Privacy Policy &
Data Governance

Who We Are

Data We Collect

How Your Data Is Used

• Platform operation — authenticate users, manage sessions, display the correct dashboard and features for each role.
• Governance processes — manage elections, polls, proposals, and voting eligibility. Record decisions and outcomes as part of the association's official record.
• Communications — deliver internal notifications (governing body to members), facilitate messaging and discussions among members.
• Event management — register members for events, manage capacity, and communicate event details.
• File management — store, organise, and provide secure access to documents shared within the association.
• Security — detect and respond to unauthorised access attempts, enforce session limits, support 2FA, and maintain an audit trail.
• Accountability — maintain audit logs so that administrative actions can be reviewed by authorised personnel, ensuring no misuse of power.
• Member Directory — display admin-verified public profiles for governing members in the team directory. Contact details within profiles are subject to the visibility setting chosen per profile and are never shown beyond what has been explicitly permitted.
• Good governance — route grievance and feedback submissions to the appropriate authority, track resolution, and uphold member rights (coming soon).

Anonymity & Confidentiality

• Elections & Polls — your participation is recorded as a boolean flag (voted / not voted) to prevent double-voting. Your actual vote (the choice you made) is stored separately with no link to your identity. Not even database administrators can join these two records to identify how you voted.
• Anonymous Feedback & Grievances (coming soon) — when you choose to submit anonymously, no user ID, session token, IP address, or any other identifiable metadata is stored with your submission. The anonymity is absolute and irreversible — even the governing authority receiving the submission cannot determine who sent it.
• Named submissions — where you submit feedback or grievances with your identity, your name is visible only to the specific authority the submission is routed to, and only for the purpose of resolution.

Data Storage & Security

• Passwords are hashed using bcrypt with a suitable cost factor. Plain-text passwords are never stored or logged.
• CSRF protection is enforced on every form submission and AJAX request via rotating, session-bound tokens.
• Sessions are cryptographically signed, server-side, with automatic expiry and idle-timeout enforcement.
• Two-Factor Authentication (2FA) via email OTP is available to all members and is enforced for privileged roles.
• Input sanitisation and prepared SQL statements prevent injection attacks across all data entry points.
• File uploads are validated against MIME type and size limits. Files are stored outside the public web root with access token gating.
• Audit logging records security-relevant events with IP address, timestamp, and risk classification.
• Transport security — all communication between your browser and the server is encrypted in transit via HTTPS/TLS.
• Database backups are encrypted and stored on-premises. Backup access is restricted to the IT department.

Who Can See What — Access Control

Member Directory & Public Profiles

• Admin-controlled publication — only administrators can create, edit, and publish a member profile. A profile exists in draft or archived state until an administrator explicitly publishes it. Members may view their own profile in draft form from their Profile Management page.
• What is publicly visible — when a profile is published, the following are visible to the public (guests and members alike): full name, governance roles and body titles, responsibilities, domain responsibility, profile summary, areas of expertise and interest, and qualifications. No contact details are shown publicly by default.
• Contact visibility controls — each profile has a configurable contact visibility setting: Hidden (never shown), Available on Request (displayed as a note, no detail), or Public (shown to logged-in members only — never to guests). Contact details are never shown to unauthenticated visitors regardless of setting.
• Governance data — governance roles, voting status, board memberships, and body affiliations are displayed on published profiles as part of the association's commitment to transparency in leadership. This data reflects the member's official role within the association's governance structure.
• Member-only detail — logged-in members see the full profile including: employee ID, user type, designation, joining date, all governance detail, and contact information (subject to visibility setting). Guests see a reduced public-safe subset with a prompt to sign in for full access.
• Right to review your own profile — every member can view their published profile exactly as it appears in the directory, from the "My Public Profile" tab in Profile Management. If you believe any information is inaccurate, you may request a correction from the IT department or an administrator.
• Removal & archiving — profiles can be unpublished or archived by an administrator at any time. An archived profile is immediately removed from the public directory. The underlying data is retained according to our data retention policy for governance record purposes.

Messaging & Discussions Coming Soon

• All-Members Group — all current and future members are automatically members of this group. Messages sent here are visible to all members of the association.
• Department Groups — messages are visible only to members of that department. Cross-department access is not possible.
• Private messages within a department — visible only to the sender and recipient. Department representatives and administrators cannot read private messages.
• Cross-department private messages — require a mutual invite acceptance before any message can be sent. Neither party can be messaged without consent.
• Custom groups — visible only to group members. Adding members from another department requires an invite. Group owners cannot add anyone without that person accepting.
• Message retention — messages are retained for the operational continuity of the association. Members may delete their own messages from their view; retention for governance records is subject to the association's document retention policy.
• No administrator message surveillance — administrators do not have access to private messages or group conversations unless a formal, documented governance investigation requires it and is authorised by the appropriate governing body.

Notifications

• Notifications may be targeted to an individual, a department, or broadcast to all members.
• Notification read status is tracked so the governing body can confirm important communications have been seen.
• You can configure your notification preferences in your profile settings to control which categories you receive.
• Notifications with an expiry date are automatically purged from your inbox after expiry.
• Only authorised roles (administrators and department representatives within their scope) may send notifications.

Files & Documents

• Files you upload are accessible to you and to any member you explicitly share them with.
• File access is token-gated — direct URL access without a valid, time-limited token is not possible.
• File access events are logged (who accessed which file and when) for security and accountability.
• Administrators can see file metadata (name, size, uploader, sharing status) for platform management, but file content is only accessible if the administrator is a designated recipient.
• File uploads are restricted to permitted MIME types and a maximum size of 10 MB per file to prevent misuse.

Audit Logs & Accountability

• Logged events include: login and logout, profile updates, password changes, votes cast (participation only, not choices), election and proposal management, file actions, 2FA events, and administrative actions.
• Each log entry records: action type, entity affected, timestamp, IP address, and risk level classification.
• Members can view their own recent activity log in their Profile → Activity History.
• Full audit logs are accessible only to platform administrators and only for legitimate security or governance purposes.
• Audit logs cannot be deleted or modified by any user, including administrators, to ensure integrity of the governance record.

Two-Factor Authentication & Sessions

• 2FA OTP tokens are single-use, time-limited, and automatically expired. They are never stored in recoverable form after use.
• Active sessions are listed in your profile, showing device, browser, IP address, and last activity. You can terminate any individual session or all sessions with a single click.
• Remember-me tokens are stored as secure, hashed values. If you suspect your remember-me token is compromised, you can revoke all sessions from your profile.
• Sessions expire automatically after a period of inactivity, regardless of remember-me status, as a security measure.
• IP addresses associated with your sessions are retained in logs for the duration defined in our data retention policy.
• QR Login sessions are time-limited and set by the approving member — from 15 minutes to a custom maximum of 30 days. The session is automatically revoked on expiry. The approving member can also revoke it at any time from the QR Login Manager. When revoked, the other device is signed out within seconds.
• QR Login data stored: the one-time token, approver ID, requesting device IP and user-agent, chosen duration, and approval timestamp. All QR session records are retained according to our standard data retention policy and visible to the approving member in their session history.
• Chain-session prevention: a session created via QR login is flagged internally as a limited-privilege session. The platform blocks any attempt to use such a session to approve another QR login. Only a full credential-based session can authorise new QR access. This flag is stored in the server-side session and is never transmitted to the client.
• Active Devices tab: the QR Login Manager displays all currently active sessions on your account, including device name, browser, IP address, last-seen time, and whether the session was created via QR or credentials. You can revoke any individual session instantly. This data is fetched live from the server on request and is only visible to you.
• Session audit log: a paginated history of all QR-related events — approvals, denials, and logouts — is available in the Past Sessions tab of the QR Login Manager. Each entry records the event type, device details, IP address, and timestamp. This log is accessible only to the account owner and is retained in accordance with our data retention policy.
• Camera access — the QR scanner requests access to your device camera only when you click "Approve New Device Login." The camera stream is processed entirely on your device using the browser's native APIs. No image, frame, or video data is ever uploaded, transmitted, or stored by M-Board.
• Camera permission is always optional. You can deny the camera permission and use the manual short-code entry instead. Denying camera access has no effect on any other platform functionality.

Grievance & Feedback Coming Soon

• Anonymous submissions — when you choose anonymous, absolutely no identifying data (user ID, IP address, session token, browser fingerprint, or timestamp) is associated with the submission content. Anonymity is permanent and irrevocable.
• Named submissions — your identity is disclosed only to the authority designated to resolve the matter. It is not shared with other members.
• Status tracking — anonymous submitters receive a system-generated reference token at submission time. Using this token, they can check the resolution status without identifying themselves.
• No retaliation by design — because anonymous submissions are architecturally unlinkable, no governing authority can take retaliatory action against the submitter.
• Routing & retention — submissions are retained only for the duration required to resolve and document the governance action taken. Resolved submissions are archived, not deleted, as part of the association's governance record.

Third Parties & External Services

Data Retention

Your Rights Over Your Data

Changes to This Policy

Contact & Concerns