Privacy Policy

Effective Date: August 4, 2025
Last Updated: November 11, 2025

1. Introduction

At The Asylum Project (“TAP,” “we,” “us,” “our”), we believe that privacy is a fundamental human right. For the people we serve—many of whom face persecution, systemic violence, or grave threats to their safety—protecting personal information isn’t just a legal obligation. It’s a sacred trust.

This Privacy Policy explains:

• What information we collect and why
• How we use, share, and protect that information
• Your rights and how to exercise them
• How we comply with privacy laws around the world

We are committed to transparency, accountability, and giving you meaningful control over your personal information.

2. Who We Are

Organization Name: The Asylum Project
Legal Structure: 501(c)(3) Nonprofit Public Benefit Corporation
State of Incorporation: Oregon, United States
Mission: Supporting U.S. citizens—particularly LGBTQ+ individuals, BIPOC communities, and people with disabilities—through international relocation assistance, safe housing access, and educational resources for those facing persecution.

Principal Office:
The Asylum Project
24001 Wilson River Hwy
Tillamook, OR 97414
United States

General Contact:
📞 Phone: 503-446-4570
📧 Email: hello@theasylumproject.org
🌐 Website: www.theasylumproject.org

Data Protection Contact:
For privacy-specific questions:
📧 Email: privacy@theasylumproject.org
Attention: Chief Operations Officer (Data Protection Lead)

EU Representative (if applicable):
If we process significant amounts of personal data from EU/EEA residents, we will designate a representative in the European Union as required by GDPR Article 27. Contact information will be listed here when applicable.

3. Information We Collect

3.1 Information You Provide Directly

Contact Information:

• Name (first, last, preferred name)
• Email address
• Phone number
• Mailing address
• Country of residence

Account and Profile Information (if you create an account):

• Username and password
• Profile information you choose to share
• Communication preferences

Service and Program Information:

• Information you provide when requesting services or applying for programs
• Circumstances and needs related to relocation or support
• Documentation you choose to share (e.g., identity documents, proof of circumstances)

Donation and Payment Information:

• Name, email, billing address
• Payment method (processed through secure third-party platforms—we do not store full credit card numbers)
• Donation amount and frequency
• Gift designation or preferences

Communication Records:

• Emails, messages, and other correspondence with us
• Survey responses or feedback
• Event registration information

Employment and Volunteer Information:

• Resumes, cover letters, references
• Background check results (as permitted by law)
• Employment or volunteer records

3.2 Information We Collect Automatically

When you visit our website or use our digital platforms:

Technical Information:

• IP address
• Browser type and version
• Device type and operating system
• Referring website
• Pages visited and time spent
• Date and time of access

Cookies and Similar Technologies:

• We use cookies, web beacons, and similar technologies to improve functionality and user experience
• See Section 11 for detailed information about cookies

3.3 Information from Third Parties

We may receive information about you from:

Service Providers:

• Payment processors (transaction records)
• Email marketing platforms (engagement metrics)
• CRM systems (contact management)

Public Sources:

• Publicly available information used to verify eligibility or assess safety concerns
• Information from partner organizations (with your consent)

Social Media:

• If you interact with us on social media, we may collect publicly available profile information

3.4 Sensitive Personal Information

In some cases, we may collect information that is considered “sensitive” or “special category” under privacy laws:

• Health Information: If you disclose health conditions relevant to services
• Sexual Orientation and Gender Identity: If you share this information for program eligibility
• Racial or Ethnic Origin: If you provide this information
• Immigration Status: If relevant to services
• Biometric Data: Only if specifically required and with explicit consent

Important: We only collect sensitive information when:

• You voluntarily provide it
• It is necessary for the services you request
• We have a legal basis (explicit consent, vital interests, legal claims)
• We have implemented additional safeguards

You are never required to share sensitive information unless it is essential for the specific service you are requesting.

4. How We Use Your Information

We use personal information for the following purposes:

4.1 To Provide Services and Programs

• Assess eligibility for relocation assistance, housing support, or other programs
• Coordinate services with partners and service providers
• Communicate about your case or application
• Provide educational resources and information

4.2 To Process Donations and Financial Transactions

• Process donations, grants, or payments
• Issue tax receipts and acknowledgments
• Maintain donor records for stewardship and compliance
• Prevent fraud and ensure payment security

4.3 To Communicate with You

• Respond to inquiries and requests
• Send updates about our programs and impact
• Share newsletters, event invitations, or fundraising appeals (with your consent)
• Conduct surveys or request feedback

4.4 To Improve Our Services

• Analyze website usage and user experience
• Conduct research and evaluation to improve programs
• Develop new services or resources
• Monitor and improve our operations

4.5 To Comply with Legal Obligations

• Respond to legal requests (subpoenas, court orders)
• Comply with tax, employment, and nonprofit reporting requirements
• Conduct background checks as required by law or policy
• Investigate and address potential violations of law or policy

4.6 To Protect Rights and Safety

• Detect and prevent fraud, abuse, or security threats
• Protect the safety of individuals we serve and our staff
• Defend legal claims or enforce our policies
• Ensure the security and integrity of our systems

5. Legal Bases for Processing (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, we process your personal information based on the following legal grounds under the General Data Protection Regulation (GDPR):

5.1 Consent (Article 6(1)(a) and Article 9(2)(a))

When we use this basis:

• You have explicitly agreed to the processing (e.g., subscribing to newsletters, providing sensitive information)

Your rights:

• You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
• Withdrawal is as easy as giving consent (email, online form)

5.2 Contractual Necessity (Article 6(1)(b))

When we use this basis:

• Processing is necessary to fulfill a contract with you (e.g., providing services you requested)
• Processing is necessary to take steps before entering into a contract

Examples:

• Providing relocation assistance you applied for
• Processing donations you agreed to make

5.3 Legal Obligation (Article 6(1)(c))

When we use this basis:

• We are required by law to process your information

Examples:

• Tax reporting and IRS compliance
• Responding to lawful subpoenas or court orders
• Employment law compliance (e.g., payroll, discrimination prevention)

5.4 Vital Interests (Article 6(1)(d) and Article 9(2)(c))

When we use this basis:

• Processing is necessary to protect someone’s life or physical safety

Examples:

• Emergency medical situations
• Situations involving imminent danger or threats to safety

5.5 Public Interest (Article 6(1)(e) and Article 9(2)(g))

When we use this basis:

• Processing is necessary for tasks carried out in the public interest

Examples:

• Operating as a charitable nonprofit organization
• Providing services for vulnerable populations
• Advocacy and policy work for marginalized communities

5.6 Legitimate Interests (Article 6(1)(f))

When we use this basis:

• Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests

Examples:

• Fraud prevention and security
• Internal administration and operations
• Analyzing website usage to improve user experience
• Direct marketing to existing supporters (with easy opt-out)

Balancing Test: Before relying on legitimate interests, we assess whether your rights and freedoms outweigh our interests. You can object to processing based on legitimate interests.

5.7 Special Category Data (Article 9(2))

For sensitive information (health, sexual orientation, race, etc.), we use the following legal bases:

• Explicit Consent (Article 9(2)(a))
• Vital Interests (Article 9(2)(c)) – when you cannot give consent
• Substantial Public Interest (Article 9(2)(g)) – for our charitable mission
• Legal Claims (Article 9(2)(f)) – to establish, exercise, or defend legal claims

6. How We Share Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

6.1 With Service Providers

We work with trusted third-party organizations that help us operate:

Examples:

• Payment Processors (Stripe, PayPal) – to process donations
• Cloud Hosting (Google Workspace, AWS) – to store data securely
• Email Platforms (Mailchimp, etc.) – to send communications
• CRM Systems – to manage contacts and programs
• Website Analytics (Google Analytics) – to understand website usage

Our Requirements:

• All service providers must sign Data Processing Agreements (DPAs)
• They may only use data for the purposes we specify
• They must implement appropriate security measures
• For international transfers, Standard Contractual Clauses (SCCs) are required

6.2 With Partner Organizations

We may share information with:

Relocation and Housing Partners:

• Organizations providing safe housing, legal assistance, or relocation support
• Shared only with your explicit consent and on a need-to-know basis

Collaborating Nonprofits:

• Partner organizations working on similar missions
• Shared only for specific joint projects or with your consent

Grantmakers and Funders:

• Aggregated, anonymized data for grant reports
• Individual data only with your consent or as required by grant terms

6.3 For Legal Reasons

We may disclose information when required by law:

• Legal Requests: Subpoenas, court orders, or lawful government requests
• Legal Compliance: Tax reporting, employment law obligations, regulatory requirements
• Legal Claims: To establish, exercise, or defend legal claims
• Safety and Security: To protect against fraud, abuse, or threats to safety

Our Commitment: We will:

• Verify the legitimacy of legal requests
• Narrow the scope when possible
• Notify you when legally permitted
• Challenge overbroad or unlawful requests

6.4 Business Transfers

If The Asylum Project merges with or is acquired by another organization, personal information may be transferred as part of that transaction. We will notify you and ensure the new entity honors this Privacy Policy or obtains your consent for changes.

6.5 With Your Consent

We may share information for other purposes with your explicit consent, such as:

• Public recognition as a donor (if you agree)
• Testimonials or success stories (always with explicit permission)
• Research or case studies (with anonymization or consent)

7. International Data Transfers

7.1 Where We Transfer Data

The Asylum Project is based in the United States, but we may transfer personal data internationally for the following reasons:

• Cloud Services: Many technology platforms use global server infrastructure
• Partner Organizations: We work with partners in other countries to provide services
• Service Providers: Some vendors are located outside the U.S.

Countries We May Transfer Data To:

• European Union/European Economic Area (EU/EEA) member states
• United Kingdom
• Canada
• Other countries as necessary for our services

7.2 Legal Safeguards for International Transfers

When we transfer data internationally, we ensure it remains protected:

For Transfers to the EU/EEA/UK:

• These jurisdictions have strong data protection laws (GDPR, UK GDPR)
• No additional safeguards are typically required

For Transfers to the U.S. from the EU/EEA:

• We use Standard Contractual Clauses (SCCs) approved by the EU Commission
• We participate in the EU-U.S. Data Privacy Framework (if certified)
• We implement supplementary measures (encryption, access controls) as needed

For Transfers to Other Countries:

• We verify whether the country has an Adequacy Decision from the EU Commission
• If not, we use Standard Contractual Clauses (SCCs) and conduct a Transfer Impact Assessment (TIA)
• We implement technical and organizational safeguards to ensure data protection

7.3 Your Rights Regarding International Transfers

• Right to Be Informed: You have the right to know where your data is transferred and what safeguards are in place
• Right to Object: In some cases, you can object to international transfers
• Right to Access Safeguards: You can request a copy of the safeguards we have in place (e.g., SCCs)

For detailed information, see our International Data Transfer Procedures policy.

8. Data Retention

8.1 How Long We Keep Your Information

We retain personal information only as long as necessary for the purposes outlined in this policy and to comply with legal, accounting, and regulatory requirements.

General Retention Periods:

8.2 Anonymization and Aggregation

When possible, we anonymize or aggregate data after the retention period so it can no longer identify individuals. This allows us to:

• Conduct research and program evaluation
• Report on our impact
• Improve our services

Anonymized data is not subject to this Privacy Policy and may be retained indefinitely.

8.3 Secure Destruction

When data reaches the end of its retention period:

• Digital Data: Securely deleted using data-wiping software
• Physical Records: Cross-shredded or incinerated
• Backups: Removed from backup systems or anonymized

For more information, see our Document Retention & Destruction Policy.

9. Your Privacy Rights

You have significant rights regarding your personal information. The specific rights available to you depend on where you live, but we strive to honor these rights for everyone.

9.1 Right to Access

What it means: You can request a copy of the personal information we hold about you.

How to exercise: Email privacy@theasylumproject.org with subject line “Access Request”

Response time: 30 days (may be extended to 60 days for complex requests)

What you’ll receive: A copy of your data in a commonly used electronic format

9.2 Right to Rectification (Correction)

What it means: You can ask us to correct inaccurate or incomplete information.

How to exercise: Email privacy@theasylumproject.org with subject line “Correction Request”

Response time: 30 days

9.3 Right to Erasure (Right to Be Forgotten)

What it means: You can request deletion of your personal information in certain circumstances:

• The data is no longer necessary for the purposes it was collected
• You withdraw consent (and consent was the legal basis)
• You object to processing and there are no overriding legitimate grounds
• The data was unlawfully processed
• Legal obligation requires deletion

Limitations: We may not be able to delete data if we need it to:

• Comply with legal obligations (e.g., tax records)
• Establish, exercise, or defend legal claims
• Fulfill a contract with you
• Protect vital interests

How to exercise: Email privacy@theasylumproject.org with subject line “Deletion Request”

Response time: 30 days

9.4 Right to Restriction of Processing

What it means: You can ask us to limit how we use your data in certain situations:

• You contest the accuracy of the data
• Processing is unlawful but you don’t want deletion
• We no longer need the data, but you need it for legal claims
• You’ve objected to processing and we’re verifying whether our interests override yours

How to exercise: Email privacy@theasylumproject.org with subject line “Restriction Request”

9.5 Right to Data Portability

What it means: You can receive your data in a structured, commonly used, machine-readable format and transmit it to another organization.

Applies when:

• Processing is based on consent or contract
• Processing is carried out by automated means

How to exercise: Email privacy@theasylumproject.org with subject line “Portability Request”

9.6 Right to Object

What it means: You can object to processing based on:

• Legitimate interests
• Direct marketing (absolute right—we will always stop)
• Scientific/historical research or statistics

How to exercise:

• Email privacy@theasylumproject.org with subject line “Objection”
• Click “unsubscribe” in any marketing email

Direct Marketing: You can opt out at any time, and we will stop immediately.

9.7 Right Not to Be Subject to Automated Decision-Making

What it means: You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Our Practice: We do not use automated decision-making for significant decisions affecting individuals. If this changes, we will update this policy and obtain consent where required.

9.8 Right to Withdraw Consent

What it means: If processing is based on your consent, you can withdraw it at any time.

How to exercise: Email privacy@theasylumproject.org or click “unsubscribe” in emails

Important: Withdrawing consent does not affect the lawfulness of processing before withdrawal.

9.9 How to Exercise Your Rights

Contact Us: 📧 Email: privacy@theasylumproject.org
📞 Phone: 503-446-4570
✉️ Mail: The Asylum Project, Attn: Privacy Request, PO Box 355, Coquille, OR 97423

What to Include:

• Your name and contact information
• Description of your request
• Proof of identity (if needed to verify your request)

Response Timeline:

• We will respond within 30 days (may extend to 60 days for complex requests)
• We will notify you if we need additional information or more time
• If we deny your request, we will explain why and inform you of your right to complain

No Fee:

• We do not charge a fee for most requests
• We may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests

10. Security Measures

We take data security seriously and implement industry-standard safeguards to protect your information.

10.1 Technical Safeguards

• Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent)
• Access Controls: Role-based access with least privilege principles
• Multi-Factor Authentication (MFA): Required for access to sensitive systems
• Secure Passwords: Strong password requirements and password manager usage
• Firewalls and Intrusion Detection: Network security monitoring
• Regular Backups: Daily backups of critical data, stored securely
• Secure Development: Security testing and code reviews for custom systems

10.2 Organizational Safeguards

• Staff Training: Annual cybersecurity and privacy training for all staff and volunteers
• Background Checks: Conducted for staff and volunteers with access to sensitive data
• Confidentiality Agreements: All staff and volunteers sign NDAs
• Incident Response Plan: Procedures for detecting and responding to breaches
• Vendor Management: Security requirements for all third-party processors
• Policies and Procedures: Comprehensive data protection policies

10.3 Physical Safeguards

• Secure Facilities: Locked offices and restricted access areas
• Device Security: Encrypted hard drives, screen locks, remote wipe capability
• Secure Disposal: Cross-shredding of paper records, secure data wiping for electronic devices

10.4 Data Breach Response

If we experience a data breach that affects your personal information:

Immediate Actions:

• Contain the breach and secure systems
• Assess the scope and impact
• Investigate the cause

Notification:

• Supervisory Authorities: Within 72 hours (if GDPR applies)
• Affected Individuals: Without undue delay if high risk to rights and freedoms
• Content: Nature of breach, likely consequences, measures taken, contact information

Remediation:

• Implement corrective measures
• Provide support to affected individuals (e.g., credit monitoring if appropriate)
• Review and strengthen security measures

For more information, see our Data Security & Cybersecurity Policy.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide functionality, remember your preferences, and understand how you use our site.

11.2 Types of Cookies We Use

Strictly Necessary Cookies:

• Required for the website to function
• Enable navigation and access to secure areas
• Cannot be disabled
• Examples: Session cookies, security cookies

Functional Cookies:

• Remember your preferences and choices
• Examples: Language preference, accessibility settings
• You can opt out: Yes, but site functionality may be limited

Analytics Cookies:

• Help us understand how visitors use our website
• Collect information about pages visited, time spent, errors encountered
• Examples: Google Analytics
• You can opt out: Yes, via cookie settings or browser settings

Marketing Cookies:

• Track your activity across websites
• Used to deliver relevant advertising
• You can opt out: Yes, via cookie settings

11.3 How to Manage Cookies

Cookie Consent Banner:

• When you first visit our website, you’ll see a cookie consent banner
• You can accept all, reject non-essential, or customize your preferences

Browser Settings:

• You can set your browser to refuse all or some cookies
• You can delete cookies already stored on your device
• Note: Disabling cookies may affect website functionality

Opt-Out Tools:

• Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
• NAI Opt-Out: http://optout.networkadvertising.org/

11.4 Do Not Track Signals

Some browsers have “Do Not Track” features. Our website does not currently respond to Do Not Track signals, but we limit tracking and respect your cookie preferences.

11.5 Third-Party Tracking

We do not allow third-party advertisers to track you on our website. Any third-party tools we use (e.g., Google Analytics) are subject to data processing agreements and used only for the purposes we specify.

12. Children’s Privacy

12.1 Age Restrictions

Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without parental consent.

If you are under 13, please do not provide any personal information through our website or services.

12.2 Parental Consent

If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information as quickly as possible.

12.3 Services for Minors 13-17

In some cases, we may provide services to individuals aged 13-17:

• We will obtain parental or guardian consent when required by law
• We will collect only the minimum information necessary
• We will implement age-appropriate safeguards

12.4 Parents and Guardians

If you believe your child has provided personal information to us without your consent: 📧 Email: privacy@theasylumproject.org
📞 Phone: 541-435-1881

We will verify your relationship to the child and promptly delete the information.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

13.1 Right to Know

You can request information about:

• Categories of personal information collected
• Categories of sources from which information was collected
• Business or commercial purpose for collecting information
• Categories of third parties with whom information is shared
• Specific pieces of personal information collected

13.2 Right to Delete

You can request deletion of personal information we collected from you, subject to legal exceptions.

13.3 Right to Opt-Out of Sale or Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

13.4 Right to Correct

You can request correction of inaccurate personal information.

13.5 Right to Limit Use of Sensitive Personal Information

If we use sensitive personal information for purposes other than providing services, you can request that we limit such use. Currently, we only use sensitive information for the purposes you request.

13.6 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. You will receive the same quality of service whether or not you exercise your rights.

13.7 Authorized Agents

You may designate an authorized agent to make requests on your behalf:

• Provide written authorization signed by you
• The agent must verify their authority
• We may require you to verify your identity directly

13.8 How to Exercise California Rights

📧 Email: privacy@theasylumproject.org (subject: “California Privacy Rights”)
📞 Phone: 503-446-4570
✉️ Mail: The Asylum Project, Attn: California Privacy Request, PO Box 355, Coquille, OR 97423

Response Time: 45 days (may extend to 90 days for complex requests)

13.9 Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

14. Oregon Privacy Rights

If you are an Oregon resident, you have rights under Oregon privacy laws.

14.1 Data Breach Notification

If we experience a data breach affecting Oregon residents:

• We will notify you without unreasonable delay
• We will notify the Oregon Attorney General if 250+ Oregon residents are affected

14.2 Additional Protections

Oregon law provides additional protections for:

• Student data (if we work with educational institutions)
• Health information
• Biometric data

We comply with all applicable Oregon privacy laws.

15. European Privacy Rights (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR.

15.1 Legal Bases for Processing

See Section 5 for detailed information about our legal bases for processing your data.

15.2 Individual Rights

You have the rights described in Section 9, including:

• Right to access
• Right to rectification
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object
• Right not to be subject to automated decision-making

15.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

EU Member States:

• Contact your national data protection authority
• List: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom:

• Information Commissioner’s Office (ICO)
• Website: https://ico.org.uk/
• Phone: +44 303 123 1113

15.4 International Transfers

See Section 7 for information about how we protect your data when it is transferred internationally.

15.5 Data Protection Officer (DPO)

While we are not currently required to appoint a Data Protection Officer, we have designated a Data Protection Lead:

Data Protection Lead:
Chief Operations Officer (COO)
📧 Email: privacy@theasylumproject.org
📞 Phone: 541-435-1881

If we are required to appoint a formal DPO in the future, contact information will be updated here.

16. Changes to This Policy

16.1 Updates

We may update this Privacy Policy periodically to reflect:

• Changes in our practices
• New legal requirements
• Technological developments
• Feedback from our community

16.2 Notice of Material Changes

For material changes (e.g., new purposes for processing, changes in data sharing):

• We will post a prominent notice on our website
• We will email registered users and donors
• We will obtain consent where required by law
• We will update the “Last Updated” date at the top of this policy

16.3 Your Continued Use

By continuing to use our services after changes take effect, you accept the updated policy. If you do not agree, please stop using our services and contact us to delete your information (subject to legal retention requirements).

17. Contact Us

17.1 General Privacy Questions

📧 Email: privacy@theasylumproject.org
📞 Phone: 541-435-1881
✉️ Mail: The Asylum Project, Attn: Privacy Inquiry, PO Box 355, Coquille, OR 97423

17.2 Data Protection Lead

Chief Operations Officer (COO):
Dr. Chrissy Mackey
📞 Phone: 541-435-1881
📧 Email: cmackey@theasylumproject.org

17.3 Executive Team

Chief Executive Officer (CEO):
Jonathan Jones
📞 Phone: 503-583-4450
📧 Email: jjones@theasylumproject.org

Chief Financial Officer (CFO):
Rebecca DeCuir
📞 Phone: 805-229-1726
📧 Email: rdecuir@theasylumproject.org

Chief Technology Officer (CTO):
Nick Rowland
📞 661-213-9180
📧 Email: nrowland@theasylumproject.org

17.4 Main Organization Contact

The Asylum Project
24001 Wilson River Hwy
Tillamook, OR 97414
United States

📞 Main Phone: 503-446-4570
📧 General Email: hello@theasylumproject.org
🌐 Website: www.theasylumproject.org

Thank You

Thank you for taking the time to understand how we protect your privacy. Your trust means everything to us, and we are committed to honoring it every day.

If you have questions, concerns, or feedback about this policy or our privacy practices, please reach out. We are here to listen and to serve.

END OF POLICY