Effective date: January 1, 2026
This Privacy Policy explains what information we collect, why we collect it, and what choices you have when you use the IHNYC RC web properties and the calendar subscription system (the “Service”).
Quick summary (plain English).
Calendar subscriptions: if you subscribe, you give us your name and email so we can send a magic link and issue a calendar access token.
Token safety matters: calendar links are sensitive—anyone with your tokenized link may be able to access your calendar feed.
Security logs: like most services, we keep access/security logs and may use anti-abuse tools.
Analytics: we use Mixpanel (EU version, GDPR-compliant), but we do not send your raw email address to Mixpanel. Affective Technologies is the data controller; Mixpanel acts as a data processor.
Cookies: Mixpanel (EU version, GDPR-compliant) and Cloudflare (including Turnstile/Access, where enabled) may set cookies.
This summary is here to help. The full policy below is what controls.
Important relationship notice.
Affective Technologies operates the website and technical backend supporting the Resident Council and is not affiliated with the Council, with International House NYC, or with AVI Foodsystems.
1) Who we are
The Service is operated by Affective Technologies LLC (“Affective Technologies,” “we,” “us,” or “our”).
2) What the Service includes
The Service includes IHNYC RC web properties such as ihnyc-rc.org (informational pages and public updates)
and calendar.ihnyc-rc.org (the calendar subscription system and token-gated access to an .ics feed).
The Service also includes the operational tooling used to create and publish calendar events and updates, including automations and databases described below.
3) How the calendar subscription works (high level)
We designed the calendar subscription to be easy to use and reasonably private. At a high level, the system works like this:
Event creation. n8n automations ingest weekly “Happenings” emails and parse them using an OpenAI node, then write structured event content into Notion databases (the Resident Council’s primary knowledge base).
Calendar generation. Events are periodically fetched from Notion and written into an .ics calendar feed stored in Cloudflare R2.
Token-gated delivery.calendar.ihnyc-rc.org serves token-gated access to the .ics file using Cloudflare Pages/Workers plus a Cloudflare D1 database.
Email verification. Subscribing uses email-based magic link verification (transactional email via Resend), token minting, token expiry, token revocation, and last_seen/last_seen_at timestamps.
Anti-abuse. We may use Cloudflare Turnstile (where enabled), Cloudflare Access (admin panels where enabled), and rate limiting/cooldowns for repeated requests.
Important: calendar subscription links can be sensitive. If someone gets your tokenized calendar URL, they may be able to fetch your feed until the token expires or is revoked.
4) Information we collect
4.1 Information you provide
The informational website does not offer user accounts/logins. If you subscribe to the calendar, you may provide:
Name (optional/if requested by the subscription form)
Email address (required to send a magic link and manage your subscription)
If you use third-party services linked from the site (for example, external forms, documents, or resources hosted on other domains), those services may collect information under their own policies.
4.2 Subscription records and identifiers
To operate the calendar subscription system, we store certain records in our database (Cloudflare D1). These may include:
Subscriber records (name and email address, and subscription status)
Verification requests (for example, magic link request records)
Token hashes and verification code hashes (we store hashes of tokens/codes used for verification and access control)
Token lifecycle metadata (for example, expiry, revocation status, and last_seen/last_seen_at timestamps)
4.3 Technical, security, and access data
When you use the Service (including when your calendar app fetches the .ics feed), we and our infrastructure providers automatically receive technical and security information:
Hashed IP address (used for security logging and abuse prevention)
User agent (browser/device and often calendar-client identification)
Request path and timestamps (for example, what endpoint was requested and when, including last_seen_at)
Infrastructure/security metadata (for example, Cloudflare identifiers like CF-RAY)
Theme preference stored in your browser via localStorage (key: ihnyc-rc-theme)
4.4 Analytics data (Mixpanel)
We use Mixpanel (EU version, GDPR-compliant) to understand usage and improve the Service. We do not send your raw email address to Mixpanel.
Affective Technologies is the data controller; Mixpanel acts as a data processor under GDPR.
Mixpanel analytics uses a distinct identifier (distinct_id) that is a SHA-256 hash derived from a normalized version of your email plus a server-side "pepper."
This means Mixpanel receives a stable identifier for analytics, but not your raw email.
Example events we may track include: magic link requested/sent/clicked/consumed, token minted, calendar fetched, invalid/expired/revoked token attempts, and "add to Google/Outlook/copy link" button clicks.
4.5 Event content stored in Notion
The Resident Council’s primary knowledge base is stored in Notion. n8n automations ingest weekly “Happenings” emails and parse them via an OpenAI node to extract structured event content,
which is then stored in Notion databases.
This event content may include event titles, dates/times, locations, descriptions, and other details derived from the “Happenings” emails.
5) How we use information
We use the information we collect to:
Operate the informational site and the calendar subscription system
Verify subscriptions (magic links), mint/rotate/revoke tokens, and deliver the token-gated .ics feed
Secure the Service (fraud prevention, abuse prevention, debugging, auditing, and incident response)
Measure usage and improve the Service (analytics and performance monitoring)
6) Cookies and similar technologies
Depending on which parts of the Service you use, cookies and similar technologies may be set by us and/or by our providers. For example:
Mixpanel (EU version, GDPR-compliant) may set cookies or use similar identifiers for analytics.
Cloudflare may set cookies or use similar identifiers for security/performance features, and Cloudflare Turnstile and Cloudflare Access (where enabled) may set additional cookies to operate.
You can control cookies through your browser settings. Blocking cookies may impact some features.
7) Third-party services and processors
We use the following third-party services to operate the Service (these act as service providers/processors, depending on context):
Cloudflare (Pages/Workers/D1/R2/Turnstile/Access)
Notion (event and content databases)
OpenAI (parsing “Happenings” emails via an OpenAI node in n8n)
Mixpanel (analytics, EU version, GDPR-compliant; acts as a data processor, with Affective Technologies as the data controller)
The Service may also link to third-party websites and resources (for example, Notion pages, Google Forms, Canva documents, and other external resources).
If you follow those links, your interaction is governed by the third party’s policies.
Some pages may display embedded content or previews of third-party documents. When that happens, third parties may receive standard request data (such as IP address and user agent)
as part of serving or rendering that embedded content.
8) How we share information
We may share information in the following circumstances:
Service providers. We share information with the vendors listed above to operate the Service (hosting, storage, security, email delivery, automations, analytics, and document/content platforms).
Legal and safety. We may disclose information if required by law, or if we believe disclosure is necessary to protect our rights, safety, users, or the integrity of the Service.
We do not sell personal information.
9) Data retention
We retain information for as long as reasonably necessary to operate the Service, maintain security, comply with legal obligations, resolve disputes,
and enforce our policies. Retention periods may vary by data type, system configuration, and operational needs, and we may update them over time.
When information is no longer needed for these purposes, we take reasonable steps to delete it or de-identify it, unless we are required to keep it longer
by law or for legitimate business and security needs.
Subscriber records (name/email): retained to provide the subscription and support requests (for example, revoking tokens or re-issuing access).
Verification requests and code hashes: retained according to our operational retention settings for verification and abuse prevention.
Token hashes and token lifecycle metadata: retained to operate access control (including expiry/revocation) and for security/auditing.
Calendar access logs (including hashed IP, user agent, request path, timestamps/last_seen_at): retained according to our operational retention settings for security, abuse prevention, and troubleshooting.
Analytics events: retained according to Mixpanel (EU version, GDPR-compliant) settings and our operational needs.
Notion event content: retained according to the Resident Council’s operational practices.
10) Your choices and privacy requests
Cookies. You can manage cookies through your browser settings.
Theme preference. You can clear the theme preference by clearing site data in your browser (local storage).
Token safety. If you believe your tokenized calendar link has been shared or compromised, contact us so we can revoke it and issue a new one.
Privacy requests. You may request access, correction, deletion, or other help with your information by contacting us (see Section 14). We’ll respond consistent with applicable law and the needs of operating and securing the Service.
11) Data security
We use reasonable administrative, technical, and organizational measures to help protect the Service and the information we process.
This includes measures like access controls (for example, Cloudflare Access where enabled), bot mitigation (for example, Cloudflare Turnstile where enabled),
and rate limiting/cooldowns for repeated requests. No method of transmission or storage is perfectly secure.
12) International users
If you access the site from outside the United States, your information may be processed in the United States or other jurisdictions where our service providers operate.
For users in the European Economic Area (EEA) and other jurisdictions with data protection laws, we comply with applicable requirements, including GDPR.
We try to use GDPR-compliant service providers when possible (for example, Mixpanel EU version) and maintain appropriate data processing agreements where required.
13) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If changes are significant, we will update the Effective date above.
If you keep using the Service after the update takes effect, you’re agreeing to the updated policy.
The technical backend and implementation details that operate the Service are intellectual property of Affective Technologies LLC.
This Privacy Policy describes how data is handled by the Service; it does not grant any rights to the underlying technology.