and issue tax receipts.
- Produce aggregated, anonymized reports for grant funders (counts and demographic breakdowns — never individual names or contact information).
- Keep the site and the portal secure and prevent abuse.
- Meet our legal and tax-reporting obligations.
How we share it
We do not sell, rent, or trade your personal information. We share it only with the categories of service providers and partners listed below, and only the minimum each one needs:
- Payment processing — a secure third-party payment processor handles donations, memberships, and (once live) event and shop charges. Card details are entered on the processor’s checkout page and are never seen or stored by XH.
- Hosting and infrastructure — providers that host the public website, the staff/family portal, the database, and the application servers.
- Email delivery — providers that send our transactional email (invitations, password resets, donation receipts, waiver reminders) and forward email sent to our @xceptionalheroes.org addresses.
- Analytics and advertising — providers that help us understand how visitors find and use the site, and measure the effectiveness of any paid ads we run. See the “Cookies, analytics & advertising” section below for details.
- Grant funders — only aggregated, anonymized program metrics. Individual identifying information is never shared.
- Authorities — only if required by law (subpoena, court order, or to protect someone’s safety).
Every provider we work with is contractually bound to handle your information consistently with this policy and to use it only on our behalf. We change providers from time to time as our needs evolve; the categories above describe the kinds of services we use, not specific brands.
How we protect it & how long we keep it
- All traffic to this site is served over HTTPS.
- Passwords are stored hashed using bcrypt — even our administrators cannot read them.
- Government-ID numbers and other sensitive PII are restricted to administrators with a documented need to view them, and access is recorded in our audit log.
- We keep Hero, family, and volunteer records while the relationship is active and for a reasonable period afterward (typically up to seven years) to support grant reporting and historical recordkeeping. Donation records are kept for the period required by tax law.
- If you ask us to delete your information, we will, unless we are required to keep it (for example, donation records for tax purposes).
Your rights and choices
You can ask us to:
- Show you the information we have about you or about a Hero you’re a guardian for.
- Correct anything that’s wrong.
- Delete information we are not legally required to keep.
- Stop sending you newsletter or marketing email. Every newsletter includes a one-click unsubscribe link, and a self-serve preference page is linked from the footer.
- Withdraw your image-release consent (the consent is recorded at registration and renewed each year with the participation waiver — see the next section).
Reach us at info@xceptionalheroes.org for any of these requests.
Photos, image releases & media consent
- Every Hero application and volunteer application includes an explicit image release that the participant (or their guardian, where applicable) chooses to grant or decline.
- The image release covers photos and video taken at our activities, used on our website, social media, and printed materials to share what we do.
- We maintain a “do not photograph” list. If you decline the image release, or change your mind later, our staff and activity leaders are notified.
- If you spot a photo of yourself or a Hero you’re a guardian for that you’d like removed, email info@xceptionalheroes.org and we will remove it.
Young adults and minors
Our programs are designed for young adults age 17 and up. When a Hero is under 18, we require a parent or legal guardian to complete the application and sign all consents on their behalf, including the image release and participation waiver. We do not knowingly collect information from a child under 13 on the public website.
Cookies, analytics & advertising
Cookies set by XH
- The accessibility toolbar (text size, contrast, dyslexia font, reduced motion) saves your preferences locally in your browser so they’re applied the next time you visit. Nothing is sent to us.
- The Hero/family/volunteer portal uses a session cookie or token to keep you signed in.
Google Analytics
We use Google Analytics 4 to understand how visitors find and use the site. Google sets cookies in your browser and collects, on our behalf, information such as the pages you view, the time you spend, the site or search term you came from, your general location (approximate city, derived from your IP address), and basic device and browser information. We do not provide Google with your name, email address, donation amount, or anything you submit on a form.
You can opt out of Google Analytics by installing the Google Analytics opt-out browser add-on, or by using your browser’s privacy controls to block third-party cookies.
Google Ads
We may run paid ads on Google to invite people to learn about Xceptional Heroes, sign up a Hero, volunteer, or donate. When you arrive at the site from one of those ads, Google Ads conversion tracking sets a cookie so we can measure which ads brought people to actions like visiting our sign-up pages or completing a donation. We see the aggregate result (for example, “100 visitors from this ad signed up to volunteer”), not anything that personally identifies you. You can manage ad personalization in your Google Ad Settings.
More about Google’s practices
For more on how Google uses information from sites and apps that use its services, see Google’s page on how it uses information from sites or apps that use its services.
Third-party links
Our website may link to outside organizations (for example, on the Helpful Links page). We are not responsible for those sites’ privacy practices.
Changes to this policy
We will post any updates to this page with a new effective date. If we change something material about how we use your information, we will let registered Heroes, families, and volunteers know by email.
Questions about privacy?
We’re happy to walk you through anything on this page — or anything we have on file about you or a Hero you support.