Upholding the highest standards of integrity and trust

  1. INTRODUCTION AND SCOPE OF THIS POLICY

The BLUE AND YELLOW HEARTS FOUNDATION (“the Foundation,” “we,” “us,” or “our”) is committed to upholding the highest standards of integrity and trust in all our operations, which includes the transparent, ethical, and secure management of personal information entrusted to us by our diverse community of participants, families, donors, volunteers, and website visitors. Our mission—to uplift individuals and families in need by providing essential resources, emotional support, and opportunities for growth—is founded upon the principle of profound human dignity, and that principle extends unequivocally to protecting your privacy. This Comprehensive Privacy Policy outlines in exhaustive detail the types of information we collect, the specific methods by which we collect it, the legal basis and purposes for its use, the robust security measures we employ to protect it, and the rights you possess regarding your personal data. This document covers all forms of interaction with the Foundation, whether in person at our center (STE 114-148, POTOMAC, MD 20854), through our various programs (Education & Learning, Wellness Support, Resource Distribution), during volunteer or donation processes, or via any digital platforms, including our website and official communications (such as info@byhf.site). We recognize the extreme sensitivity of the data we handle, particularly concerning vulnerable families and children, and this policy is designed to assure every stakeholder that their trust is placed in an organization dedicated to rigorous data governance, respecting confidentiality as an absolute priority at every level of our operations and administrative structure. We encourage you to read this policy fully to understand how your information contributes to our vital work while being comprehensively protected.

  2. CATEGORIES OF DATA COLLECTED AND METHODOLOGY

The Foundation collects different categories of personal data based on the nature of your interaction with us. We adhere to the principle of data minimization, collecting only the information strictly necessary for the fulfillment of our charitable mission and regulatory compliance.

2.1. Program Participant and Family Data (Highly Sensitive)

This category includes information gathered from individuals and families enrolled in our Stability Services, Developmental Programs, and Wellness Support. Collection typically occurs through confidential intake interviews conducted by Case Managers and licensed clinicians (Dr. Marcus Chen’s team) at our facility.

  • Identifiable Information: Full legal names, dates of birth, social security numbers (only when legally required for tax or benefits reporting), current and previous physical addresses, emergency contact details, and relationship status of family members.
  • Socio-Economic Data: Household income, employment history and status (used for Adult Empowerment Program eligibility), housing status (critical for Stability Services), public benefits received, and financial literacy assessment results.
  • Wellness and Clinical Data: Detailed notes from therapeutic counseling sessions (managed with utmost confidentiality by licensed professionals), mental health assessment results, records of participation in grief support or stress management workshops, and any disclosed health conditions relevant to program safety or resource provision.
  • Educational Data: School attendance records (with parental consent), academic assessment results, tutoring progress reports (tracked by Sofia Rodriguez’s team), and personalized educational plans.
  • Resource Utilization Data: Records detailing the specific resources received, such as food pantry access dates, clothing distribution tallies, and utility assistance amounts (managed by Fatima Hassan’s team).

2.2. Donor and Financial Data (Confidential)

This data is collected from individuals and organizations that provide financial contributions or in-kind donations. Collection occurs via our secure online donation portal, mailed checks, or during event attendance.

  • Personal Identifiers: Full name, mailing address, email address, and phone number (used for acknowledgment and receipting).
  • Financial Transaction Data: Donation amount, date, method of payment (e.g., credit card type, last four digits, expiration date, which are processed by secure, PCI-compliant third-party processors and NEVER stored directly on Foundation servers), and bank information (for recurring ACH donations, stored by certified financial service providers).
  • Donor History: Records of giving history, campaign participation, and communication preferences.

2.3. Volunteer Data (Operational and Background Check Data)

Data collected from individuals offering their time and skills, managed by David Kim, Volunteer Coordinator. Collection occurs through online application forms and in-person interviews.

  • Application Data: Name, contact information, educational background, professional skills and certifications (e.g., teaching credentials for tutors), and emergency contact.
  • Background Check Data: Results of mandated state and federal background checks, including identity verification and criminal history checks (handled by a designated, accredited third-party agency and only the eligibility status is retained by the Foundation).
  • Logistical Data: Availability, shift preferences, training attendance records (especially in trauma-informed care), and performance reviews.

2.4. Website and Digital Interaction Data (Technical)

This data is collected automatically when individuals interact with the Foundation’s website and digital platforms.

  • Usage Data: IP addresses, browser type, device information, operating system, pages visited, time spent on pages, referral sources, and interaction data (e.g., clicks on donation links).
  • Cookies and Tracking: We use necessary functional cookies to ensure website operation (e.g., maintaining donation cart contents). We also use analytics cookies (with consent where required) to understand traffic patterns and optimize the user experience, aiding in effective fundraising and public awareness campaigns. This data is typically aggregated and anonymized.

  3. LEGAL BASIS AND USE OF COLLECTED DATA

The Foundation uses collected data exclusively for purposes directly related to our mission, ensuring every use is based on a legitimate legal justification, maintaining the privacy and trust of our stakeholders.

3.1. Fulfillment of Charitable Mission and Contractual Necessity (Program Data)

The primary use of Program Participant and Family Data is to provide the requested integrated services effectively.

  • Service Delivery: Using socio-economic and wellness data to determine eligibility for resources (housing, food, utilities), develop tailored educational plans, and provide appropriate therapeutic interventions.
  • Case Management: Primary Case Managers use the integrated data to coordinate seamless care across departments (e.g., sharing academic progress with the Wellness Director to inform counseling strategies).
  • Safety and Compliance: Using emergency contact details and health information to ensure participant safety while on-site and during program activities.

3.2. Legitimate Interest and Consent (Donor and Volunteer Data)

  • Donor Stewardship: Using identifiable and transaction data to process donations, issue legally required tax receipts, and acknowledge generosity, which is vital for maintaining the sustainability of our non-profit operations (Legitimate Interest). Donor names and contribution levels are kept confidential unless explicit consent is given for public recognition.
  • Volunteer Management: Using application and background data to verify suitability, assign roles, schedule shifts, and ensure the safety of our program participants (Contractual Necessity and Legitimate Interest).
  • Communications: Using contact details to send periodic updates, newsletters, and mission-related appeals (Consent or Legitimate Interest, with clear opt-out mechanisms provided in every communication, per David Kim’s communication strategy).

3.3. Legal Obligation and Public Interest (All Data Categories)

  • Regulatory Compliance: Using relevant data to comply with federal and state regulations, including non-profit tax filings (IRS Form 990), financial auditing requirements, and mandated reporting obligations (e.g., suspected child abuse, in line with Dr. Marcus Chen’s professional obligations).
  • Operational Improvement: Utilizing anonymized, aggregated data (especially Usage Data and Resource Utilization Data) to evaluate program effectiveness, measure community impact (as guided by the Impact section of our mission), and make data-driven decisions regarding resource allocation and strategic planning.

  4. DATA SHARING AND THIRD PARTIES

The Foundation does not sell, rent, or trade any personal data to third parties. Data is only shared under specific, controlled conditions, strictly necessary for operational functionality, legal compliance, or service delivery, with robust contractual agreements in place to ensure the recipient adheres to our high privacy standards.

4.1. Program-Specific Sharing (Need-to-Know Basis)

  • External Referrals: With explicit written consent from the participant/family, we may share minimal necessary data with carefully vetted community partners (as detailed in our Community Partnerships section) for direct service provision, such as local housing agencies or vocational training centers. For example, Fatima Hassan may share employment background with a partner agency for job placement, but only with the participant’s signed authorization.
  • Clinical Confidentiality: Clinical data (from Dr. Chen’s team) is subject to strict professional ethics and legal privilege and is only shared internally on a need-to-know basis (e.g., with a Case Manager to monitor therapeutic goals) or externally only under mandatory legal compulsion (e.g., court order, duty to warn).

4.2. Operational Third-Party Service Providers

  • Payment Processors: Secure, PCI-DSS compliant third-party vendors handle all online financial transactions and do not share payment card data with the Foundation beyond transaction approval and the last four digits of the card.
  • IT and Cloud Services: We use reputable, industry-leading vendors for secure cloud storage, email hosting, and CRM functionality. These vendors are bound by strict Data Processing Agreements (DPAs) mandating robust security measures, encryption, and prohibiting the use of our data for their own purposes.
  • Background Check Agencies: Accredited agencies conduct background checks for volunteers and staff (managed by David Kim) and provide the Foundation only with a Pass/Fail eligibility outcome, retaining the detailed sensitive data securely under their own regulatory frameworks.

4.3. Legal and Regulatory Disclosure

We will disclose personal information when required to do so by law, such as to comply with a subpoena or similar legal process, or when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

  5. SECURITY AND DATA PROTECTION MEASURES

Given the highly sensitive nature of the information we manage, the Foundation implements comprehensive technical, organizational, and physical security measures to protect personal data from unauthorized access, disclosure, alteration, and destruction, continuously reviewing and upgrading our defenses.

5.1. Technical Measures

  • Encryption: All data transmitted to or from our website and service providers is protected using industry-standard Transport Layer Security (TLS) encryption. Highly sensitive data, especially Program Participant and Clinical records, is encrypted both in transit and at rest using AES-256 encryption within our secure cloud environment.
  • Access Control: Access to our CRM and case management systems is strictly controlled using unique user IDs, strong passwords, multi-factor authentication (MFA), and role-based access control (RBAC), ensuring that staff can only access the data required for their specific job functions (e.g., Fatima Hassan’s team only accesses resource distribution logs; Dr. Chen’s team maintains separate, secure access for clinical notes).
  • Network Security: We utilize firewalls, intrusion detection systems (IDS), and continuous monitoring tools to guard against external threats and unauthorized network access.

5.2. Organizational and Physical Measures

  • Staff Training: All Foundation employees and long-term volunteers undergo mandatory, annual data privacy and security awareness training, with specialized modules on trauma-informed confidentiality and HIPAA-style data handling protocols for clinical and program staff.
  • Data Minimization and Destruction: We enforce strict data retention schedules, destroying or irreversibly anonymizing personal data once it is no longer necessary for the purposes for which it was collected or legally required. Physical records, which are minimal, are stored in locked cabinets within secured offices at STE 114-148 and destroyed via cross-shredding.
  • Confidentiality Agreements: All staff and volunteers sign comprehensive confidentiality agreements explicitly detailing their obligation to protect participant and donor privacy under penalty of immediate termination and potential legal action.

  6. CHILDREN’S PRIVACY

The BLUE AND YELLOW HEARTS FOUNDATION serves a significant number of minors through our Early Childhood and School-Age Programs. We are strongly committed to protecting the privacy of children under the age of 13, in compliance with the Children’s Online Privacy Protection Act (COPPA), where applicable, and our own stringent ethical standards.

6.1. Parental Consent

We do not knowingly collect personal information online from children under 13 without verifiable parental consent for the specific purpose of the collection (e.g., enrolling them in an online tutoring program). For all in-person programs and data collection related to minors (e.g., academic assessments), we require explicit, documented consent from the child’s parent or legal guardian during the initial enrollment process.

6.2. Data Use and Access

The educational and wellness data collected about minors is used solely for the purpose of service provision (tutoring, counseling, development of educational plans) and is never used for marketing, fundraising, or sold to third parties. Parents/guardians are given full rights to review their child’s file (subject to clinical confidentiality rules enforced by Dr. Chen’s team) and request its deletion.

  7. DATA RETENTION POLICY

The Foundation retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including the purpose of satisfying any legal, accounting, or reporting requirements, and to provide comprehensive longitudinal support to families who may cycle in and out of our programs.

  • Program Participant Data: Retained for the duration of the family’s active participation plus a legally mandated period (typically 7-10 years post-exit) to allow for re-enrollment, continuity of care, and compliance with grant-funding audit requirements.
  • Donor Data: Financial transaction records are retained for a minimum of seven years to comply with tax and auditing laws. Donor contact and history information may be retained indefinitely to support the Foundation’s continued fundraising and stewardship efforts, unless the donor requests removal.
  • Volunteer Data: Application and performance data is retained for the duration of the volunteer’s service plus a reasonable period thereafter (typically 3-5 years) for compliance and future re-engagement purposes. Background check results are retained only for the legally required period and then securely destroyed.
  • Website Usage Data: Anonymized aggregate data may be retained indefinitely for trend analysis. Individual IP logs are typically destroyed within 90 days.

  8. YOUR RIGHTS AS A DATA SUBJECT

We respect your right to control your personal data. Subject to certain legal exemptions, you have the following rights concerning the personal data we hold about you:

8.1. Right of Access and Transparency

You have the right to request confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data and specific information regarding its use and disclosure. We provide clear, plain-language summaries of the data we hold upon verifiable request.

8.2. Right to Rectification

You have the right to request the prompt correction of inaccurate or incomplete personal data held by the Foundation. Our administrative team will update records (address, phone numbers, employment status) immediately upon notification, as accurate information is crucial for service delivery.

8.3. Right to Erasure (Right to be Forgotten)

You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, or if you withdraw consent and no other legal basis for processing exists. Note that we may be legally obligated to retain certain data (e.g., tax records, mandated clinical notes) even if deletion is requested.

8.4. Right to Restrict Processing

You have the right to request that we cease or limit the processing of your data under specific circumstances, such as when contesting the accuracy of the data or when the data is no longer needed but required by you for legal claims.

8.5. Right to Object to Processing

You have the right to object to the processing of your personal data where it is based on legitimate interests (e.g., fundraising communications). If you object to receiving appeals or newsletters, you will be promptly unsubscribed from those lists (as managed by David Kim’s communication protocols).

To exercise any of these rights, please submit a written request via email to info@byhf.site or mail to the address listed below, clearly stating your name, contact information, and the specific right you wish to exercise. We will respond to all verifiable requests within thirty (30) days.

  9. CHANGES TO THIS PRIVACY POLICY

The BLUE AND YELLOW HEARTS FOUNDATION reserves the right to update or modify this Comprehensive Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or mission evolution. When we make material changes to this policy, we will revise the “Effective Date” at the top of this page. We will notify all active stakeholders, including Program Participants, Donors, and Volunteers, of any significant changes via email or prominent notice on our website prior to the change becoming effective. Your continued engagement with the Foundation after the revised policy is in effect will constitute your acceptance of the revised policy. We encourage you to periodically review this page for the latest information on our privacy practices.

  10. CONTACT INFORMATION

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy or our handling of your personal information, please contact us using the details below. All inquiries are handled with the utmost seriousness, confidentiality, and commitment to resolution by our Executive Director’s administrative team.

Organization Name: BLUE AND YELLOW HEARTS FOUNDATION

Data Protection / Administrative Contact: Email: info@byhf.site (Preferred method for quickest response)

Physical and Mailing Address (Main Office & Program Center): STE 114-148 POTOMAC, MD 20854

We are committed to resolving any complaints about our collection or use of your personal information. If you feel that we have not addressed your complaint in a satisfactory manner, you may have the right to contact relevant regulatory authorities in your jurisdiction.