Privacy Policy & Terms of Service & Data Processing Addendum

Here's the legal mumbo-jumbo you might be interested in.

This page include Privacy Policy, Terms & Conditions and Data Processing Addendum (GDPR)

Volunteer Matrix Privacy Policy

Last Updated:
January 27, 2026

Volunteer Matrix (“VMX”, “we”, “us”, or “our”) provides volunteer management software to organizations in the United States and Canada. This Privacy Policy explains how information is collected, used, stored, and protected within the Volunteer Matrix service.

1. Roles and Ownership of Data

Organizations using Volunteer Matrix are the Data Controllers of all information they enter into the system.
Volunteer Matrix acts only as a Data Processor on behalf of those organizations.
Clients own 100% of their data at all times.

Volunteer Matrix does not claim ownership of, sell, rent, share, or monetize any client or volunteer data.

2. Information We Process

Volunteer Matrix processes only the data that our client organizations choose to enter into the system. This may include:

Organization and Administrator Information

Organization name and contact details
Administrator names, email addresses, and login credentials
Configuration and account settings

Volunteer and Participant Information

Depending on how each organization uses the system, stored data may include:

Names, email addresses, phone numbers
Scheduling and attendance records
Volunteer hours and activity history
Uploaded documents and waivers
Internal notes and program records

Volunteer Matrix collects only the information provided by our client organizations or their authorized users.

3. How Information Is Used

Data is used solely to provide the Volunteer Matrix service to our clients, including:

Managing volunteer scheduling
Tracking participation and hours
Communicating with volunteers
Producing reports
Operating and supporting the VMX platform

We do not use client data for marketing, advertising, analytics, or any purpose outside of providing the contracted service.

4. Data Hosting and Location

All Volunteer Matrix servers are physically located in the United States at the Patmos Data Center in St. Louis, Missouri.
Client data never leaves the United States.
Backups are stored in a separate U.S.-based data center in a different state.

5. Security Practices

Volunteer Matrix uses reasonable and industry-standard safeguards, including:

Encryption of all data in transit (HTTPS/TLS)
Role-based access controls managed by each client
Secure authentication systems
Dedicated servers managed by in-house administrators
Daily system backups

Each client organization controls who within their organization has access to their data.

Backups

Full system backups are created daily.
Snapshots are retained for approximately 30 days.
Clients have access to downloadable database backups for the most recent 5 days.

Breach Notification

If a confirmed data breach affecting client data occurs, Volunteer Matrix will notify affected customers by email as soon as reasonably possible after verification of the incident.

6. Cookies and Tracking

Volunteer Matrix uses cookies only for:

User authentication
Maintaining administrator sessions
Storing limited administrative preferences

We do not use analytics tracking, marketing cookies, or behavioral tracking tools.

If a client embeds VMX tools inside their own website, any analytics or cookies from that website are governed solely by the client’s own policies.

7. Third-Party Integrations

Volunteer Matrix offers optional API connectors that allow clients to connect VMX with services they already use.

All integrations are initiated and authorized by the client.
Data may be exchanged between VMX and the third-party service at the client’s direction.
Use of any third-party service is subject to that provider’s own terms and privacy policies.

Volunteer Matrix is not responsible for unauthorized access, misuse, or data loss that occurs within third-party systems connected at the client’s request.

8. Data Retention and Deletion

Client-Controlled Access

Clients may export 100% of their data at any time through built-in tools.

Cancellation by Client

Upon written cancellation:

On the cancellation date, all client data is removed from active systems and placed in a secure “deleted” area.
After 30 days, this data is permanently purged from accessible systems.
Backups may still contain non-accessible fragments for up to approximately 30 days following cancellation.

Non-Payment

If payment is not received:

Day 0 (due date): Account becomes limited to billing access only
Day 7: Administrative access is disabled
Day 14: Public-facing tools become inaccessible
Day 21: Full purge of all data and files from the system

Reinstatement after cancellation is possible only if backups still exist and is subject to an administrative reinstatement fee.

9. Children’s Privacy

Volunteer Matrix may be used by organizations that work with minors.

The system includes a parental consent and waiver workflow for users under 18.
Parents may receive notifications and approve documents online.
Volunteer Matrix does not knowingly allow children under 13 to register without parental involvement.

Requests regarding a minor’s data should be directed first to the organization using VMX.

10. Requests from Individual Volunteers

Volunteer Matrix generally processes data only at the direction of client organizations.

If an individual volunteer requests deletion or correction of their information, we will:

Direct them to contact the organization controlling their data, and
If the organization refuses or is unresponsive, VMX may honor a direct deletion request from the individual.

11. Demonstration Use

Volunteer Matrix may, on occasion, display examples of publicly visible client pages (such as public calendars) to prospective customers.

Only information already publicly accessible is ever shown.
No private or sensitive data is used.
Client organizations may opt out of such use at any time upon request.

Note: In some cases, a publicly visible page or “home base” screen may display volunteer names along with non-sensitive information such as project names or hours. No private contact details or restricted data is shown in demonstrations.

12. Geographic Scope

Volunteer Matrix primarily serves organizations located in the United States and Canada.

13. Changes to This Policy

This policy may be updated from time to time. Continued use of the service constitutes acceptance of the current policy.

14. Contact Information

Questions regarding this Privacy Policy may be directed to:

Volunteer Matrix
Email:
[[ email ]]
Website:
https://volunteermatrix.com

Volunteer Matrix Terms of Service

Last Updated:
January 27, 2026

These Terms of Service (“Terms”) govern the use of the Volunteer Matrix platform (“Service”) provided by Volunteer Matrix (“VMX”).

1. Acceptance of Terms

By using the Service, the organization (“Client”) agrees to these Terms.

2. Description of Service

Volunteer Matrix provides online software tools for volunteer scheduling, management, communication, and reporting.

3. Client Responsibilities

Clients are solely responsible for:

The accuracy of all data entered
Compliance with applicable laws
Managing user accounts and permissions
Content and communications sent through the system

Clients must not use the Service for illegal, abusive, or spam-related purposes.

4. Acceptable Use

The following are strictly prohibited:

Harassment or unlawful activity
Sending unsolicited bulk email unrelated to volunteering
Uploading illegal or harmful content
Attempting to bypass system security

Violation may result in immediate suspension or termination.

5. Support

Support is provided on a best-effort basis at no additional charge. No guaranteed response time or service level agreement is provided.

6. Payment Terms

Services are invoiced manually, typically every 6–12 months, and are paid in advance.
The initial payment period is non-refundable.
After the initial period, refunds for unused prepaid time are available upon written cancellation request.
No refunds are provided for past service periods.

7. Free Trial

A 30-day (or longer) free trial may be offered. Clients may begin live use before the end of the trial only after initial payment is received.

8. Cancellation and Termination

Client Cancellation

Cancellation must be submitted in writing (email acceptable).
Refunds of unused prepaid time are honored after the initial paid period.
Data handling follows the schedule described in the Privacy Policy.

Non-Payment (Hard Dates)

If payment is not received:

Day 0:Access limited to billing functions
Day 7:Administrative access disabled
Day 14:Public tools disabled
Day 21:Complete data purge

Reinstatement

If backups remain available, reinstatement may be performed for an administrative fee (hourly rate with minimum service time).

9. No Warranty

The Service is provided “AS IS” and “AS AVAILABLE.”

Volunteer Matrix makes no guarantees of uptime, availability, or error-free operation.

10. Limitation of Liability

To the fullest extent permitted by law:

VMX is not liable for indirect, incidental, or consequential damages.
Total liability is limited to the amount paid by the Client to VMX in the preceding 12 months.

11. Third-Party Integrations

Any third-party services connected to VMX are used at the Client’s direction and risk.

VMX is not responsible for:

Unauthorized access, misuse, or data loss occurring within third-party systems connected at the Client’s request
Availability, security, or performance of third-party services
Any damages arising from the Client’s use of third-party integrations

12. Demonstration Use

VMX may display publicly visible portions of a client’s implementation to prospective customers. Clients may opt out at any time by written request.

13. Governing Law

These Terms are governed exclusively by the laws of the State of Texas, USA.

Any legal action must be brought solely in the courts located in Texas.

14. Modifications

VMX may update these Terms at any time. Continued use of the Service constitutes acceptance of updated Terms.

15. Contact

Questions regarding these Terms may be directed to:

Volunteer Matrix
Email:
[[ email ]]

Volunteer Matrix Data Processing Addendum (DPA)

Last Updated: January 27, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Volunteer Matrix (“Processor”, “VMX”, “Vendor”, “we”, “us”) and the client organization (“Controller”, “Client”, “you”) for provision of the Volunteer Matrix service (“Service”).This DPA applies where VMX processes Personal Data on behalf of Client and such processing is subject to applicable data protection law, including the EU General Data Protection Regulation (“GDPR”).

1. Definitions

Controller: the entity that determines the purposes and means of processing Personal Data.
Processor: the entity that processes Personal Data on behalf of the Controller.
Personal Data: any information relating to an identified or identifiable individual processed under this DPA.
Processing: any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Roles of the Parties

Client is the Data Controller.
VMX is the Data Processor.

VMX processes Personal Data solely on Client’s documented instructions and in accordance with this DPA, including as necessary to provide the Service.

3. Scope and Purpose of Processing

3.1 Categories of Data Subjects

Client administrators and staff users
Volunteers, participants, parents or guardians (as applicable)
Other individuals whose Personal Data Client chooses to store in the Service

3.2 Categories of Personal Data

Personal Data may include, as configured and provided by Client:

Identifiers and contact data (such as name, email, phone)
Scheduling, attendance, and volunteer activity records
Uploaded documents and waivers, where enabled by Client
Communications and internal notes, where used by Client
Administrative account data and configuration information
Login credentials (stored in hashed form)

VMX does not intentionally process special categories of personal data as defined under GDPR Article 9 except where such data is knowingly submitted or configured by Client, in which case Client is solely responsible for establishing a lawful basis for such processing.

3.3 Purpose of Processing

VMX processes Personal Data only as necessary to provide, operate, maintain, support, and secure the Service and to comply with applicable law.The Service includes, as applicable:

Volunteer registration and scheduling
Communication and notifications initiated by Client
Reporting and administrative functions
Technical support and system maintenance

VMX does not process Client data for marketing or advertising purposes. VMX does not perform analytics on Client systems other than operational logging necessary for service reliability and security.

3.4 Duration of Processing

Processing continues for the term of Client’s use of the Service and until deletion as described in this DPA and the applicable Privacy Policy and Terms of Service.

4. Client Instructions

Client instructs VMX to process Personal Data as necessary to provide the Service. Client may also instruct VMX through Service functionality (including configuration settings and user permission controls).

5. Confidentiality

VMX will ensure that persons authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and will process Personal Data only as necessary to provide the Service.

6. Processing Location

Primary data hosting location: United States
Personal Data may be accessed by VMX personnel solely for support, maintenance, and security purposes

7. Subprocessors and Third-Party Integrations

7.1 Subprocessors

VMX may engage subprocessors as reasonably necessary to provide the Service. VMX does not authorize subprocessors to process Client data for their own purposes.Client acknowledges that certain subprocessors may be added or replaced over time. VMX will make a current list of subprocessors available upon request.VMX does not disclose Client data to third parties except as necessary to provide the Service or where explicitly configured by Client.

7.2 Client-Directed Integrations

Client may choose to connect the Service to third-party services via optional API connectors or integrations. Where Client enables such integrations:

Personal Data may be transferred between VMX and the third-party service at Client’s direction.
The third-party provider’s terms and privacy policies apply to that provider’s processing.
VMX is not responsible for the security, availability, or performance of third-party services connected at Client’s request.
VMX is not liable for unauthorized access, misuse, or data loss occurring within third-party systems connected at Client’s request.

8. Security Measures

VMX implements commercially reasonable administrative, technical, and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including:

Encryption in transit (HTTPS/TLS)
Access controls and least-privilege permissions
Logical separation of Client data
Password hashing
Regular system backups
Monitoring for unauthorized access

9. Client Obligations

Client is responsible for:

Establishing a lawful basis for processing Personal Data
Providing required notices and obtaining consent where applicable
Ensuring data accuracy
Configuring retention and deletion settings consistent with applicable law

10. Assistance With Data Subject Rights

VMX will, upon reasonable request, provide reasonable assistance to Client in responding to data subject rights requests (including access, correction, deletion, and export) to the extent technically feasible and consistent with the nature of the Service, and to the extent Client cannot accomplish this through the Service itself. Client remains responsible for responding to such requests within applicable legal timeframes.

11. Personal Data Breach Notification

If VMX becomes aware of a confirmed Personal Data Breach affecting Client data, VMX will notify Client without undue delay and where feasible after the breach is confirmed, typically by email to Client’s designated account contact.

12. Data Retention, Return, and Deletion

Client may export data through the Service during the subscription term, subject to Service functionality.Personal Data is retained for the duration of the Client’s active account.Upon termination or cancellation, VMX will delete or anonymize Client Personal Data within a commercially reasonable period, except where retention is required for backups, legal obligations, or legitimate business purposes.For clarity, VMX may (as part of standard operations) move Client data out of active systems upon cancellation and subsequently purge it. Where VMX provides indicative timeframes in its policies, deletion from accessible systems is typically completed within approximately 30 days, with backup retention typically lasting up to approximately 30 additional days, subject to VMX’s backup retention policies.

13. Audits and Information Rights

Client may request reasonable written information necessary to verify VMX’s compliance with this DPA. VMX may satisfy this obligation by providing written responses, policy documentation, and/or security descriptions appropriate to the Service. Any audits are limited to documentation review and shall not include access to VMX systems, facilities, or other clients’ data without VMX’s prior written consent.

14. International Data Transfers

Client data is hosted and processed in the United States. Where Personal Data originating in the European Economic Area or Switzerland is transferred outside those regions, international transfers are governed by the European Commission Standard Contractual Clauses (Controller-to-Processor), Module Two, which are incorporated by reference and deemed executed upon acceptance of this DPA.

15. Liability

Liability under this DPA is subject to the limitations and exclusions in the applicable Terms of Service or other governing agreement between the parties.

16. Order of Precedence and Limitation

This DPA does not expand VMX’s obligations beyond those set forth in the applicable Terms of Service. If there is a conflict between this DPA and the Terms of Service or other agreement, this DPA will control only with respect to data processing obligations, and the Terms of Service will control in all other respects.

17. Governing Law

This DPA is governed by the laws specified in the VMX Terms of Service.

18. Contact

Questions regarding this DPA may be directed to:

Volunteer Matrix
Email:
[ email ]