Privacy Policy

1) What This Privacy Policy Covers

This Privacy Policy covers personal data that identifies, relates to, describes, or can reasonably be linked to an individual ("Personal Information") collected through DormHealth-operated websites, enrollment/checkout pages, support channels, and service operations.

This Privacy Policy does not apply to third-party websites, applications, or services, even if linked through DormHealth. Please review those third-party privacy policies directly.

2) Categories of Personal Information We Collect

We may collect the following categories of Personal Information, depending on how you interact with the services:

• Identifiers and Contact Data: Name, email address, resident identifier, account identifiers, and communication preferences.
• Enrollment and Service Data: Enrollment status, service selections, add-ons (e.g., Daily Towel Upgrade, Linen Loss Protection), exchange activity history, service usage logs, and account/service eligibility status.
• Billing and Transaction Data: Transaction confirmations, payment status, refunds, and fee records (including Unreturned Item Fees and Damage Fees where applicable). DormHealth does not collect or store payment card numbers, billing addresses, or other financial account details. Where payment is processed directly through DormHealth, it is handled by Stripe. For institutionally managed enrollment models, billing is handled by the institution.
• Contact Form and Inquiry Data: Name, email, organization, role, and message content submitted through our contact form.
• Support and Communications Data: Messages, tickets, email correspondence, and related support metadata.
• Device, Network, and Usage Data: IP address, browser type, OS, device identifiers, timestamps, page interactions, referral URLs, and similar log/analytics data if active.
• Security and Authentication Data: Authentication-related events, multi-factor authentication enrollment data, abuse-prevention signals, and risk flags used to protect users, institutions, and DormHealth systems.
• Institutional/Operational Data: Data received from or shared with housing, property management, or institutional partners as necessary to administer service logistics, eligibility, and operational support.

DormHealth applies data minimization principles. Service eligibility and activity are recorded using a DormHealth-issued, property-assigned, or institutionally issued identifier (e.g., a university student ID, resident barcode, or property-assigned credential) and related entitlements. Institutionally issued identifiers remain subject to the respective institution's or property's terms.

Please do not provide government identifiers, full payment card numbers, medical records, or other sensitive information unless specifically requested and legally required for a defined service purpose.

3) Sources of Personal Information

We may collect Personal Information from the following sources:

• Directly from you: When you enroll (or are enrolled by your institution), submit payment, contact support, complete forms, authenticate through your account, or otherwise interact with DormHealth channels.
• Automatically from your use of services: Through cookies, analytics tools (if used), technical logs, and similar technologies.
• From service providers/processors: For example, payment processors, communications vendors, hosting/security vendors, and related operational providers.
• From institutional partners: For example, housing, property management, or program administrators, where needed for service eligibility, logistics, and support.

4) How We Use Your Information

We may use Personal Information for business and operational purposes, including to:

• Provide and administer DormHealth services, enrollment, exchanges, and support;
• Manage account eligibility, service access, and service-related records;
• Process and reconcile payments, refunds, and contractual charges (including applicable Unreturned Item Fees and Damage Fees);
• Communicate service notices, reminders, operational updates, and support responses;
• Track email delivery status (delivery confirmations, bounces) to ensure service communications reach enrollees;
• Maintain security, detect/prevent fraud or abuse, and enforce Terms of Service;
• Operate, maintain, troubleshoot, and improve the website and service operations;
• Comply with legal, regulatory, contractual, and institutional obligations;
• Prepare for, support, or execute corporate transactions (e.g., financing, merger, acquisition, sale of assets), as permitted by our Terms of Service and by law.

DormHealth does not use automated decision-making that produces legal or similarly significant effects on users.

5) Sharing Your Information

DormHealth does not sell Personal Information and does not share Personal Information for cross-context behavioral advertising.

We may disclose Personal Information to:

• Service providers/processors that perform services on DormHealth's behalf, including:
  • Stripe — payment processing, enrollment, and billing (where payment is processed directly through DormHealth)
  • Transactional email provider — email delivery and delivery status tracking
  • Database and authentication provider — data storage and user authentication (US-hosted infrastructure)
  • Application hosting provider — web hosting, serverless functions, and scheduled tasks (US regions)
  • Error monitoring provider — diagnostics and application performance (optional, consent-gated; all personal information is scrubbed before transmission)

  These providers are subject to terms that restrict the use of Personal Information to purposes related to providing services to DormHealth, except as required or permitted by law.

• Institutional partners (e.g., housing, property management, or program teams) when needed for service delivery, logistics, issue resolution, or billing-channel coordination;
• Commercial laundry vendors who receive linen inventory levels and refill needs to coordinate service delivery. Vendors do not receive resident Personal Information as part of standard service operations;
• Professional advisors and transaction counterparties in connection with financing, merger, acquisition, reorganization, sale, or similar corporate events;
• Law enforcement, regulators, courts, and other authorized parties when required or permitted by law, legal process, or safety/risk needs;
• Other parties with your direction or consent.

DormHealth may disclose limited data necessary to collect or reconcile amounts owed under applicable service terms, where permitted by law.

6) Cookies and Tracking Technologies

DormHealth uses cookies and similar technologies for functionality, authentication/session continuity, security, performance analytics (if used), and service improvement.

• Essential cookies (always active): Authentication session cookies are required for login sessions. These cannot be disabled.
• Cookie consent preference: Your consent choice is stored in a 1-year essential cookie so we do not ask again.
• Accessibility preferences: Your accessibility settings (high contrast, large text, focus indicators, reduced motion, dyslexia-friendly font) are stored in your browser's local storage and are never sent to our servers.
• Optional error monitoring (with consent): With your consent, we may use error monitoring tools that set cookies to help us identify and fix issues. Session recordings capture only error states with all text and input fields masked. These are only active if you select "Accept All" on our cookie consent banner.

You may adjust cookie settings through your browser controls, though some features may not function properly if cookies are disabled. DormHealth does not use cookies to sell Personal Information or for cross-context behavioral advertising. DormHealth does not currently respond to browser "Do Not Track" signals.

7) Third-Party Links

DormHealth channels may link to or embed third-party websites/content. DormHealth is not responsible for third-party privacy or security practices. Review third-party policies before sharing information with those services.

8) Children's Privacy

DormHealth's Services are designed for individuals who are at least eighteen (18) years of age. Eligible residents who are eighteen (18) or older may enroll directly. A parent or legal guardian may enroll an eligible resident who is under eighteen (18), where permitted by applicable law and program rules.

DormHealth may process Personal Information relating to a minor enrollee only in connection with parent/guardian enrollment and for the service administration, support, security, billing, and legal compliance purposes described in this Privacy Policy.

If DormHealth learns that a minor has independently enrolled without required parent/guardian involvement, DormHealth may, at its discretion, take appropriate action including requesting parental consent, suspending the enrollment, or deleting information as appropriate, unless retention is required by law.

Parents or legal guardians may contact privacy@dormhealth.org regarding a minor enrollee's Personal Information, including requests to access, correct, or delete information, subject to applicable law, proof of legal authority, and reasonable verification requirements.

9) Data Security and Retention

We use industry-standard security measures to protect your information, including encryption in transit and at rest, administrative authentication safeguards, access controls, and per-user data isolation.

DormHealth stores and processes Personal Information primarily in the United States. Primary application hosting and database infrastructure are located in US regions. DormHealth does not intentionally transfer Personal Information outside the United States; however, some service providers may process data in multiple regions as part of their standard operations. No system is 100% secure.

Retention: We retain operational records only as long as needed for service delivery, accounting, and legal compliance:

• Account/eligibility records (unique identifier + entitlements): Active term + up to 60 days for reconciliation.
• Service activity records: Active term + up to 60 days for reconciliation.
• Backups: Automated backups are maintained on a rolling schedule.
• Audit logs: Retained for the active service term to support security and dispute resolution.

At the end of these periods, operational data is deleted or de-identified in accordance with our standard data management practices, unless longer retention is required or permitted by law, contract, institutional directive, dispute preservation needs, fraud prevention, chargeback handling, tax/accounting obligations, maintenance of active enrollments, or enforcement of contractual rights.

Security Incidents: We investigate and respond to security incidents and will provide any notices required by applicable law.

10) Your Rights and Choices

Depending on your jurisdiction and applicable law, you may have rights to:

• Access certain Personal Information we hold about you;
• Request correction of inaccurate Personal Information;
• Request deletion of Personal Information (subject to legal exceptions);
• Request portability (where applicable);
• Object to or limit certain processing, where applicable;
• Withdraw consent where processing is based on consent.

To submit a request, contact privacy@dormhealth.org with sufficient detail for verification and response routing. DormHealth may take reasonable steps to verify identity/authority before fulfilling requests and may deny or limit requests where permitted by law. Deletion requests do not extinguish outstanding financial obligations or DormHealth's right to retain records necessary to enforce such obligations under the Terms of Service.

11) California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights:

• Right to Know: You may request details about the personal information we have collected about you over the past 12 months.
• Right to Delete: You may request we delete your data, subject to certain exemptions.
• Right to Correct: You may request we update incorrect personal information.
• Right to Non-Discrimination: You will not be penalized for exercising these rights.
• Right to Opt-Out: DormHealth does not sell or share data for cross-context behavioral advertising.

To make a request under CCPA/CPRA, email privacy@dormhealth.org with the subject "CCPA Request." We will verify your identity through reasonable verification procedures before processing your request. You may use an authorized agent with written permission and identity verification.

12) International Users

DormHealth is based in the United States and operates under U.S. legal and operational frameworks. If you access DormHealth from outside the United States, you understand that your information may be processed in the United States, subject to applicable law.

13) Usage of Artificial Intelligence

DormHealth does not currently use artificial intelligence or machine learning systems to make automated decisions that produce legal or similarly significant effects regarding service eligibility or comparable outcomes. If DormHealth materially changes these practices, DormHealth will update this Privacy Policy as required by law.

14) Institutional Data Ownership

For institution-affiliated or property-affiliated programs, some data elements may be governed by institutional policies, contractual terms, or applicable property rules. DormHealth processes program data as necessary to deliver services and fulfill contractual obligations with institutional and property partners.

DormHealth's role is defined by applicable service agreements and does not, by itself, create an agency relationship with an institution.

15) Changes to This Policy

DormHealth may update this Privacy Policy from time to time. When updates are made, DormHealth will revise the Effective Date and Last Updated date above. For material changes, DormHealth will provide additional notice where required by law (e.g., website notice, account notice, and/or email).

Changes apply prospectively from the stated effective date, unless otherwise required by law.

16) Relationship to Terms of Service

This Privacy Policy addresses how DormHealth handles Personal Information. DormHealth's Terms of Service govern service eligibility, operations, contractual fees, dispute resolution, and related commercial terms. If a conflict arises between non-privacy commercial language and this Privacy Policy, the Terms of Service govern those non-privacy commercial terms, and this Privacy Policy governs Personal Information handling to the extent required by applicable law.

17) Contact Us

If you have questions or requests regarding this Privacy Policy or DormHealth privacy practices, contact: