Privacy Policy

Last updated: May 29, 2026. This policy describes how Boise Gems Drum & Bugle Corps ("Boise Gems," "we," or "us") handles information when you use boisegems.org, our member and parent portals, and related services, including our mobile app that connects to the same systems.

Who we are

Boise Gems is a youth performing arts organization based in Idaho. Our website supports registration, auditions, events, contracts, payments, and day-to-day corps operations for members, parents, fans, volunteers, and staff.

Information we collect

Depending on how you use the site or app, we may collect:

  • Account details: name, email address, phone number, mailing address, date of birth, section, instrument or role, and account type (member, parent, fan, volunteer, or staff).
  • Login credentials: your password is never stored in plain text. We store only a one-way hash created with bcrypt.
  • Parent and child links: when a parent adds or claims a minor member, we store the relationship so both accounts can access the correct portals and forms.
  • Health and safety information: allergy information and emergency contacts that you choose to provide for yourself or your child.
  • Uniform and program details: shirt size, corps or independent program preferences, and similar member profile fields.
  • Forms and contracts: signed PDFs, electronic signatures, consent acknowledgments, and related metadata (such as the date signed).
  • Payments and donations: amounts owed or paid, transaction history, and Stripe checkout or subscription identifiers. Card numbers and full payment credentials are handled by Stripe, not stored on our servers.
  • Event activity: RSVPs, audition sign-ups, and calendar-related participation.
  • Communications: messages you send through our contact form, support tickets (including optional screenshots), and whistleblower reports (which may be anonymous unless you provide a follow-up email).
  • Technical data: for some form submissions we record IP address and browser user-agent string to support audit and integrity of signed documents. Public forms also use Google reCAPTCHA to reduce spam.
  • Cookies and sessions: a signed login cookie and short-lived session data so you can stay signed in and see flash messages.

How we use your information

We use collected information to:

  • Create and manage accounts for members, parents, fans, volunteers, and staff.
  • Run auditions, contracts, tuition, donations, and event registration.
  • Give authorized parents access to their children's forms, balances, and emergency information.
  • Allow staff and administrators to manage the corps, review signed documents, and respond to support requests.
  • Send transactional email such as welcome messages, password resets, contract links, and payment confirmations through our email provider.
  • Protect the site from abuse using captcha and access controls.

We do not sell your personal information.

How sensitive information is protected

We treat member health information, emergency contacts, signed contracts, and uploaded compliance forms as sensitive. Here is how we help keep that data safe:

  • Password hashing: passwords are hashed with bcrypt before they are saved. We cannot read your original password from our database.
  • Signed authentication tokens: when you log in on the website, we issue a JSON Web Token stored in an httpOnly cookie that is marked secure and sameSite=lax. The mobile app uses the same signing secret with a Bearer token in the Authorization header. Tokens expire after a limited time.
  • Private document storage: sensitive PDFs (such as signed member forms and contracts) are saved outside the public web folder in a private directory that is not served as static files. Only authorized administrators can download those files through protected routes.
  • Role-based access: member, parent, staff, and admin areas require login. Parents see only their linked children. Staff and admin tools are restricted to users with those roles.
  • Payment security: online payments and fan subscriptions are processed by Stripe. We receive confirmation and reference IDs, not your full card number.
  • Server-side validation: forms and API requests are checked on the server before data is written to our database.

No system is perfectly secure, but we design the site so that public visitors cannot browse private uploads, and so that account passwords and payment details are not stored in recoverable form on our servers.

Where data is stored

Account and operational data are stored in a SQLite database on the server that hosts boisegems.org. Uploaded files (public photos, section materials, and private PDFs) are stored on that server as well. Email delivery is handled by Mailgun. Payment processing is handled by Stripe.

Third-party services

We rely on trusted providers for specific functions:

  • Stripe for card payments, checkout, and fan subscriptions.
  • Mailgun for outbound email.
  • Google reCAPTCHA on public forms such as Contact and Whistleblower.

Those services have their own privacy policies. We share only what is needed for them to perform their role (for example, payment amount and customer email with Stripe, or captcha response tokens with Google).

Mobile app

Our mobile app uses the same account database and security model as the website. When you sign in on the app, you receive a Bearer token signed with the same secret as the website cookie. The app can read and update the same profile, allergy, emergency contact, event, and payment-related data that your role allows on the web. Install the app only on devices you trust, and log out on shared devices.

How long we keep information

We retain account and corps records for as long as needed to operate programs, meet legal or contractual obligations, and maintain financial and safety records. Contract extension links expire after a set period. You may contact us to ask about updating or removing information where applicable law allows.

Your choices

  • You can update emergency contacts, allergy information, and many profile fields from your member or parent portal after logging in.
  • You can use the forgot-password flow to reset your password without contacting staff.
  • You can log out at any time to clear your login cookie on that browser.
  • Whistleblower reports can be submitted without providing an email if you wish to remain anonymous.

Children

Many of our members are minors. Parent or guardian accounts are used to manage forms, payments, and safety information for linked children. Minors should register and share information with a parent or guardian involved as appropriate for their family.

Contact us

Questions about this policy or your data can be sent through our Contact page or by email to theboisegems@gmail.com.

For urgent safety concerns, use the Whistleblower form or call 911 if someone is in immediate danger.