Privacy Policy

Ibiana Foundation ("we", "our", or "us") operates the website ibianafoundation.com (the "Service") and is dedicated to safeguarding the privacy and security of Personal Information within our control, pertaining to donors, sponsors, beneficiaries, website visitors, employees, volunteers, interns, and other individuals whose Personal Information we gather ("you" or "your").

This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service. This Privacy Policy outlines the fundamental principles regarding the collection, utilization, disclosure, retention, safeguarding, and disposal of Personal Information. As our organizational practices or legal and regulatory requirements may change, this Policy will be subject to ongoing evolution to reflect current best practices in privacy and data protection. We recommend checking our website periodically for any updates to this Policy. However, we have the right to update our policy with or without notifying you.

We use your data to provide and improve the Service. By using the Service, you agree to the collection and use of information in accordance with this policy.

Personal Information refers to data pertaining to an individual that is personally identifiable or could reasonably be used, either alone or in combination with other information, to identify an individual. It excludes anonymous or aggregate information that cannot be traced back to you personally. For instance, we may utilize aggregate data to enhance the effectiveness of our products and services, as well as to refine our marketing strategies.

PURPOSE STATEMENT

The objective of this Policy is to ensure that:

- We uphold the privacy rights of all individuals ("data subjects") we interact with, with particular focus on safeguarding the Personal Information of children, program participants, and their families.

- Any Personal Information covered by this Policy is collected, used, disclosed, and maintained appropriately.

- Access to Personal Information is restricted to authorized individuals only.

To maintain high standards in managing Personal Information, we adhere to the 10 principles outlined in the Canadian Standards Association’s Model Code for the Protection of Personal Information (CSA Model Code). This Model Code, established as a national standard for privacy protection in 1996, serves as the foundation for personal information legislation, policies, and procedures in Canada, including the federal privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA). The 10 principles of the Model Code include:

  1. Accountability

  2. Identifying Purposes

  3. Consent

  4. Limiting Collection

  5. Limiting Use, Disclosure, and Retention

  6. Accuracy

  7. Safeguards

  8. Openness

  9. Individual Access

  10. Challenging Compliance

 

PRIVACY PRINCIPLES 

Principle 1: Accountability

We fully acknowledge our responsibility for the Personal Information within our control. Internal procedures have been established to ensure compliance with this Policy, and we have appointed a Chief Privacy Officer who is responsible for adhering to the following principles.

1.1 The Chief Privacy Officer bears the responsibility for ensuring compliance with the provisions outlined in this Policy. Delegation of responsibilities to other employees to oversee privacy compliance may occur under the Chief Privacy Officer's authority.

1.2 We employ contractual and other commercially reasonable methods to ensure that any third parties granted access to Personal Information entrusted to us maintain a comparable level of protection while processing such information.

1.3 Regular reviews of this Policy are conducted to ensure alignment with privacy best practices and current legislation.

1.4 In addition to this Policy, we have:

- Developed and implemented practices designed to safeguard Personal Information.

- Established procedures to receive and address privacy inquiries or complaints from data subjects, as well as to manage privacy breaches.

- Instituted a privacy training and awareness program for our employees, with a specific focus on the protection of the Personal Information of children, program participants, and their families.

- Committed to integrating data privacy into processes, systems, projects, or work activities that may impact the privacy of Personal Information entrusted to us. These assessments are conducted during the design phase of such work and during substantial modifications involving Personal Information.

 

Principle 2: Purpose Specification

We collect Personal Information for specific purposes and clearly identify these purposes at or before the time of collection.

2.1 Personal Information is gathered from data subjects and may be utilized for the following lawful purposes, including but not limited to:

  - Understanding individuals' needs and responding to requests for information, products, or services.

  - Verifying an individual's identity.

  - Completing financial transactions such as child sponsorship.

  - Providing appropriate levels of service post-transaction, such as updating banking or credit card information, or modifying sponsorship or donation details.

  - Establishing relationships, offering support, and communicating updates, marketing materials, or other relevant news.

  - Personalizing and enhancing user experiences, including conducting satisfaction surveys, customizing advertising, and reviewing aggregated data reports.

  - Administering employees, volunteers, speakers, and other contributors, along with associated activities.

  - Meeting legal or regulatory requirements imposed upon us.

 

2.2 Unless permitted or required by law, we collect and utilize the minimum amount of Personal Information necessary for the purposes outlined in section 2.1.

2.3 Upon request, we will clarify the purposes for which such information will be used or refer the requester to another representative who can provide an explanation.

Principle 3: Consent

We obtain informed consent for the collection, use, or disclosure of Personal Information, except where inappropriate.

3.1 Unless permitted or required by law, we will not use or disclose existing Personal Information for any new purpose not outlined in section 2.1 without first identifying and documenting the new purpose and obtaining the individual's consent.

3.2 Consent can be obtained in person, by phone, by mail, or online (e.g., by ticking a box). Consent is implied or assumed only when the collection, use, or disclosure of Personal Information is obvious based on the individual's actions or inactions, and when the Personal Information is non-sensitive in nature and context.

3.3 We will only require individuals to consent to the collection, use, or disclosure of Personal Information as a condition for the provision of a product or service if it is necessary to fulfill the identified purposes, such as providing a credit card number to process a sponsorship application.

3.4 By providing your Personal Information to us, you agree to our collection, use, and disclosure of your Personal Information in accordance with this Privacy Policy. If you disagree with these terms, please refrain from providing your Personal Information.

3.5 If an individual provides us or our service providers with Personal Information about another person, it is their responsibility to obtain consent from that person to allow us to collect, use, and disclose such information for the purposes outlined in this Policy.

3.6 Data subjects may withdraw their consent at any time, subject to legal or contractual restrictions and reasonable notice. For example, you always have the option to opt out of receiving promotional electronic messages from us by using the available "unsubscribe" link. We will inform data subjects of the implications of withdrawing consent, as it may limit or prevent us from providing information, products, or services.

3.7 To safeguard the Personal Information of children and young people engaged in our activities, we take additional precautions, including:

   (i) Providing concise, easily accessible, and clear information to children or young people about the processing of their Personal Information.

   (ii) Ensuring that parental or guardian consent is obtained where appropriate, in accordance with our Safeguarding Policy.

   (iii) Ensuring that all our employees and third parties involved in collecting and processing the Personal Information of children and their families understand the sensitivity of this information and use it only for its intended purposes.

 

3.8 In certain cases, we may hold Personal Information in our records about individuals residing in Quebec, the European Union, or the United Kingdom. In such instances, we have taken measures to ensure compliance with any obligations under relevant privacy laws, such as the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (Law 25), the General Data Protection Regulation (GDPR) (EU 2016/679), and applicable UK Privacy Law.

Principle 4: Minimizing Collection

We restrict the gathering of Personal Information to what is essential for the designated purposes, ensuring fairness and legality in the process.

4.1 Each of our business units is tasked with ensuring that the information collected is limited both in quantity and type to what is necessary to fulfill the legitimate organizational objectives identified.

4.2 Typically, Personal Information is obtained directly from the individual concerned.

4.3 With the individual's consent or as permitted or required by law, we may also acquire Personal Information from references, financial institutions, credit reporting agencies, or other third parties.

 

Principle 5: Restricting Use, Disclosure, and Retention

We refrain from utilizing or disclosing Personal Information for purposes other than those for which it was collected (refer to Principle 2.2), except with the individual's consent or as mandated by law. Personal Information is retained only for as long as necessary to fulfill these purposes or as required by law.

5.1 Disclosures for investigations or law enforcement purposes may occur under justified or permitted circumstances, such as legal investigations or requests from law enforcement authorities, or when we reasonably believe that disclosure is necessary to protect the rights or safety of an identifiable person or group.

5.2 Sharing with Third-Party Service Providers. Personal Information may be shared with third-party service providers who assist us in managing our relationship with you. These organizations, such as banking institutions, credit agencies, media partners, and contractors, are committed to safeguarding your Personal Information. We ensure appropriate controls are in place before disclosing Personal Information, including contractual agreements specifying the purpose of collection and use, outlining privacy responsibilities, ensuring secure transfer and maintenance of the transferred information, and preventing onward transfer to third parties without our consent. We also verify that service providers maintain reasonable administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and security of the transferred Personal Information.

5.3 Transfer of Personal Information outside of your province of residence and/or Canada. Personal Information may be transferred outside of your province of residence and/or Canada for processing or storage by us or our service providers, including data hosting providers. Before such transfer, we implement appropriate safeguards to maintain our privacy standards by these third parties, including compliance with foreign laws upon request by law enforcement or national security authorities of that jurisdiction.

5.4 We do not and will never sell Personal Information to third parties for marketing or any other commercial purposes.

5.5 Personal Information may be shared between Plan International related companies, for internal audit, management, billing, promotional, or administrative purposes, including legal actions.

5.6 Personal Information is retained only for as long as necessary to fulfill the purposes identified in Principle 2.1 or as required by law. The retention period may extend beyond your relationship with us for legitimate business reasons.

5.7 Personal Information that is no longer necessary or relevant for the identified purposes or no longer required by law is securely destroyed, erased, or anonymized. You have the right to request erasure of your Personal Information when it is no longer needed for the purposes for which it was collected or if you suspect unlawful use.

Principle 6: Ensuring Accuracy

We endeavor to maintain Personal Information in a state that is accurate, comprehensive, and current to the extent necessary to fulfill its intended purposes.

6.1 We depend on individuals who provide us with their Personal Information to ensure its accuracy and completeness.

6.2 Internal procedures have been put in place to uphold the integrity of Personal Information received from individuals, in line with reasonable commercial standards.

6.3 Donors' Personal Information will be updated as necessary to fulfill the designated purposes or upon notification by the donor.


Principle 7: Safeguards

We safeguard Personal Information using security measures appropriate to the sensitivity of the data.

 

7.1 Personal Information is protected against various risks, such as loss, theft, or unauthorized access, disclosure, copying, use, modification, or destruction, through the implementation of suitable security measures.

7.2 The safeguards applied to Personal Information are determined by multiple factors, including available technology, the nature, scope, context, and purpose of processing, as well as the sensitivity of the information. These measures encompass physical, organizational, and technical methods, such as:

- Utilizing security card access to our premises.

- Limiting employee access to files based on a "need to know" basis, aligned with their designated roles and responsibilities.

- Securely storing Personal Information to prevent it from being left unattended in plain view.

- Implementing privacy protection protocols for employees working remotely.

- Employing firewalls, anti-malware detection software, strong passwords, and software solutions to ensure technical security, including collecting information exclusively on Plan websites through secure, 256-bit encrypted Secure Socket Layer sessions.

7.3 Employees with access to Personal Information are mandated, as a condition of their employment, to uphold the protection of such data. They are required to sign confidentiality agreements and undergo annual privacy awareness training.

7.4 In instances where applicable law necessitates, we promptly notify the relevant privacy authority and affected data subjects in the event of a security incident involving their Personal Information.

Principle 8: Transparency

We readily provide specific details about our privacy management policies and procedures to individuals upon request.

8.1 We offer information to assist individuals in making informed choices regarding the use and disclosure of their Personal Information upon request. Our employees are equipped to address inquiries about our handling of information and to direct unanswered questions or privacy complaints to our Chief Privacy Officer.

Principle 9: Individual Rights of Access

We inform individuals about the existence, use, and disclosure of their Personal Information upon request, granting them access to their information. Individuals have the opportunity to contest the accuracy and completeness of their data and request corrections or deletions as necessary.

9.1 Upon receipt of a written request, we afford data subjects a reasonable opportunity to review their Personal Information held in our records, whether in electronic or paper format. The request must include sufficient detail to enable us to locate the requested records efficiently.

9.2 Upon request, we furnish individuals with a summary of the utilization and disclosure of their Personal Information and, where feasible, identify the sources of such information.

9.3 To safeguard against fraudulent access to Personal Information, we take reasonable measures to verify the identity of the requester or their legally authorized representative before granting access to their file.

9.4 We endeavor to respond to access requests within 30 days of receipt or in accordance with relevant legislation.

9.5 Individuals receive any necessary assistance to access or comprehend their Personal Information, including clarification on the specifics of their request or the information provided in response.

9.6 Depending on the volume of information requested, a nominal fee may be applied to cover associated costs. Any such fees are communicated to the individual before processing the access request.

9.7 We promptly rectify, complete, or delete any Personal Information found to be inaccurate, incomplete, or lawfully subject to erasure. In cases where disagreement arises regarding the accuracy or completeness of information, the individual's file will note the dispute. Additionally, when appropriate, we transmit any disagreements with the individual to third parties with access to the disputed Personal Information.

9.8 The rights of individuals to access, correct, or request deletion of Personal Information are subject to applicable legal constraints. If we are unable to fulfill an individual's request due to legal, regulatory, or other reasons, an explanation will be provided when permissible.

Principle 10: Addressing Compliance Concerns

Should an individual wish to raise a concern regarding our adherence to the principles outlined in this Privacy Policy, they should direct their challenge to the Chief Privacy Officer.

10.1 We have established procedures to receive, investigate, respond to, and track concerns or complaints regarding our handling of Personal Information.

10.2 Following the conclusion of a complaint investigation, the Chief Privacy Officer will communicate the investigation's findings to the complainant, along with any appropriate remedy or corrective action we intend to undertake to address the complaint. This may include, if necessary, adjustments to Plan's policies and procedures.

RESPONSIBILITIES

Ensuring the implementation and maintenance of robust data privacy practices is a collective responsibility.

4.1 Our employees and volunteers bear the responsibility for safeguarding Personal Information and adhering to this Policy while processing Personal Information in connection with their work or volunteer duties.

4.2 People Leaders are accountable for ensuring that employees, volunteers, and third-party service providers associated with their teams are familiar with and comply with this Policy.

4.3 The Chief Privacy Officer holds the responsibility for ensuring compliance with this Policy.

Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you.

Types of Data Collected

Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include, but is not limited to:

- Email address

- First name and last name

- Phone number

- Address, State, Province, ZIP/Postal code, City

- Cookies and Usage Data

- Payment card information

Usage Data

Usage data refers to information generated automatically or derived from the use of our service, website, or application by users. This type of data encompasses various interactions and activities conducted by users while utilizing a particular platform or service. Usage data can include:

  1. **User Interactions**: This includes actions performed by users within the service, such as clicks, taps, scrolls, and navigation paths. For example, it may track which pages or features users access, how long they spend on each page, and the sequence of actions they take.

  2. **Session Information**: Data related to user sessions, such as session duration, login/logout times, and frequency of visits. It helps in understanding user engagement patterns and session lengths.

  3. **Device and Browser Information**: Details about the devices and browsers used by users to access the service, including device type, operating system, browser type, screen resolution, and IP address. This information helps in optimizing the user experience for different devices and platforms.

  4. **Geolocation Data**: Location information derived from users' IP addresses or GPS coordinates. It provides insights into the geographic distribution of users and enables the delivery of location-based services or content.

  5. **Referral Sources**: Information about the sources through which users arrived at the service, such as search engines, referral links, or advertisements. It helps in analyzing marketing effectiveness and understanding user acquisition channels.

  6. **Error and Performance Data**: Data related to errors encountered by users while using the service, as well as performance metrics such as page load times and response times. It assists in identifying and troubleshooting technical issues to enhance the overall performance and reliability of the service.

  7. **Preferences and Settings**: User preferences, settings, and configurations within the service, such as language preferences, notification settings, and customization options. It allows for personalized experiences tailored to individual user preferences.

Usage data is valuable for businesses and service providers as it provides insights into user behaviour, preferences, and interactions, which can be used to improve the user experience, optimize services, and make data-driven decisions. However, it's important to handle usage data responsibly and in compliance with applicable privacy regulations to protect user privacy and ensure data security.
