Optimist International Privacy Policy

Executive Statement

At Optimist International, we believe privacy is a fundamental right. We are committed to protecting and respecting your privacy through comprehensive data protection measures that comply with international privacy laws, including Quebec's Law 25, the European Union's General Data Protection Regulation (GDPR), and other applicable privacy regulations worldwide.

This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you interact with our services, websites, or participate in our programs. We are committed to transparency, accountability, and giving you control over your personal data.

This policy applies to all Optimist International employees, volunteers, contractors, and Districts, and personal data processing activities worldwide under our responsibility.

Contact Information and Data Protection Officer

Privacy Officer Contact Information

Our Data Protection Officer (DPO) is responsible for:

• Monitoring compliance with this privacy policy and applicable data protection laws
• Conducting privacy impact assessments
• Serving as the point of contact for data protection authorities
• Handling data subject requests and privacy complaints
• Providing privacy training and guidance within our organization

Scope and Applicability

This Privacy Policy applies to:

• All personal data processed by Optimist International employees, contractors, volunteers, and partners
• All legal entities, operating locations, and business processes conducted by Optimist International globally
• Any individual whose personal data we process, regardless of their location
• All digital platforms, websites, mobile applications, and services we operate

Territorial Scope: This policy applies to the processing of personal data of individuals located anywhere in the world, including but not limited to residents of Quebec, the European Union, and other jurisdictions with specific privacy rights.

Legal Basis for Processing

We process personal data based on the following legal grounds:

Consent

Where you have given explicit, informed consent for specific processing activities. You may withdraw consent at any time.

Contractual Necessity

To fulfill our contractual obligations with members, donors, or service recipients.

Legitimate Interests

For our legitimate organizational interests, balanced against your privacy rights, including:

• Organizational administration and management
• Communications with members and stakeholders
• Fundraising and development activities
• Improving our services and programs

Legal Obligations

To comply with legal requirements, court orders, or regulatory obligations.

Vital Interests

To protect the vital interests of individuals in emergency situations.

Personal Data We Collect

Standard Personal Data

• Name and contact information (address, phone, email)
• Date of birth and age
• Membership information and history
• Communication preferences
• Financial information (for payments)
• Authentication and login credentials
• Device and technical information
• Website usage data and analytics
• Photos and videos from events (with consent)

Sensitive Personal Information (Quebec Law 25 Definition)

We may collect sensitive personal information that requires enhanced protection:

• Health information (for medical emergencies at events)
• Information about minors and children
• Financial account details
• Any information that, due to its nature or context of use, creates heightened privacy expectations

Children's Information

We have special protections for information about individuals under 18:

• Parental consent is required for children under 13
• Enhanced protections apply to all minors' information
• Limited collection and use of children's data
• Special retention and deletion procedures

How We Collect Personal Data

Direct Collection

• Membership applications and forms
• Event registrations
• Website interactions and online forms
• Email communications
• Phone conversations
• In-person interactions

Automated Collection

• Website session cookies and similar technologies
• Server logs and access records
• Analytics and performance monitoring
• Social media interactions

Third-Party Sources

• Partner organizations (with appropriate consent)
• Public directories and databases
• Social media platforms (with your privacy settings respected)

How We Use Personal Data

Membership Services

• Processing membership applications and renewals
• Communicating about programs and activities
• Providing member benefits and services
• Maintaining membership records

Event Management

• Registration and attendance tracking
• Safety and emergency purposes
• Photography and promotional materials (with consent)
• Logistics and coordination

Communications

• Newsletters and updates
• Event announcements
• Administrative notices

Organizational Operations

• Financial management and accounting
• Legal compliance and reporting
• Quality improvement and evaluation
• Strategic planning and development

We do NOT use personal data for:

• Automated decision-making that significantly affects individuals
• Selling or renting data to third parties for marketing purposes
• Profiling for discriminatory purposes

Data Sharing and Disclosure

Internal Sharing

Personal data may be shared within Optimist International entities globally, subject to this Privacy Policy and appropriate safeguards.

Service Providers

We may share data with trusted third-party service providers who:

• Process data on our behalf under strict contractual obligations
• Implement appropriate technical and organizational security measures
• Are prohibited from using data for their own purposes
• Examples: hosting providers, payment processors, email service providers

Legal Requirements

We may disclose personal data when required by law, including:

• Court orders and legal processes
• Regulatory investigations
• National security requirements
• Protection of rights, property, or safety

Organizational Changes

In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor organization under the same privacy protections.

We NEVER:

• Sell personal data to marketers or data brokers
• Provide data to "people finder" or directory services without consent
• Share data for purposes incompatible with the original collection purpose

International Data Transfers

Transfer Safeguards

When transferring personal data outside your jurisdiction, we implement appropriate safeguards:

For Quebec Residents (Law 25 Requirements):

• Privacy Impact Assessment (PIA) for all transfers outside Quebec
• Contractual safeguards ensuring equivalent protection
• Notification to individuals about international transfers
• Assessment of destination jurisdiction's privacy protections

For EU Residents (GDPR Requirements):

• Standard Contractual Clauses (SCCs)
• Adequacy decisions where available
• Binding Corporate Rules (BCRs)
• Additional safeguards for transfers to countries without adequate protection

For Other Jurisdictions:

• Appropriate contractual and technical safeguards
• Compliance with applicable data protection laws
• Regular assessment of transfer mechanisms

Your Rights

You have comprehensive rights regarding your personal data:

Right to Information

• Clear information about how we process your data
• Transparent privacy notices
• Regular updates about our privacy practices

Right of Access

• Request copies of your personal data
• Information about how we use your data
• Details about data sharing and transfers

Right to Rectification

• Correct inaccurate or incomplete data
• Update your information
• Attach statements of disagreement

Right to Erasure ("Right to be Forgotten")

• Request deletion of your personal data in certain circumstances
• Automatic deletion when retention purposes are fulfilled
• Exceptions for legal obligations or legitimate interests

Right to Data Portability

• Receive your data in a structured, machine-readable format
• Transfer data to another organization
• Available through our online portal's "Export" function

Users can access this tool by logging into their member account and navigating to the Privacy Settings section.

Right to Object

• Object to processing based on legitimate interests
• Opt out of direct marketing communications
• Object to automated decision-making

Right to Restrict Processing

• Limit how we use your data in certain circumstances
• Temporary suspension of processing during disputes

How to Exercise Your Rights:

1. Contact our Data Protection Officer using the information above
2. Use our online "Contact Us" form
3. Submit requests in writing with proper identification

Response Time: We will respond to your requests within 30 days (or as required by applicable law).

Consent Management

When We Rely on Consent

• Optional services and features
• Marketing communications
• Photography and publicity
• Non-essential cookies and tracking

Consent Requirements

• Explicit: Clear, affirmative action required
• Informed: Full information provided about processing
• Specific: Separate consent for different purposes
• Freely Given: No coercion or bundling with other services

Withdrawing Consent

• Contact our Data Protection Officer
• Use unsubscribe links in communications
• Adjust settings in your online account
• Cookie preference controls on our websites

Data Retention

Retention Principles

We retain personal data only as long as necessary for the purposes for which it was collected:

Retention Periods

• Active Members: During membership plus 7 years after termination
• Former Members: 7 years after membership ends

Secure Deletion

When retention periods expire, we securely delete or anonymize personal data using industry-standard methods.

Security Measures

Technical Safeguards

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• Access controls and authentication systems
• Regular security monitoring and threat detection
• Secure backup and disaster recovery procedures
• Network security and firewall protection

Organizational Measures

• Privacy and security training for all staff
• Data protection policies and procedures
• Regular privacy impact assessments
• Incident response and breach notification procedures

Physical Security

• Secure facilities with access controls
• Protection of physical documents and devices
• Secure disposal of hardware and documents

Cookies and Tracking Technologies

Cookie Categories

Essential Cookies:

Required for website functionality

• Session management
• Security features

Marketing Cookies:

Support communications and outreach (with consent)

• Email campaign tracking
• Social media integration
• Conversion tracking

Data Breach Notification

Breach Response Procedures

In the event of a data breach that poses risks to individuals:

Quebec Law 25 Requirements:

• Notify Commission d'accès à l'information du Québec (CAI) within 72 hours
• Notify affected individuals without undue delay
• Maintain breach register with all incidents

GDPR Requirements:

• Notify relevant supervisory authority within 72 hours
• Notify affected individuals when high risk to rights and freedoms
• Document all breaches and response measures

General Response:

• Immediate containment and investigation
• Risk assessment and impact evaluation
• Remedial measures and prevention strategies
• Transparent communication with affected individuals

Children's Privacy

Age Verification

• Individuals under 13: Parental consent required
• Ages 13-17: Enhanced protections apply
• Reasonable efforts to verify parental consent

Special Protections

• Limited data collection
• No behavioral advertising to children
• Enhanced security measures
• Shorter retention periods
• Easy parental access and deletion rights

Parental Rights

• Access to child's information
• Request corrections or deletions
• Withdraw consent at any time
• Receive notifications about data practices

Complaints and Disputes

Internal Complaints

Contact our Data Protection Officer using the information provided above. We will:

• Acknowledge receipt within 5 business days
• Investigate thoroughly and impartially
• Provide a written response within 30 days
• Implement corrective measures if necessary

External Complaints

You may also file complaints with relevant authorities:

Quebec Residents:

• Commission d'accès à l'information du Québec (CAI)
• Website: www.cai.gouv.qc.ca

EU Residents:

• Your local Data Protection Authority
• Directory: European Commission DPA List

US Residents:

• Federal Trade Commission: FTC Complaint Assistant
• State Attorneys General (depending on your state)

Other Jurisdictions:

• Relevant national or regional privacy authorities

Updates to This Policy

Regular Reviews

This Privacy Policy is reviewed and updated annually by our Board of Directors to ensure:

• Compliance with new and changing laws
• Alignment with best practices
• Accuracy and completeness
• Clear and understandable language

Notification of Changes

For material changes to this Privacy Policy:

• Prominent notice on our website homepage
• Direct notification to members and users
• 30-day notice period before changes take effect
• Clear explanation of what has changed

Your continued use of our services after changes take effect constitutes acceptance of the updated policy.

Definitions

Personal Data/Personal Information: Any information relating to an identified or identifiable individual, including direct identifiers (name, email) and indirect identifiers (IP addresses, device IDs).

Sensitive Personal Information: Information that, due to its nature or context of use, creates heightened privacy expectations and potential for harm if disclosed, including health data, biometric data, financial information, and information about children.

Data Controller: The organization that determines the purposes and means of processing personal data (Optimist International in most cases).

Data Processor: A third party that processes personal data on behalf of the data controller under specific instructions.

Consent: Freely given, specific, informed, and unambiguous indication of agreement to personal data processing.

Data Subject: The individual to whom personal data relates.

Pseudonymization: Replacement of identifying information with artificial identifiers to reduce privacy risks.

Anonymization: Irreversible removal or alteration of personal data so that individuals cannot be identified.

Legal Framework References

This Privacy Policy is designed to comply with:

Primary Legislation

• Quebec Law 25 (Act respecting the protection of personal information in the private sector)
• EU General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
• Personal Information Protection and Electronic Documents Act (PIPEDA) - Canada
• Various US state privacy laws (Virginia CDPA, Colorado CPA, etc.)

International Standards

• ISO/IEC 27001 (Information Security Management)
• ISO/IEC 27018 (Cloud Privacy Protection)
• NIST Cybersecurity Framework
• APEC Privacy Framework

Contact Information

Data Protection Officer:

Version History