Privacy Policy

This Privacy Policy explains how Flexion Foundation("we," "us," or "our"), a 501(c)(3) tax-exempt nonprofit corporation (EIN 33-3252902), collects, uses, and shares information when you use flexionfoundation.org(the "Site") or interact with us as a donor, volunteer, or subscriber. By using the Site, you agree to this Policy.

1. Information We Collect

We collect limited information in three ways:

• Information you submit. When you donate, subscribe to the newsletter, request a scholarship or course sponsorship, offer to volunteer, or contact us, we collect the information you provide, such as your name, email address, mailing address, phone number, employer (for matching-gift purposes), the program you chose, the gift amount, and the content of your message.
• Information collected automatically. Like most websites, we collect basic server logs and analytics, including truncated IP address, browser type, device type, referrer URL, and pages visited.
• Cookies and similar technologies. We use minimal cookies required for site functionality and a privacy-respecting analytics tool that does not rely on cross-site tracking cookies.

We do not collect protected health information. Do not submit patient names, medical records, or sensitive health details through forms on the Site. Requests for clinical services are handled through a separate intake process with the licensed clinicians who deliver care.

2. How We Use Information

We use the information we collect to process donations, issue tax receipts, send transactional email (receipts, thank-you acknowledgments, recurring-gift confirmations), respond to volunteer or scholarship inquiries, send newsletters to subscribers, comply with IRS recordkeeping and state charitable solicitation rules, improve the Site, and protect against abuse. We do not sell your personal information.

3. How We Share Information

We share information only with service providers who help us operate the Foundation and only to the extent necessary for them to perform their services. Our principal data processors are Donorbox (donation platform) and Stripe (payment processing), each of which maintains its own GDPR-compliant data handling and offers a Data Processing Agreement through its standard merchant terms. Additional categories include our hosting provider, email provider, analytics provider, and professional advisors (accountants, counsel, auditors). We may disclose information if required by law, subpoena, or to protect the rights, property, or safety of Flexion Foundation or others. We may also disclose aggregate, de-identified statistics in annual reports and grant applications.

Donor recognition. Donors may be listed in our annual report, campaign materials, or on the Site by name at a giving-level category. You may opt out of public recognition at any time by requesting anonymity in writing. Your gift amount is not disclosed unless you expressly ask us to include it.

4. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the right to request access to, correction of, and deletion of the personal information we hold about you, and to limit or opt out of the sale or sharing of your personal information. We do not sell your personal information.We also comply with the California Attorney General's Registry of Charitable Trusts and AB 488 platform-payout requirements. To exercise your rights, contact us at donate@flexionfoundation.org. We will not discriminate against you for exercising these rights.

5. Your GDPR and UK GDPR Rights

If you are a resident of the European Economic Area (EEA), the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and the UK GDPR give you additional rights regarding the personal data we hold about you. Flexion Foundation acts as the data controller for personal data you provide to us.

Lawful basis for processing. We process your personal data on the following bases:

• Consent (Article 6(1)(a)): when you donate through our website, you provide consent via the GDPR opt-in checkbox on the donation form. You may withdraw consent at any time by emailing donate@flexionfoundation.org; withdrawal does not affect the lawfulness of processing before withdrawal.
• Contract (Article 6(1)(b)): to fulfill the donation transaction and issue your tax receipt.
• Legal obligation (Article 6(1)(c)): to comply with US Internal Revenue Service recordkeeping requirements and California Attorney General Registry of Charitable Trusts filings.
• Legitimate interest (Article 6(1)(f)): to send transactional communications (receipts, recurring-gift confirmations) and to operate and protect the Site against abuse.

Your rights. Under GDPR and UK GDPR, you have the right to:

• Access the personal data we hold about you
• Rectify inaccurate or incomplete data
• Erase your data, subject to our legal retention obligations under US tax law
• Restrict processing in certain circumstances
• Receive your data in a portable, machine-readable format and transfer it to another controller
• Object to processing based on legitimate interest
• Withdraw consent at any time, where consent is the basis of processing
• Lodge a complaint with your home country's supervisory authority. For UK residents, the Information Commissioner's Office at ico.org.uk. For EEA residents, your national Data Protection Authority, a directory of which is maintained by the European Data Protection Board at edpb.europa.eu.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

International data transfers. Flexion Foundationis established in California, United States. When you donate from outside the United States, your personal data is transferred to and processed in the United States. We rely on the Standard Contractual Clauses approved by the European Commission, and the UK International Data Transfer Addendum approved by the UK Information Commissioner's Office, included in our standard merchant agreements with our data processors Donorbox and Stripe, as the safeguard for these transfers.

How to exercise your rights. Email donate@flexionfoundation.org with your request and the email address associated with your gift or subscription. We will acknowledge within 72 hours and respond substantively within 30 days. We may require identity verification before fulfilling a request.

6. Data Retention

We retain donor records for at least seven (7) years to comply with IRS recordkeeping requirements and state charitable solicitation rules. Server logs are retained for a short rolling window. Newsletter subscriber data is retained until you unsubscribe. Volunteer and scholarship applicant data is retained for as long as necessary to support the relationship plus a reasonable administrative period. Where you exercise a valid GDPR or UK GDPR erasure right, we delete or anonymize personal data except where US tax law or state charitable solicitation rules require continued retention; in those cases we explain the reason and delete the data once the retention obligation expires.

7. Security

We use reasonable administrative, technical, and physical safeguards to protect information we collect, including encryption in transit, restricted staff access, and PCI-DSS compliance through our payment processor. No method of transmission over the internet is fully secure, however, and we cannot guarantee absolute security.

8. Children

The Site is not directed to children under 13, and we do not knowingly collect personal information from children under 13. Donations from minors are accepted only with the involvement of a parent or legal guardian.

9. Email Communications (CAN-SPAM)

Any commercial email we send will comply with the CAN-SPAM Act of 2003, including accurate header information, identification as an advertisement where applicable, a valid physical postal address, and a clear opt-out mechanism. Transactional messages (donation receipts, recurring-gift confirmations) are required by IRS substantiation rules and are not subject to opt-out.

10. Changes to This Policy

We may update this Policy from time to time by posting an updated version on the Site and revising the Effective Date. Your continued use of the Site after any revision constitutes your acceptance of the revised Policy.

11. Contact

Questions about this Policy, requests to exercise privacy rights, or requests to opt out of donor recognition may be sent to donate@flexionfoundation.org.