Privacy Policy

Smile Train has created this Privacy Policy to explain why we collect particular information and how we will protect your personal privacy within our Website.

 

Last Updated: August 1, 2023

Smile Train is a 501(c)(3) nonprofit, cleft-focused organization, with a model of supporting surgery and other forms of essential care for individuals with cleft conditions. This Privacy Policy is intended to describe how Smile Train (also referred to as "we" or "us") collects, uses, and shares information that we collect or obtain through smiletrain.org and all subdomains ("Sites"). Without prejudice to your rights under applicable laws, this Privacy Policy is not contractual and does not form a part of your contract with us or our affiliates or subsidiaries.

The Sites are not intended for children under 13, and we do not generally or knowingly collect information relating to children under 13 through the Sites. For more information, see the "Information about Children" section below.

If you are a Colorado resident, please see section 9, "Additional Information for Colorado Residents" for important information for you.

1. Applicability Of This Privacy Policy

This Privacy Policy applies only to personal information that you submit or that we collect or receive through our Sites as well as any information that you may provide to us or that we may collect in connection with our provision of the Sites' services. This Privacy Policy does not apply to other Smile Train websites or applications, or to our Smile Train programs. Our use of patient information that you submit to partners or that we otherwise collect in connection with our partner programs is not subject to this Privacy Policy and is governed by our agreement with the partner organization.

2. Information We Collect

As described in this Privacy Policy, we may collect certain Personal Information from or about you in connection with your use of, or your submissions to, the Sites and our provision of the services. "Personal Information," for purposes of this Privacy Policy, generally includes information that may be used to identify you. Subject to applicable law, Personal Information does not include de-identified data or publicly-available information.

The sources and types of Personal Information we collect may vary depending upon our relationship with you. For example, we may collect information from or about the following categories of individuals:

  • Individuals who visit or otherwise interact with our Sites or request or sign up to subscribe to receive information or materials from us ("Visitors").
  • Individuals who register for an account ("Users").
  • Individuals who make a donation to us, including directly through the Sites or through a partner organization ("Donors").
  • Individuals who volunteer with our organization ("Volunteers").

Unless otherwise specified, we refer to these categories of individuals collectively as "you" or "your" in this Privacy Policy. You are not required to provide all Personal Information identified in this Privacy Policy; however, please be advised that if you do not provide the Personal Information requested, we may be unable to provide some or all of the Services.

Categories of Personal Information.

We may collect the following categories of Personal Information:

Categories of Personal Information: Examples
  • Identifiers, contact, and demographic information: Name; mailing address; email address; telephone number; organization; job title or occupation; device ID; age; username and password.
  • Transaction information: Transaction information associated with donations, such as donation and gift aid details. Please note, when you make a donation through our Sites, we utilize third-party payment processors to manage and administer the payment process ("Payment Processors"). When you make donations to us, the processing of payment information is governed by the respective Payment Processor's privacy policy. Smile Train does not collect or store your complete bank account number or credit/debit card number; however, we may collect or receive limited information regarding your transaction and payment, such as your payment card type and last four digits of your payment card number.
  • Donation information: Donation history, including recency, frequency, and amount of donations; your connection to the charity; your participation in charity events and campaigns, including giving patterns.
  • Internet or similar network activity: Browsing history; clickstream data; browser and operating system type; navigation paths; date/time stamps; cookie identifiers; domain names; access times and referring website addresses; and other information about device characteristics and how you interact with our Sites or our services.
  • Geolocation data: Geolocation; IP address.
  • Professional or employment-related information: Occupation; job title and description; organization address; and/or other information related to your organization and/or your employment.
  • Inference information: Inferences we may draw from other Personal Information we have collected, which may include preferences and characteristics (for example, about Donors based upon such criteria as timing and history of donations). We do not use information we collect to derive inferences or conclusions about an individual's mental or physical health.
  • Special category personal information: Health information, including information related to cleft conditions and/or your connection to an individual with cleft, if applicable.

Additional Information on Special Categories of Personal Information. As Smile Train is a cleft-focused organization, with a model of supporting surgery and other forms of essential care for individuals with cleft conditions, we may collect special categories of personal information, such as health information, including information related to cleft conditions. We will generally only collect this information where we have your explicit consent, unless we are permitted to do so in other circumstances under applicable law. We also may make a record that a person is in a vulnerable circumstance in order to comply with requirements under charity law and the Code of Fundraising Practice to ensure that we do not send fundraising communications to them. If you are a Colorado resident, section 9, "Additional Information for Colorado Residents" contains important information for you about our collection, use, and disclosure of sensitive data under Colorado law.

Cookies, Device Information, and Similar Technologies. As is common practice with almost all professional websites, we use cookies to enhance your experience. We may collect certain information using cookies and other technologies, such as web beacons, device IDs, HTML5 local storage, and IP addresses. Cookies are pieces of information that some websites transfer to the computer that is browsing that website and are used for record-keeping purposes at many websites. Cookies make web-surfing easier by performing certain functions, such as remembering your login status and your personal preferences regarding your use of the particular website, and making sure you do not see the same ad repeatedly. Many consider the use of cookies to be an industry standard.

We use browser cookies for different purposes, including cookies that are strictly necessary for functionality and cookies that are used for personalization and performance/analytics. We may also automatically collect certain data about your device, such as information about your web browser, IP address, time zone, mobile device ID, model, manufacturer, operating system, version information, carrier-related information, and IDs related to the cell phone hardware in your phone as well as the network to which the device is connected, mobile phone number, application-specific and instance-specific identifiers, and location information, as further described in this Privacy Policy.

Internet browsers normally accept cookies by default. However, most browsers let you turn off either all or third-party cookies. If you would prefer not to receive cookies, you can alter the configuration of your browser to refuse cookies. The option to do this is usually found in the options, settings or preferences menus of your browser or mobile device.

Unfortunately, in most cases there are no industry standard options for disabling cookies without completely disabling the functionality and features that they add to this site. If you are not sure whether you need them, you may choose not to disable cookies, in case they are used to provide a service that you use. If you choose to have your browser refuse cookies, it is possible that your ability to use our Sites will be limited or that some areas of our Sites will not function properly when you view them.

You may opt-out of Google's analytics cookies by visiting Google's opt-out page - https://tools.google.com/dlpage/gaoptout. Click on the following links to find out how to change your cookie settings in: Internet Explorer; Firefox; Chrome; Safari; Opera; iPhone and iPad; Samsung. For more information about the use of cookies see: www.allaboutcookies.org. Check out allaboutcookies for instructions and advice.

Aggregated, De-identified, or Anonymous Data. We may create aggregated, de-identified, or anonymous information from Personal Information by removing data components (such as your name, email address, or linkable tracking ID) that make the data identifiable, or through aggregation, obfuscation, or other means. For example, we may use aggregated, de-identified, or anonymized information to understand how to improve or enhance our services. Subject to applicable law, our use of such aggregated, de-identified, or anonymized information is not Personal Information or subject to this Privacy Policy.

3. Sources Of Information And Purposes Of Collection And Processing

The following is intended to describe the various sources through which we may collect Personal Information and the purposes for which we collect and process it. As noted above, the sources and types of Personal Information and our purposes may vary depending upon our relationship with you:

Sources of Personal Information / Categories of Personal Information from Source / Purposes of Collection and Use
Communications and Interactions with Us and Participation in our Events and Programs
We may collect Personal Information from you when you interact with the Sites or services, register for an account, sign up for or participate in our events, conferences, or programs, submit inquiries or request information from us, complete quizzes or surveys, contact our support hotlines, or otherwise contact or communicate with us.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Enable you to participate in our events, programs, and services
  • Communicate with you
  • Market, advertise, and promote our events, programs, and services
  • For fundraising purposes, including to identify and create profiles of our supporters and potential supporters
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
Agreements, Forms, and Applications
We may collect Personal Information from you or your authorized representatives in connection with entering into an agreement with you or through other forms or agreements. We may also collect Personal Information when you submit applications to us, such as for our scholarship, schools, and partner programs.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Enable you to participate in our events, programs, and Services
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
Requests Regarding Our Partner Programs
We may collect Personal Information from you when you submit inquiries or request information regarding our partner programs. The information we collect in connection with those inquiries is subject to and treated in accordance with this Privacy Policy. As noted above, the information we may collect once you become a cleft patient or otherwise participate in our partner programs is not subject to this Privacy Policy and is governed by our agreement with the partner organization.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Enable you to participate in our events, programs, and Services
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
Account Administration and Transactions
We may collect Personal Information from you and from records we create in connection with administering your account or when you complete transactions.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide and administer the services
  • Donation administration, including for billing and payment purposes
  • Enable you to participate in our events, programs, and Services
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
Social Media, Online Forums, and Advertisements
We may collect Personal Information from third-party social media platforms and sites, when you engage with our social media pages, online communities and forums, and when you mention us on your own or other social media pages, online communities, or forums, or when you interact with advertisements related to our services. Please note that online forums may be publicly accessible and other users may view information you post in the forums. We encourage you to exercise care in deciding what information and content you wish to disclose on the areas of the Sites that are accessible to the general public.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Tailor content and opportunities that may be of interest to you
  • Enable you to participate in our events, programs, and services
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Communicate with you
  • Market, advertise, and promote our events, programs, and Services
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
From Our Affiliates
We may collect Personal Information from our subsidiaries, affiliates, and other companies under our common control or within our corporate family (collectively, "Affiliates").
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Enable you to participate in our events, programs, and services
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • Market, advertise, and promote our events, programs, and services
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
From Partner Organizations and Service Providers
We may collect Personal Information from our partner organizations and service providers, or other third parties who are authorized to act on our behalf.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Tailor content and opportunities that may be of interest to you
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Donation administration, including for billing and payment purposes
  • Provide and enhance our events, programs, and Services
  • Enable you to participate in our events, programs, and Services
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • Market, advertise, and promote our events, programs, and Services
  • For security purposes and for fraud- and crime-prevention purposes
  • Comply with legal and regulatory obligations
When You Make a Donation
We may collect Personal Information from Donors when you make a donation or you otherwise contact or communicate with us in connection with our donation program.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
Purposes of Collection and Use:
  • Communicate with you
  • Internal administrative purposes and record-keeping
  • Donation administration, including for billing and payment purposes
  • For fundraising purposes, including to create profiles of our supporters and potential supporters
  • Market, advertise, or promote the Services
  • Comply with legal and regulatory obligations
Publicly Available Sources
We may collect Personal Information from publicly available sources.
Categories of Personal Information from Source:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Purposes of Collection and Use:
  • Provide, administer, and enhance our events, programs, and services
  • Enable you to participate in our events, programs, and Services
  • Communicate with you
  • Market, advertise, and promote our events, programs, and Services
  • For security purposes and for fraud- and crime-prevention purposes
  • Implement and enforce our agreements
  • Comply with legal and regulatory obligations

4. How We May Disclose Information

We may disclose personal information as described in this Privacy Policy, including with the following categories of third parties:

Categories of Third Parties with Whom We May Share Personal Information / Categories of Personal Information We May Share
Affiliates
We may share Personal Information with our Affiliates. Where we share personal information with our Affiliates, we will require our Affiliates to honor this Privacy Policy.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Technical and Operational Service Providers and Partner Organizations
We may engage third parties to perform certain functions on our behalf. To do so, we may disclose Personal Information to our third-party partners and service providers in order to maintain and operate the Sites and to provide, improve, and personalize the services, including to fulfill requests for the services, process donations and payment transactions, to administer your account, and for other technical and processing functions, such as sending e-mails on our behalf, administering transactions, and technical support. We may also share Personal Information with service providers or other third parties to detect, protect against, and respond to security incidents or other malicious, deceptive, illegal or fraudulent activity or other threats and for legal compliance purposes or pursuant to legal process.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Marketing, Advertising, and Analytics Providers for Our Direct Marketing Purposes
We may share Personal Information with third-party providers, including social media providers, for marketing, advertising, and analytics purposes. For additional information regarding our advertising practices, please see the Advertising and Social Media section.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
Third-Party Marketing Purposes (Non-UK Donors)
From time to time, Smile Train allows other organizations to send mail to our Donors, subject to applicable law. We take steps to screen these organizations in order to permit mailings from those whose services may be of interest to our supporters. If you do not wish to receive these mailings, or if you would like to change the frequency or types of communications you receive from us, you can opt-out of such sharing by following the instructions in the "Updating Your Communications Preferences and Withdrawing Consent" section of this Privacy Policy. We do not share special categories of personal information with third parties for marketing purposes. Smile Train currently does not share Personal Information of UK Donors with third parties for those third parties' own marketing purposes.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
Government Entities and Legal Compliance
We may share Personal Information with government entities and agencies, regulators, law enforcement, and other third parties, including to comply with any court order, law, or legal process or to respond to a subpoena, search warrant, or government or regulatory request; for fraud- or crime-prevention purposes; to enforce agreements and to assert and defend against legal claims; and to establish, protect, and/or defend the rights of our organization or the rights or safety of third parties.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Professional Service Firms
We may share Personal Information with professional service firms in connection with our legal and regulatory obligations and to establish or exercise our rights and defend against claims, including, for example, auditors, law firms, and consultants.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information
Corporate Transactions
Subject to applicable law, we reserve the right to transfer some or all Personal Information in our possession to a successor organization in the event of a merger, acquisition, bankruptcy, re-organization, or other sale or transfer of all or a portion of our assets, or in contemplation of any such proposed transaction, including for the purpose of permitting the due diligence required to decide whether to proceed with such a transaction. If any such transaction occurs, the purchaser will be entitled to use and disclose the Personal Information collected by us in the same manner that we are able to, and the purchaser will assume the rights and obligations regarding Personal Information as described in this Privacy Policy.
Categories of Personal Information We May Share:
  • Identifiers, contact, and demographic information
  • Transaction information
  • Donation information
  • Internet or similar network activity
  • Geolocation data
  • Professional or employment-related information
  • Inference information
  • Special category information

5. Advertising and Social Media

Interest-Based Advertising

Interest-based advertising is advertising that is targeted to you based on your web browsing and app usage over time and across websites or apps. You have the option to restrict the use of information for interest-based advertising and to opt-out of receiving interest-based ads. Depending on from where you access the Sites, you may also be asked to consent to our use of cookies, including advertising cookies.

Opt-outs for interest-based advertising require that strictly necessary cookies are not blocked by the settings in your web browser. To learn more about this type of advertising and how to opt-out of this form of advertising, you may either visit optout.aboutads.info to opt-out of sites and services participating in the Digital Advertising Alliance ("DAA") self-regulatory program, or visit optout.networkadvertising.org to opt-out of this form of advertising by members of the Network Advertising Initiative ("NAI"). If you live in the United States, Canada, or the European Union, you can visit Ad Choices (U.S.), Your Ad Choices (Canada), or Your Online Choices (EU) to opt-out of interest-based advertising with participating entities for each region. These websites also provide detailed information about how interest-based advertising works.

Opting out does not mean that you will no longer receive advertising from us, or when you use the Internet. It just means that the data collected from our Sites will not be used for interest-based advertising and that the advertising you see displayed on websites will not be customized to your interests. Note that electing to opt-out will not stop advertising from appearing in your browser or applications, although it may make the ads you see less relevant to your interests.

Your choice to opt out on a particular browser or mobile device will apply only to the collection and use of information from that particular browser or mobile device. Opting out on a particular device will not opt you out of information collection on other devices (including mobile devices), nor will it limit cross-device sharing on those other devices. Similarly, opting out on a particular browser will not opt you out of information collection on other browsers. (This opt-out works through cookies set on a particular browser, so if you delete cookies from a web browser, or use a different browser, you will need to opt out again.) If you use different browsers on a device or multiple mobile devices, for each browser and device you wish to opt out, please opt out each device and browser separately at optout.aboutads.info and at optout.networkadvertising.org.

Profiling and Donor Prospect Research

We may analyze your Personal Information and create a profile of your interests and preferences as part of our fundraising activities. This allows us to ensure communications are relevant and timely, and provide an improved experience for our supporters. It also helps us, for example, understand the background of our supporters and prospective supporters so that we can make appropriate requests to those who may be willing and able to give more than they already do, enabling us to raise funds sooner and more cost-effectively.

When building such a profile, we may make use of additional information about you, including geo-demographic information. This information may be collected from third parties or publicly-available sources, for example from public registers, such as listed Directorships and trusteeships on the Companies House and Charity Commission registers, typical earnings and house prices in a geographical area, information from the electoral roll, press reports, and social media posts. The type of information we collect may include a career overview, gift capacity, and measures of affluence, areas of interest, and history of giving to charities/public information on any philanthropic activities.

We may also engage specialist prospect research and wealth-screening agencies to assist with our profiling activities. This includes screening our supporter database against the agency's demographic database in order to assess (based on estimated levels of wealth), whether our existing supporters may have the capacity and propensity to provide greater financial or other support to our organization. This activity enables us, for example, to better communicate and engage with supporters.

Social Media Tools

We may use Personal Information to participate in Facebook's Custom Audience and Lookalike Audience programs, which enable us to display advertisements to both existing and potential supporters when they visit Facebook (and/or Instagram, which is also operated by Facebook). We choose to use Facebook Audience tools as a means to reach our current supporters and new supporters in order to pursue fundraising in a more cost-effective way. We may provide your Personal Information, including (currently) your email address, name, phone number and postal address to Facebook so that it can determine whether you are a registered account holder with them. Our advertisements may then appear when you access their platforms.

Do-Not-Track

Do-Not-Track is a public-private initiative that has developed a "flag" or signal that an Internet user may activate in the user's browser software to notify websites that the user does not wish to be "tracked" by third parties as defined by the initiative. Please note that the Sites do not alter their behavior or use practices when we receive a Do Not Track signal from your browser.

6. Information About Children

Due to the nature of our Services, we may collect or receive Personal Information about children in order to provide the services. We do not knowingly collect information directly from children under 13 years old without the consent of the minor's parent, legal guardian, or authorized representative, except as permitted or required by law or for safety and security purposes. If you become aware that a child under 13 years old has provided us with Personal Information without appropriate consent, please contact us using the information in the "How to Contact Us" section. If we become aware that a child under 13 years old has provided us with Personal Information without appropriate consent, we will take steps to remove the data as permitted by law.

7. Your Rights Regarding Personal Information

This section describes some rights you may have with respect to your Personal Information as well as how to exercise those rights. If you are a California or Colorado resident, you should also read section 8, "Additional Information for California Residents" or section 9, "Additional Information for Colorado Residents," as those sections contain relevant information for you. Subject to applicable law, you may have the right to request confirmation from us as to whether or not we are processing your Personal Information. Where we are processing your Personal Information, subject to applicable law, you may also have the following rights regarding your Personal Information:

  • Request access to, modification of, or correction of your Personal Information. You may have the right to request access to, modification of, or correction of your Personal Information. If you believe our records are inaccurate, you may have the right to ask for those records concerning you to be updated. If you have registered for an account, you can also make changes to your Personal Information within your account settings.
  • Request deletion of your Personal Information. You may have the right to request that we delete the Personal Information that we have collected about you.
  • Request restriction of processing. You may have the right to request that we restrict processing of your Personal Information in certain circumstances, such as where you believe that the Personal Information we hold about you is inaccurate or our processing is unlawful.
  • Object to processing and withdrawing consent. In certain circumstances, you may have the right to request that we stop processing your Personal Information, such as a request to stop sending you direct marketing communications. Where we process your Personal Information on the basis of your consent (for example, to send you marketing texts or e-mails), you can withdraw that consent at any time. For more information on withdrawing consent and opting-out of direct marketing communications, please see the instructions in the "Updating Your Communications Preferences and Withdrawing Consent" section of this Privacy Policy. For more information regarding opting out of certain profiling and advertising practices, please see the "Advertising and Social Media" section of this Privacy Policy.
  • Data portability. In certain circumstances, you may have the right to receive the Personal Information concerning you that you provided to us or to request that we transmit your Personal Information to another data controller.
  • Lodge a Complaint. If you have concerns regarding our processing of your Personal Information, we encourage you to contact us using the details below. You also have the right to lodge a complaint with a supervisory authority. If you are located in the EEA, you may locate the supervisory authority in your country here and if you are in the UK, your supervisory authority is the ICO. We always appreciate the opportunity to discuss complaints with you before you feel it is necessary to approach a supervisory authority.

Depending on where you live, you may be entitled by law to exercise some or all of the rights described above. If you are not entitled to these rights under applicable law, we may offer them to you voluntarily and at our discretion, and we reserve the right to limit or revoke any such rights at any time, as may be permitted by applicable law.

To exercise your rights, please contact us at the email or telephone number in the "How to Contact Us" section of this Privacy Policy. If you have registered for an account, you can also access and update certain Personal Information within your account. You may also authorize someone to exercise the above rights on your behalf.

As permitted by law, certain data elements may not be subject to access, modification, portability, restriction, and/or deletion. We will respond to authorized and verified requests as soon as practicable and as required by law. To protect your privacy and security, we may take steps to verify your identity in order to respond to your request. The above rights are subject to our being able to reasonably verify your identity and authority to make these requests. These rights are also subject to various exclusions and exceptions under the law. Under certain circumstances, we may be unable to implement your request, pursuant to applicable law. We will advise you of any reason for denying or restricting a request to the extent permitted by law.

8. Additional Information For California Residents

Under Section 1798.83 of the California Civil Code (California's "Shine the Light" law), residents of California have the right to request from a business, with whom the California resident has an established business relationship, certain information with respect to the types of Personal Information the business shares with third parties for those third parties' direct marketing purposes, and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year. To exercise your rights, you may make one request each year by emailing us at info@smiletrain.org with "Request for California Shine the Light Information" on the subject line and in the body of your message. Be sure to provide in the request sufficient information to properly identify you and/or the members of your family.

We are not subject to the California Consumer Privacy Act because that law applies only to for-profit entities, and we are a 501(c)(3) nonprofit.

9. Additional Information For Colorado Residents

Your rights under the Colorado Privacy Act

First, a Colorado resident may opt out of processing their Personal Information for purposes of targeted advertising, the sale of their Personal Information, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning that Colorado resident.

Second, a Colorado resident has the right to confirm whether we are processing Personal Information concerning them and to access their Personal Information. As part of a request for access, the Colorado resident may also request to receive their Personal Information in a portable and, if technically feasible, readily usable format.

Third, a Colorado resident may have the right to correct inaccuracies in their Personal Information we hold.

Fourth, a Colorado resident may have the right to request we delete Personal Information concerning them.

Please understand that we do not engage in profiling activities that produce legal or similarly significant effects. Although we may engage in processing for purposes of targeted advertising, we do so only with respect to Personal Information we collect from or about Colorado residents in their capacity as a Visitor. If a Colorado resident is also a Volunteer, for example, we do not process the information we collect from or about the Colorado resident in their capacity as a Volunteer for purposes of targeted advertising. Similarly, we may sell or rent our mailing list of Donors to other non-profit entities. We do not otherwise sell Personal Information of Colorado residents.

To exercise your rights, please fill in our online webform or email us at info@smiletrain.org. If you email us, please put in the subject line of your email the right you are seeking to invoke: "Right to Opt-Out," "Right to Access," "Right to Correct," or "Right to Delete."

You may submit multiple requests at once through our webform or in an email. There is no cost for submitting your first request; if you submit multiple requests in a twelve-month period, we may charge you a fee for answering your request. We are permitted to use commercially reasonable efforts to authenticate that you are who you say you are, and if you are submitting the request on behalf of another, that you have the authority to do so. So we may need to ask you to provide additional information, in light of the rights exercised, the type, sensitivity, value, or volume of Personal Information, the level of possible harm if we improperly grant the request, and the cost to us. If we cannot authenticate you or your authority, we will deny the request.

If you submit a request, we will tell you what the result is for your request (including, if you submit a Right to Access, your Personal Information) without undue delay and within 45 days after we receive your request. We may extend that deadline by 45 days, to 90 days in total, in some cases. If we extend the deadline, we will tell you that and why.

The Colorado Privacy Act includes exceptions for Personal Information regulated under other laws or maintained for certain reasons or in certain contexts. For example, the Colorado Privacy Act does not apply to publicly available information, including information that we reasonably believe Colorado residents have lawfully made available to the general public. As another example, we will not delete Personal Information when it is necessary to maintain that Personal Information to comply with a legal obligation.

If we do not grant your request, we will tell you why we did not. You may appeal our decision by emailing us at info@smiletrain.org with the subject line "Appeal of Request" and including our response to your request. We will also include this information in our response to your request. If you appeal our decision, we have 45 days to respond. We may also extend our deadline by 45 days, to 90 days in total, in some cases. If we extend the deadline, we will tell you that and why. If you have concerns about the results of your appeal, you may contact the Colorado Attorney General.

Additional Colorado Mandatory Disclosures

As a cleft-focused organization providing treatment to impacted individuals, we collect, use, and disclose Personal Information revealing a physical health condition or diagnosis, which is considered a form of sensitive data under the Colorado Privacy Act ("CPA Sensitive Data"). In the event such CPA Sensitive Data is collected from you, we will provide you with information about how we collect, use, and disclose CPA Sensitive Data and get your consent to do so before proceeding.

We do not otherwise collect CPA Sensitive Data through our Sites.

If you are a Donor, we may sell your contact information to other non-profit entities as part of a donor list sale or rental. Section 4, "How We May Disclose Information" in the row "Third-Party Marketing Purposes (Non-UK Donors)" has more information about our activities that may constitute a "sale" under the Colorado Privacy Act.

If you are a Visitor—that is, someone visiting our website—we may use your identifiers and contact information, information from cookies, Internet or similar network activity information, and inference information for targeted advertising, which we may disclose or make available to advertising and social media networks. Section 5, "Advertising and Social Media" has more information.

10. Bases For Processing

We may use Personal Information for a variety of different purposes as set out in further detail in this Privacy Policy. Subject to applicable law, we process Personal Information pursuant to the following legal bases:

  • To perform our contractual obligations to you, including to fulfil your request for services, or to take steps in response to information or inquiries you may submit prior to entering into a contract with us (for example, to provide you with event tickets).
  • For our legitimate interests, including to operate our organization and provide the services. We will not process Personal Information pursuant to our legitimate interests where we believe such interests are overridden by the interests or fundamental rights and freedoms of the individual. Our legitimate interests include, but are not limited to:
    • Charity governance, including delivery of our charitable purposes, statutory, and financial reporting and other regulatory compliance purposes and intergroup transfers of Personal Information between our organization and our Affiliates;
    • Administration and operational management, including responding to solicited inquiries, providing information that you have requested, research, events management, and the administration of volunteers and related requirements.
    • Fundraising and campaigning, including administering campaigns and donations, and sending direct marketing by post and social media, sending thank you letters, analysis, profiling (including our supporter research as set out in the "Advertising and Social Media" section), targeting and segmentation to develop communication strategies (including our use of social media as set out in the "Advertising and Social Media" section) and maintaining communication preferences. You can see our legitimate interest assessment for this activity at this link: https://www.smiletrain.org.uk/legitimate-interests-assessment.
  • To comply with laws, regulators, court orders, or other legal obligations, or pursuant to legal process.
  • To protect the vital interests of you or of another person.
  • With consent, where we are not already authorized to process the Personal Information under applicable law (for example, to collect special categories of personal information or, in certain cases, to send you direct marketing by e-mail or SMS).

11. Updating Your Communications Preferences And Withdrawing Consent

Withdrawing Consent

Where consent is the basis of processing, you may at any time withdraw the consent you provided for the processing of your Personal Information for the purposes set forth in this Privacy Policy by contacting us at the information in the "How To Contact Us" section. Please be advised that, subject to applicable law, if you withdraw your consent, such withdrawal will not apply to or affect the processing of your Personal Information that occurred prior to your withdrawal of consent.

Please note that if you do not provide consent, if you withdraw your consent or object to processing, or if you choose not to provide certain Personal Information, we may be unable to provide some or all of the services.

Opting-Out of Direct Marketing Communications

If you would like to stop receiving newsletters or other marketing or promotional messages, notifications, or updates, you may do so by following the unsubscribe instructions that appear in these e-mail communications, or you may contact us at the information in the "How To Contact Us" section to opt-out of direct marketing. Individuals in the UK can also opt-out of receiving marketing communications from us by signing up to the Fundraising Preference Service. Please be advised that you may not be able to opt-out of receiving certain service or transactional messages from us, including legal notices and communications in connection with administering donations.

Opting Out of Third-Party Marketing Communications (Non-UK Donors)

As noted above, from time to time, Smile Train may allow other organizations to send mail to our Donors, subject to applicable law. If you do not wish to receive these mailings, or if you would like to change the frequency or types of communications you receive from us, you can opt-out of such sharing by contacting us at the information in the "How To Contact Us" section.

12. Links To Other Sites

Our Sites may contain links or otherwise provide access to another website, mobile application, or Internet location (collectively "Third-Party Sites"). For example, our Sites may offer links to various resources to support individuals with cleft conditions and their family members. Please note that we have no control over and are not responsible for Third-Party Sites, their content, or any goods or services available through the Third-Party Sites. Our Privacy Policy does not apply to Third-Party Sites. We encourage you to read the privacy policies of any Third-Party Site with which you choose to interact.

13. Data Retention

We will retain your Personal Information for as long as is necessary to fulfill the purposes for which we obtained the Personal Information, including to provide the services, or for such longer period as may be required or permitted by applicable law, in accordance with our internal data retention policy. The length of time that Personal Information will be kept may depend on the reasons for which we are processing the information and on the law or regulations that the information falls under, such as financial regulations, statute of limitations, health and safety regulation, or any contractual obligation we might have (for example, under grant funding agreements).

Subject to the above, we will typically retain Personal Information relating to Donors for seven (7) years after their last donation or interaction with us, after which time it will either be deleted, archived, de-identified, or anonymized. Please note if you request to receive no further contact from us, we may need to retain certain basic information about you in order to avoid sending you unwanted materials in the future or to comply with our legal obligations.

14. Data Security

We implement technical and organizational security measures designed to secure and protect Personal Information. Please note, however, we cannot fully eliminate security risks associated with the storage and transmission of Personal Information.

15. Transfer of Data

The Personal Information we collect from you may be transferred to and processed and/or stored at a destination outside of your country, including in the U.S. Some countries may have a lower standard of protection for Personal Information, including lower security requirements and fewer rights for individuals, than your jurisdiction. If you are located outside of the United States, the transfer of Personal Information may be necessary to provide you with the requested information and services and/or to perform any requested transaction. By accessing or using any portion of the Sites, you acknowledge and consent to the transfer of your information to our facilities in the United States.

If we send your Personal Information outside the UK and EU, we will take reasonable steps to ensure that the recipient implements appropriate measures to protect your information (such as entering into the EU approved standard contractual clauses). If you have any questions about the international data transfers we make, please get in touch with us using the details in the "How To Contact Us" section below.

16. Updates to This Policy

We may update this Privacy Policy from time to time. The most recent version of the Privacy Policy is reflected by the version date located at the top of this Privacy Policy. We encourage you to review this Privacy Policy often to stay informed of how we may process your information.

How to Contact Us

If you have questions about this Privacy Policy or our privacy practices, please contact us by e-mail at info@smiletrain.org or by phone or mail using the details provided below:

Smile Train
633 3rd Ave
New York, New York
+1.212.689.9199