Privacy Policy
​
Welcome to www.sapphireinaction.org (hereinafter the “website”). The website is owned and operated by Sapphire In Action, Inc. in accordance with the laws of the State of Maryland, United States (hereinafter “Sapphire In Action,” “we,” “us,” or “our”).
This Privacy Policy applies to you (hereinafter “user,” “you,” or “your”) who access/visit our website, donate to us, sign up as a volunteer, or purchase any items from our online store. We process all personal data that we collect from you in compliance with the privacy laws of the jurisdictions where we offer the website, including but not limited to applicable U.S. Privacy Laws, European Union General Data Protection Regulation 2016/679 (EU GDPR), and Lei Geral de Proteção de Dados (LGPD).
This Privacy Policy informs our users about the collection, use, sharing, and security measures pertaining to their personal data when we function as the Data Controller.
Please carefully read this Privacy Policy before signing up for an account. If you disagree with this Privacy Policy, please do not access or use the Service.
Table of Contents
​
1. Definitions
2. Data Controller
3. Personal Data Collection and Use
4. Disclosure of Personal Data
5. Transfer of Personal Data
6. California Users
7. Lei Geral de Proteção de Dados Notice for Brazil Residents
8. UK, Switzerland and European Economic Area (EEA) Residents
9. Security of personal data
10. Third-party links
11. Children’s Privacy
12. Amendments
​
1.Definitions
​
The following words, whenever used in this Privacy Policy, shall have the meaning defined hereunder:
‘Controller,’ ‘Data Subject,’ ‘Personal Data,’ ‘Processing,’ ‘Processor,’ and ‘Supervisory Authority’
shall have the same meanings as defined in the EU GDPR.
Data Subject Request
means the exercise by a Data Subject of his/her data rights in accordance with EU GDPR.
Customer
refers to a user who places an order through the website.
Product
refers to an item offered for sale through the website.
Donor
refers to an individual who makes a financial contribution to Sapphire In Action through the website.
Donation
refers to financial contributions made by donors through the website to support our programs and initiatives.
Volunteer
refers to an individual who offers his/her time and services to support our activities and mission without receiving financial compensation.
Youth Volunteer
refers to a volunteer between the ages of thirteen and fifteen who participates in volunteer activities under the supervision of their parent or legal guardian.
‘User,’ ‘you,’ or ‘your’
refers to anyone who accesses or uses the website and interacts with Sapphire In Action, including customers, donors, volunteers, youth volunteers, and website visitors.
2.Data Controller
​
Sapphire In Action, Inc. is the controller of all personal data collected through the website. You can request information regarding our privacy practices or exercise your privacy rights by sending your request in writing to:
1 Research Court, Suite 450, Rockville, Maryland 20850
Alternatively, you can contact us at team@sapphireinaction.org
​
3.Personal Data Collection and Use
​
3.1 What personal data do we collect from you?
​
Depending on the actions you performed on our website, we may collect the following personal data from you:
​​
-
First and last name,
-
Email address,
-
Phone number,
-
Date of birth,
-
Residential address,
-
Billing address,
-
Shipping address,
-
Content of any messages you send to us through the website or email;
-
Transaction information (the item you purchase, the amount you pay for your order, the amount of your donation, etc);
-
Information that you provide us when you participate in our surveys or promotions;
-
Your log data, including your browser type, time and pages you visit, your IP address, etc.;
-
Device data, including the mode and make of your device, operating system, and unique device identifiers;
-
Information is collected through the use of cookies and other tracking technologies.
​
3.2 How do we collect and use your personal data?
​
The personal data we collect from you is either voluntarily provided by you or automatically collected by us. We only process your personal data if we have a legal basis for processing, such as your consent, the performance of a contract, or our legitimate interest that does not override your data protection rights. You may decline to provide any personal data when requested; however, you understand that in such instances, we may be unable to provide you with some website features.
​Voluntarily submitted data
​
3.2.1 Volunteering Data
When you sign up as a volunteer on the website, you will be required to provide us with your:
-
First and last name;
-
Email address;
-
Emergency phone number;
-
Date of birth;
-
Address.
-
We use your above personal data for purposes including:
Assessing your volunteer application;
Contacting you to communicate whether your application is approved or not;
Scheduling your shifts;
Recording your participation in our programs and activities;
Other compatible purposes.
Our legal basis for processing all the above personal data is the performance of our contract with you, which you enter into when you sign up as a volunteer on our website.
Retention Period
We will erase all personal data you provided when you sign up as a volunteer within six months of the termination of your volunteer position unless we have other legal basis for retaining this information.
​​​
3.2.2 Donation Data
When you donate to us through the website, you will be required to provide us with your:
-
First and last name;
-
Email address;
-
Phone number;
-
Whether it is a recurring monthly donation or a single payment;
-
We use your personal data for purposes including:
-
Processing your donation;
-
Sending you a receipt;
-
Fulfilling all our legal compliance obligations.
Our legal basis for processing this personal data is the fulfilment of our legal obligation.
Retention Period
We will erase all personal data you provided us when you donated to our cause after seven years from the date of your donation.​
​
​​​
3.2.3 Purchase Data
When you place an order through our website, you will be required to provide us with your:
-
First and last name,
-
Phone number,
-
Email address,
-
Shipping address, and
-
Billing address.
All payments on our website are processed through a secure third-party payment processor, PayPal. We do not collect or store this data on our database.
We use your personal data for purposes including:
-
Processing your order,
-
Contacting you regarding your order (if required),
-
Processing any returns and refund requests (if applicable).
-
Our accounting and tax compliance.
Our legal basis for processing some of your purchase data is the performance of our contract with you and the fulfillment of our legal obligation.
Retention Period
We may retain your purchase data for up to seven years from the date of your purchase.
3.2.4 Marketing Data
​
When you subscribe to receive direct marketing communication from us, such as when you subscribe to our newsletter, you provide us with your full name and email address.
We use this personal data to send you marketing material that we think you will find interesting.
Our legal basis for processing this personal data is your consent.
Retention Period
We will retain this personal data until you withdraw your consent.​
​
​​
3.2.5 Contact Data
​
When you contact us through the website or by email, we collect your name, email address, and the content of your message.
We process this data to reply to you and take other actions related to your request.
Our legal basis for processing this personal data is our legitimate interest, which does not override your rights as a data subject.
Retention Period
We will retain this personal data for up to six months from the date of the last communication. After that, we may continue to retain the content of our communication with you by anonymizing it so it cannot be linked back to you.
Automatically Collected Data
​
3.2.6 Usage Data
​
We automatically collect some data about you when you use the website, such as your Internet Protocol (IP) address, browser type and version, date, and time stamp.
We process this information to improve your user experience on the website.
Retention period
We do not retain this data for more than 30 days from the date of your last visit.
4.Disclosure of Personal Data
​
We will never rent or sell your personal data. We may disclose your personal data in the following situations:
4.1 Third-Party Service Providers
We may engage third-party service providers to perform some functions on our behalf, including but not limited to payment processing, web development, maintenance, marketing, and legal compliance. Your personal data may be disclosed to such third-party service providers only to the extent required for them to perform relevant functions on our behalf and in accordance with our instructions. In no event will these service providers use your personal data for any purpose other than those specified in this privacy policy.
4.2 Protection of Rights or Fulfilment of Legal Obligations
We will disclose your personal data to third parties in situations where we believe such disclosure is necessary to investigate or remedy any violations of our legal agreement with you or to protect our rights and the rights of others. We will also disclose your personal data in situations where we are required to do so by applicable law/regulation or legal process, such as to comply with a subpoena.
4.3 With Your Consent
We may share your personal data with third parties with your express consent.
​
​
5.Transfer of Personal Data
​​
We collect and process our users’ Personal Data in strict adherence to the principles and provisions of applicable data protection laws, including but not limited to the EU GDPR, California Consumer Privacy Act ("CCPA"), and other relevant jurisdictional data privacy laws. We acquire, use, and may transfer our users’ Personal Data solely in the pursuit of providing our services, fulfilling our legal obligations, effectively addressing any user requests, preventing illegal activities and other similar purposes.
As we are based in the United States of America and have programs and initiatives in other countries, you acknowledge that collected Personal Data may be transferred, stored, and processed in the U.S. or other countries outside of your residential jurisdiction.
We only transfer Personal Data to countries that are recognized as providing an adequate level of legal protection or where we can be satisfied that alternative arrangements are in place to protect your privacy rights. This includes the use of specific contracts approved by relevant authorities, where necessary.
You acknowledge, comprehend, and consent to your Personal Data being transferred cross-border in accordance with this provision. You reserve the right to withdraw this consent at any given time by contacting us directly, subject to compliance with applicable law.
​​
6.California Users
​
This section pertains specifically to California residents and their rights under the California Consumer Privacy Act (CCPA). If you fall under the definition of "resident," as defined in the CCPA, the following rights and obligations apply.
​
6.1 Your Rights Regarding Your Personal Data
6.1.1 Right to request deletion of your data
You have the right to request the deletion of your personal data. Subject to the exceptions provided by law, we will honor your request for deletion of your data.
6.1.2 Right to Information
Under various circumstances, you have the right to know:
6.1.2.1 Whether we collect and use your personal data (described in this Privacy Policy);
6.1.2.2 The categories of personal data we collect (provided in Section 3 of this Privacy Policy);
6.1.2.3 The purposes for which we use collected personal data (provided in Section 3 of this Privacy Policy);
6.1.2.4 Whether we sell or share personal data with third parties (provided in Section 4 of this Privacy Policy);
6.1.2.5 The categories of personal data we have sold, shared, or disclosed for business purposes (provided in Section 4 of this Privacy Policy);
6.1.2.6 The categories of third parties with whom we have shared or disclosed personal data for business purposes (provided in Section 4 of this Privacy Policy);
6.1.2.7 Any business or commercial purpose behind collecting, selling, or sharing personal data (provided in Section 4 of this Privacy Policy);
6.1.2.8 The specific pieces of personal data collected about you (provided in Section 3 of this Privacy Policy);
​
In compliance with applicable law, we are not required to provide or delete consumer information that has been de-identified in response to a consumer request or to re-identify individual data to verify a consumer request.
​​
​
6.1.3 Right to Non-Discrimination for Exercising Privacy Rights
We will not discriminate against you for exercising your privacy rights
6.1.4 Right to Limit Use and Disclosure of Sensitive Personal Data
We do not process our users’ sensitive personal data.
6.1.5 Verification Process
6.1.5.1 Upon receiving your request, we will verify your identity to ensure your request relates to your own personal data in our system. This verification process may require you to provide information that matches with our records. We may also contact you through a previously provided communication method (e.g., phone or email). Additional verification methods may be employed as needed. We will solely use the personal data provided in your request for verification purposes. If additional information is necessary for verification and security reasons, we will request it and promptly delete it upon completing verification.
6.1.6 Other Privacy Rights
​
6.1.6.1 You may object to the processing of your personal data.
6.1.6.2 You may request correction of your personal data if it is inaccurate or no longer relevant or ask to restrict the processing of the information.
6.1.6.3 You can appoint an authorized agent to make a CCPA request on your behalf. If you choose to do so, we may reject a request from an authorized agent without valid proof of authorization in accordance with CCPA guidelines.
6.1.6.4 You may request to opt out of future sales or sharing of your personal data with third parties. Upon receipt of an opt-out request, we will promptly act on it no later than fifteen (15) days from the date of submission.
To exercise these rights or voice a complaint about our data handling practices, please contact us at the email address provided in Section 2 of this Privacy Policy.
​​
7.Lei Geral de Proteção de Dados Notice for Brazil Residents
This section integrates with and supplements the information contained in this Privacy Policy and applies to all users who reside in Brazil. In the event of any conflict between this provision and any other provisions of this Privacy Policy, this provision shall prevail for users who are residents of Brazil. For the purposes of this provision, any use of the term “personal data” shall have the same meaning as the term “personal information” defined in the Lei Geral de Proteção de Dados (“LGPD”).
7.1 What personal data do we process?
To find out what personal data we collect from you, please read Section 3 of this Privacy Policy.
7.2 What is our purpose for processing your personal data?
To find out the purpose for which we process your personal data, please read Section 3 of this Privacy Policy.
​​
​​
7.3 Legal basis for processing your personal data
​
We will only process your personal data if we have a legal basis. Our legal basis for processing your personal data includes the following:
-
Performance of our contract with you;
-
Your consent to our processing of your personal data;
-
Our legitimate interest in processing your personal data to the extent that our interest does not override your fundamental rights;
-
Compliance with our legal obligations;
-
Fulfillment of any legal, regulatory, or contractual public policies;
-
For anonymous research and analysis purposes;
-
To protect the physical safety of any person;
-
To exercise our rights in any judicial, administrative, or arbitration proceedings.
7.4 Your Privacy Rights
LGPD gives you the right to:
-
Receive confirmation whether your personal data is being processed (‘processing confirmation’);
-
Access your personal data that is processed;
-
Rectify any outdated, inaccurate, or incomplete personal data;
-
Request removal, anonymization, or blocking of any personal data that is not processed in accordance with LGPD;
-
Request and receive information on whether you can withdraw or grant your consent and the consequences thereof;
-
Withdraw your consent;
-
Receive information about with whom your personal data is shared;
-
Receive all your personal data that we have on you in a portable and machine-readable manner;
-
Request deletion of your personal data that was being processed on the legal basis of your consent, except in cases where one of the exceptions listed in Art 16 LGPD applies;
-
Lodge a complaint with the National Data Protection Authority or other consumer protection entities for your personal data;
-
Object to the processing of your personal data if such processing is not in compliance with the law;
-
Request information regarding what criteria and procedures are used for making an automated decision;
-
Request a review of any decisions made solely on the basis of automated processing of your personal data where your interests are affected.​​
​
7.5 How do you exercise your privacy rights?
You can exercise your privacy rights by submitting your request to us using the contact information provided in Section 2 of this Privacy Policy.
We make our best effort to respond to all requests promptly. Where we are unable to comply with your request, we will communicate our legal or factual reasons for the same. If you exercise your right to request personal data processing confirmation or access to your personal data, please indicate whether you would like an electronic or printed copy of such information.
When you request that we respond to your request immediately, we will provide you with a summary version of your requested information. However, when you request a complete disclosure, we will respond to your request within calendar 30 days from the time of your request and provide you with all the details, including the origin of your personal data, the purpose of processing, and the criteria used for processing while safeguarding our business secrets.
Where you request us to rectify, delete or anonymise your personal data or you make personal data blocking request, we will immediately pass on your request to the entities with whom we have shared your personal data to enable such other entities to honor your request except in cases where it is either impossible or would involve disproportionate effort on our part.
7.6 Transfer of personal data
LGPD allows us to transfer our users’ data outside of Brazil in the following circumstances:
-
In accordance with legal means provided by international law and where such transfer is required for international legal cooperation between public intelligence, investigation, and prosecution bodies;
-
Where such transfer is required to protect you or another person from any threat to life or physical harm;
-
Any transfer resulting from commitments made under international cooperation agreements;
-
Any transfer authorised by the National Data Protection Authority;
-
Where a transfer is required for executing any public policy;
-
Where a transfer is required for compliance with a legal, regulatory, or contractual obligation;
-
Where a transfer is required to exercise our rights in any judicial, administrative, or arbitration proceedings.​
​​
8.UK, Switzerland and European Economic Area (EEA) Residents
​
If you are a data subject in the UK, Switzerland, or EEA, you have the following rights relating to your personal data:
8.1 Right to access your personal data
You have the right to request access to your personal data or a copy of your personal data by contacting us.
8.2 Right to rectification
If the personal data we process for you is incorrect, outdated, or incomplete, you have the right to request we rectify, update, or complete it.
8.3 Right to withdraw consent
To the extent the legal basis of our processing of your personal data is your consent, you have the right to withdraw your consent at any time. You may withdraw your consent from receiving direct marketing communication from us by clicking the unsubscribe link at the bottom of our marketing emails, and we will cease processing your personal data for direct marketing purposes.
8.4 Right to the erasure of personal data
In limited circumstances, you may exercise your right to request the erasure of your personal data, such as where your personal data is being processed unlawfully.
8.5 Right to data portability
This right entitles you to receive your personal data, which you have previously provided to us in a 'commonly used and machine-readable format,' and you have the right to transmit that data to another controller. This right only applies when the processing is based on your consent or for the performance of a contract and when the processing is carried out by automated means.
We will not charge any fees for the provision of data under your right to data portability unless we can demonstrate that the request is manifestly unfounded or excessive, in particular because of its repetitive character.
8.6 Right to file a complaint
If you believe that your personal data rights are breached, we would truly appreciate it if you would contact us first to discuss the issue. Notwithstanding the foregoing, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence.
Please note that we may request that you provide proof of your identity before servicing your data subject requests.
​
​
9.Security of personal data
​
The security of your personal data is important to us. We take all reasonable and financially viable steps to safeguard your personal data from any unauthorized access, use, modification, destruction, or loss. We have integrated various security measures into the design of our website and our day-to-day business operations. Although we make our best effort to safeguard your personal data, you acknowledge that no mode of transmission over the Internet is one hundred percent secure; therefore, we cannot offer you any guarantees as to the absolute security of your personal data. By using the website, you understand and accept that the transmission of data through the website is carried out at your own risk.
​
10.Third-party links
​
Our website may contain links that will redirect you to third-party websites. Such third-party websites are not owned or operated by us. These third-party websites are governed by their own legal terms and conditions and privacy policy. We advise our users to review all third-party legal agreements before making use of such websites. You understand that the presence of any third-party links on our website does not constitute an endorsement of such a third party, and we cannot be held responsible for such a third party’s actions. Your decision to visit these third-party sites is entirely at your own risk.
11.Children’s Privacy
​
We are committed to protecting children’s privacy. The website does not allow individuals under the age of 13 years to submit any personal data. If you believe that a child has provided his/her personal data to us, please contact us, and we will investigate the matter and take appropriate action.
12.Amendments
​
We reserve the right to make changes to this privacy policy by inclusion, modification, or removal of any part at any time. When we make any material changes to this privacy policy, we will notify you by email or by changing the last modified date on top of this privacy policy. You agree that it is solely your responsibility to review this privacy policy when you revisit the website. Your continued use of the website after we post the updated privacy policy will constitute your acceptance of such changes.