Privacy Policy Overview
Last updated October 18, 2025
Introduction
Our Privacy Policy covers types of information Rebel Idealist, Inc., dba Donorbox ("we," "our," or "us") may collect from you or that you may provide when you visit https://donorbox.org (our "Website") and our practices for collecting, using, maintaining, protecting, and disclosing that information.
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using our Website, you agree to our Privacy Policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of our Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.
Children Under the Age of 14
Our Website is not intended for children under 14 years of age. No one under age 14 may provide any information to or on the Website. We do not knowingly collect personal information from children under 14. If you are under 14, do not use or provide any information on our Website or through any of its features or provide any information about yourself to us, including your name, address, telephone number, email address, or any other information by which you might be identified. If we learn we have collected or received personal information from a child under 14 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 14, please contact us at support@donorbox.org.
Information We Collect and Why
Information We Collect
We collect and use different types of information from and about you including:
- Information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual ("Personal Information").
- Non-personal information that does not directly or indirectly reveal your identity or directly relate to an identified individual, such as demographic information, statistics, or aggregated information. Statistical or aggregated data does not directly identify a specific person, but we may derive non-personal statistical or aggregated data from personal data. For example, we may aggregate personal data to calculate the percentage of users accessing a specific Website feature.
- Technical information, including the Internet protocol ("IP") address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, or operating system and platform. In some jurisdictions, an IP address is considered Personal Information.
- Non-personal details about your Website interactions, including the full Uniform Resource Locators ("URLs"), clickstream information to, through, and from our Website (including date and time), products viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), or methods used to browse away from the page.
How We Collect Your Personal Information
Direct Collection of Personal Information
The information we collect on or through our Website or directly from you through other means may include:
- Information that you provide by filling in forms on our Website.
- Records and copies of your correspondence (including email address) if you contact us.
- Your search queries on the Website.
- Information submitted when you report a problem with our Website.
- Information submitted when you request further services.
- Your responses to surveys that we might ask you to complete.
- Information used to create your user account.
- Information used to subscribe to one or more of our services.
- Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
- Information collected through any chat feature on our Website, which may include chat transcripts and any information you choose to provide during the chat session.
- Information provided while using any other interactive features of our Website.
You also may provide information to be published or displayed (hereinafter, "posted") on public areas of the Website, or transmitted to other users of the Website or third parties (collectively, "User Contributions"). Your User Contributions are posted on and transmitted to others at your own risk. Although we may limit access to certain pages, or may permit you to set certain privacy settings for such information, please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Website with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons.
Automated Technologies or Interactions
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:
- Details of your visits to our Website, including traffic data, logs, location data, other communication data and the resources that you access and use on the Website.
- Information about your computer and internet connection, including your IP address, operating system, and browser type.
The information we collect automatically may include Personal Information, or we may maintain it or associate it with Personal Information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:
- Store information about your preferences, allowing us to customize our Website according to your individual interests.
- Recognize you when you return to our Website.
- Speed up your searches.
- Estimate our audience size and usage patterns.
We may use the following automatic data collection technologies on the Website:
- Cookies. We may collect information automatically using cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website. For further information, visit https://allaboutcookies.org.
- Tracking Pixels and Web Beacons. Pages of our Website and our emails may contain small electronic files known as tracking pixels or web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
- Session Recording Software. We use session recording software from Hotjar to record certain behaviors of visitors to our Website. This software generates certain anonymous information about visitors' use of the Website such as pages visited, the visitor's mouse movements and clicks, keystroke data, HTML data on a page visited by a visitor if such HTML data includes Personal Information (collectively, "Traffic Data"). We use Traffic Data to further our legitimate business interests in analyzing the effectiveness of the Website and to improve the look, function and content of the Website.
From Third Parties or Publicly Available Sources
We may receive information about you from third parties including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, data brokers, or aggregators.
Third Party Use of Cookies and Other Tracking Technologies
Some content or applications, including advertisements, on the Website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons, location, or other tracking technologies to collect information about you when you use our website. The information they collect may be associated with your Personal Information or they may collect information, including Personal Information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.
We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the provider responsible for that advertisement or other targeted content directly.
Purpose for Collection and Use of Your Personal Information
We use information that we collect about you or that you provide to us, including any Personal Information:
- To present our Website and its contents to you.
- To provide you with information, products, or services that you request from us.
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that Personal Information to respond to your inquiry. If you provide your Personal Information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save your information to facilitate new product orders or process returns.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
- In order to process any orders for products or services, we may send your data to, and also use the resulting information from, credit reporting agencies to prevent fraudulent purchases.
- To fulfill any other purpose for which you provide it.
- To notify you about changes to our Website or any products or services we offer or provide through it.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our Website users or consumers is among the assets transferred.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting your Personal Information.
- To allow you to participate in interactive features on our Website.
- For any other purpose with your consent.
We may also use your information to contact you about our goods and services that may be of interest to you. If you have agreed to receive marketing, you may always opt out at a later date. If you no longer wish to be contacted for marketing purposes, please contact us at support@donorbox.org.
Personal Information Collected During Prior Twelve Months
The chart below specifies whether we have collected any Personal Information from individuals for each category during the twelve months prior to the date listed at the top of this policy. For each category of Personal Information collected, the chart also specifies the purpose of its collection. Not all types of Personal Information may be collected or received for every individual.
Legal Basis of Processing
For the legal basis of collection/processing, the designations for each category have the following meanings:
- With consent: The data subject has given consent for us to process this type of Personal Information for one or more specific purposes in accordance with Article 6, Section 1(a) of the GDPR.
- Necessary for performance: Processing this type of Personal Information is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract in accordance with Article 6, Section 1(b) of the GDPR.
- Legal obligation: Processing this type of Personal Information is necessary for compliance with a legal obligation we must comply with in accordance with Article 6, Section 1(c) of the GDPR.
- Vital personal interests: Processing this type of Personal Information is necessary in order to protect the vital interests of the data subject or of another natural person in accordance with Article 6, Section 1(d) of the GDPR.
- Public interest or official authority: Processing this type of Personal Information is necessary for the performance of a task carried out in the public interest or in the exercise of our official authority in accordance with Article 6, Section 1(e) of the GDPR.
- Other legitimate interest: Processing this type of Personal Information is necessary for our other legitimate interests or the other legitimate interests of a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child in accordance with Article 6, Section 1(f) of the GDPR.
| Personal Information Category | Collection and Purpose (Legal Basis) |
|---|---|
| Information that Directly or Indirectly Identifies an Individual | |
| Information Related to Protected Classifications Under US State or Federal Law | We do not collect information related to protected classifications under US state or federal law |
| Commercial Information | We collect an individual's records of donations and event tickets purchased in order to facilitate reporting on donor history for our review and for review by our donors. (With Consent) We collect credit card, debit card, or bank account information directly from the individual, using payment processing platforms to facilitate donation transactions. We currently use payment platforms offered by Stripe, PayPal, Plaid, and Giving Block (Necessary for Performance) |
| Biometric Information | We do not collect biometric information |
| Internet or Other Electronic Network Activity Information | We collect an individual's interaction with our application to perform product analytics. (With Consent) We collect an individual's interaction with our website to perform product analytics, to broadcast news to logged-on users, to provide fraud protection to us and our users, for customer support, for payment processing, for ad tracking purposes, for copy editing purposes, for affiliate tracking, for artificial intelligence-powered analysis, and for purposes of address autofill. (With Consent) |
| Geolocation Data | We collect an individual's general location (but not their precise location, which generally is defined as location information accurate within a radius of 1,850 feet) directly from the individual, with their informed consent, to allow our clients to contact their supporters. (Necessary for Performance) |
| Sensory Data | We do not collect sensory data, such as audio data, electronic data, visual data, thermal data, or olfactory data |
| Professional Or Employment-Related Information | We collect an individual's current employment and employment status directly from the user, with their informed consent, because political campaigns require us by law to collect this information. (Legal Obligation) |
| Education Information *Information That Is Not Publicly Available Personally Identifiable Information As Defined In The Family Educational Rights And Privacy Act (20 U.S.C. Sec. 1232g; 34 C.F.R. Part 99)* | We do not collect education information |
Who We Share Your Personal Information With
We may share your Personal Information by disclosing it to a third party for a business purpose. We do not sell your Personal Information to third parties.
We may also share your Personal Information:
- To fulfill the purpose for which you provide it.
- For any other purpose disclosed by us when you provide the information.
- With your consent.
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our Website users or consumers is among the assets transferred.
- To enforce or apply our terms of use found at https://donorbox.org/terms and other agreements, including for billing and collection purposes.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Rebel Idealist, Inc., dba Donorbox, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction.
We may share non-personal information without restriction.
Personal Information Shared During Prior Twelve Months
The chart below specifies our disclosures (if any) of each Personal Information category to third parties for a business purpose during the twelve months prior to the date listed at the top of this policy. We do not include information regarding sales of Personal Information to third parties because we do not sell Personal Information to third parties.
| Personal Information Category | Disclosure To |
|---|---|
| Identifiers | • Service providers |
| Protected Classifications | • N/A |
| Commercial Information | • Service providers |
| Biometric Information | • N/A |
| Internet or Other Electronic Network Activity | • Service providers • Data analytics providers • Internet cookie information recipients, like Google |
| Geolocation Data | • Service providers |
| Sensory Information | • N/A |
| Professional or Employment-Related Information | • NONE |
| Education Information | • N/A |
Restrictions on Future Collection and Use
We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
SMS Messaging
If you provide us with a phone number capable of receiving SMS messages, we will send you SMS messages only with your consent. We will only utilize an automatic telephone dialing system ("ATDS") as defined in the Telephone Consumer Protection Act ("TCPA") with your express prior written consent, as provided in TCPA. We securely store your phone information and will not share your SMS consent, or any third party.
Contents of Email and Other Messages
Users of our Website can send and receive email and other messages. We use certain technologies that utilize artificial intelligence to summarize these emails and other messages. As part of this processing, these artificial intelligence technologies will access the contents of messages and emails to generate suggested email replies. In addition, certain employees from our support team can access the content of these emails and messages for the purpose of evaluating the replies generated by the artificial intelligence technologies.
Your Personal Information Rights
Your Personal Information Use Choices
We strive to provide you with choices regarding the Personal Information you provide to us. We have created mechanisms to provide you with the following control over your information:
- Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of this Website may then be inaccessible or not function properly.
- Promotional Offers. If you do not wish to have your contact information used to promote our products or services, you can opt-out by sending us an email stating your request to support@donorbox.org. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to us as a result of a registration, account management, services provided or other transactions.
We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website at https://optout.networkadvertising.org/?c=1.
Accessing and Correcting Your Personal Information
You can access, review, and change your Personal Information by logging into the Website and visiting your account profile page. You may also send us an email at support@donorbox.org to request access to, correct, or delete Personal Information that you have provided to us. We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the Personal Information that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the Personal Information that we hold about you, or we may have destroyed, erased, or made your Personal Information anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your Personal Information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.
If you delete your User Contributions from the Website, copies of your User Contributions may remain viewable in cached and archived pages or because other Website users may have copied or stored them. Our terms of use located at https://donorbox.org/terms govern proper access and use of information provided on the Website, including User Contributions.
Residents of Canada
Residents of Canada have the following additional rights described in this section. This section is intended to comply with the requirements of the Personal Information Protection and Electronic Documents Act (S.C. 2000, c.5) (PIPEDA).
Personal Information
Privacy laws in Canada generally define "personal information" as any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person. Personal information does not include business contact information, including your name, title, or business contact information.
For residents of Canada, Personal Information includes their social insurance number. However, we do not collect social insurance numbers.
Privacy laws in Canada also specify that IP addresses are considered Personal Information. Please see Personal Information Collected During Prior Twelve Months to see if we have collected IP addresses during the prior twelve months and Personal Information Shared During Prior Twelve Months to see whether, and with whom, we have shared IP addresses collected during the prior twelve months.
Personal Information Collection
We only collect Personal Information from you with your consent, with the following exceptions:
- The collection is clearly in an individual's interests and the organization cannot obtain consent in a timely way.
- The collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province, and collection with consent would compromise the availability or the accuracy of the information.
- The information is publicly available and specified by the Regulations Specifying Publicly Available Information, SOR/2001-7 (13 December, 2000) (Regulations).
- The collection is to make a disclosure required by law.
We will not collect more Personal Information from you than is necessary to fulfill the purposes identified for its collection.
Please see Personal Information Collected During Prior Twelve Months to see the information we have collected during the prior twelve months.
Personal Information Use and Sharing
We only use Personal Information with your knowledge and consent, with the following exceptions:
- The collection is clearly in an individual's interests and the organization cannot obtain consent in a timely way.
- The collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province, and collection with consent would compromise the availability or the accuracy of the information.
- The information is publicly available and specified by the Regulations Specifying Publicly Available Information, SOR/2001-7 (13 December, 2000) (Regulations).
- The collection is to make a disclosure required by law.
- We are using it to act in an emergency that threatens the life, health, or security of an individual.
- We are using it as part of a witness statement and the use is necessary to assess, process, or settle an insurance claim.
We will not use your Personal Information for purposes other than for which it was collected, except with your consent or as required by law.
Please see Personal Information Collected During Prior Twelve Months to see the uses of Personal Information we have collected during the prior twelve months.
Personal Information Sharing
We only share your Personal Information with third parties with your knowledge and consent, with the following exceptions:
- To collect a debt you owe to us.
- The Personal Information is necessary to comply with a subpoena, warrant, or an order made by a court, person, or body with jurisdiction to compel the production of information, or to comply with court rules relating to record production.
- It is made to a government institution that has identified its lawful authority to obtain the information, and indicated that: (i) it suspects that the information relates to national security, the defence of Canada, or the conduct of international affairs; (ii) it needs the information to gather intelligence, carry out an investigation, or enforce any law of Canada, a province, or a foreign jurisdiction; (iii) it needs the information to administer any law of Canada or a province; or (iv) it needs the information to communicate with the next of kin or authorized representative of an injured, ill, or deceased individual.
- It is made on the initiative of the organization to a government institution and the organization: (i) has reasonable grounds to believe that the information relates to a contravention or potential contravention of the laws of Canada, a province, or a foreign jurisdiction; or (ii) suspects that the information relates to national security, the defence of Canada, or the conduct of international affairs.
- It is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province, and disclosure with consent would compromise the investigation.
- It is made to a government institution or the individual's next of kin or authorized representative because it is necessary to identify an individual who is injured, ill, or deceased. If the individual is alive, the organization must inform the individual in writing without delay of the disclosure.
- It is made to a person who needs the information because of an emergency that threatens an individual's life, health, or security. If the individual is alive, the organization must inform the individual in writing without delay of the disclosure.
- It is part of a witness statement and the disclosure is necessary to assess, process, or settle an insurance claim.
- The information is publicly available and is specified by the regulations of PIPEDA.
- In the context of a prospective merger or acquisition if: the information is necessary to determine whether to proceed with and complete the transaction; and we have entered into an agreement with the receiving organization before disclosure of the information that requires the receiving organization to: (i) use and disclose the information solely for purposes relating to the transaction; (ii) protect that information by security safeguards appropriate to the information sensitivity; and (iii) return the information to the disclosing organization, or destroy it, within a reasonable time if the transaction does not proceed.
- When completing a merger or acquisition if: the information is necessary for carrying on the business that is the subject of the transaction; we have entered into an agreement with the receiving organization that requires both us and the other organizations to: (i) use and disclose the Personal Information under their control solely for the purposes for which the Personal Information was collected, used, or disclosed before the transaction was completed; (ii) protect the Personal Information by using security safeguards appropriate to the information sensitivity; and (iii) give effect to any consent withdrawal by an individual; and one of the parties notifies affected individuals within a reasonable time of the transaction's completion that: (i) the transaction is complete and (ii) their Personal Information was disclosed to the purchasing organization.
We will not share your Personal Information for purposes other than for which it was collected, except with your consent or as required by law.
Please see Personal Information Shared During Prior Twelve Months to see the Personal Information we have shared during the prior twelve months.
Data Subject Rights
In addition to the rights listed under Your Personal Information Use Choices and Accessing and Correcting Your Personal Information, the following additional rights are available to residents of Canada:
- In addition to your ability to opt out of receiving targeted ads from members of the Network Advertising Initiative (NAI) on the NAI's website at https://optout.networkadvertising.org/?c=1, you can opt out of several third-party ad servers' and networks' cookies simultaneously by using an opt-out tool created by the Digital Advertising Alliance of Canada at https://youradchoices.ca/en/tools.
- Specific exceptions to any obligations we might otherwise have under Canadian privacy laws to provide you access to your Personal Information include: information protected by solicitor-client privilege, information that is part of a formal dispute resolution process, information that is about another individual that would reveal their personal information or confidential information, or information that is prohibitively expensive to provide.
- If you are concerned about our response or would like to correct the information provided, you may contact Joey Victorino, our Director of Information Security & Compliance, at joey@donorbox.com.
- Where you have provided your consent to the collection, use, and transfer of your Personal Information, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at support@donorbox.org. Please note that if you withdraw your consent we may not be able to provide you with a particular product or service. We will explain the impact to you at the time to help you with your decision.
Residents of Quebec
Residents of Quebec have the following additional rights under the Québec Act described in this section.
Processing of Sensitive Information
We will only collect and process medical, biometric, or Personal Information that is of an otherwise intimate nature (Sensitive Québec Information), with express consent. We will not use Sensitive Québec Information for any purpose other than that initially intended at collection time without first obtaining express consent for such additional purpose.
Exceptions to Consent when Communicating Personal Information
As permitted by the Québec Act, we may communicate your Personal Information without consent to:
- The Director of Criminal and Penal Prosecutions to prosecute an offense under an act applicable in Québec.
- A person or body responsible for the prevention, detection, or repression of crime or statutory offenses to perform its duties, if it needs the information to prosecute an offense under an act applicable in Québec.
- A person to whom it is necessary to communicate the information under an act applicable in Québec or under a collective agreement.
- A public body that collects the information in the exercise of its functions or to implement a program under its management.
- A person or body having the power to compel communication of the information to exercise their duties or functions.
- A person that requires the information because of the urgency of a situation that threatens the life, health, or safety of the person concerned.
- A person authorized by law to recover debts on behalf of others and requiring it for that purpose to perform their duties.
- Prevent an act of violence, including a suicide, where reasonable cause exists to believe that there is a serious risk of death or serious bodily injury threatening a person or an identifiable group of persons and where the nature of the threat generates a sense of urgency.
- A receiving party in a commercial transaction (such as a merger or acquisition) where communicating your Personal Information is necessary to conclude the commercial transaction and we have entered into an agreement with the receiving party where the receiving party agrees:
  - To use the information only to conclude the transaction.
  - Not to communicate the information for any other purpose unless it obtains consent or the Québec Act otherwise permits it.
  - To take steps to protect the information's confidentiality.
  - To destroy the information if it is no longer necessary to complete the transaction or if the transaction does not close.
- A person that wants to use the information for study or research purposes or for the production of statistics where, before communicating the information, we have done both of the following:
  - Completed a privacy impact assessment (PIA) that concludes: the person can achieve the study or research objective or statistics production only if we communicate the information in a way that permits identification of the concerned persons; obtaining consent is unreasonable; the objective outweighs the impact of communicating and using the information on the privacy of the individual, considering the public interest; the Personal Information is to be used in a way that ensures confidentiality; and only necessary information is communicated.
  - Submitted to the Québec CAI a written agreement with the information recipient that: sets out restrictions around the information use; and establishes data minimization requirements.
Communicating Personal Information to Service Providers
In addition to the above exceptions, as permitted by the Québec Act, we may transfer Personal Information to a service provider without consent if such transfer is subject to a contract with the service provider that includes:
- A description of the service provider's measures to ensure confidentiality.
- Service provider obligations to use Personal Information solely to provide the services and to destroy or return the Personal Information once the contract expires.
- Service provider obligations to notify Joey Victorino, our Director of Information Security & Compliance, at joey@donorbox.com without delay of any violation or attempted violation of information confidentiality and permitting them to conduct any verification relating to these requirements.
Data Subject Rights
Rights Available
Residents of Québec have the following rights under the Québec Act:
- Information Right: You have the right to transparency on our part, including access to this detailed and comprehensive Privacy Policy.
- Access Right/Data Portability Right: You have the right, upon written request, to certain access to your Personal Information. This Access Right allows you to:
  - Confirm the existence of Personal Information we have collected.
  - Have this Personal Information communicated to you.
  - Obtain a copy of the Personal Information.
  Computerized Personal Information will be communicated:
  - In a written, intelligible transcript.
  - To you or, at your request, to another organization in a structured, commonly used, technological format.
  - With reasonable accommodation if you are handicapped.
  Your Data Portability Right excludes Personal Information we create or derive from your Personal Information. Our obligation to provide you with computerized Personal Information in a structured, commonly used, technological format does not apply if doing so raises serious practical difficulties. No charge will be incurred for Access Right requests, except that we may require a reasonable charge if you request the transcription, reproduction or transmission of such information. We will inform you in advance of the approximate amount that will be charged for the transcription, reproduction or transmission of information.
- Rectification Right: You have the right, upon written request, to rectification of Personal Information. This Rectification Right only applies if: we hold Personal Information that is inaccurate, incomplete, or equivocal; or our collecting, communicating, or keeping the Personal Information are not authorized by law. In the case of a disagreement relating to a Rectification Right request, we must prove that the Personal Information need not be rectified, unless the information in question was communicated to us by you or with your consent. If we grant a Rectification Right request, we will issue, free of charge to you, any Personal Information modified or added or, as the case may be, an attestation of the deletion of Personal Information.
- Right to be Forgotten: You have the right to request we stop disseminating your Personal Information or to de-index any hyperlink attached to your name giving access to information if this dissemination causes you harm or contravenes the law or a court order.
- Rights Regarding Automated Decision Making: You have the right to know when you are the subject of a decision based exclusively on automated processing of your Personal Information. You may also request from us:
  - The Personal Information used to make the decision.
  - The reasons and main factors leading to the decision.
  - The right to request correction of the Personal Information used to make the decision.
  - The right to present your observations regarding our decision to a member of our staff for review of the decision.
Exercising Your Rights
Before considering any Access Right or Rectification Right request:
- You must submit the request in writing.
- You must prove that you are: the person whose Personal Information is subject to the rights request (Concerned Person); the representative, heir or successor of the Concerned Person; the liquidator of the succession of the Concerned Person; a beneficiary of life insurance or of a death benefit of the Concerned Person; the person having parental authority over the Concerned Person, even if the Concerned Person is a minor child who is deceased; or the spouse or a close relative of the deceased Concerned Person.
- Your request must be addressed to the person in charge of our protection of Personal Information.
- If your request is not sufficiently precise or if you require it, we will assist in identifying the information sought.
- We will respond in writing to an Access Right or a Rectification Right request within 30 days after the date the request is received.
- If we refuse to grant a request, we will:
  - Give the reasons for any refusal.
  - Indicate the provision of law on which the refusal is based.
  - Provide the remedies available to you under the Québec Act and the time limit for exercising them.
  If you request, we will help you understand the refusal. In addition, if we refuse to grant an Access Right or Rectification Right request, we will retain the information subject to such request for such time as is necessary to allow you to exhaust the recourses provided by law.
Residents of the EU or UK
This section applies only to residents of the EU or UK.
Data Privacy Manager
We have appointed a data privacy manager. If you have any questions about this section, please contact them at:
- Full name of legal entity: Rebel Idealist, Inc., dba Donorbox
- Name or title of data privacy manager: Joey Victorino, Director of Information Security & Compliance
- Email address: joey@donorbox.com
- Postal address: Rebel Idealist, Inc. ATTN: Joey Victorino, 712 H St NE, Unit #8790, Washington, DC 20002
- Telephone number: (202) 900-5639
Automated Decision Making and Profiling
We do not make decisions based solely on automated processing or profiling that produce legal effects concerning you (or have similarly significant effects).
Criminal Offence Data and Special Category Data
We do not intentionally collect criminal offence data about you. However, we may process data relating to criminal offences in monitoring the use of our Website for security purposes, where we suspect you may have committed a crime, such as attempting to make a fraudulent purchase or claim or circumvent the security of the Website. In such circumstances we will provide that information to law enforcement and/or use it to establish, exercise or defend a legal claim. In those circumstances, according to the type of activity and purpose, we will rely on legitimate interests (protecting our business, employees and other users) and legal obligation (where required by legal, judicial or law enforcement to disclose or process that information). UK law authorises that processing under the Data Protection Act 2018 and although the appropriate authorisation will depend on a case-by-case basis, monitoring for criminal behaviour through the use of our Website is in the Substantial public interest (preventing or detecting unlawful acts) and processing information related to suspected criminal activity for legal claims is permitted under applicable national law.
Special categories of personal data
We do not intentionally collect any special categories of personal data described in Article 9 of GDPR about you.
International Transfers
Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
- Where we use certain service providers located outside the UK or EEA, we use specific contracts approved by the UK or EEA which give personal data the same protection it has in the UK and EEA.
Please contact the data privacy manager using the contact details above if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA.
Your Legal Rights
You have the following rights under UK or EEA data protection laws in relation to your personal data.
- Access. Request access to and/or a copy of the personal data we process about you (commonly known as a data subject access request). This enables you to check that we are lawfully processing it.
- Correction. Request correction of any incomplete or inaccurate data we hold about you. (We may need to verify the accuracy of the new data you provide to us.)
- Deletion. Request us to delete or remove personal data where there is no good reason for us continuing to process it. You also can ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we need to erase your personal data to comply with law. (In some cases, we may need to continue to retain some of your personal data where required by law. If these apply, we will notify you at the time of our response.)
- Objection. Object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information which override your rights and freedoms.
- Restriction. Request that we restrict or suspend our processing of your personal data: if you want us to establish the data's accuracy; where our use of the data is unlawful, but you do not want us to erase it; where we no longer require it, but you need us to hold onto it to establish, exercise or defend legal claims; or you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
- Data portability. Request we transfer certain of your personal data to you or your chosen third party in a structured, commonly used, machine-readable format. This right only applies to information processed by automated means that we process on the lawful bases of consent or performance of a contract.
- Withdraw consent. Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Complain to the UK and other applicable data protection regulator. If you are unhappy with how we process your personal data, we ask that you contact us first using the details below so that we have the chance to put it right. However, should you wish to report a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the appropriate Information Commissioner's Office. A list of Data Protection Authorities for EU GDPR can be found at https://www.edpb.europa.eu/about-edpb/about-edpb/members_en. For the UK GDPR, complaints may be made at https://ico.org.uk/make-a-complaint/data-protection-complaints/data-protection-complaints/.
You can exercise any of these rights at any time by contacting us at support@donorbox.com.
How We Protect Your Personal Information
We employ physical, procedural, and technological security measures to help protect your information from unauthorized access or disclosure. We may use encryption, passwords, and physical security measures to help protect your information against unauthorized access and disclosure.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We urge you to be careful about giving out information in public areas of the Website like message boards. The information you share in public areas may be viewed by any user of the Website.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information, we cannot guarantee the security of your Personal Information transmitted to our Website. Any transmission of Personal Information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.
Data Retention
Except as otherwise permitted or required by applicable law or regulation, we will only retain your Personal Information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Under some circumstances we may anonymize your Personal Information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.
Governing Law
Our Website is controlled and operated by Rebel Idealist, Inc., dba Donorbox. If you are accessing our Website from any location with regulations or laws governing personal data collection, use or disclosure that differ from United States laws or regulations, please note that through your continued use of our Website, you are transferring personal information to the United States. Also, we may transfer your data from the United States to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating our Website. By providing any information, including personal information, on or to our Website, you consent to such transfer, storage and processing. By choosing to visit our Website or provide your personal information to us, you agree that any dispute over privacy or the terms contained in our Privacy Policy will be governed in accordance with the governing dispute resolution and arbitration provisions in our terms of use found at https://donorbox.org/terms.
Changes to Our Privacy Policy
We reserve the right to amend our Privacy Policy at our discretion and at any time. It is our policy to post any changes we make to our Privacy Policy on this page. If we make material changes to how we treat our users' Personal Information, we will notify you by email to the primary email address specified in your account and through a notice on the Website home page. The date the Privacy Policy was last revised is identified at the top of the page. When we make changes to our Privacy Policy, we will post the updated notice on the Website and update the notice's effective date. You are responsible for ensuring we have an up-to-date active and deliverable email address for you, and for periodically visiting our Website and our Privacy Policy to check for any changes. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this notice, the ways in which we collect and use your information described here and in the Privacy Policy, your choices and rights regarding such use, or wish to exercise your rights, please do not hesitate to contact us by:
- Emailing us at support@donorbox.org
- Mailing us at Rebel Idealist, Inc., dba Donorbox, Rebel Idealist, Inc., ATTN: Privacy Request, 1520 Belle View Blvd #4106, Alexandria, VA 22307
- Visiting https://trust.donorbox.org