Privacy Policy
Effective: June 1, 2026
MySummitKeep LLC (“we,” “us,” or “our”) operates the MySummitKeep platform and website at www.mysummitkeep.com (the “Service”). This Privacy Policy describes how we collect, use, disclose, and protect your information.
1. Notice at Collection
At or before the point of collection, we collect the categories of personal information described in Section 2 for the purposes described in Section 3. We retain personal information for the periods described in Section 6. We do not sell your personal information and we do not “share” your personal information for cross-context behavioral advertising as those terms are defined under California law. This notice satisfies the “Notice at Collection” requirement under California Civil Code § 1798.100(b).
2. Information We Collect
2.1 Information You Provide
| Category (CCPA §1798.140) | Examples |
|---|---|
| Identifiers | Name, email, phone, mailing address, BSA member ID, account password |
| Customer records (Cal. Civ. Code § 1798.80(e)) | Billing name and address, payment-card tokens (we do not store full card numbers); and, if a unit treasurer connects a bank account, financial-account information obtained through Plaid (account and routing details, balances, transactions) |
| Protected classifications | Date of birth (used for age-based program eligibility) |
| Commercial information | Subscription tier, transaction history |
| Internet activity | Pages viewed, links clicked, feature usage within the Service |
| Geolocation | Approximate location derived from IP address; no precise geolocation |
| Sensory data | Photos and files you upload to the Service (e.g., permission slips) |
| Professional / employment-related | Unit role (Scoutmaster, Committee Chair, parent/guardian) |
| Education-related (non-FERPA) | Rank advancement, merit badge progress, camping nights, service hours |
| Inferences | None drawn for profiling or behavioral advertising |
| Sensitive personal information (see Section 9) | Account log-in credentials |
The Service does not currently collect health information, biometric data, or precise geolocation. If and when health-record functionality is added, this Privacy Policy will be updated and parents/guardians will be notified before any health information is collected.
2.2 Information Collected Automatically
Device and usage information (IP address, browser type and version, operating system, device identifiers, pages viewed, links clicked, timestamps); log data; cookies and similar technologies. See our Cookie Policy.
2.3 Information from Third Parties
We may receive information from identity-verification services, payment processors, financial-data providers (such as Plaid, when a unit treasurer connects a bank account for financial reconciliation), and Scouting America-affiliated organizations, where authorized by you.
3. How We Use Your Information
- Provide, maintain, and improve the Service.
- Create and manage your account and authenticate your identity.
- Process transactions and send billing-related communications.
- Facilitate troop management (advancement, events, communication).
- Respond to inquiries and support requests.
- Send administrative notifications (service updates, security alerts, policy changes).
- Detect, prevent, and address fraud, abuse, and security threats.
- Comply with legal obligations and enforce our terms.
- Generate aggregated, de-identified analytics to improve the Service.
We do not use your personal information for cross-context behavioral advertising, profiling that produces legal or similarly significant effects, or training third-party generative AI models.
4. How We Share Your Information
We do not sell, rent, trade, or “share” (as that term is defined in the California CPRA) your personal information for cross-context behavioral advertising. We disclose information only as follows:
| Recipient category | Purpose |
|---|---|
| Cloud hosting (Microsoft Azure, U.S. regions) | Storage and compute |
| Transactional email provider | Account and event email |
| SMS provider (Microsoft Azure Communication Services) | SMS delivery |
| Payment processor (Stripe) | Subscription billing |
| Financial-data provider (Plaid) | Bank-account verification and transaction retrieval for unit financial reconciliation, when a treasurer links an account |
| Analytics & session replay (Google Analytics 4, Microsoft Clarity) | Public marketing site only; with consent |
| Within your organization | Authorized Users within your troop or unit, per role-based access controls |
| Legal authorities | When required by law, legal process, or government request |
| Acquirers | In a merger, acquisition, bankruptcy, or asset sale, with notice |
Each recipient operates under contractual obligations that restrict use of personal information to the disclosed purpose.
5. Data Security
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based access controls reflecting the Scouting America organizational hierarchy.
- Regular security assessments and vulnerability testing.
- Secure, access-controlled data centers located within the United States.
- A written information security program reviewed at least annually.
No method of transmission or electronic storage is 100% secure.
6. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service. We may retain certain information to comply with legal obligations, resolve disputes, enforce our agreements, and for other legitimate business purposes. Aggregated, de-identified data may be retained indefinitely.
| Category | Retention period |
|---|---|
| Account information | Active account + 30-day export window + up to 60 days for deletion from active systems |
| Children’s personal information | Until parental request to delete, or 30 days after a Scout becomes inactive in the unit |
| Financial / billing records | 7 years (tax and audit) |
| Security and audit logs | 12 months |
| TCPA / SMS consent records | At least 4 years |
| Backups | Up to 90 days, then overwritten |
Upon account termination you may export your data for thirty (30) days. Thereafter, data is deleted from active systems within sixty (60) days, subject to backup retention schedules and legal holds.
7. Your Rights and Choices
You may exercise the following rights by contacting privacy@mysummitkeep.com or using the in-app Settings → Privacy & Data portal:
- Access — request a copy of the personal information we hold about you.
- Correct — request correction of inaccurate personal information.
- Delete — request deletion of your personal information.
- Portability — receive your personal information in a structured, commonly used, machine-readable format.
- Opt out of marketing — unsubscribe via any marketing email or in Settings → Notifications.
- Appeal — appeal any denial of a privacy request by replying to our response.
We respond to verifiable requests within forty-five (45) days, extendable by an additional forty-five (45) days with notice.
We will not discriminate against you for exercising any of these rights.
8. U.S. State Privacy Rights
Depending on your state of residence, you may have additional rights under state privacy laws, including but not limited to: California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCPA), Iowa (ICDPA), Tennessee (TIPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Minnesota (MCDPA), Maryland (MDPA), Kentucky (KCDPA), Indiana (ICDPA), Rhode Island (RIDTPPA), and Florida (FDBR). We grant the union of these rights to all U.S. consumers regardless of state of residence.
To exercise your rights:
- Online: https://www.mysummitkeep.com/privacy-request
- Email: privacy@mysummitkeep.com
- In-app: Settings → Privacy & Data
We will verify your identity using reasonable means proportionate to the sensitivity of the request. We will respond within forty-five (45) days. You have the right to appeal any denial and, in some states, to lodge a complaint with your state Attorney General.
We do not “sell” or “share” personal information as those terms are defined in California or other state law. We do not process personal information for targeted advertising, profiling that produces legal or similarly significant effects, or sale.
9. Sensitive Personal Information
We currently collect the following categories of “sensitive personal information” as defined under the CPRA and similar state laws:
- Account log-in credentials.
- Financial-account information, when a unit treasurer connects a bank account via Plaid — including access credentials that permit retrieval of account information (account/routing details, balances, and transactions).
We use sensitive personal information only for the purposes permitted under Cal. Civ. Code § 1798.121(a)(1)–(7) (providing the Service you requested, security, anti-fraud, and similar purposes). You have the right to limit our use of sensitive personal information; submit a request at https://www.mysummitkeep.com/privacy-request or via Settings → Privacy & Data.
The Service does not currently process health information. If health-record functionality is added, we will update this section and provide notice to affected users.
10. Global Privacy Control (GPC)
We honor Global Privacy Control browser signals as a valid opt-out-of-sale/share request for U.S. consumers. Because we do not sell or share personal information, receipt of a GPC signal does not change our processing in practice, but we will not override a GPC signal with any contrary consent banner choice. To verify, see the GPC project at https://globalprivacycontrol.org.
11. Children’s Privacy
Our Service collects information about children under the age of thirteen (13) as part of troop management functionality. We comply with the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506, and the implementing regulations at 16 CFR Part 312 (as amended effective August 25, 2025). MySummitKeep LLC is the COPPA “operator” with respect to personal information collected from children under thirteen.
For full details, including parental rights, the categories of recipients to whom we disclose children’s information, and our written retention policy for children’s information, see our Children’s Privacy Policy.
12. International Users
The Service is hosted and operated in the United States and is intended for U.S. users. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. We do not intentionally market the Service to data subjects located in the European Economic Area, the United Kingdom, or Switzerland. If you are located in any of those jurisdictions, please contact us before creating an account.
13. Third-Party Links
Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of such third parties. Review the privacy policies of any third-party sites you visit.
14. Mobile / SMS Information
We collect mobile phone numbers when you opt in to SMS notifications. We use these numbers solely to send the messages you have opted in to receive. We do not sell, lease, or share your mobile phone number for marketing purposes with any third party. Phone numbers shared with our SMS service provider, Microsoft Azure Communication Services, are used solely for message delivery.
Opt out at any time by replying STOP or disabling SMS in Settings → Notifications. See our SMS Notifications page for full details.
15. Financial Information and Bank Connections (Plaid)
A unit treasurer (or another authorized administrator with payment-management permission) may choose to connect the unit’s bank account to MySummitKeep using Plaid, a third-party financial-data service, to help verify payments and reconcile the unit’s finances. In plain terms:
- It is optional and treasurer-initiated. No bank account is connected unless an authorized treasurer chooses to link one. Regular members and youth cannot connect, view, or manage a bank connection.
- What is accessed. When an account is linked, we receive — through Plaid — financial-account information for that account, such as the institution name, a masked account number, account and routing details, balances, and transactions, used only to verify payments and reconcile your unit’s finances.
- What we do not do. We do not receive or store your online-banking username or password (Plaid handles that authentication), we do not store full payment-card numbers, and we do not sell or share this information or use it for advertising.
- How to disconnect. A treasurer can disconnect the bank account at any time from Settings → Billing, which revokes our access through Plaid and stops any further retrieval of account information.
- Who handles the data. Plaid is listed on our sub-processor page and in Annex C of our Data Processing Addendum. Plaid’s own handling of the data it collects is governed by Plaid’s end-user privacy policy.
This information is treated as sensitive personal information (see Section 9), and you may limit its use as described in Sections 7 and 9.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by posting the updated policy with a revised effective date. For material changes affecting children’s personal information or processing of sensitive personal information, we will obtain affirmative consent before the change takes effect.
This Privacy Policy is reviewed at least once every twelve (12) months.
17. Contact Us
MySummitKeep LLC
Attn: Privacy Officer
5005 W Laurel St, Ste 100 #3250
Tampa, FL 33607
Phone: (813) 418-6800
Privacy: privacy@mysummitkeep.com
Genera