Privacy Policy

This Privacy Policy explains how Amy Johnston Harper and Nan Kirkpatrick collect, use, disclose, and protect personal information for the Great Hills Holiday Lights Contest.

Effective date: October 10, 2025
Last updated: October 10, 2025

This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the Great Hills Holiday Lights Contest websites (the “Site”) and related services (collectively, the “Services”). It reflects good-faith, security-minded practices for a prize competition and should be reviewed by your counsel for local compliance.

1) Who we are

  • Contest Hosts/Administrators (Controller/Operator): Amy Johnston Harper (Compass Real Estate) & Nan Kirkpatrick (Abundance Home Mortgage LLC).
  • Mailing address: Great Hills neighborhood, Austin, TX 78759 (final mailing address will be posted once confirmed).
  • Contact (privacy): Amy.Harper@compass.com and nan@abundancehomemtg.com (subject: “Privacy Request”).
  • Primary sites: holidaylights.abundancehomemtg.com, holidaylights.amyatx.com.
  • Hosting: Backend APIs on Render.com; frontend pages on Netlify; images on Cloudflare R2.

If you are in the European Economic Area (EEA) or UK, the data controller is the Hosts named above. A Data Protection Officer (DPO) is not required.

2) Scope

This policy covers personal information processed through the Contest: entering homes, publishing entries, voting, awarding prizes, supporting anti-abuse/anti-fraud, and administering the Contest. It does not cover third-party websites you may visit via sponsor links or external social pages.

3) What we collect

We collect information you provide directly, information captured automatically, and information from service providers for security and operations.

3.1 Information you provide directly

  • Entry details: name, email, phone, address of nominated home, relationship to the home, and entry photo (hosted via Cloudflare R2).
  • Voter details: name, email, phone.
  • Admin details: login username; we verify password via PBKDF2 and six-digit TOTP codes.

3.2 Automatically collected (service/technical data)

  • IP address and approximate location (inferred from IP) for security, fraud prevention, and boundary compliance.
  • Cookies and similar identifiers to authenticate accounts and defend against abuse (see Section 8).
  • Timestamps, request metadata, and rate-limit counters used to prevent spam/bot traffic and vote stuffing.
  • Audit logs for admin actions (e.g., login, resets, photo updates).

3.3 Third-party sources & processors (operational)

  • hCaptcha: we verify CAPTCHA tokens server-side to detect bots.
  • Google Maps Geocoding API: we geocode nominee addresses and ensure they fall within the contest boundary.
  • Cloudflare R2: hosting images (entry photos, sponsor logos).
  • Discord (private server/webhook): optional operational alerts (e.g., abnormal vote spikes, admin actions).
  • Email/Simple Mail Transfer (SMTP): if enabled for verification or winner notifications, we send messages through the Hosts’ authenticated Compass/Abundance Google Workspace accounts or another provider disclosed before activation.

Each processor maintains its own privacy policy and terms.

4) Why we use your information (purposes)

  • Operate the Contest (accept entries, render a public map/listing, enable voting, select finalists/winners).
  • Prevent fraud and abuse (enforce rate limits, detect suspicious patterns, validate addresses within the boundary, and verify user actions).
  • Communicate with you (e.g., confirm entry or voting eligibility, contest updates, winner notifications).
  • Maintain site security and reliability (logging, debugging, monitoring).
  • Comply with legal obligations and respond to lawful requests.

6) Sharing and disclosures

We do not sell personal information. We may share information with:

  • Service providers (Render, Netlify, Cloudflare R2, hCaptcha, Google Maps Geocoding, Compass/Abundance email services, optional Discord webhook): hosting, storage, bot defense, geocoding, notifications, and email delivery.
  • Law enforcement or regulators where required by law.
  • Successors in the event of a reorganization related to the Contest assets.

We require processors to protect data and use it only for contracted purposes.

7) Retention

  • Contest records (entries, votes, voter registrations): retained through the contest period and approximately 90 days after conclusion for audit/fraud review.
  • Admin audit logs: up to 12 months, unless a longer retention period is needed for investigations.
  • Server logs and rate-limit counters: typically 30–90 days, subject to infrastructure provider defaults.
  • Backups: per hosting provider’s standard backup schedules.

We may retain minimal records to comply with legal obligations or resolve disputes.

8) Cookies & similar technologies

We use strictly necessary cookies for authentication, CSRF protection, and anti-abuse. Examples:

Cookie Purpose HttpOnly SameSite Secure Scope
voter_token Authenticate a voter after signup/verification Yes None Yes First-party contest domains (holidaylights.amyatx.com, holidaylights.abundancehomemtg.com)
device_id Signed device identifier to help throttle abuse Yes None Yes First-party contest domains (holidaylights.amyatx.com, holidaylights.abundancehomemtg.com)
XSRF-TOKEN CSRF token paired with admin UI requests No (must be readable by JS) Lax/None Yes First-party contest domains (holidaylights.amyatx.com, holidaylights.abundancehomemtg.com)
admin_token Admin session (after password+TOTP) Yes None Yes First-party contest domains (holidaylights.amyatx.com, holidaylights.abundancehomemtg.com)

Cookies are cleared on logout (admin) or expire automatically. If your browser blocks third-party cookies, voting may require using the Site and API on the same domain. You can manage cookies in your browser settings, but essential cookies are required to use the Services.

9) Your choices & rights

Everyone

  • Request deletion of your entry or voter record by contacting Amy.Harper@compass.com or nan@abundancehomemtg.com with the email you used; we will verify before acting.
  • Opt out of any optional emails by contacting the Hosts; required operational emails may continue while your entry or account is active.

California (CCPA/CPRA)

  • You may request to know/access, correct, or delete personal information, and to opt out of “sale” or “sharing” (we do neither).
  • We do not use sensitive personal information for inferring characteristics.
  • Submit requests to Amy.Harper@compass.com or nan@abundancehomemtg.com.

EEA/UK (GDPR)

  • You may request access, correction, erasure, restriction, or portability, and object to processing.
  • Lodge a complaint with your local supervisory authority if you believe we mishandled your data.

We will verify your identity before fulfilling rights requests.

10) Security

We apply reasonable administrative, technical, and physical safeguards: encrypted transport (HTTPS), secure cookies, CSRF tokens for admin actions, rate limiting, CAPTCHA, IP-based checks, anomaly monitoring, PBKDF2 hashing for admin credentials, and TOTP for admin login. No system can be 100% secure. Report suspected vulnerabilities to Amy.Harper@compass.com and nan@abundancehomemtg.com.

11) Children’s privacy

The Services are not intended for children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided personal information, contact us and we will delete it. Minors 13–17 should obtain a parent/guardian’s consent before participating.

12) International transfers

We process and store data primarily in the United States. If you access the Services from outside the US, your information may be transferred to, stored, and processed in the US. Where required, we rely on appropriate safeguards for international transfers.

13) Do Not Track

We do not respond to “Do Not Track” signals. You can control cookies via your browser.

14) Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects. Votes and winners may be reviewed/validated by humans and subject to published contest rules.

16) Changes to this policy

We may update this policy from time to time. We will revise the “Last updated” date above and, if changes are material, provide additional notice (e.g., on the Site).

17) Contact

Contest Hosts/Administrators: Amy Johnston Harper & Nan Kirkpatrick
Email: Amy.Harper@compass.com and nan@abundancehomemtg.com
Mailing address: Great Hills neighborhood, Austin, TX 78759 (final mailing address will be posted once confirmed).