Privacy Policy
Effective Date: February 23, 2026
1. Who We Are
Hromada is a platform connecting American donors with Ukrainian municipalities for civilian infrastructure rebuilding, with a focus on renewable energy.
For privacy-related inquiries, contact us at thomas@hromadaproject.org.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and optionally your organization name.
Contact and Inquiry Forms
If you submit a contact form, partnership inquiry, or newsletter signup, we collect the information you provide (name, email, message, and any additional fields on the form).
Technical Data
We collect IP addresses and user agent strings in connection with login attempts, form submissions, and security events. IP addresses are also checked (but not stored) for geographic access restrictions. We do not use tracking cookies or third-party analytics tools.
3. How We Use Your Information
- To create and maintain your account
- To send transactional emails (account confirmations, status updates, password resets)
- To respond to your inquiries and partnership requests
- To comply with U.S. sanctions laws (OFAC) and anti-money laundering regulations
- To detect and prevent fraud, unauthorized access, and other security threats
- To send newsletter updates if you have subscribed (you may unsubscribe at any time)
4. Cookies
We use two cookies, both essential for the platform to function:
- hromada_session — An encrypted session token that keeps you logged in. Expires after 7 days. HttpOnly, secure, not accessible to JavaScript.
We do not use advertising cookies, tracking cookies, or third-party analytics cookies.
5. Who We Share Your Information With
Service Providers
- Supabase (database and file storage) — Hosts our database and project photo storage on AWS infrastructure.
- Amazon SES (email delivery) — Processes transactional emails on our behalf. Receives recipient email addresses and email content.
- Sentry (error monitoring) — Receives technical error data to help us identify and fix bugs. May capture limited session replay data when errors occur.
- AWS Amplify (hosting) — Hosts the platform. Processes web requests including IP addresses.
We Do Not
- Sell or rent your personal information to anyone
- Share donor information with NGO verification partners (they verify projects, not donors)
- Use your data for advertising or marketing purposes beyond our own newsletter
6. Geographic Access Restrictions
To protect Ukrainian infrastructure data, access to the platform is restricted from certain regions (currently Russia and Belarus). This check uses your IP address as provided by our hosting infrastructure. Blocked access attempts are logged for security monitoring, but your IP address is not stored in our database for this purpose.
7. Data Security
We implement the following security measures to protect your information:
- Passwords are hashed using bcrypt and never stored in plain text
- Sessions use encrypted JWT tokens with HMAC-SHA256 signing
- All cookies are HttpOnly, secure, and SameSite protected
- Rate limiting on all public endpoints to prevent abuse
- Account lockout after repeated failed login attempts
- Input validation and sanitization to prevent injection attacks
- HTTPS enforced across the entire platform
- Audit logging of all authentication and financial events
8. Data Retention
Account information is retained for as long as your account is active. Contact form submissions and partnership inquiries are retained until they are resolved. You may request deletion of your account by contacting us, subject to our legal retention obligations.
9. Your Rights
You may:
- Request access to the personal data we hold about you
- Request correction of inaccurate information
- Request deletion of your account, subject to legal retention requirements
- Unsubscribe from newsletter communications at any time
- Contact us with any questions or concerns about your data
If you are located in the European Union or Ukraine, you may have additional rights under the General Data Protection Regulation (GDPR) or Ukrainian data protection law. Contact us to exercise these rights.
10. Children's Privacy
The platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated effective date. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.
12. Contact
For questions about this Privacy Policy or your personal data, contact:
Thomas Protzman
thomas@hromadaproject.org
