DATA · GDPR · CCPA · HIPAA-CONSCIOUS | EFFECTIVE · 01 JAN 2026

Privacy Policy.

How INC-USA collects, uses, stores, and protects your personal information across the website, member portal, Iwere Care telehealth platform, the Iwere Academy learning platform, donor records, and everything in between. Short version: we take the minimum, we keep it briefly, we never sell it, and we fight a subpoena before we comply with one.

EFFECTIVE · JAN 01 · 2026 | LAST REVISED · APR 15 · 2026 | DPO · privacy@itsekirinationalcongress.org | VERSION · 4.0
§ 01 · Scope

What this policy covers.

This Privacy Policy describes how Itsekiri National Congress USA, Inc. (“INC-USA,” “we,” “us”), a 501(c)(3) nonprofit incorporated in the District of Columbia, collects and processes personal data across:

  • The public website at itsekirinationalcongress.org.
  • The authenticated member portal (/member) and admin tools.
  • The Iwere Care telehealth platform for patients, caregivers, and volunteer physicians.
  • The Iwere Academy learning platform for students and instructors.
  • Donation, event registration, membership, and Convention 2026 checkout flows.
  • Our emails, newsletters, WhatsApp groups, and in-person Heritage events.
§ 02 · What we collect

Three buckets of data.

Category | Examples | How it arrives
Identity | Name, email, phone, mailing address, Region selection, role (member, donor, volunteer, patient) | You provide it
Transactional | Donation amount, dues status, event RSVPs, program enrollments, last-four card digits (not full PAN) | Stripe · Zeffy · Members-portal
Behavioral | Pages visited, referrer, device, coarse geolocation (country/region only), cookie consent state | Auto-collected, aggregated
Protected Health (Iwere Care only) | Consult notes, provider-patient messages, demographics limited to clinical necessity | Within the HIPAA-covered subsystem
User content | Story submissions, photos, Academy essays, forum posts, bereavement notes | You submit it

We do not collect Social Security Numbers, passport numbers, immigration status, or full payment card numbers. Full card numbers are handled directly by Stripe / Zeffy and never touch our servers.

§ 03 · How we use it

Run the Congress. Nothing more.

  • Operate programs. Route telehealth consults, enroll Academy cohorts, organize Heritage Trips, issue Convention tickets.
  • Communicate. Send member newsletters, dues reminders, event confirmations, and bereavement notices.
  • Fundraise responsibly. Thank donors, issue receipts, report aggregated (never individual) giving in financials.
  • Govern. Maintain voter rolls for elections, count quorum, run audits.
  • Improve. Aggregate analytics (never individual profiling) to improve site and program performance.
  • Comply. Meet IRS reporting (Form 990 Schedule B), state charity registrations, and HIPAA where applicable.

We do not sell your data. We do not trade donor lists. We do not run ad retargeting.

§ 05 · Sharing

Who else sees the data.

We share personal data only with the following categories, and only as strictly necessary:

  • Subprocessors listed in § 06 (payments, hosting, email, video, ticketing).
  • Professional advisors — our auditor, tax preparer, counsel, insurance broker — under confidentiality.
  • Clinical partners for Iwere Care (the Warri, Koko, Ugbokodo health stations) operating under Business Associate Agreements where HIPAA applies.
  • Government — only when legally compelled (tax filings, valid subpoenas). We fight overbroad requests.
  • Successor entity if INC-USA is ever merged or restructured. Members would be notified.

§ Never

We never sell personal data, rent donor lists, or participate in programmatic advertising. Our Form 990 Schedule B (donor schedule) is redacted from public copies by default, in line with IRS guidance.

§ 06 · Subprocessors

Named vendors. Auditable list.

Vendor | Role | Region
Vercel | Site hosting · CDN | Global
Supabase | Authentication · member database | US-East
Stripe · Zeffy | Donation processing | US
Resend | Transactional email | US · EU
Amazon S3 | Image storage | US-East-1
Doxy / Zoom for Healthcare | Telehealth video (HIPAA BAA) | US
Google Analytics 4 (privacy-safe mode) | Aggregate traffic | US

A current subprocessor list is maintained by the DPO and updated within 30 days of any change.

§ 07 · Cookies

The smallest cookie bar we can get away with.

  • Strictly necessary — session, auth, CSRF. No opt-out; the site cannot run without them.
  • Preferences — cookie consent state, dark-mode toggle, selected Region.
  • Analytics — aggregate page views. IP anonymized, no cross-site tracking.
  • No advertising cookies. Ever.

EU / UK / California visitors see a banner on first visit and can change preferences any time via the footer link.

§ 08 · Security

Encrypted in transit. Encrypted at rest.

  • TLS 1.2+ in transit for all traffic; HSTS enforced.
  • AES-256 at rest (Supabase-managed); HIPAA-grade encryption for Iwere Care subsystems.
  • Role-based access; two-factor authentication required for admin, volunteer-doctor, and instructor roles.
  • Quarterly access audits by the Auditor; annual penetration testing by an external firm.
  • Breach notification within 72 hours (GDPR) or 60 days (HIPAA) as required, regardless of jurisdiction.
§ 09 · Retention

We keep it as briefly as law allows.

  • Active member records — for the duration of membership and seven (7) years after, to meet IRS and charity-registration obligations.
  • Donor records — seven (7) years from gift date for tax substantiation.
  • Clinical records (Iwere Care) — the longer of six (6) years or state retention requirements.
  • Session logs — 90 days.
  • Support tickets — 2 years unless there is an open matter.
  • Newsletter opt-outs — retained indefinitely so we do not re-mail you.
§ 10 · International transfers

US primary. EU · Nigeria secondary.

INC-USA is based in the United States; most data is stored in US data centers. When we transfer personal data out of the EEA or UK, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards. Members and patients in Nigeria access the Iwere Care platform through partner clinics under written agreements that mirror our obligations.

§ 11 · Your rights · GDPR

EU · UK. Your rights.

  • Access — get a copy of your data.
  • Rectification — correct inaccurate data.
  • Erasure — the “right to be forgotten,” subject to tax-retention exceptions.
  • Restriction — pause processing pending resolution.
  • Portability — receive your data in a structured format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — any time, without affecting lawfulness of prior processing.
  • Complain — lodge a complaint with your supervisory authority.

Requests: privacy@itsekirinationalcongress.org. We respond within 30 days.

§ 12 · Your rights · CCPA

California. Your rights.

  • Know — what personal information we have collected about you in the preceding 12 months.
  • Delete — subject to tax and charity law exceptions.
  • Correct — inaccurate personal information.
  • Opt-out of sale — we do not sell personal data. This right is automatically honored.
  • Limit sensitive-data use — we do not process sensitive data for inferring characteristics.
  • Non-discrimination — we do not deny service, charge different prices, or provide lesser service for exercising rights.

California requests via the same DPO channel; authorized agents accepted with signed authorization.

§ 13 · Children

Under 13. Not directly.

The site is not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent. Iwere Academy youth programs are conducted through a parent/guardian member; youth cultural circles enroll the adult, not the child directly.

§ 14 · Telehealth · HIPAA

Iwere Care. HIPAA-covered subsystem.

The Iwere Care telehealth platform handles Protected Health Information (PHI). It operates as a HIPAA-covered subsystem with:

  • Business Associate Agreements with every subprocessor touching PHI (video, storage, messaging).
  • Encrypted-at-rest PHI with key rotation; role-based access limited to the treating physician, supervising Medical Director, and the patient.
  • Audit logs for every record access, retained for six (6) years.
  • Breach notification under 45 CFR § 164.404, within 60 days of discovery.
  • A separate Notice of Privacy Practices provided at first visit.
§ 15 · Changes

We revise this periodically.

We may update this Privacy Policy from time to time. Material changes will be announced via email to members and on the site with at least thirty (30) days’ notice. The date at the top of this page shows the last revision.

§ 16 · Contact

Data Protection Officer. Write in.

For privacy questions, data requests, or to exercise a right listed above, write to:

DPO · Itsekiri National Congress USA
1717 N Street NW, STE 1
Washington, DC 20036
privacy@itsekirinationalcongress.org
+1 (779) 771-6151

We reply within 30 days — usually within a week.

Short version? We take the minimum.

We keep it briefly, we never sell it, and we fight a subpoena before we comply with one. If that isn’t enough, we’ll talk — write the DPO any time.