Privacy Policy

1. Scope and Acceptance

This Privacy Policy applies to personal information collected by the Foundation through (a) our website at globalopportunityfoundation.org and any successor or affiliated domains; (b) program applications, donation forms, newsletters, surveys, and other digital and offline interactions; (c) communications you have with us via email, telephone, postal mail, or otherwise; and (d) participation in our programs, events, and initiatives. By using our services or providing information to us, you acknowledge that you have read and understood this Privacy Policy.

This Privacy Policy does not apply to information that does not identify you and that cannot reasonably be linked to you (such as fully anonymized statistical data).

2. Data Controller

For purposes of the European Union General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the United Kingdom Data Protection Act 2018 and UK GDPR, the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais, "LGPD"), the Personal Information Protection and Electronic Documents Act of Canada ("PIPEDA"), and analogous laws of other jurisdictions, the data controller responsible for your personal information is:

3. Categories of Personal Information We Collect

We collect the following categories of personal information, as those categories are defined under applicable law:

3.1 Identifiers

Name, postal address, email address, telephone number, date of birth, government identification numbers where required for tax reporting, account credentials, and other similar identifiers.

3.2 Financial Information

Payment card information (processed by third-party payment processors and not stored on our systems in unencrypted form), bank account information for ACH transfers, donation history, and tax-related information.

3.3 Application and Eligibility Information

Educational background, employment history, business plans and ideas, financial circumstances, household composition, and other information you voluntarily provide in connection with applications to our programs, scholarships, or grants.

3.4 Demographic Information

When voluntarily provided, information about race, ethnicity, gender, gender identity, sexual orientation, veteran status, disability status, immigration status, marital status, and similar characteristics. This information is collected only with your consent for purposes of evaluating equity and inclusion in our programs.

3.5 Special Categories (Sensitive Personal Information)

Under the GDPR, the categories described in Section 3.4 above and information about health, religious beliefs, political opinions, trade union membership, biometric data, and genetic data are classified as "special categories" of personal data. Under the CCPA/CPRA, similar categories (along with precise geolocation, contents of mail or messages, and certain other categories) are classified as "sensitive personal information." We collect this information only when (a) you have provided explicit consent, (b) it is necessary to comply with applicable law, or (c) it is necessary to protect your or another person's vital interests.

3.6 Internet and Electronic Activity

Internet Protocol (IP) address, device identifiers, browser type and version, operating system, language preferences, referring URLs, pages visited, links clicked, time spent on pages, search terms, and other information collected through cookies and similar tracking technologies. See our Cookie Policy for details.

3.7 Communications

Emails, letters, telephone conversations, social media interactions, and other communications between you and the Foundation. We may record customer service calls for quality and training purposes where permitted by law.

3.8 Audio, Visual, and Similar Information

Photographs, video recordings, and audio recordings of program participants, mentors, event attendees, and others, where you have provided consent or where such recording is conducted in public settings with appropriate notice.

3.9 Mentor, Volunteer, and Background Check Information

For individuals applying to serve as mentors, volunteers, or in certain other capacities, we may collect background information including criminal history check results, professional references, employment verification, and similar information, subject to applicable law and your written authorization.

4. Sources of Personal Information

We obtain personal information from the following sources:

• Directly from you when you submit forms, donate, apply to programs, register for events, communicate with us, or otherwise interact with the Foundation.
• Automatically when you visit our website or use our digital services, through cookies, web beacons, server logs, and similar technologies.
• From third-party service providers that we engage to perform services on our behalf, including payment processors, email service providers, customer relationship management systems, analytics providers, background check vendors, and identity verification services.
• From program partners and referring organizations when they refer applicants or participants to our programs.
• From publicly available sources, including government registries, professional licensing boards, news media, and social media profiles you have made public.
• From compliance screening databases, including U.S. Treasury Department Office of Foreign Assets Control (OFAC) sanctions lists, anti-money laundering databases, and similar sources required for our regulatory compliance.

5. How We Use Personal Information

We use personal information for the following purposes:

• Administering programs: reviewing applications, selecting participants, communicating with applicants, delivering program content, evaluating outcomes, and improving programs.
• Processing donations: accepting and processing one-time and recurring donations, providing tax acknowledgments, managing donor records, and stewarding donor relationships.
• Communications: sending you newsletters, program updates, event invitations, fundraising appeals, and other communications you have not opted out of.
• Research, evaluation, and reporting: measuring program effectiveness, evaluating equity in our programs, preparing aggregated reports for funders and the public, and improving our work.
• Legal compliance: complying with tax reporting requirements (including Form 990 disclosures), charitable solicitation laws, anti-money laundering and counter-terrorism financing requirements, OFAC sanctions screening, and other applicable legal obligations.
• Safety and security: protecting the safety of program participants, mentors, employees, and others; preventing fraud; investigating misconduct; and enforcing our policies.
• Service improvement: understanding how visitors use our website, identifying problems, and improving user experience.
• Mentor and volunteer screening: verifying credentials and conducting background checks where applicable.

6. Legal Bases for Processing (GDPR and Similar Regimes)

If you are in the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with similar requirements, we rely on the following legal bases under Article 6 of the GDPR (and analogous provisions of similar laws) to process your personal information:

For processing based on legitimate interests, you have the right to object under Section 12 of this Policy. For processing based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing performed before withdrawal.

7. How We Share Personal Information

We do not sell personal information. We disclose personal information in the following circumstances:

7.1 Service Providers

We share personal information with third-party service providers that perform services on our behalf, including:

• Payment processors (e.g., Stripe, payment-processor-of-record)
• Email and marketing platforms (e.g., Mailchimp, ConvertKit, or similar)
• Customer relationship management systems (e.g., Salesforce Nonprofit Cloud, HubSpot, or similar)
• Cloud hosting and storage providers (e.g., Amazon Web Services, Google Cloud Platform, Microsoft Azure)
• Analytics providers (e.g., Google Analytics, Plausible Analytics, or similar)
• Background check vendors for mentor and volunteer screening
• Professional advisors (legal, accounting, audit, tax)
• Document management and electronic signature platforms
• Anti-fraud and identity verification services

Each service provider is contractually required to maintain the confidentiality and security of personal information and to use the information only for the purposes for which we engage them.

7.2 Program Partners

When necessary to deliver services to you, we may share information with program partner organizations, mentors, or instructors. We do so only with your knowledge, after appropriate notice, and consistent with the purposes for which you provided the information.

7.3 Government and Legal Authorities

We disclose information when required by law, including tax reporting (Form 990 disclosures of certain donor information for Schedule B), responses to lawful subpoenas or court orders, regulatory examinations, and compliance with anti-money laundering and counter-terrorism financing requirements.

7.4 Corporate Transactions

If the Foundation enters into a merger, consolidation, dissolution, or transfer of substantially all assets, personal information may be transferred as part of that transaction, subject to confidentiality protections and continuing compliance with this Privacy Policy.

7.5 With Your Consent

We may share personal information for any other purpose with your express consent.

7.6 Aggregated and De-Identified Information

We may share aggregated or de-identified information (information that cannot reasonably be used to identify you) for any purpose, including research, evaluation, and public reporting.

7.7 Donor Information

We do not exchange, rent, or sell donor information with other charitable organizations. We may publicly acknowledge donors who have not requested anonymity, in annual reports, donor walls, and similar communications.

8. International Data Transfers

The Foundation is headquartered in the United States. Personal information we collect may be transferred to, stored in, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from those of your country of residence.

8.1 Transfers from the European Economic Area, United Kingdom, and Switzerland

When we transfer personal information from the European Economic Area, United Kingdom, or Switzerland to the United States or other countries that have not been deemed by the European Commission to provide adequate protection, we rely on the following safeguards:

• Standard Contractual Clauses approved by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum, where required.
• Supplementary measures, including technical safeguards (encryption, pseudonymization), organizational measures (access controls, training), and contractual commitments designed to ensure an essentially equivalent level of protection.
• Adequacy decisions of the European Commission, where applicable.
• Derogations for specific situations set forth in Article 49 of the GDPR, including your explicit consent, where applicable.

You may request a copy of the safeguards we have implemented for international transfers by contacting privacy@globalopportunityfoundation.org.

9. Data Retention

We retain personal information for the period necessary to fulfill the purposes for which it was collected, including any legal, accounting, audit, regulatory, or reporting requirements. Retention periods vary by category of information and are governed by our Document Retention and Destruction Policy. Representative retention periods include:

When personal information is no longer needed, we securely delete or anonymize it in accordance with our Document Retention and Destruction Policy.

10. Information Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include:

• Encryption of personal information in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
• Multi-factor authentication for access to systems containing personal information
• Role-based access controls limiting access to those with a legitimate need
• Annual security awareness training for all personnel with access to personal information
• Periodic vulnerability assessments and penetration testing
• Vendor due diligence and contractual data-protection commitments
• Incident response procedures and breach notification protocols

No security measure is impenetrable, and we cannot guarantee absolute security. If you have reason to believe your information has been compromised, contact us immediately at privacy@globalopportunityfoundation.org.

10.1 Breach Notification

In the event of a security incident involving unauthorized access to your personal information, we will notify you and applicable regulators as required by law. Under the GDPR, we will notify supervisory authorities within 72 hours where feasible and notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Under the CCPA/CPRA and applicable U.S. state breach notification laws, we will notify affected California residents and applicable state attorneys general as required.

11. Your General Privacy Rights

Subject to applicable law and verification of your identity, you have the following rights with respect to personal information we hold about you:

• Right to access: Request confirmation of whether we process your personal information and, if so, a copy of the information and information about how we process it.
• Right to correction: Request correction of inaccurate or incomplete personal information.
• Right to deletion: Request deletion of your personal information, subject to certain exceptions (such as records we are legally required to retain).
• Right to restriction: Request that we limit our processing of your personal information in certain circumstances.
• Right to data portability: Receive your personal information in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to object: Object to processing based on our legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of processing before withdrawal.
• Right to opt out of marketing: Unsubscribe from email marketing communications at any time by clicking the "unsubscribe" link in any marketing email or by contacting privacy@globalopportunityfoundation.org.

To exercise these rights, see Section 21 (Contact) below. We will respond within thirty (30) days, except where applicable law permits a longer period.

12. Additional Rights for Individuals in the European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the rights described in Section 11 above as well as the following additional rights under the GDPR or UK GDPR:

12.1 Right to Object to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you, except where the decision is necessary for performance of a contract, authorized by law, or based on your explicit consent. The Foundation does not currently engage in solely automated decision-making with legal or similarly significant effects.

12.2 Right to Lodge a Complaint with a Supervisory Authority

You have the right to lodge a complaint with the supervisory authority in your member state of residence, place of work, or where the alleged infringement occurred. A list of EU data protection authorities is available at edpb.europa.eu. UK residents may lodge complaints with the Information Commissioner's Office at ico.org.uk.

12.3 Right to Information About Source

Where we obtain personal information about you from sources other than directly from you, you have the right to information about the source of that data.

12.4 Compelled Disclosure

Where we are legally compelled to disclose your personal information to a public authority, we will, where permitted by law and reasonably possible, notify you of the request and challenge any request that is overly broad or unlawful.

13. Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"):

13.1 Right to Know

You have the right to request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the information was collected; (c) the business or commercial purpose for collecting or selling the information; (d) the categories of third parties with whom we share the information; and (e) the specific pieces of personal information we have collected about you.

13.2 Right to Delete

You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction, comply with legal obligations, or detect security incidents).

13.3 Right to Correct

You have the right to request that we correct inaccurate personal information we maintain about you.

13.4 Right to Opt Out of Sale or Sharing

The Foundation does not sell personal information or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. If our practices change, we will update this Privacy Policy and provide the required opt-out mechanism.

13.5 Right to Limit Use of Sensitive Personal Information

You have the right to direct us to limit the use of your "sensitive personal information" (as defined under CCPA/CPRA) to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer. We currently use sensitive personal information only as necessary to perform our charitable activities and as otherwise permitted under the CCPA/CPRA.

13.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying goods or services, charging different prices, or providing different quality of goods or services.

13.7 Authorized Agents

You may designate an authorized agent to make a CCPA/CPRA request on your behalf. The agent must provide proof of authorization, and we may require you to verify your identity directly with us before processing the request.

13.8 California "Shine the Light" Law

California Civil Code Section 1798.83 entitles California residents to request information concerning whether a business has disclosed personal information to any third parties for the third parties' direct marketing purposes. The Foundation does not disclose personal information to third parties for their direct marketing purposes.

14. Additional Rights for Residents of Other U.S. States

Residents of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, Iowa, Montana, Tennessee, New Hampshire, New Jersey, Indiana, Kentucky, Minnesota, Maryland, Nebraska, Rhode Island, and other states with comprehensive privacy laws have rights substantially similar to those described in Sections 11 and 13 above, including the right to access, correct, delete, and obtain a copy of their personal information, and the right to opt out of certain processing. To exercise these rights, contact privacy@globalopportunityfoundation.org. We will verify your identity and respond within the timeframe required by your state's law.

15. Additional Rights for Brazil Residents (LGPD)

If you are located in Brazil, you have the following rights under the Lei Geral de Proteção de Dados Pessoais (LGPD, Federal Law 13,709/2018):

• Confirmation of the existence of processing
• Access to your data
• Correction of incomplete, inaccurate, or out-of-date data
• Anonymization, blocking, or deletion of unnecessary or excessive data, or data processed in non-compliance with the LGPD
• Portability of data to another service provider or product
• Deletion of personal data processed with your consent
• Information about public and private entities with which we have shared data
• Information about the possibility of denying consent and the consequences of denial
• Revocation of consent

To exercise these rights or lodge a complaint with the Brazilian National Data Protection Authority (Autoridade Nacional de Proteção de Dados, ANPD), contact privacy@globalopportunityfoundation.org or visit gov.br/anpd.

16. Additional Rights for Canada Residents (PIPEDA and Provincial Laws)

If you are located in Canada, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Quebec Act respecting the protection of personal information in the private sector (Law 25), the Alberta Personal Information Protection Act, the British Columbia Personal Information Protection Act, and applicable provincial laws, including the right to access and correct your personal information and to withdraw consent. Quebec residents have additional rights regarding automated decision-making and data portability under Law 25. To exercise these rights or lodge a complaint with the Office of the Privacy Commissioner of Canada, contact privacy@globalopportunityfoundation.org or visit priv.gc.ca.

17. Children's Privacy (COPPA and Similar Laws)

Our website and services are generally not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen without verifiable parental consent. If you believe we have collected personal information from a child under thirteen without parental consent, please contact us immediately at privacy@globalopportunityfoundation.org and we will take steps to delete the information.

For our youth-focused programs (such as the Youth Leadership Academy), we require parental or guardian consent before collecting personal information from participants under eighteen (18) and we limit the information we collect to that necessary for program administration.

17.1 GDPR Children's Provisions

Under the GDPR, where we process personal information of children under sixteen (16) (or such lower age as may apply in a particular EU member state, with a minimum of thirteen) based on consent, we require verifiable parental authorization.

18. Do Not Track and Global Privacy Control

Some web browsers transmit "Do Not Track" signals or "Global Privacy Control" signals indicating that the user does not wish to be tracked. There is no universal standard for responding to such signals. We honor Global Privacy Control (GPC) signals as opt-out preference signals under the CCPA/CPRA and applicable state laws. We do not engage in cross-context behavioral advertising or sell personal information.

19. Third-Party Websites and Services

Our website may contain links to third-party websites and services, including social media platforms, payment processors, and partner organizations. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party services you use.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For material changes, we will provide notice through additional means (such as email to active subscribers and program participants, or a prominent notice on our website). Your continued use of our services after the effective date of any change constitutes your acceptance of the updated Policy.

21. Contact and Complaints

We respond to verifiable requests within thirty (30) days. For EEA/UK residents, you also have the right to lodge a complaint with your local supervisory authority. For California residents, you may contact the California Attorney General's Office at oag.ca.gov.