Skip to main content

Privacy Policy

Last updated: February 12, 2026

This Privacy Policy explains how Madrona, LLC ("Madrona," "we," "us," or "our") collects, uses, and shares information in connection with our website at madrona.app (the "Website") and our cloud-hosted platform (the "Service"). This policy applies to two categories of individuals:

  • Website visitors who browse our marketing site.
  • Platform users - staff at customer organizations who access the Service under a subscription.

1. Information We Collect

1.1 Account Information

When a customer organization subscribes to the Service, we collect information about authorized users, including names, email addresses, job titles, and roles. This information is provided by the customer's administrator or by users during account setup.

1.2 Customer Content

Customers upload, import, and create content within the Service, including collection records, media assets (images, documents, video, audio), metadata, and related data ("Customer Content"). We process Customer Content solely to provide the Service. Customer Content may include information about third parties (such as artists, donors, or depicted individuals); the customer is responsible for ensuring it has appropriate rights and permissions for this content.

1.3 Usage Data

We automatically collect information about how the Service is accessed and used, including:

  • Pages visited and features used.
  • Actions taken within the platform (for audit logging and service improvement).
  • Browser type, operating system, and device information.
  • IP address and approximate location (derived from IP).
  • Referring URLs and search terms (for the marketing website).

1.4 Cookies and Similar Technologies

We use cookies and similar technologies on our Website and within the Service. See Section 7 (Cookies) below for details.

1.5 Support Communications

When you contact us for support, we collect the content of your communications, including any files or screenshots you share, along with your name and contact information.

1.6 Contact and Inquiry Forms

If you submit a form on our Website (such as a demo request or contact form), we collect the information you provide, typically your name, email, organization, and message.

2. How We Use Information

We use the information we collect to:

  • Provide and operate the Service - hosting, processing, and delivering platform functionality.
  • Maintain security - detecting and preventing unauthorized access, fraud, or abuse.
  • Provide support - responding to inquiries and resolving issues.
  • Improve the Service - analyzing usage patterns to inform feature development and performance optimization.
  • Communicate - sending transactional messages (account notifications, security alerts) and, where permitted, product updates. You may opt out of non-essential communications.
  • Comply with legal obligations - responding to lawful requests and fulfilling regulatory requirements.

3. Legal Basis for Processing

Where applicable law requires a legal basis for processing personal information, we rely on:

  • Contractual necessity - processing required to perform our contract with the customer organization.
  • Legitimate interests - processing for service improvement, security, and communications, where those interests are not overridden by individual rights.
  • Consent - where we collect information based on your consent (such as optional cookies or marketing communications), which you may withdraw at any time.
  • Legal obligation - processing required to comply with applicable law.

4. How We Share Information

We do not sell personal information. We may share information with:

4.1 Service Providers and Subprocessors

We use third-party service providers to help operate the Service. These include:

  • Amazon Web Services (AWS) - cloud hosting, data storage, authentication, and infrastructure.
  • Plausible Analytics - privacy-focused, cookieless website analytics for the marketing site.
  • Amazon Simple Email Service (SES) - transactional email delivery.

We require service providers to process data only as directed by us and to maintain appropriate security measures. A list of subprocessors is available upon request.

4.2 Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request. Where permitted, we will notify the affected customer before making such a disclosure.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, information may be transferred as part of the transaction. We will provide notice and, where applicable, choices regarding such a transfer.

4.4 With Customer's Consent or Direction

We may share information as directed by the customer - for example, when a customer uses the public collection access feature to publish selected records via API, or when using integration features to send data to external systems.

5. Customer as Data Controller

For Customer Content processed through the Service, the customer organization acts as the data controller (or equivalent under applicable law), and Madrona acts as a data processor. This means:

  • The customer determines what data is collected, uploaded, and processed within the Service.
  • The customer is responsible for ensuring it has lawful grounds to process the data, including any personal information contained in collection records or media assets.
  • Madrona processes Customer Content only in accordance with the customer's instructions and the applicable subscription agreement.
  • Individual data subjects should direct requests regarding Customer Content to the relevant customer organization.

If required by your organization's data protection obligations, we can enter into a Data Processing Agreement. Contact us to request one.

6. Data Retention

We retain information for as long as reasonably necessary to provide the Service and fulfill the purposes described in this policy:

  • Account information is retained for the duration of the customer's subscription and a reasonable period afterward for record-keeping and legal compliance.
  • Customer Content is retained for the duration of the subscription. Upon termination, Customer Content is available for export for thirty (30) days, after which it may be deleted from production systems. Backup copies may persist for a limited additional period consistent with our backup schedule.
  • Usage data is retained in aggregate or anonymized form for service improvement purposes.
  • Support communications are retained for a reasonable period to provide ongoing support and maintain service quality.

Customer deletion requests are handled in accordance with the applicable subscription agreement.

7. Cookies

We use the following categories of cookies:

  • Essential cookies - required for the Service to function (authentication, session management, security). These cannot be disabled.
  • Analytics cookies - help us understand how visitors use our Website. These are used on the marketing site only and can be declined.
  • Preference cookies - remember your settings and choices across sessions.

We do not use cookies for advertising or behavioral targeting.

We use Plausible Analytics for website analytics, which does not use cookies or collect personal data. You can manage essential cookie preferences through your browser settings.

8. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect information from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS) and at rest (AES-256 via AWS-managed encryption).
  • Role-based access controls with field-level permissions.
  • Audit logging of data changes within the platform.
  • Automated backups with point-in-time recovery.

No method of electronic storage or transmission is completely secure. While we strive to protect information using commercially reasonable measures, we cannot guarantee absolute security.

9. International Transfers

The Service is hosted in the United States on Amazon Web Services. If you access the Service from outside the United States, your information may be transferred to and processed in the United States.

Where applicable law requires specific safeguards for international data transfers (such as transfers from the European Economic Area, United Kingdom, or Switzerland), we will use appropriate transfer mechanisms, which may include Standard Contractual Clauses or other mechanisms recognized under applicable law. Contact us for more information about specific transfer safeguards.

10. Children

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete that information promptly.

11. Your Rights

Depending on your jurisdiction, you may have rights regarding your personal information, including the right to access, correct, delete, or port your data, or to object to or restrict certain processing.

For platform users: Because Madrona processes Customer Content on behalf of customer organizations, requests regarding data within the Service should be directed to your organization's administrator. We will assist customer organizations in responding to such requests as required by our agreements and applicable law.

For website visitors: You may contact us directly using the information below to exercise any applicable rights regarding information we collect through the Website.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. For material changes, we will provide additional notice (such as email notification to customer administrators) at least thirty (30) days before the changes take effect.

13. Contact Information

Questions about this Privacy Policy or our data practices should be directed to:

Madrona, LLC
Vermont, United States
Email: info@madrona.app