Privacy Policy

Effective date: January 25, 2026. Version: 2026-01-25.v1.

This Privacy Policy describes how Campaign Reach (the “Service”) collects, uses, and protects information when used as a recruitment/outreach CRM platform by an institution (the “Institution”). Campaign Reach is designed for authorized users to support student recruitment, communication, and workflow tracking.

Roles and data ownership

• Institution is the data controller. The Institution owns and controls Institution Data entered into the Service.
• Campaign Reach is a data processor. We process Institution Data only on the Institution’s documented instructions.
• No sale of data. We do not sell Institution Data or use it for advertising profiling.

Information processed

The Service may process contact and admissions-related information provided by the Institution, such as names, email addresses, phone numbers, high school information, admissions status codes, and recruitment interaction notes. The specific fields depend on the Institution’s configuration and uploads.

FERPA-aligned handling

Campaign Reach is intended to support education records workflows and is operated in a manner aligned with common FERPA expectations. This statement is informational and does not represent a legal certification or guarantee. The Institution remains responsible for determining appropriate access, permissible uses, and disclosures.

How the Service uses Institution Data

• Provide, maintain, and secure the Service and its features.
• Authenticate users and enforce access controls (including role-based access).
• Operate audit and activity logs to support accountability and troubleshooting.
• Perform backups and disaster recovery operations consistent with the Service’s operational needs.

Security and safeguards

The Service uses industry-standard security practices appropriate for SaaS applications, which may include:

• Access controls (authentication, role-based authorization, and least-privilege defaults).
• Encryption in transit (TLS) and encryption at rest where supported by the hosting provider.
• Audit logging for administrative review and operational troubleshooting.
• Routine backups and recovery procedures.

No system is perfectly secure. The Institution is responsible for securing user accounts and configuring access appropriately (e.g., user provisioning, role assignments, and credential hygiene).

Subprocessors and hosting

Campaign Reach uses third-party infrastructure providers to host and operate the Service (for example, cloud hosting and database services). Subprocessors are used solely to deliver the Service and are expected to maintain appropriate security controls.

Data retention and deletion

Institution Data is retained for as long as needed to provide the Service and as instructed by the Institution. Institutions should establish their own retention schedules. Upon request and subject to applicable law and contractual terms, Campaign Reach will support deletion or export of Institution Data.

User accounts and access

Access to the Service is restricted to users authorized by the Institution. Users may have different roles and scopes. The Institution controls which users are permitted and what they can access.

Contact

For privacy questions, contact your Institution’s Campaign Reach administrator. If you are an Institution representative and need additional information about operational controls, refer to your administrative documentation or support channel.