Effective Date: April 30, 2026
Last Updated: April 30, 2026
This Privacy Policy ("Policy") describes how Chirp ("we", "us", "our") collects, uses, discloses, and protects information when you or your organization use the Chirp mobile application, the Chirp web registration portal, the Chirp administrative web console, the Chirp API, and any related services (collectively, the "Services").
Chirp is a camp management platform for summer camps, retreats, schools, and similar organizations ("Camp Customers"). The Services support multi-role communication, camper profile management, weather alerting, geofence and staff-location features, photo and document storage, and emergency parent contact via SMS and email.
For most personal information processed through the Services, Chirp acts as a service provider (under California law) and processor (under the EU/UK GDPR) on behalf of the Camp Customer, which is the business / controller. The Camp Customer determines the purposes and means of processing camper, parent, and staff data.
For limited categories — including account-management data, payment metadata, security telemetry, and product-improvement data — Chirp acts as an independent controller / business. This Policy describes Chirp's practices in both roles.
If you are a parent or guardian and want to know what information a Camp has provided to Chirp about your child, please contact the Camp directly. Chirp will assist Camps in responding to such requests as a service provider.
Account and Identity Data (Admins and Counselors)
Camper Profile Data (provided by Camp Admins, Counselors, or Parents during registration)
Parent / Emergency Contact Data
Communications Content
Location Data (only when the Camp has enabled location features and the user has granted permission): real-time GPS latitude, longitude, and accuracy of staff devices; geofence enter/exit events; background location while the app is suspended on iOS and Android, where permitted. Location is collected from staff devices only. Chirp does not track campers via GPS.
Device and Technical Data: device model, operating system and version, app version, language, time zone, push-notification tokens, IP address and approximate network location, crash logs, stack traces, and breadcrumbs (via Sentry).
Authentication and Security Data: session and refresh tokens (stored in the device secure enclave, hashed on the server), login timestamps and originating IP, audit log entries describing security-relevant actions.
We do not use personal information to train generative AI models, and we do not feed messages or camper data into third-party large language model services.
Chirp is designed primarily for use by Camp staff (adults) to manage information about campers, the majority of whom are minors under 18 and many of whom are under 13. Children's privacy is governed by the U.S. Children's Online Privacy Protection Act ("COPPA") and analogous laws.
Chirp implements a layered consent model that combines Camp Customer responsibility with a direct-to-parent confirmation flow.
Camp Customer attestation. Each time a Camp Admin or Counselor adds a camper to Chirp, they must affirm — via a per-camper attestation captured at create time — that the Camp has obtained verifiable parental consent for that camper. The attestation is recorded in an append-only audit log along with the user, timestamp, IP address, and the version of this Privacy Policy and the Terms in effect.
Email-plus parent confirmation. When a parent's email address is provided to Chirp (during admin entry, bulk import, or contact update), Chirp sends a direct notice to that parent describing what is collected, how it is used, and the consequences of refusal. The parent confirms by clicking a single-use, time-limited link, typing the camper's first name, and affirming that they are the parent or legal guardian. Chirp then sends a second confirmation email containing a permanent revocation link. This two-email mechanism is designed to satisfy 16 CFR § 312.5(b)(2)(iv) for internal-use processing.
Feature gating. Until a parent has confirmed via email-plus, Chirp disables the following features for that camper:
Basic profile data (name, date of birth, cabin, allergies, medications, special needs, emergency notes) remains available to the Camp on the strength of the Camp's own consent paperwork and the admin attestation.
Bulk import. Camps importing campers from prior-season records via CSV must complete a single per-import attestation that they have obtained verifiable parental consent for every camper in the file. Per-camper attestation rows are written automatically.
Revocation and expiry. Parents may withdraw consent at any time using the link in their confirmation email or by contacting the Camp. Withdrawn consent disables parent communications immediately and surfaces existing photos and medical files for Camp review. Chirp also automatically expires consent older than 24 months (configurable per Camp) and re-issues a fresh consent email to keep records current.
Camper profiles are administrative records. Camper accounts are not intended for direct use by children under 13. If a Camp grants login access to a teen leader, that access requires a date of birth indicating age 13 or older. The 13+ check is enforced server-side at registration; under-13 logins are rejected.
A parent or legal guardian may request to review, correct, or delete information about their child by contacting the Camp directly. Parents who have received a confirmation email may also withdraw consent at any time via the revocation link in that email. Upon Camp instruction or upon a verifiable direct request, Chirp will assist with deletion within a reasonable time.
Each consent-related event — admin attestation, notice-email send, parent click-through, confirmation-email send, parent revocation, bounce, and automatic expiry — is recorded as an immutable row in the audit table, with the timestamp, IP address, user agent, parent email at the time of the event, and the version of this Privacy Policy and Terms then in effect.
Chirp uses location data only as needed to support staff-location features that Camps have enabled. We collect:
Location data is stored on Chirp's servers, transmitted to Google Maps for map rendering on staff devices, and retained per the Camp's configuration. Staff may disable location sharing at any time from device settings; doing so may disable certain safety features the Camp depends on. Chirp does not track campers via GPS.
Chirp stores camper health information at the direction of the Camp Customer, including allergies, medications, dietary restrictions, and uploaded medical or immunization documents. Chirp is not a healthcare provider, is not a HIPAA Covered Entity, and is not a Business Associate of any healthcare provider unless a separate Business Associate Agreement is signed. Camps and parents should not use Chirp to communicate Protected Health Information beyond what is necessary for camp safety operations.
Health information is stored encrypted at rest in our PostgreSQL database, transmitted over HTTPS/TLS, and kept inside the Camp's tenant. Access is limited to authorized Admins and Counselors of the Camp.
Messages and Voice. Direct messages, group chat, announcements, and walkie-talkie voice messages are stored on Chirp's servers in encrypted form at rest and transmitted over TLS. Messages are not end-to-end encrypted. Authorized Chirp engineering personnel can, in narrow circumstances (e.g., debugging a delivery failure or responding to legal process), access message content. Camps and users should not use Chirp to share information they would not be willing to share with the Camp's administration.
Walkie-Talkie / Audio Recording. Where enabled, the Services record short voice messages from staff devices and transmit them to other staff. By using this feature, you consent to being recorded for the purpose of communicating with your Camp team. Audio messages are retained for the period configured by the Camp (default 48 hours) and then deleted.
Push Notifications. Chirp sends push notifications via the Expo Push service, which routes to Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM). Notifications may include event titles and brief contextual content. You can disable notifications in device settings, though doing so may disable safety alerts.
SMS to Parents/Emergency Contacts. Chirp uses Twilio to deliver emergency SMS to phone numbers a Camp has stored on a camper profile. Before any phone number is used for SMS, the Camp's authorized administrator must affirmatively attest in the Chirp app that the phone owner has consented to receive emergency SMS at that number, and Chirp blocks SMS to any contact lacking that attestation. By providing a phone number to a Camp for emergency-contact purposes, the Parent agrees to receive transactional SMS from the Camp via Chirp. Message frequency varies based on emergencies and may be infrequent. Standard message and data rates may apply. Reply STOP to opt out at any time. Reply HELP for help, or contact hello@chirp.camp. Phone numbers are not shared with any third party for marketing purposes; we share them only with the Twilio SMS-delivery sub-processor strictly to deliver the Camp's emergency messages. See our full SMS disclosure at chirp.camp/sms-consent.
All data submitted to Chirp by or about you is, by default, available to authorized Admins (and, where appropriate, Counselors) of the Camp you are associated with.
We use the following sub-processors to operate the Services. Each is bound by contract to use personal information only to provide services to Chirp.
We may disclose information when we believe in good faith that disclosure is required to comply with a lawful subpoena, court order, or other legal process; to protect the safety of any person; to address fraud, security, or technical issues; or to protect Chirp's rights and property.
If Chirp is involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred as part of that transaction, subject to standard confidentiality and to the receiving party's obligation to honor this Policy or provide equivalent protections.
We do not sell personal information, and we do not "share" personal information as those terms are defined under the California Consumer Privacy Act ("CCPA") as amended by the CPRA. We do not engage in targeted advertising based on personal information collected through the Services.
When the Camp Customer relationship ends, we will, on request and within 60 days, return or delete personal information, except where retention is required by law.
We use industry-standard administrative, technical, and physical safeguards, including:
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify you and the affected Camp Customer in accordance with applicable law.
You have the right to access, correct, or delete your personal information. To exercise these rights, contact the Camp Customer if your data was provided through a Camp, or contact Chirp at hello@chirp.camp for data Chirp controls directly. We may need to verify your identity before fulfilling a request.
You may request deletion of your Chirp account at any time:
Upon a verified request, we will delete or anonymize personal information associated with the account within 30 days, except where retention is required by law (e.g., financial records) or to resolve safety or fraud incidents.
California residents have rights to: (a) know what personal information we collect, use, disclose, and (where applicable) sell or share; (b) delete personal information; (c) correct inaccurate personal information; (d) opt out of sale or sharing of personal information (we do neither); (e) limit the use and disclosure of sensitive personal information; and (f) non-discrimination for exercising these rights. To exercise rights, contact hello@chirp.camp. We do not knowingly sell or share the personal information of consumers under 16.
If you are in the EU, UK, or EEA, your legal bases for processing are: performance of a contract (to deliver the Services to you and your Camp), legitimate interests (to operate, secure, and improve the Services), consent (for optional features such as background location and push notifications), and compliance with legal obligations (for tax, accounting, and safety records). You have the right to access, rectification, erasure, restriction, portability, and objection. You may lodge a complaint with your local supervisory authority.
Residents of states with comprehensive consumer privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Indiana, Tennessee, and others) have similar rights. We honor those rights through the same channels described above.
Some browsers transmit a "Do Not Track" signal. Because there is no industry consensus on how to interpret these signals, we do not currently respond to them.
Chirp is operated from the United States, and the Services are hosted in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States. Where required, we use Standard Contractual Clauses or other approved mechanisms to lawfully transfer EU/UK personal data.
The Chirp web registration portal and admin console use cookies and local storage strictly for authentication, security, and core site functionality. We do not use third-party advertising or analytics cookies. Disabling cookies will prevent you from logging in.
The Services may contain links to third-party websites or services we do not control. This Policy does not apply to those third parties, and we are not responsible for their practices.
For the Apple App Store privacy nutrition label and the Google Play Data Safety form, we declare:
We may update this Policy from time to time. If we make material changes, we will notify you by email (to the address on file for Camp Admins) or by an in-app notice at least 30 days before the change takes effect. The "Last Updated" date at the top of this Policy identifies the most recent revision.
If you have questions about this Privacy Policy or our data practices, contact us at:
Chirp
Email: hello@chirp.camp
Website: chirp.camp
If you are a parent or guardian and want to know what information your child's Camp has provided to Chirp, please first contact the Camp; Chirp will assist as a service provider.