Privacy Policy

Privacy Policy

Effective date: June 12, 2026

Internality ("Internality," "we," "us," or "our") is a Michigan nonprofit corporation organized under Section 501(c)(3) of the Internal Revenue Code. We operate the website internality.org (the "Site") and related programs and services. This Privacy Policy explains how we collect, use, share, and protect personal information, and the rights you have over that information.

This policy is written to meet the requirements of US privacy law and, where they apply, the EU General Data Protection Regulation (GDPR) and the UK GDPR / Data Protection Act 2018. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the section "Your rights in the EEA, UK, and Switzerland" applies to you.

1. Who is responsible for your information

Internality is the data controller for personal information processed through the Site. You can contact us about this policy or your personal information at hello@internality.org.

2. Information we collect

Information you provide directly. When you complete a contact or interest form, apply for membership, register for a program, or subscribe to communications, we collect the information you submit. This may include your name, email address, phone number, organization name, job title or role, organization type, your stated areas of interest, and the contents of any message you send us.

Information collected automatically. When you visit the Site, limited technical data is processed, including IP address, browser type and version, operating system, referring page, pages viewed, and the date and time of your visit. We use privacy-focused analytics for this. See our Cookie Policy for details on cookies and similar technologies and how consent works.

We do not intentionally collect special categories of personal data (such as health, religious, or political information), and we ask that you do not submit such data through the Site.

3. Why we use your information, and our lawful bases

Where the GDPR or UK GDPR applies, we rely on the following lawful bases (Article 6):

Respond to inquiries and requests: legitimate interests, or steps taken at your request prior to entering a relationship.

Administer membership, programs, and events: performance of a contract, and our legitimate interests in running the organization.

Send marketing and program communications: your consent, which you may withdraw at any time.

Operate, secure, and improve the Site, including analytics: our legitimate interests, balanced against your rights.

Comply with legal, tax, and regulatory obligations: compliance with a legal obligation.

Protect the rights, property, and safety of Internality, our members, and the public: our legitimate interests, or a legal obligation.

Where we rely on legitimate interests, we have weighed those interests against your rights and freedoms. You can ask us about this assessment using the contact details above.

4. How we share your information

We do not sell, rent, or trade your personal information.

We share personal information with service providers (processors) who perform functions on our behalf under written agreements that require them to protect your data and use it only on our instructions. Our principal processors are:

HubSpot, Inc. (US) for customer relationship management, forms, and email communications.

Render Services, Inc. (US) for website hosting and infrastructure.

Cloudflare, Inc. (US) for content delivery and file storage.

Plausible Analytics (EU) for privacy-focused, cookieless website analytics.

We may also disclose information where required by law, subpoena, court order, or governmental request; to establish, exercise, or defend legal claims; or to protect the rights, property, or safety of Internality, our members, or others. If Internality is involved in a merger, reorganization, or transfer of assets, personal information may be transferred as part of that transaction, subject to this policy.

5. International data transfers

Internality is based in the United States, and several of our processors are located in the United States. When personal information is transferred from the EEA, the UK, or Switzerland to the United States or another country outside those regions, we rely on lawful transfer mechanisms: the EU-US Data Privacy Framework (and its UK extension and the Swiss-US Data Privacy Framework) where the processor is certified, and the European Commission's Standard Contractual Clauses (with the UK Addendum where relevant) as an additional safeguard.

HubSpot, Render, and Cloudflare are each certified under the EU-US Data Privacy Framework and also offer Standard Contractual Clauses in their data processing agreements. Plausible processes analytics data within the EU. You can request more information about these safeguards using the contact details above.

6. How long we keep your information

We keep personal information only as long as necessary for the purposes described in this policy, then securely delete or anonymize it. In general: contact and inquiry submissions that do not lead to a relationship are kept up to 24 months; membership and program records are kept for the duration of the relationship plus a limited period required for legal, tax, and audit purposes; marketing subscriptions are kept until you withdraw consent or unsubscribe, after which we keep a minimal suppression record so we do not contact you again; and website analytics are aggregated and retained only as needed to understand Site trends.

7. Your rights in the EEA, UK, and Switzerland

If you are in the EEA, the UK, or Switzerland, you have the right to access the personal information we hold about you; to request rectification of inaccurate or incomplete information; to request erasure ("right to be forgotten"); to request restriction of processing in certain circumstances; to object to processing based on legitimate interests, and to object to direct marketing at any time; to request data portability where processing is based on consent or contract and carried out by automated means; and to withdraw consent at any time, without affecting processing carried out before withdrawal.

To exercise any of these rights, contact hello@internality.org. We will respond within one month, as required by law, and will not charge a fee except where permitted. We may need to verify your identity before acting on a request.

You also have the right to lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner's Office (ico.org.uk). In the EEA, it is the data protection authority in your country of residence, work, or where the issue arose. We would appreciate the chance to address your concern first.

8. Your rights in the United States

You may opt out of promotional emails at any time using the "unsubscribe" link in any message or by contacting us. Transactional messages related to your membership or program participation are not subject to opt-out. Residents of certain US states may have additional rights to access, correct, or delete personal information, or to opt out of certain processing. To exercise these rights, contact hello@internality.org.

9. Cookies and similar technologies

The Site uses a small number of cookies and similar technologies. Non-essential analytics and marketing technologies are only used where permitted under our consent model. Full details, including how to change your preferences, are in our Cookie Policy.

10. Data security

We maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. Our infrastructure providers maintain recognized security certifications. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

11. Children

The Site is directed to business and professional audiences and is not intended for children. We do not knowingly collect personal information from children under the age of 13, or under the higher minimum age that applies where you live. If you believe a child has provided us with personal information, contact us and we will take steps to delete it.

12. Third-party links

The Site may link to third-party websites and services we do not operate. We are not responsible for their privacy practices. Please review their policies before providing personal information.

13. Changes to this policy

We may update this policy to reflect changes in our practices or the law. We will post the updated version here with a revised effective date and, where appropriate, provide additional notice. Please review this page periodically.

14. Contact us

Questions, concerns, or requests about this policy or your personal information: Internality, hello@internality.org.