LAST UPDATED July 7, 2023 Prior version
This Policy applies to your use of our “Services,” which include our Website, fundraising platform, social media pages, and any other online services, as well as related phone support.
Except for processing by our service providers on our behalf (described below), this Policy does not apply to third party websites, products, or services. For example, we may manage portions of our Services directly, and third party businesses (such as payment processors) may manage others. Third parties, including nonprofit organizations who have registered to use our Services (“Nonprofits”), may operate or develop content on certain pages of the Website. In these cases, the terms, conditions, and privacy practices of the third party, not those of Colorado Gives, may govern your transactions, and we may have no control over the Personal Data collected.
The controller of your Personal Data under this Policy is Colorado Gives Foundation. You may contact our Data Privacy Team as follows:
Data Requests (available under the laws of certain regions)
Visit our data request page or call 720-898-5900
For further information on how to exercise data rights you may have in certain regions, please view the Regional Supplement below.
Colorado Gives Foundation
Attn: Privacy 5855 Wadsworth Bypass, Unit A
Arvada, CO 80003, U.S.A.
For other matters, please see our Contact Us page.
The following describes how we process data relating to identified or identifiable individuals and households (“Personal Data”).
Categories of Personal Data We Process
Identity Data - Information such as your name; address; email address; account login details, e.g. username and password, avatar, or other account handles/usernames.
Contact Data - Identity Data we can use to contact you, such as email and physical addresses, phone numbers, social media or communications platform usernames/handles.
Device / Network Data - Browsing history, search history, and information regarding your interaction with a website, application, or advertisement (e.g. IP Address, MAC Address, SSIDs, application ID/AdID/IDFA, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, first party cookies, third party cookies, web beacons, clear gifs and pixel tags.
Transaction Data - Information about transactions you make with us or other Nonprofit organizations through our Website (such as, making an individual donation, and similar information).
Payment Data - Information such as bank account details, payment card information, and relevant information in connection with a financial transaction.
Audio Data - Audio files and records, such as voicemails, call recordings, and the like.
Visual Data - Image files, such as photos you choose to add to your account profile, or photos uploaded by a Nonprofit to its fundraising page.
General Location Data - Non-precise location data, e.g. location information derived from social media tags/posts.
Sensitive Personal Data -Personal Data deemed “sensitive” under Colorado or other applicable laws, such as racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or citizenship status, genetic or biometric data, or personal data from a known child. We do not actively solicit Sensitive Personal Data, but we may process Sensitive Personal Data in some contexts if you choose to provide it, as described below.
User Content - Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields on a Website form or email.
We collect Personal Data from various sources, which include:
Individuals - We receive Personal Data when individual users provide them to us, when they visit our Website or make a donation, or otherwise use our Services.
Non Profit Organizations - We receive Personal Data when a Nonprofit provides them to us, when they create a Non Profit Profile or fundraising page, or otherwise use our Services.
Service Providers - We receive Personal Data from the operator of our fundraising platforms, payment processors, and other service providers who transfer Personal Data to us when you create an account or make a donation, and other service providers performing services on our behalf.
Data we collect automatically - We (or service providers on our behalf) collect Personal Data about or generated by any device used to access our Website and Services.
Data Aggregators - We receive Personal Data from ad networks, data brokers, Targeted Advertising vendors, market research, and social media companies or similar companies who provide us with additional Personal Data, e.g. Preference Data.
Social media companies - We receive Personal Data from social media companies when you use social media to sign-in to our Website, or when you interact with that social media company on or in connection with our Services.
Data we create - We, certain partners, social media companies, and third parties operating on our behalf, create Personal Data such as Aggregate Data or profiles based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you.
We process Device/Network Data, Contact Data, Identity Data, and General Location Data when you visit our Website. You may also be able to make a donation, register for an account, or enroll in marketing communications through our Website.
We use this Personal Data as necessary to operate our Website, such as keeping you logged in, delivering pages, etc., for our Business Purposes, and our other legitimate interests, such as:
We may process this Personal Data for our Commercial/Fundraising Purposes (which may include Targeted Advertising).
Cookies and other tracking technologies
We may also process this Personal Data for our Business Purposes and Commercial/Fundraising Purposes (which may include Targeted Advertising). See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.
Third parties may view, edit, or set their own cookies or place web beacons on our websites. We, or third party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Third parties have their own privacy policies and their processing is not subject to this Policy.
User Account Registration
We process Identity Data, Contact Data, and Device/Network Data when you register and create an account for our Services, whether an individual donor account, or a Nonprofit account. We process Transaction Data and Payment Data if you associate one-time or recurring donations or other payment information with that account. We process Visual Data if you upload a profile photo.
We use this Personal Data to create and maintain your account, to provide the Services you request, and for our Business Purposes. We may process Identity Data and Contact Data for Commercial/Fundraising Purposes (which may include Targeted Advertising).
We process Transaction Data, Payment Data, Contact Data, Identity Data, and Device/Network Data when you make a donation or purchase a Giving Card. We do not permanently store your Payment Data, except at your request. When you make a donation through a fundraising page on our Website, some of the information you provide (your first and last name, email address, mailing address, and Transaction Data such as the Nonprofit's name, date and time of your donation, and the amount of your donation) will be delivered to the creator of that fundraising page, whether it is created by the Nonprofit, or by an unrelated individual who create the page on behalf of the Nonprofit ("Fundraising Page Creator"). We may also collect User Data if you provide it in free text or comment field on a donation page on our Website. We may collect Sensitive Personal Data only if you provide it in a free text or comment field on a donation page, however we strongly discourage you from sending any Sensitive Personal Data to a Nonprofit through our Website or otherwise entering such data on our Website.
We process this Personal Data as necessary to perform or initiate a transaction with you, process your order or payment, document transactions, and for our Business Purposes.
We may process Identity Data, Contact Data, and Device/Network Data for Commercial/Fundraising Purposes (which may include Targeted Advertising).
Marketing Communications for Individuals
We process Contact Data, Identity Data, and Device/Network Data in connection with marketing emails, our newsletter, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a donation.
We process this Personal Data to contact you about relevant Services and for our Business Purposes. We may use this data for our Commercial/Fundraising Purposes (which may include Targeted Advertising). See your Rights & Choices to limit or opt out of this processing.
Please note: when you make a donation to a Nonprofit through Colorado Gives, you consent to receive marketing and other communications from that Nonprofit. Nonprofits have their own privacy policies and their processing is not subject to this Policy. See your Rights & Choices to limit or opt out of this processing.
Customer Service; Contact Us
We collect and process Identity Data, Contact Data, and User Content when you contact us, e.g. through a contact us form, for customer service, or when you report a problem with our Website. If you call us via phone, we may collect Audio Data from the call recording. We may collect Sensitive Personal Data only if you provide it to us in a free text field or over the phone, however we strongly discourage you from sending any Sensitive Personal Data to us.
We process this Personal Data to respond to your request, and communicate with you, as appropriate, and for our Business Purposes. If you consent or if permitted by law, we may use Identity Data and Contact Data to send you marketing communications and for our Commercial/Fundraising Purposes (which may include Targeted Advertising).
Posts and Social Media
We process Identity Data, Contact Data, and User Content you post (e.g. comments and social media posts, etc.) when you interact with us on social media platforms, such as Facebook, Twitter, and YouTube.
We process this Personal Data for our Business Purposes, and Commercial/Fundraising Purposes (which may include Targeted Advertising).
Posts may be public, or reposted on our Services. Content you provide may be publicly-available when you post it on our Services, or in some cases, if you reference, engage, or tag our official social media accounts on social media platforms.
Nonprofit Profile Registration
We process Identity Data, Contact Data, General Location Data, and User Content when you register and create a Nonprofit account for our Services. We process Visual Data if you upload photos.
We process this Personal Data to create and maintain your Nonprofit account, to provide the Services you request, and for our Business Purposes. We may process Identity Data and Contact Data for Commercial/Fundraising Purposes (which may include Targeted Advertising).
We process Identity Data, Contact Data, Device/Network Data, Transaction Data, Payment Data, and User Content when you create a fundraising page associated with a Nonprofit on our Services.
We process this Personal Data to create and maintain your fundraising page, to provide the Services you request, and for our Business Purposes. We may process Identity Data and Contact Data for Commercial/Fundraising Purposes (which may include Targeted Advertising).
Become a Regional Champion
We process Identity Data, Contact Data, General Location Data, Device/Network Data, Transaction Data, and Payment Data when you become a regional champion.
We process this Personal Data in connection with your regional champion application, to add you to our regional champion directory, and for our Business Purposes.
Communications for Nonprofit Stakeholders
We process Contact Data, Identity Data, and Device/Network Data in connection with Nonprofit marketing emails, our newsletter, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of Nonprofit Profile registration or setting up a donation page on our Services.
We process this Personal Data to contact you about relevant services and for our Business Purposes. We may use this data for our Commercial/Fundraising Purposes (which may include Targeted Advertising). See your Rights & Choices to limit or opt out of this processing.
We and our Service Providers process Personal Data we hold for numerous business purposes, depending on the context of collection, your Rights & Choices, and our legitimate interests. We generally process Personal Data for the following “Business Purposes.”
We process Personal Data as necessary to provide our Services. For example, we process Personal Data to authenticate individual users, Nonprofit users, and their rights to access the Services, or as otherwise necessary to fulfill our contractual obligations to you, provide you with the information, features, and Services you request, and create relevant documentation.
Internal Processing and Service Improvement
We may use any Personal Data we process through our Services as necessary in connection with our legitimate interests in improving the design of our Services, understanding how our Services are used or function, for customer service purposes, for internal research, technical or feature development, to track use of our Services, quality assurance and debugging, audits, and similar purposes.
Security and Incident Detection
We may process Personal Data in connection with our legitimate interest in ensuring that our Services are secure, to identify and prevent crime, prevent fraud, verify or authenticate users, and ensure the safety of our users. Similarly, we process Personal Data on our Website as necessary to detect security incidents, protect against, and respond to malicious, deceptive, fraudulent, or illegal activity. We may analyze network traffic, device patterns, and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security activities.
We may process certain Personal Data as necessary in connection with our legitimate interest in personalizing our Services. For example, we may display a list of Nonprofits to which you have previously donated when you are signed in to your User Account. We may also personalize based on Profiles, where permitted by law, e.g. by displaying your name and other appearance or display preferences, to display content that you have interacted with in the past, or to display content that we think may be of interest to you based on your interactions with our Services and other content.
We may process Personal Data in order to identify trends, including to create aggregated and anonymized data about donor trends, use of our Services, and other similar information (“Aggregated Data”). Aggregated Data that does not contain Personal Data is not subject to this Policy.
ColoradoGives.org uses Google Analytics which is a web analytics service offered by Google (https://www.google.com) that tracks and reports website traffic. We use Google Analytics to allow us to determine information such as the number of unique and returning visitors, how they were referred to our Website, the length of time they spend on our Website, the number of pages they visit, and other similar information. As part of Google Analytics, we have also implemented the Google Tag Manager, Google signals, and Google Advertising Features which enables Google Analytics to report and remarket across devices, which helps to enable targeted advertising. It provides deeper insights on who is visiting the Website, and allowing us to better understand the demographics and interests of people visiting the Website, and to better target advertising to our users. Visitors can edit their inferred demographic categories for websites or opt-out of Google Analytics Advertising Features by visiting Google Analytics' currently available opt-outs for the web. You may learn more about Google Analytics security by visiting its website.
Compliance, Health, Safety, Public Interest
We may also process Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law, for the establishment and defense of legal claims, where we must comply with requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent required or permitted under applicable law. Please see the Disclosure/Sharing of Personal Data section for more information about how we disclose Personal Data in extraordinary circumstances.
Personalized Marketing Communications
We may personalize Marketing Communications based on your interactions with our Services. If consent to consumer profiling or Targeted Advertising is required by law, we will seek your consent.
In some jurisdictions, the Foundation and certain third parties operating on or through our Services, may engage in advertising targeted to your interests based on Personal Data that we or those third parties obtain from your activities across non-affiliated websites, applications, or services in order to predict your preferences or interests (“Targeted Advertising”). This form of advertising includes various parties and service providers, including third party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.
The parties that control the processing of Personal Data for Targeted Advertising purposes may create or leverage information derived from Google Analytics as described above, as well as from our Personalization and Marketing Communications. In some cases, these parties may also develop and assess Personal Data about you to determine whether you are a type of person a company wants to advertise to, and determine whether and how ads you see are effective. These third parties may augment your profile with demographic and other Preference Data, and may track whether you view, interact with, or how often you have seen an ad, or whether you purchased advertised goods or services.
We generally use Targeted Advertising for the purpose of marketing our Services, and to send marketing and development communications, including by creating custom marketing audiences on third-party websites or social media platforms.
We may disclose Personal Data to the following categories of third-party recipients and/or for the following reasons:
Nonprofits and Fundraising Page Creators – We disclose Personal Data to Nonprofits and other Fundraising Page Creators in support of our Business Purposes, and Commercial/Fundraising Purposes. For example, we will make all information you submit to a donation page available to that Nonprofit or other Fundraising Page Creator, any Regional Champions with which the Nonprofit is associated, other third parties who we have determined have a legitimate, non-commercial interest in funds to which you may donate, and/or online fundraising reports identifying, where available, your name, address, email, any other optional data provided by you during the donation process.
If you choose to make your donation and/or name hidden from the public, we will not share the amount and/or your name respectively publicly on our Site and we will communicate your desire in our reporting to the applicable Nonprofit or Fundraising Page Creator.
Colorado Gives Foundation - We may disclose your Personal Data to employees and authorized personnel within the Colorado Gives Foundation in order to streamline certain business operations, and in support of our Business Purposes, and Commercial/Fundraising Purposes.
Service Providers - We may disclose your Personal Data to service providers who help run Colorado Gives 365 and Colorado Gives Day, collect and process donations on behalf of our nonprofit partners, and who provide certain services on our behalf in connection with our general business operations, including email services, payment processing, CRM, and in connection with our (or our Service Providers’) Business Purposes.
Social Media Platforms - We may disclose certain Personal Data to social media platforms in support of our Business Purposes and Commercial/Fundraising Purposes.
Financial Partners - We disclose certain Personal Data to financial institutions to facilitate donation matching programs, such as the Incentive Fund.
Public Disclosure - If you use any social media plugin, API, or other similar feature, use a fundraising hashtag or similar link, or otherwise interact with us or our Services via social media, we may make your post available on our Services or to the general public. We may share, rebroadcast, or redisplay Personal Data or other information in the post to the extent permitted by the relevant social media service.
Data Aggregators - We may disclose Personal Data to data aggregators in support of our Commercial/Fundraising Purposes and in connection with Targeted Advertising. These disclosures can help better personalize our Services, the services of third parties, and help ensure that you see advertisements that are more relevant to your interests.
Successors - We may disclose Personal Data if we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. While we endeavor to protect our Services and your Personal Data from unauthorized access, use, modification and disclosure, we cannot guarantee that any information, during transmission or while stored on our systems, will be absolutely safe from intrusion by others.
We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider factors including the following when we determine how long to retain data:
We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.
Our Services are neither directed at nor intended for use by persons under the age of majority. If a child under the age of 13 in the U.S. has provided us with Personal Data and if the parent or guardian of the child would like the information submitted by the child deleted from our database, we asks that a parent or guardian of the child Contact Us. If we learn that our Website has collected Personal Data from a child under the age of 13, we will take reasonable steps to promptly delete that information.
We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Digital Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.
You may have certain rights and choices regarding the Personal Data we process. Please note, these rights may vary based on the country or state where you reside, and our obligations under applicable law. See the following sections for more information regarding your rights/choices in specific regions:
You may have certain rights and choices regarding the Personal Data we process. See the “Regional Supplement” section below for rights available to you in your jurisdiction. To submit a request, contact our Data Privacy Team. We verify your identity in connection with most requests, as described below.
If you submit a request, we typically must verify your identity to ensure that you have the right to make that request, reduce fraud, and to ensure the security of Personal Data. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.
We may require that you match personal information we have on file in order to adequately verify your identity. If you have an account, we may require that you log into the account to submit the request as part of the verification process. We may not grant access to certain Personal Data to you if prohibited by law.
You can withdraw your consent to receive email marketing communications by clicking on the unsubscribe link in an email, or for other communications, Contact Us by using the information above.
Nonprofit Marketing Communications.
When you make a donation to a Nonprofit through Colorado Gives, you consent to receive marketing communications from that Nonprofit. To withdraw your consent to receive marketing communications from a Nonprofit, please contact that Nonprofit directly.
Withdrawing Your Consent/Opt-Out
You may withdraw any consent you have provided at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as location-based services, personalizing or making relevant certain types of advertising, or other services conditioned on your consent or choice not to opt-out.
Cookies, Similar Technologies, and Targeted Advertising
Targeted Advertising - You may opt out or withdraw your consent to Targeted Advertising by visiting our data request page . In some cases, you may be able to opt-out by submitting requests to third party partners, including for the vendors listed below:
Do-Not-Track - Our Services do not respond to your browser’s do-not-track request.
Under the Colorado Privacy Act (“CPA”) and other state privacy laws if applicable, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.
Opt-Out Rights - Right to opt-out of the following:
Access - Right to receive a copy of all the specific pieces of Personal Data we have collected and maintained about you that are subject to your request, including any Personal Data held by our Service Providers in connection with our Services.
Correction - Right to correct inaccuracies in certain Personal Data that we hold about you.
Deletion - Right to delete certain Personal Data that we hold about you.
Portability - Right to request that we provide certain Personal Data through a secure method in a commonly used, readily usable electronic format.
Submission of Requests
You may submit requests by visiting our data request page or contact us at 720-898-5900 (please also review our verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at 720-898-5900. We will respond to any request to appeal within the period required by law.
The controller of Personal Data relating to residents of the UK/EEA/Switzerland/Cayman Islands is: Colorado Gives Foundation, 5855 Wadsworth Bypass, Unit A, Arvada, CO 80003, USA.
Rights & Choices
Residents of the EEA, UK, Switzerland, and the Cayman Islands have the following rights. You may submit requests by visiting our data request page, or calling us at +1720-898-5900. Please review our verification requirements. Applicable law may provide exceptions and limitations to all rights.
Access - You may have a right to access the Personal Data we process.
Rectification - You may correct any Personal Data that you believe is inaccurate.
Deletion - You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.
Data Export - You may request that we send you a copy of your Personal Data in a common portable format of our choice.
Restriction - You may request that we restrict the processing of personal data to what is necessary for a lawful basis.
Objection - You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:
Regulator Contact - You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.
Lawful Basis for Processing
Description of Basis & Relevant Purposes
Relevant Contexts / Purposes / Disclosures
Performance of a contract
The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g. to perform the agreement you have with us, to provide services to you, to open and maintain your user accounts, to manage your Nonprofit profile, or process requests.
This processing is based on our legitimate interests. For example, we rely on our legitimate interest to administer, analyze and improve our Website and related content, to operate our business including through the use of service providers and subcontractors, to send you notifications about our Website or your transactions, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes. See the Business Purposes of Processing section above for more information regarding the nature of processing performed on the basis of our legitimate interests.
This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.
Compliance with legal obligations
This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for compliance purposes.
Performance of a task carried out in the public interest
This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for such purposes.
We process data in the United States, and other countries where our subprocessors are located. In cases where we transfer Personal Data to jurisdiction that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework. You can obtain more information about transfer measures we use for specific transfers by contacting us using the information above.