Privacy Policy

Sophia Propria LLC — Effective May 2026

1. About Vincerio

Vincerio is a member experience intelligence platform developed and operated by Sophia Propria LLC, a California limited liability company. Vincerio is designed for membership-based nonprofit organizations and provides graph-based member journey analysis, engagement intelligence, and campaign suggestions by connecting to organizations' existing member management systems.

Vincerio is built on the principle that healthy member organizations are built on genuine human relationships, not transactions. The platform helps organizations understand where each member is in their journey — and meet them there thoughtfully. Giving is one expression of a healthy membership relationship, but so is participation, mentorship, advocacy, and belonging. Vincerio is designed to serve the whole relationship, not just the moment of a financial ask.

Four principles guide every design decision in the platform and every data practice described in this policy:

  • Relationship before revenue. Every member is a person first. Giving is a natural expression of connection — never its purpose.
  • Personalized journey recognition. Each member travels a unique path. Engagement must recognize and respond to life stage, career development, and the evolving nature of each member's connection to their organization.
  • Value exchange, not extraction. Every engagement should offer genuine value. Members must experience their organization as an investment in shared values — not as an obligation engine.
  • Multi-generational community. The bonds formed through shared experience do not expire. Vincerio is designed to support connections across generations and life chapters.

This Privacy Policy describes how Sophia Propria LLC collects, uses, stores, and protects data in connection with the Vincerio platform. It applies to all client organizations that access Vincerio and to the member data those organizations authorize Vincerio to process.

If you are a member of an organization that uses Vincerio, please also review the member privacy notice provided by your organization. Vincerio processes your data on behalf of your organization, which is the data controller.

2. Data we process

2.1 Organizational client data

When an organization connects Vincerio to its member management system, we process the following categories of member data on the organization's behalf:

  • Member contact records, including name, membership status, and profile fields relevant to member journey analysis;
  • Participation and contribution history, including amounts, dates, and activity types;
  • Event registration and attendance records;
  • Email engagement metrics such as open rates and click activity, where available through the connected platform's API.

2.2 Data we do not collect

Vincerio does not collect or process the following:

  • Social Security numbers, government identification numbers, or financial account credentials;
  • Health or medical information;
  • Data from minors under the age of 13;
  • Any data not expressly authorized by the client organization's API access grant.

2.3 Platform operational data

We collect limited operational data to run and improve the platform, including authentication logs, API request logs, error reports, and infrastructure metrics. This data does not include member records and is retained for a maximum of ninety (90) days.

3. How we use data

We use member data exclusively for the following purposes:

  • Generating member journey analysis, engagement segmentation, and experience intelligence reports that help client organizations understand where each member is in their relationship with the organization;
  • Identifying member engagement patterns, life stage classifications, relationship health signals, and funding base distribution for the client organization;
  • Producing AI-assisted engagement and campaign suggestions — including event outreach, mentorship connections, and giving appeals — for review and approval by the client organization's authorized personnel;
  • Maintaining and improving the accuracy of the Vincerio platform's analytical models.

We do not use member data for advertising, profiling outside the scope of the services described above, or any purpose not authorized in writing by the client organization.

4. Tenant isolation and data separation

Each client organization's data is stored in a dedicated, isolated environment within our infrastructure. One organization's data cannot be accessed by, compared to, or used to inform services for any other organization. This isolation is enforced at the infrastructure level and is not merely a policy control.

Sophia Propria LLC personnel have no default access to any client organization's data outside of scheduled automated pipeline operations. Access to client data by Sophia Propria LLC is restricted to documented support scenarios with explicit written authorization from the client organization.

5. Data retention

We retain client organization data for the duration of the active service relationship. Upon termination of services, we will permanently delete all data associated with the organization within thirty (30) days and provide written confirmation upon request.

Platform operational logs are retained for ninety (90) days and then deleted automatically.

6. Access controls and support

Sophia Propria LLC maintains a zero-standing-access policy for client data during the operational phase of service. Our personnel do not have routine access to client organization data.

In the event that a support issue requires access to client data, the following controls apply:

  • A written support request must be submitted by the client organization identifying the specific issue;
  • Sophia Propria LLC will request explicit written authorization from an authorized officer of the client organization before accessing any data;
  • Access is time-bounded and expires automatically within 48 hours or upon resolution of the issue;
  • All support access events are logged with timestamp, personnel identity, scope of access, and resolution notes;
  • Support access logs are available to the client organization upon request.

7. Security

We implement and maintain the following security measures:

  • Encryption of data at rest using AWS Key Management Service (KMS);
  • Encryption of data in transit using TLS 1.2 or higher, enforced at the Cloudflare network perimeter;
  • Infrastructure managed through Infrastructure as Code (Terraform) with policy-as-code scanning on every deployment;
  • AWS CloudTrail audit logging of all infrastructure-level actions;
  • API credentials and secrets stored exclusively in AWS Secrets Manager with automatic rotation;
  • Least-privilege access controls enforced through AWS IAM policies.

In the event of a data breach affecting client organization data, we will notify the affected client organization within 72 hours of becoming aware of the breach, consistent with applicable law.

8. Third-party services

Vincerio integrates with third-party member management platforms including Wild Apricot, DonorPerfect, Little Green Light, and others. Data accessed through these integrations is governed by the authorization granted by the client organization and by the third party's own terms and privacy policies.

Vincerio uses the following infrastructure and AI service providers:

  • Amazon Web Services (AWS) for cloud infrastructure and data storage;
  • Cloudflare for network security and API routing;
  • Anthropic (Claude API) for AI-assisted engagement suggestion generation.

Data shared with Anthropic for AI processing is used only to generate engagement suggestions and is not retained by Anthropic for model training under the API terms of service.

9. Rights of member individuals

If you are an individual whose data is processed by Vincerio through your organization's use of the platform, your data rights are primarily governed by your relationship with that organization. Your organization is the data controller and is responsible for responding to individual data rights requests.

If you believe your data is being processed in a manner inconsistent with this policy, you may contact us directly at privacy@sophiapropria.com. We will work with the relevant client organization to address your concern within thirty (30) days.

10. California privacy rights

California residents may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Because Vincerio processes data on behalf of client organizations rather than directly from individuals, most CCPA obligations rest with the client organization as the business. Sophia Propria LLC is committed to cooperating with client organizations in fulfilling their obligations under California privacy law.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated to client organizations in writing at least thirty (30) days before taking effect. Continued use of Vincerio after the effective date of a revised policy constitutes acceptance of the updated terms.

12. Contact

Questions, concerns, or requests related to this Privacy Policy may be directed to:

Sophia Propria LLC
Attn: Privacy
California, United States
privacy@sophiapropria.com