This Privacy Policy (the “Policy”) outlines the data collection, utilization, disclosure, and protection practices of the Creative Connections Arts Academy Parent Teacher Organization (CCAA PTO), a non-profit entity dedicated to enriching the educational experience through parent involvement, fundraising, and community building for the students and faculty of the Creative Connections Arts Academy (CCAA) located at 7201 Arutas Dr North Highlands, CA 95660. The effective date of this comprehensive Policy is November 22, 2025. Our commitment to privacy is absolute, recognizing that the trust placed in us by our families, donors, and volunteers is paramount to achieving our core mission: “Supporting creativity, fostering community, and empowering our students through the arts.” This Policy is designed not only to comply with relevant data protection principles but also to communicate clearly and transparently how we manage the personally identifiable information (PII) and non-personally identifiable information (non-PII) collected during the course of our operations, which primarily focus on supporting a specialized arts-integrated curriculum. We understand that in our capacity as a volunteer organization, we handle sensitive information relating to minors and their families, and we maintain stringent internal controls to protect this data against unauthorized access, disclosure, or misuse. This document details the entirety of our data stewardship practices, including the limited circumstances under which data may be shared, the comprehensive security measures we employ, and the robust rights afforded to all data subjects within our operational scope. We urge all members, volunteers, donors, and community partners to review this document in its entirety to understand their rights and our responsibilities as data custodians.

Applicability and Scope of this Policy

This Policy applies to all information collected by the CCAA PTO across every channel of interaction, encompassing, but not limited to: (a) data collected via our official website and any associated digital platforms (including online donation forms, volunteer sign-up portals, and e-newsletter subscription services); (b) information collected through physical paper forms (such as membership applications, event RSVP slips, or fundraising pledge cards); (c) data collected via direct digital communication (including email, text messaging, and dedicated messaging apps used for committee coordination); and (d) data voluntarily provided to the PTO for the purposes of facilitating its mission, even if not explicitly solicited through a formal channel. It is important to clarify that this Policy governs the data practices of the PTO specifically and not the operations of the Creative Connections Arts Academy itself, though the two entities often share aggregated and necessary information to fulfill joint educational and community goals, the processing of which is detailed herein. Where data is collected by the Academy, that processing is governed by the school’s separate privacy policies and procedures. Furthermore, this Policy explicitly details our responsibilities concerning the collection of data pertaining to minor students, which is handled with the highest degree of caution and is primarily sourced directly from the student’s parent or legal guardian. The scope extends to all past, present, and prospective members, donors, and volunteers whose information is retained in our secure records for ongoing operational and legal compliance purposes.

2. Data Controller and Contact Information

Identity and Legal Status of the Data Controller

The Data Controller responsible for the processing of personal information as described in this Policy is the Creative Connections Arts Academy Parent Teacher Organization (CCAA PTO). As an independently registered non-profit organization, the PTO determines the purposes and means of processing the personal data collected to support its mission, including fundraising, volunteer coordination, and communication. We operate under our official organizational name and are based at the address of the Academy, which serves as our principal mailing and physical operational location. We have established clear internal procedures for responding to data subject requests and privacy concerns, ensuring a transparent and accountable process managed by designated PTO board members.

Designated Contact for Privacy Concerns

All inquiries, requests for information access or erasure, complaints regarding data processing practices, or requests for clarification regarding this Privacy Policy should be directed to the PTO’s designated Privacy Contact. To ensure that your request is logged, prioritized, and addressed promptly by the appropriate volunteer officer (typically the Secretary or a designated Communications Committee member), all correspondence must be sent via our primary general inquiry email:

Primary General Inquiry Email: info@ccapt.site

Mailing Address: Creative Connections Arts Academy Parent Teacher Organization (CCAA PTO) 7201 Arutas Dr North Highlands, CA 95660

When submitting a privacy-related inquiry, we strongly request that you clearly identify the nature of your request in the subject line (e.g., “Data Access Request,” “Request for Data Deletion,” or “Privacy Policy Clarification”). This critical step allows our volunteer team to quickly route your correspondence to the appropriate officer and ensures that your statutory rights are addressed in a timely and professional manner, consistent with our internal governance standards and the principles outlined in this Policy.

3. Information We Collect

3.1. Categories of Personally Identifiable Information (PII)

The CCAA PTO collects various categories of PII necessary for the successful execution of our mission and operational needs. The collection of this data is always limited to what is adequate, relevant, and necessary in relation to the specific purposes for which it is processed. These categories include:

  • Contact and Identification Data: This includes the full names, mailing addresses, primary telephone numbers, and email addresses of parents, guardians, and adult volunteers. This data is essential for communicating critical PTO news, event details, and volunteer assignments.
  • Student Data (Provided by Parent/Guardian): This is limited and generally includes the student’s full name, grade level, and class assignment. This data is solely used for the purpose of identifying the appropriate classroom for teacher appreciation gifts, allocating funds equitably across grade levels, confirming student eligibility for PTO-funded scholarships or programs, and ensuring parent volunteer assignments are in proximity to their child’s age group. We strictly prohibit the collection of student PII directly from minors.
  • Financial and Donation Data: This includes records of donations made to the PTO, the amount donated, the date of the transaction, and the associated tax-deductible receipt information. Please note that the PTO itself does not store complete payment card details (e.g., full credit card numbers). All online financial transactions are processed by secure, third-party PCI-compliant payment processors, and we only retain the transactional record provided by the processor (e.g., last four digits of the card, transaction ID).
  • Volunteer and Skills Data: This includes records of volunteer sign-ups, committee membership, preferred volunteer roles, and voluntarily disclosed professional skills (e.g., “Grant Writing,” “Event Planning,” “Photography”) that parents offer to contribute to the PTO’s mission. This data is used solely for the purpose of matching volunteers to appropriate logistical or strategic tasks.

3.2. Source of Collection

We collect the PII outlined in the previous section from three primary sources:

  • Directly from You (Voluntary Submission): This is the most common source of data. Information is provided when you: (i) complete a physical or online PTO Membership Form; (ii) make a donation via our website or mail a check; (iii) sign up for an event, rehearsal snack duty, or committee via a dedicated volunteer portal; (iv) subscribe to our e-newsletter; or (v) communicate directly with a PTO board member or committee chair via email.
  • Automatically (Digital Interaction): When you interact with our website or digital communications, we automatically collect certain technical data using cookies and other tracking technologies. This non-PII data includes your IP address, browser type, operating system, pages viewed, time spent on the site, and referral source. This information is used for website maintenance, security, and aggregated analytical purposes to improve the user experience.
  • From the Academy (Necessary Disclosure): In limited instances, the CCAA administration or faculty may share aggregated or de-identified data with the PTO (e.g., class rosters by student initials or grade-level counts) to facilitate PTO activities. For example, a faculty member may share the number of students in their class to ensure equitable distribution of PTO-funded supplies. In rare cases, and with the explicit authorization of the parent, we may receive PII (e.g., student name and grade) from the Academy solely for the specific, defined purpose of coordinating a PTO-funded activity, such as a specialized field trip roster or scholarship winner notification.

4. Purpose and Legal Basis for Processing

4.1. Fulfilling the Mission and Operational Necessity

The CCAA PTO processes personal data strictly to fulfill its stated mission and for purposes directly relevant to its non-profit, educational support operations. The primary purposes for processing include:

  • Fundraising and Financial Stewardship: Processing donation data to record contributions, issue legally required tax receipts, manage fundraising campaigns (e.g., event ticketing), and ensure compliance with non-profit financial reporting standards. The legal basis for this is legitimate interest (to sustain the organization) and contractual necessity (to issue tax receipts).
  • Volunteer Coordination and Management: Utilizing volunteer data to schedule shifts, coordinate event logistics (e.g., managing backstage crew for a performance), match skills to strategic needs (e.g., using a lawyer for bylaw review), and send essential communications related to assigned duties. The legal basis for this is legitimate interest (to execute our volunteer-driven mission) and consent (implied by the volunteer sign-up).
  • Enrichment Program Facilitation: Using student-level data (provided by the parent) to ensure the logistical success of PTO-funded programs, such as creating accurate participant lists for an artist-in-residence workshop or allocating specific instruments purchased by the PTO to the appropriate music class. The legal basis for this processing is legitimate interest in supporting the educational goals of the Academy.

4.2. Communication and Engagement

Data is processed to maintain a high level of transparency and engagement within the CCAA community:

  • General and Targeted Communications: Sending the weekly e-newsletter, event announcements, meeting minutes, and requests for specific volunteer assistance. Communication may be segmented based on grade level (e.g., sending high school parents information about the portfolio review workshop) or volunteer status. The legal basis for this communication is consent (for subscriptions) and legitimate interest (for operational updates critical to all members).
  • Community Building Events: Processing RSVPs and attendee lists for PTO-sponsored community gatherings (e.g., Family Art Night) to manage capacity, ensure security protocols are followed, and coordinate logistics like catering or materials supply. The legal basis for this is legitimate interest in fostering a cohesive school community.

4.3. Legal Compliance and Security

We are required to process certain data to meet legal obligations:

  • Regulatory Compliance: Retaining financial records, donation history, and volunteer background check verification statuses (not the checks themselves, but confirmation of completion) as required by non-profit governance standards, state and federal tax laws, and school volunteer policies. The legal basis is legal obligation.
  • Security and Fraud Prevention: Utilizing automatically collected technical data (IP addresses) and login information for secure portals to detect and prevent malicious activity, including unauthorized access to donation systems or PTO databases. The legal basis is legitimate interest (to protect organizational assets and data) and legal obligation (to maintain secure financial processing).

5. Data Sharing and Disclosure

5.1. Sharing with the Creative Connections Arts Academy (CCAA)

The CCAA PTO is an independent organization but works in close, necessary partnership with the Creative Connections Arts Academy administration and faculty. Data sharing is strictly limited, defined by explicit purpose, and subject to non-disclosure agreements where appropriate.

  • Operational Necessity: We share necessary logistical data with the Academy (e.g., the final attendee count for a PTO-funded field trip, the schedule of volunteers working in the school library, or the list of funded equipment purchased for a specific classroom). This is done solely to facilitate the operational success of PTO initiatives on school grounds.
  • Teacher/Faculty Support: We may share the names of parents who have signed up to support a specific teacher’s classroom or to donate to a grade-level initiative, allowing the teacher to coordinate directly with the volunteer.
  • Security: In the event of an emergency or security concern, the PTO will cooperate fully with the Academy’s administration, immediately providing any relevant volunteer or parental contact information required to ensure student safety or campus integrity.

5.2. Third-Party Service Providers and Processors

We rely on carefully vetted third-party companies to perform essential functions, and in doing so, we share only the minimal data required for them to perform their service under strict confidentiality obligations. These service providers act as data processors on our behalf.

  • Payment Processors: Companies like Stripe or PayPal (depending on the platform used) process all online donations and event ticket purchases. They receive financial PII (name, address, payment details) directly from the donor and are responsible for securely handling that information under PCI compliance standards. The PTO retains only the transaction record.
  • Email and Communication Platforms: We use professional services (e.g., Mailchimp or Constant Contact) to manage our e-newsletter distribution and bulk communications. We share subscriber names and email addresses with these processors to send you the communications you have consented to receive.
  • Volunteer Management Systems: We utilize online platforms (e.g., Signup Genius or a dedicated school volunteer portal) to coordinate our hundreds of volunteer shifts. Volunteer names, phone numbers, and preferred roles are stored on these platforms solely for the purpose of scheduling and shift reminders.

5.3. Legal and Regulatory Requirements

We may disclose PII if required to do so by law or in the good faith belief that such action is necessary to:

  • Comply with a legal obligation, subpoena, or governmental request (e.g., audit requests from the IRS regarding non-profit status).
  • Protect and defend the rights or property of the CCAA PTO or the Creative Connections Arts Academy.
  • Act in urgent circumstances to protect the personal safety of users, students, or the public.
  • Protect against legal liability or fraud concerning our non-profit operations or financial donors.

6. Data Retention Policy

Criteria for Data Retention and Disposal

The CCAA PTO retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods vary depending on the nature of the data:

  • Financial Records and Donation Data: Retained for a minimum of seven (7) years to comply with federal and state non-profit and tax auditing requirements. After this period, records are archived securely or securely disposed of.
  • Volunteer and Membership Data (Active): Retained while the individual is an active CCAA family member or volunteer. This includes contact information and active committee assignments.
  • Volunteer and Membership Data (Inactive): Contact details for families whose last child has graduated from CCAA are typically retained for a maximum period of two (2) academic years following graduation to allow for alumni-focused communications and to capture any late or final donations. After this two-year period, this data is securely and permanently deleted or anonymized unless the individual has affirmatively consented to remain on an alumni or non-PTO general mailing list.
  • E-Newsletter Subscription Data: Retained until the user explicitly unsubscribes or until the email address is determined to be permanently inactive or invalid.
  • Automated Technical Data (Non-PII): Website analytics and security logs are typically retained for a period ranging from 90 days to one year, depending on the volume and the need for historical analysis.

When personal data is no longer necessary for the purpose for which it was collected, we ensure its secure deletion or anonymization. Disposal methods include permanent digital erasure of electronic records and secure shredding of physical paper documents, preventing any unauthorized recovery of information.

7. Data Security Measures

Our Multi-Layered Approach to Protecting Your Information

The CCAA PTO takes the security of the personal information entrusted to us extremely seriously. We implement a multi-layered security program incorporating administrative, physical, and technical safeguards designed to protect personal data from accidental loss, unauthorized access, misuse, alteration, or disclosure. Given our reliance on volunteer effort, we emphasize training and policy adherence as critical components of our security posture.

  • Administrative Safeguards: All PTO Board members and committee chairs who handle PII receive mandatory training on data handling protocols, confidentiality, and data minimization principles. Access to PII is strictly controlled on a “need-to-know” basis, meaning only the Volunteer Coordinator can access the full volunteer database, and only the Treasurer can access detailed financial records. Volunteers handling PII are required to sign confidentiality agreements.
  • Physical Safeguards: All physical records, such as donation forms or membership sign-ups, are stored securely in locked cabinets within the Creative Connections Arts Academy campus (in the main office or a secure PTO storage area) when not actively being processed. Once digitized, physical copies are securely shredded.
  • Technical Safeguards: We utilize secure, encrypted cloud storage solutions for all electronic PTO data, accessible only via multi-factor authentication and strong, unique passwords. Our website uses Secure Sockets Layer (SSL) encryption to protect data transmitted during online forms or donation processing. As noted, we outsource all credit card processing to industry-leading, certified PCI-compliant vendors to avoid holding sensitive financial data on our internal systems. We maintain up-to-date antivirus and firewall protection on all devices used by PTO officers for data management.

Despite our vigorous efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. In the event of a data breach, we have established a mandatory incident response plan that includes immediate risk assessment, containment, notification of affected parties as required by law, and a transparent communication strategy detailing the steps taken to mitigate future occurrences.

8. Children’s Privacy (Student Data)

Special Protections for Data Pertaining to Minors

In recognition of legal standards such as the Children’s Online Privacy Protection Act (COPPA) and the educational nature of our supporting role (which, as we work with the school, potentially involves Family Educational Rights and Privacy Act, or FERPA, considerations), the CCAA PTO maintains stringent protocols regarding information about students (minors).

  • No Direct Collection from Minors: The PTO does not knowingly solicit, collect, or process PII directly from children under the age of 18. All information pertaining to a student’s name, grade, or classroom is collected exclusively from their parent or legal guardian via PTO membership or program participation forms.
  • Parental Control and Access: Parents and legal guardians retain the right to review, request deletion of, or refuse to permit the further collection or use of their child’s PII in connection with PTO activities. Any request concerning a student’s data should be submitted to the designated Privacy Contact (info@ccapt.site), and we will promptly comply with the parent’s instruction, provided it does not conflict with legal requirements binding on the Academy or the PTO.
  • Limited Purpose Use: Student data is processed solely for logistical purposes that support the child’s educational experience (e.g., ensuring a student receives a PTO-funded book, coordinating a class celebration, or placing parent volunteers in the correct grade-level environment). We never use student PII for targeted marketing or unauthorized communication.

9. Your Comprehensive Data Rights

Exercising Your Rights as a Data Subject

The CCAA PTO respects the fundamental rights of all individuals regarding their personal data. Depending on your jurisdiction (e.g., if you are subject to the principles of GDPR or California CCPA), you may be entitled to the following rights concerning the personal data we hold about you. All requests to exercise these rights must be submitted in writing to our designated Privacy Contact at info@ccapt.site, and we commit to responding to verifiable requests within the legally required timeframe (typically 30 to 45 days).

9.1. Right of Access (Right to Know)

You have the right to request confirmation as to whether or not personal data concerning you is being processed by the PTO, and, where that is the case, access to the personal data and specific information regarding the categories of personal data collected, the sources of the data, the business or commercial purpose for collecting the data, and the categories of third parties with whom we share the data. Upon verification of your identity, we will provide you with a copy of the personal data we hold, subject to any necessary redactions to protect the privacy of others. We reserve the right to charge a reasonable administrative fee for requests that are manifestly unfounded, excessive, or repetitive.

9.2. Right to Rectification (Correction)

You have the right to request the immediate correction of inaccurate or incomplete personal data we hold about you. If you become aware that any PII we hold (such as a change in your email address or mailing address) is incorrect, please notify us promptly, and we will update our records immediately to ensure all communication and documentation (e.g., tax receipts) are accurate.

9.3. Right to Erasure (Right to be Forgotten)

You have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right is not absolute and does not apply where the data must be retained to comply with a legal obligation (e.g., financial records) or for the establishment, exercise, or defense of legal claims. Upon receiving a verified request for erasure, we will take all reasonable steps to delete the data from our live systems and instruct any third-party processors acting on our behalf to do the same, unless the retention criteria outlined in Section 6 apply.

9.4. Right to Restriction of Processing

You have the right to “block” or suppress the processing of your personal data in certain circumstances, such as if you contest the accuracy of the data (while we verify its accuracy) or if you object to the processing on legitimate interest grounds. When processing is restricted, we are permitted to store the personal data but not to carry out further processing without your explicit consent, save for legal exceptions.

9.5. Right to Data Portability

Where applicable (e.g., data processed by automated means based on consent or contract), you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller without hindrance from us, where technically feasible.

9.6. Right to Object

You have the right to object to the processing of your personal data that is based on the PTO’s legitimate interests. If you object, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. This includes the right to object to processing for direct marketing purposes, in which case we will cease that processing immediately.

9.7. Verification and Documentation

To protect the privacy and security of all data subjects, we are legally required to verify the identity of the individual making a request before processing any data rights request. Verification may require you to provide two or more pieces of identifying information that match the data we already hold on file (e.g., your full name, email address, and mailing address). We will never ask for sensitive PII like social security numbers for verification purposes.

10. Cookies and Tracking Technologies

Digital Identifiers and Website Enhancement

The CCAA PTO website, like most modern websites, uses “cookies” and similar tracking technologies to enhance user experience, ensure website security, and analyze site traffic and usage patterns. Cookies are small text files placed on your computer or mobile device when you visit a website.

  • Strictly Necessary Cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the PTO portal or enabling the functionality of the online donation form. Without these cookies, the site cannot function securely.
  • Analytical/Performance Cookies: These cookies collect information about how visitors use our website (e.g., which pages are viewed most frequently, how long visitors stay on a page). This data is aggregated and anonymous and is solely used to help us understand and improve the performance and usability of our website and communication strategies.
  • Functionality Cookies: These cookies are used to remember choices you make (such as remembering your login details for a volunteer portal or your preferred language) and provide more personalized features.

Your Control and Opt-Out Options

When you first visit our website, you will be presented with a clear banner informing you about our use of cookies and requesting your consent for the use of non-essential cookies (Analytical/Performance). You have the right to accept or decline the use of these non-essential cookies. Furthermore, most web browsers allow you to control cookies through their settings preferences. You can typically set your browser to notify you when you receive a cookie or to block cookies entirely. However, please be aware that blocking necessary cookies may prevent you from taking full advantage of the website’s features, particularly the secure payment and sign-up portals. The PTO does not currently respond to “Do Not Track” signals.

11. International Data Transfers

Given the localized nature of the Creative Connections Arts Academy PTO’s mission, which is based entirely within North Highlands, California, USA, the primary processing and storage of all personal data occur within the United States. While our third-party data processors (such as cloud storage providers and email distribution platforms) may have servers located in other jurisdictions, the PTO ensures that any international transfer of data complies with relevant legal standards and that appropriate safeguards (e.g., standard contractual clauses or adherence to relevant data security frameworks) are in place to ensure your personal data is afforded a comparable level of protection regardless of where it is processed. If you are accessing our services from outside the United States, your information will be transferred to, stored, and processed in the U.S., where our databases are centrally maintained.

12. Changes to this Privacy Policy

Notification of Policy Amendments

The Creative Connections Arts Academy PTO reserves the right to update or modify this Policy at any time to reflect changes in our data processing practices or changes in legal requirements. We will notify you of any material changes by posting the new Policy on this page and updating the “Effective Date” at the top of the document.

For material changes that significantly alter the way we use or disclose your previously collected personal data, we will provide you with reasonable advance notice, typically by prominently posting an announcement on the PTO website’s homepage or by sending a notification via the primary contact email we have on file for you. We encourage all members, volunteers, and donors to periodically review this Privacy Policy to stay informed about how we are protecting the personal information we collect.

13. Full Contact Details for Privacy Concerns

If you have any questions or concerns about this Policy, or if you wish to exercise any of your data rights, please contact us immediately. We are committed to working with you to obtain a fair resolution of any complaint or concern regarding your privacy.

Creative Connections Arts Academy Parent Teacher Organization (CCAA PTO)

Designated Privacy Contact: The PTO Secretary / Communications Committee

Primary General Inquiry Email for all Privacy Requests: info@ccapt.site

Physical Address: 7201 Arutas Dr North Highlands, CA 95660

Mission Statement: Supporting creativity, fostering community, and empowering our students through the arts. The Creative Connections Arts Academy PTO is dedicated to enriching the educational experience through parent involvement, fundraising, and community building.