IHNYC RC Platform Docs

Privacy Policy

8 min read

Effective date: January 1, 2026

This Privacy Policy explains what information we collect, why we collect it, and what choices you have when you use the IHNYC RC web properties and the calendar subscription system (the “Service”).

Quick Summary

  • Calendar subscriptions: if you subscribe, you give us your name and email so we can send a magic link and issue a calendar access token.
  • Token safety matters: calendar links are sensitive—anyone with your tokenized link may be able to access your calendar feed.
  • Security logs: like most services, we keep access/security logs and may use anti-abuse tools.
  • Analytics: we use Mixpanel (EU version, GDPR-compliant), but we do not send your raw email address to Mixpanel. Affective Technologies is the data controller; Mixpanel acts as a data processor.
  • Cookies: Mixpanel (EU version, GDPR-compliant) and Cloudflare (including Turnstile/Access, where enabled) may set cookies.
  • We don’t sell personal information.
  • Questions? Email admin@ihnyc-rc.org.

This summary is here to help. The full policy below is what controls.

Important relationship notice. Affective Technologies operates the website and technical backend supporting the Resident Council and is not affiliated with the Council, with International House NYC, or with AVI Foodsystems.

1. Who we are

The Service is operated by Affective Technologies LLC (“Affective Technologies,” “we,” “us,” or “our”).

2. What the Service includes

The Service includes IHNYC RC web properties such as ihnyc-rc.org (informational pages and public updates) and calendar.ihnyc-rc.org (the calendar subscription system and token-gated access to an .ics feed).

The Service also includes the operational tooling used to create and publish calendar events and updates, including automations and databases described below.

3. How the calendar subscription works (high level)

We designed the calendar subscription to be easy to use and reasonably private. At a high level, the system works like this:

  • Event creation. n8n automations ingest weekly “Happenings” emails and parse them using an OpenAI node, then write structured event content into Notion databases (the Resident Council’s primary knowledge base).
  • Calendar generation. Events are periodically fetched from Notion and written into an .ics calendar feed stored in Cloudflare R2.
  • Token-gated delivery. calendar.ihnyc-rc.org serves token-gated access to the .ics file using Cloudflare Pages/Workers plus a Cloudflare D1 database.
  • Email verification. Subscribing uses email-based magic link verification (transactional email via Resend), token minting, token expiry, token revocation, and last_seen/last_seen_at timestamps.
  • Anti-abuse. We may use Cloudflare Turnstile (where enabled), Cloudflare Access (admin panels where enabled), and rate limiting/cooldowns for repeated requests.

Important: calendar subscription links can be sensitive. If someone gets your tokenized calendar URL, they may be able to fetch your feed until the token expires or is revoked.

4. Information we collect

4.1 Information you provide

The informational website does not offer user accounts/logins. If you subscribe to the calendar, you may provide:

  • Name (optional/if requested by the subscription form)
  • Email address (required to send a magic link and manage your subscription)

If you use third-party services linked from the site (for example, external forms, documents, or resources hosted on other domains), those services may collect information under their own policies.

4.2 Subscription records and identifiers

To operate the calendar subscription system, we store certain records in our database (Cloudflare D1). These may include:

  • Subscriber records (name and email address, and subscription status)
  • Verification requests (for example, magic link request records)
  • Token hashes and verification code hashes (we store hashes of tokens/codes used for verification and access control)
  • Token lifecycle metadata (for example, expiry, revocation status, and last_seen/last_seen_at timestamps)

4.3 Technical, security, and access data

When you use the Service (including when your calendar app fetches the .ics feed), we and our infrastructure providers automatically receive technical and security information:

  • Hashed IP address (used for security logging and abuse prevention)
  • User agent (browser/device and often calendar-client identification)
  • Request path and timestamps (for example, what endpoint was requested and when, including last_seen_at)
  • Infrastructure/security metadata (for example, Cloudflare identifiers like CF-RAY)
  • Theme preference stored in your browser via localStorage (key: ihnyc-rc-theme)

4.4 Analytics data (Mixpanel)

We use Mixpanel (EU version, GDPR-compliant) to understand usage and improve the Service. We do not send your raw email address to Mixpanel. Affective Technologies is the data controller; Mixpanel acts as a data processor under GDPR.

Mixpanel analytics uses a distinct identifier (distinct_id) that is a SHA-256 hash derived from a normalized version of your email plus a server-side “pepper.” This means Mixpanel receives a stable identifier for analytics, but not your raw email.

Example events we may track include: magic link requested/sent/clicked/consumed, token minted, calendar fetched, invalid/expired/revoked token attempts, and “add to Google/Outlook/copy link” button clicks.

4.5 Event content stored in Notion

The Resident Council’s primary knowledge base is stored in Notion. n8n automations ingest weekly “Happenings” emails and parse them via an OpenAI node to extract structured event content, which is then stored in Notion databases.

This event content may include event titles, dates/times, locations, descriptions, and other details derived from the “Happenings” emails.

5. How we use information

We use the information we collect to:

  • Operate the informational site and the calendar subscription system
  • Verify subscriptions (magic links), mint/rotate/revoke tokens, and deliver the token-gated .ics feed
  • Secure the Service (fraud prevention, abuse prevention, debugging, auditing, and incident response)
  • Measure usage and improve the Service (analytics and performance monitoring)

6. Cookies and similar technologies

Depending on which parts of the Service you use, cookies and similar technologies may be set by us and/or by our providers. For example:

  • Mixpanel (EU version, GDPR-compliant) may set cookies or use similar identifiers for analytics.
  • Cloudflare may set cookies or use similar identifiers for security/performance features, and Cloudflare Turnstile and Cloudflare Access (where enabled) may set additional cookies to operate.

You can control cookies through your browser settings. Blocking cookies may impact some features.

7. Third-party services and processors

We use the following third-party services to operate the Service (these act as service providers/processors, depending on context):

ServicePurpose
CloudflarePages/Workers/D1/R2/Turnstile/Access
NotionEvent and content databases
OpenAIParsing “Happenings” emails via n8n
n8nAutomation workflows
ResendTransactional email delivery
MixpanelAnalytics (EU version, GDPR-compliant)

The Service may also link to third-party websites and resources (for example, Notion pages, Google Forms, Canva documents, and other external resources). If you follow those links, your interaction is governed by the third party’s policies.

Some pages may display embedded content or previews of third-party documents. When that happens, third parties may receive standard request data (such as IP address and user agent) as part of serving or rendering that embedded content.

8. How we share information

We may share information in the following circumstances:

  • Service providers. We share information with the vendors listed above to operate the Service (hosting, storage, security, email delivery, automations, analytics, and document/content platforms).
  • Legal and safety. We may disclose information if required by law, or if we believe disclosure is necessary to protect our rights, safety, users, or the integrity of the Service.

We do not sell personal information.

9. Data retention

We retain information for as long as reasonably necessary to operate the Service, maintain security, comply with legal obligations, resolve disputes, and enforce our policies. Retention periods may vary by data type, system configuration, and operational needs, and we may update them over time.

When information is no longer needed for these purposes, we take reasonable steps to delete it or de-identify it, unless we are required to keep it longer by law or for legitimate business and security needs.

Data TypeRetention
Subscriber records (name/email)Retained to provide the subscription and support requests
Verification requests and code hashesRetained according to operational settings for verification and abuse prevention
Token hashes and lifecycle metadataRetained to operate access control and for security/auditing
Calendar access logsRetained for security, abuse prevention, and troubleshooting
Analytics eventsRetained according to Mixpanel settings and operational needs
Notion event contentRetained according to Resident Council’s operational practices

10. Your choices and privacy requests

  • Cookies. You can manage cookies through your browser settings.
  • Theme preference. You can clear the theme preference by clearing site data in your browser (local storage).
  • Token safety. If you believe your tokenized calendar link has been shared or compromised, contact us so we can revoke it and issue a new one.
  • Privacy requests. You may request access, correction, deletion, or other help with your information by contacting us (see Section 14). We’ll respond consistent with applicable law and the needs of operating and securing the Service.

11. Data security

We use reasonable administrative, technical, and organizational measures to help protect the Service and the information we process. This includes measures like access controls (for example, Cloudflare Access where enabled), bot mitigation (for example, Cloudflare Turnstile where enabled), and rate limiting/cooldowns for repeated requests. No method of transmission or storage is perfectly secure.

12. International users

If you access the site from outside the United States, your information may be processed in the United States or other jurisdictions where our service providers operate. For users in the European Economic Area (EEA) and other jurisdictions with data protection laws, we comply with applicable requirements, including GDPR. We try to use GDPR-compliant service providers when possible (for example, Mixpanel EU version) and maintain appropriate data processing agreements where required.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If changes are significant, we will update the Effective date above. If you keep using the Service after the update takes effect, you’re agreeing to the updated policy.

14. Contact

For privacy questions or requests, contact: admin@ihnyc-rc.org

15. Intellectual property and platform notice

The technical backend and implementation details that operate the Service are intellectual property of Affective Technologies LLC. This Privacy Policy describes how data is handled by the Service; it does not grant any rights to the underlying technology.

Graph View

Backlinks