Skip to content

Privacy Policy

Last updated: March 24, 2026  ·  Version 2026.03.2

1. Introduction

Mixed Race Community ("MRC," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at mixedracecommunity.com and use our platform services. By using our services, you agree to the collection and use of information as described in this policy.

2. Information We Collect

We collect information you provide directly, including your display name, email address, username, profile picture, banner image, bio/description, gender, location, and heritage information. We also collect content you create such as posts, comments, and connections you make on the platform.

Automatically collected information includes your IP address, browser type, device information, pages visited, time spent on pages, and cookies or similar tracking technologies used to enhance your experience.

3. How We Use Your Information

We use your information to provide and maintain our platform services, personalize your experience and content feed, facilitate connections between community members, send you verification emails, welcome messages, and important account notifications, improve our platform through analytics and user feedback, protect against unauthorized access and ensure platform safety, and comply with legal obligations.

4. Sharing Your Information

We do not sell your personal information. We may share information with trusted third-party service providers who help us operate our platform (such as Vercel for hosting, Resend for email delivery, and Supabase for file storage). These providers are contractually obligated to protect your data. We may also disclose information if required by law, to protect our rights, or to ensure user safety.

5. Cookies and Tracking

We use essential cookies to maintain your session and keep you logged in (via our mrc_session cookie). We may use analytics cookies to understand how our platform is used. You can control cookies through your browser settings, though disabling essential cookies may prevent you from using certain features.

6. Data Security

We implement industry-standard security measures to protect your personal information, including encrypted data transmission (HTTPS), secure password hashing (bcrypt), HTTP-only session cookies, and secure cloud infrastructure. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. Your Rights

You have comprehensive rights over your personal data. These rights apply regardless of where you are located, and we will respond to all requests within 30 days.

Right to Access: You may request a full copy of the personal data we hold about you, including a structured data export (JSON format) via your account settings under Privacy & Consent.

Right to Rectification: You may correct inaccurate or incomplete personal data at any time by editing your profile in account settings.

Right to Erasure: You may delete your account and all associated personal data at any time. Heritage data is deleted immediately upon consent withdrawal. Account deletion is permanent and irreversible.

Right to Restrict Processing: You may pause heritage-related features (blend visualization, community matching) at any time via account settings. Your data is retained but not actively processed for these features.

Right to Data Portability: You may export your data in a structured, machine-readable JSON format via account settings → Privacy & Consent → Export My Data.

Right to Object: You may opt out of analytics cookies and marketing communications at any time via account settings or by contacting us at privacy@mixedracecommunity.com.

Right to Withdraw Consent: You may withdraw any consent you have given (including consent to process heritage data) at any time without affecting the lawfulness of processing prior to withdrawal. Go to Account Settings → Privacy & Consent.

Right to Lodge a Complaint: If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local supervisory authority. For EU residents, this is your national Data Protection Authority. For UK residents, this is the Information Commissioner's Office (ico.org.uk). For California residents, this is the California Privacy Protection Agency (cppa.ca.gov).

8. Children's Privacy

Minimum Age: Our platform is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we discover that we have collected such information, we will promptly delete it.

Users aged 13–17 (Minors): Users between 13 and 17 years of age must obtain verifiable parental or guardian consent before creating an account. Minors are subject to additional protections: direct messaging (DMs) is disabled, precise location sharing is disabled, and profiles are set to restricted visibility by default.

Parental Rights: Parents or legal guardians of minor users have the right to review their child's account data, restrict specific features, or request deletion of their child's account and all associated data. Contact us at privacy@mixedracecommunity.com to exercise these rights.

Age Verification: We use date-of-birth verification during registration. Accounts suspected of misrepresenting age will be suspended pending verification.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email and via an in-app banner. The updated policy will be posted on this page with a revised "Last updated" date. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

10. Lawful Basis for Processing (GDPR Art. 6)

We process your personal data only where we have a lawful basis to do so. The following table summarises the bases we rely on:

Consent (Art. 6(1)(a)): Heritage data (racial/ethnic origin selections), marketing and promotional emails, and analytics/tracking cookies. You may withdraw consent at any time via Account Settings → Privacy & Consent.

Contract (Art. 6(1)(b)): Account creation and authentication, delivery of platform services, and transactional communications (e.g. password reset, email verification).

Legitimate Interests (Art. 6(1)(f)): Security monitoring and fraud prevention, content moderation and platform integrity, and abuse detection. We have conducted and documented legitimate-interest assessments for each of these purposes.

Legal Obligation (Art. 6(1)(c)): Age verification obligations, responding to lawful requests from law enforcement or regulatory authorities, and retaining records required by applicable law.

11. Special Category Data (GDPR Art. 9)

What We Collect: Heritage selections submitted by users constitute racial and ethnic origin data, which is classified as special category data under GDPR Article 9 and equivalent legislation worldwide.

Lawful Basis: We process this data solely on the basis of your explicit consent (Art. 9(2)(a)). You provide this consent during onboarding by actively selecting your heritage and confirming the consent prompt.

Purposes: Heritage data is used exclusively to generate your personalised heritage blend visualisation and to facilitate community matching with users who share similar backgrounds.

Withdrawal: You may withdraw consent at any time by navigating to Account Settings → Privacy & Consent → Manage Heritage Data. Withdrawal does not affect processing that occurred prior to withdrawal.

Consequence of Withdrawal: If you withdraw consent for heritage data processing, your blend visualisation and heritage-based matching features will be disabled and all stored heritage selections will be permanently deleted within 72 hours.

12. Data Retention Schedule

We retain personal data only for as long as necessary for the purposes described in this policy or as required by law.

Account Data: Retained until you request account deletion.

Posts and Comments: Retained until deleted by you or upon account deletion.

Direct Messages: Retained until deleted by you or upon account deletion.

Session Data: Retained for 30 days from the last activity.

Audit Logs: Retained for 2–7 years depending on the type of event and applicable legal requirements.

Moderation Records: Retained for 7 years to support appeals and regulatory compliance.

Consent Records: Retained for the lifetime of your account plus 7 years after account deletion, to demonstrate compliance with applicable law.

13. International Data Transfers

Data Processing Location: Your personal data is processed primarily in the United States, where our core infrastructure is hosted.

Transfer Mechanism: Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to a country not deemed to provide an adequate level of data protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent mechanisms under UK GDPR.

Sub-Processors: All third-party processors listed in the 'Third-Party Services' section of this policy are bound by Data Processing Agreements that include appropriate transfer safeguards.

14. Third-Party Services

We use the following third-party service providers to operate the platform. Each is bound by a Data Processing Agreement and their own privacy policy.

Vercel — Hosting and CDN. Your data passes through Vercel's global edge network. Privacy Policy: vercel.com/legal/privacy-policy

Neon Postgres — Primary database. All user account data, posts, messages, and platform content are stored here. Privacy Policy: neon.tech/privacy

Supabase — File and image storage (profile pictures, banner images). Privacy Policy: supabase.com/privacy

Resend — Transactional email delivery (verification emails, notifications). Privacy Policy: resend.com/legal/privacy-policy

Upstash Redis — Rate limiting and session caching. Minimal data (IP addresses, session tokens) stored transiently. Privacy Policy: upstash.com/trust/privacy.pdf

Cloudflare Turnstile — Bot protection on forms and authentication flows. Privacy Policy: cloudflare.com/privacypolicy

Google — OAuth sign-in. If you choose to sign in with Google, your Google account information is shared with us per Google's OAuth flow. Privacy Policy: policies.google.com/privacy

Sentry — Error monitoring and performance tracing. May capture sanitised stack traces and request metadata. Privacy Policy: sentry.io/privacy

Shopify — Payment processing for the MRC shop (when available). MRC does not receive or store payment card data. Privacy Policy: shopify.com/legal/privacy

Printify — Print-on-demand fulfilment. Your shipping address is shared with Printify only when you place an order. Privacy Policy: printify.com/privacy-policy

15. Payment Processing

MRC does not store, process, or transmit credit or debit card data. All purchase transactions are handled directly by Shopify, a PCI DSS Level 1 certified payment processor.

Print-on-demand order fulfilment is managed by Printify. Your shipping address is transmitted to Printify solely for the purpose of fulfilling your order.

MRC's payment compliance scope is PCI SAQ-A, meaning we have no contact with cardholder data at any point in the transaction flow.

16. Data Protection Officer & Contact

Privacy enquiries and data subject rights requests: privacy@mixedracecommunity.com

Security vulnerabilities and incident reports: security@mixedracecommunity.com

General enquiries: community@mixedracecommunity.com

We aim to respond to all data rights requests within 30 days. Complex requests may take up to 90 days, in which case we will notify you of the extension.

17. Policy Version

Version: 2026.03.2

Last updated: March 24, 2026

Material changes to this policy will be communicated via email to registered users and via an in-app notification banner. The previous version of this policy is available upon request.

18. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section describes your rights and how to exercise them.

Categories of Personal Information Collected: Identifiers (name, email address, username), internet or other electronic network activity information (browsing history, posts, interactions), and protected classification characteristics under California or federal law (heritage/ethnic origin data).

Sources of Collection: We collect personal information directly from you when you create an account, fill out your profile, or interact with the platform. We also collect information automatically via cookies and similar technologies when you use our services.

Business Purposes for Collection: We use your personal information to provide community features and platform services, personalise your experience (including heritage blend visualisation and community matching), maintain the security and integrity of our platform, and comply with legal obligations.

We Do Not Sell Personal Information: MRC does not sell, rent, or trade your personal information to third parties for monetary or other valuable consideration. We also do not share your personal information for cross-context behavioural advertising.

Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collection, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of your personal information. You can delete your account and all associated data at any time via Account Settings, or by contacting us.

Right to Opt-Out: You have the right to opt out of the sale or sharing of your personal information. Since we do not sell or share personal information for advertising purposes, no opt-out mechanism is required. You may still opt out of analytics cookies via your account settings.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, quality of service, or access to features for exercising your rights.

How to Exercise Your Rights: You can exercise your California privacy rights through your Account Settings (Privacy & Consent section), or by emailing us at security@mixedracecommunity.com. We will verify your identity before processing your request and respond within 45 days.

19. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@mixedracecommunity.com or visit our Contact Us page.

For security matters, contact security@mixedracecommunity.com.