Privacy Policy

Last updated: 2026-05-24

Who we are

crff.org is operated by the Colorado River Fall Festival committee, a volunteer body drawn from the York Rite jurisdictions of Arizona, California, Nevada, New Mexico, and Utah. The site is hosted by StudioBalke on a server controlled by the committee.

What we collect

We collect only the information necessary to administer the festival:

• Registration form: your first name, optional nickname, email, optional phone and mailing address, body / lodge / chapter affiliation, role (attendee, candidate, ladies' program, etc.), and any year-specific extras (dietary, lodging, notes).
• Contact form: name, email, optional phone, department, and your message.
• Server logs: standard web-server access logs (IP, user-agent, URL), retained for security and troubleshooting.
• Admin sign-in: for committee accounts only — email, password hash (when set), session metadata, and a tamper-evident audit log of admin actions.

What we do with it

• Run the festival — registration roster, candidate paperwork, meal counts, hospitality logistics.
• Confirm your registration and reconcile your payment with our donation processor.
• Email you about your registration (confirmation, schedule changes, follow-up).
• Compile aggregate statistics across years for committee planning (you'll never be identified in published numbers).

What we do not do

• We don't sell, rent, or share your information with third parties for marketing.
• We don't use Google Analytics, Facebook Pixel, or any other behavioral tracker on this site.
• We don't store payment-card numbers. Payments are handled entirely by Zeffy under their own terms; we only see the reconciliation information they share with us (your name, email, amount, transaction ID).

Cookies

We set one functional cookie when you sign in to the admin area (and a non-sensitive companion cookie that tells the static page you are signed in, so the dashboard renders without a flash). We don't set any analytics or advertising cookies.

How long we keep your data

Registration and payment records are retained indefinitely so the committee can answer year-over-year questions ("did Brother X attend in 2024?") and so we don't lose your participation history if you return later. Server logs are pruned on the host's default schedule.

Your rights

You can ask us to send you a copy of the information we hold about you, correct it, or delete it (with the caveat that we may need to retain a minimal record for prior-year financial reconciliation). To make a request, contact the committee and select "General Information" or your preferred subject.

Security

The site is served over HTTPS only. Sessions are protected with HttpOnly + Secure + SameSite=Lax cookies. Sign-in attempts and admin actions are rate-limited and audit-logged. Backups of the registration data run nightly with integrity checks.

Contact

Questions or requests about this policy: contact the committee.