Arushiom Foundation Privacy Policy

Last updated: July 12, 2025

1 – Arushiom Foundation Privacy Policy

The Arushiom Foundation (“we,” “us,” “our”) is committed to protecting your privacy and ensuring the security of your personal information. This privacy policy explains how we collect, use, store, disclose, and protect your information in accordance with applicable laws, including, but not limited to:

  • Act respecting the protection of personal information in the private sector (Act 25 – Quebec)
  • Personal Information Protection and Electronic Documents Act (PIPEDA – Canada)
  • General Data Protection Regulation (GDPR – EU)
  • California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA – US)
  • Virginia Consumer Data Protection Act (VCDPA – US)
  • Lei Geral de Proteção de Dados Pessoais (LGPD – Brazil)
  • Personal Information Protection Act (POPIA – South Africa)

2 – Collection and use of personal information

We collect personal information that you provide to us directly (e.g., through registration forms, donations, email or telephone communications) and information generated by your interaction with our services. We are committed to collecting only the information necessary to carry out our activities and for legitimate and proportionate purposes. The types of personal information we may collect include:

  • Name
  • Postal address
  • Phone number
  • Email address
  • Country of residence
  • Language spoken
  • Details necessary for your participation in events or donations

Please note that we do not store your payment information directly; this is processed by secure external payment service providers. The collection of this data is carried out in accordance with the principles of transparency, minimization, and legitimacy of processing, as required by Law 25 and the GDPR.

3 – Purpose of collection and legal basis

The data collected is used for the following specific purposes, based on an appropriate legal basis:

  • Management of our activities and communications (legal basis: performance of a contract or legitimate interest)
  • To communicate with our members and participants, disseminate information about our activities, retreats, and newsletters, and manage your participation in these events.
  • Processing donations (legal basis: performance of a contract) To process your donations, issue tax receipts where applicable, and manage the relationship with our donors.
  • Improvement of our services and internal analysis (legal basis: legitimate interest): To perform internal statistical analysis on the engagement of our members and the effectiveness of our programs in order to improve our services. These analyses are, to the extent possible, carried out using aggregated or anonymized data.
  • Compliance with our legal obligations (legal basis: legal obligation): To comply with applicable laws, regulations, court decisions, or government requests.

4 – Consent

When the processing of your personal information is based on your consent (for example, to send certain marketing communications that are not essential to the provision of services or to use certain non-essential cookies), your consent will be requested in a clear and explicit manner.

You have the right to withdraw your consent at any time, without affecting the lawfulness of the processing based on consent before its withdrawal.

To withdraw your consent, please change your consent preferences by clicking on the icon (Consent Choice) on each page of our website: https://arushiom.org/

If you encounter any difficulties, please write to [email protected]

5 – Your rights

Depending on the legislation applicable to your situation, you have several rights regarding your personal information. These rights may include, but are not limited to:

  • Right of access: Obtain confirmation that your data is being processed and access it.
  • Right of rectification: Request the correction or updating of inaccurate or incomplete information.
  • Right to erasure (right to be forgotten): Request the deletion of your data under certain conditions.
  • Right to restriction of processing: Request the suspension of the processing of your data in certain circumstances.
  • Right to object: Object to the processing of your data for legitimate reasons, including for direct marketing or profiling purposes.
  • Right to data portability: Receive your data in a structured, commonly used, and machine-readable format, and transmit it to another data controller, where technically feasible.
  • Right to withdraw consent: Withdraw your consent at any time where the processing is based on consent (see Section 4).
  • Right to be informed in the event of a privacy incident: If a privacy incident presents a high risk of harm.

How to exercise your rights:

To exercise any of these rights, please send an email to our Privacy Officer at [email protected]. We may ask you to provide information to verify your identity before processing your request. We are committed to responding to your request within the time frame required by applicable law, generally within thirty (30) days of receiving your complete request.

6 – Sharing and disclosure of your personal information

Your personal information is never sold or rented to third parties.

  • We do not publicly disclose your personal information without your explicit prior consent, except in very specific and limited circumstances.
  • We may share your personal information with the following categories of third parties, only when necessary and in accordance with this Privacy Policy:
  • Service providers and subcontractors: We may share your data with service providers and subcontractors acting on our behalf (e.g., communication platforms, ticketing services, payment service providers, hosting services). These providers are contractually bound to protect your personal information and are only authorized to use it for the specific purposes for which we have provided it to them.
  • Partners and event organizers: In connection with the organization of events or activities of the Foundation, your data may be shared with the organizers or partners involved, strictly for logistical, security, or event management purposes.
  • Testimonials and public content: If you provide us with a testimonial or content intended for public sharing, it will only be published with your prior express written or verbal consent.
  • Legal obligations and emergencies: We may be required to disclose your personal information if required by law, in response to a court order, subpoena or search warrant, or to protect the health, safety or rights of the Foundation or third parties in an emergency.

7 – International transfer and privacy impact assessment (PIA)

In the course of its activities, the Arushiom Foundation may use service providers located outside Quebec or Canada (e.g., communication, donation management, or event registration tools). These providers act as subcontractors and are contractually bound to protect your personal information in accordance with international data protection laws (including the GDPR, Bill 25, and PIPEDA).

No sensitive data (e.g., banking, medical, or confidential information) is retained by the Foundation. The information we collect and store is limited to first name, last name, address, language, country, and email address.

Before transferring any personal data outside Quebec, we ensure that a level of protection equivalent to that provided by applicable laws is in place. When required, we conduct a privacy impact assessment (PIA) to ensure that adequate measures are in place to protect your information.

8 – Data security

We have implemented strict physical, technical, and administrative security measures to protect your personal information from unauthorized access, misuse, disclosure, alteration, or destruction. These measures include, but are not limited to:

Strict access controls: Access to personal information is limited to employees or contractors who need it to perform their duties and who are subject to confidentiality obligations.

System security: Use of firewalls, antivirus protection, intrusion detection systems, and regular software updates.

Secure storage: Your data is stored on secure servers, including cloud storage solutions that meet high security standards.

Encryption: Encryption of sensitive data, both in transit and at rest, where appropriate. Our security measures are regularly evaluated and improved to ensure a level of protection appropriate to the risks.

9 – Data retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or for as long as required by law.As a general rule, your data is retained for three (3) years after your last interaction with the Foundation or the end of your participation in an activity, unless a legal obligation requires us to retain it for a longer period (e.g., for tax or accounting purposes) or you exercise your right to erasure. At the end of the retention period, your personal information will be securely deleted or irreversibly anonymized.

10 – Cookies and tracking technology

Our website uses cookies and other similar tracking technologies to improve your browsing experience. When you first visit our website, a consent banner is displayed, allowing you to accept or decline the use of certain types of cookies.

No non-essential cookies will be installed on your device without your explicit consent. Cookies that are categorized as “necessary” are stored on your browser as they are essential for the basic functionality of the website. We also use third-party cookies that help us analyze how you use this website, remember your preferences, and provide you with relevant content and advertisements. 

These cookies will only be stored in your browser with your prior consent. You can choose to enable or disable some or all of these cookies, but disabling some of them may affect your browsing experience. We use cookies for the following purposes:

  • Necessary cookies are always active. They are crucial for the basic functions of the website and the website will not work as intended without them. These cookies do not store any personally identifiable data.
  • Functional cookies enable certain features to function, such as sharing website content on social media platforms, collecting feedback, and other third-party features.
  • Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on the number of visitors, bounce rate, traffic source, etc.
  • Performance cookies are used to understand and analyze key performance indicators of the website, which allows us to provide a better user experience to visitors.
  • Advertising cookies are used to provide visitors with personalized advertisements based on previously visited pages and to analyze the effectiveness of the advertising campaign.
  • Uncategorized cookies are those that are currently being analyzed and have not yet been classified into a category.

You can change your cookie preferences at any time via the consent banner or your browser settings.

11 – Changes to the privacy policy

We reserve the right to modify this privacy policy at any time to reflect changes in our practices, services, or legal requirements.

Any significant changes to this policy will be notified by email to our contacts and/or posted prominently on our website at least thirty (30) days prior to their effective date. The date of the last update will appear at the top of this page. Your continued use of our services after these changes take effect constitutes your acceptance of the revised policy.

Privacy Officer

The Foundation has appointed a Privacy Officer:

Name: Mr. Louis Brassard

Email: [email protected]

12- Questions, Complaints and Recourse

If you have any questions about this privacy policy, or if you have any concerns or complaints about how we handle your personal information, we encourage you to contact us first. We are committed to reviewing your request promptly and responding to you in a timely manner.

Contact for internal questions and complaints:

Email: [email protected]

If you are not satisfied with our response or believe that your data protection rights have not been respected, you have the right to file a complaint with the data protection authority in your jurisdiction. Here is a non-exhaustive list of relevant authorities:

  • Quebec (Canada): Commission d’accès à l’information du Québec (CAI)
  • Canada (Federal): Office of the Privacy Commissioner of Canada
  • European Union: The data protection authority of the Member State where you usually reside or where the alleged infringement occurred.
  • California (United States): California Privacy Protection Agency (CPPA)
  • Virginia (United States): Virginia Attorney General’s Office
  • Brazil: Autoridade Nacional de Proteção de Dados (ANPD)
  • South Africa: Information Regulator (IR) – (Email address: [email protected])