Privacy Policy

The Asylum Project

Effective Date: August 4, 2025

Last Updated: November 11, 2025

1. Introduction

At The Asylum Project ("TAP," "we," "us," "our"), we believe that privacy is a fundamental human right. For the people we serve—many of whom face persecution, systemic violence, or grave threats to their safety—protecting personal information isn't just a legal obligation. It's a sacred trust.

This Privacy Policy explains:

What information we collect and why
How we use, share, and protect that information
Your rights and how to exercise them
How we comply with privacy laws around the world

We are committed to transparency, accountability, and giving you meaningful control over your personal information.

2. Who We Are

Organization Name: The Asylum Project
Legal Structure: 501(c)(3) Nonprofit Public Benefit Corporation
State of Incorporation: Oregon, United States
Mission: Supporting U.S. citizens—particularly LGBTQ+ individuals, BIPOC communities, and people with disabilities—through international relocation assistance, safe housing access, and educational resources for those facing persecution.

Principal Office:
The Asylum Project
24001 Wilson River Hwy
Tillamook, OR 97414
United States

General Contact:
📞 Phone: 503-446-4570
📧 Email: info@theasylumproject.org
🌐 Website: www.theasylumproject.org

Data Protection Contact:
For privacy-specific questions:
📧 Email: privacy@theasylumproject.org
Attention: Chief Operations Officer (Data Protection Lead)

EU Representative (if applicable):
If we process significant amounts of personal data from EU/EEA residents, we will designate a representative in the European Union as required by GDPR Article 27. Contact information will be listed here when applicable.

3. Information We Collect

3.1 Information You Provide Directly

Contact Information:

Name (first, last, preferred name)
Email address
Phone number
Mailing address
Country of residence

Account and Profile Information (if you create an account):

Username and password
Profile information you choose to share
Communication preferences

Service and Program Information:

Information you provide when requesting services or applying for programs
Circumstances and needs related to relocation or support
Documentation you choose to share (e.g., identity documents, proof of circumstances)

Donation and Payment Information:

Name, email, billing address
Payment method (processed through secure third-party platforms—we do not store full credit card numbers)
Donation amount and frequency
Gift designation or preferences

Communication Records:

Emails, messages, and other correspondence with us
Survey responses or feedback
Event registration information

Employment and Volunteer Information:

Resumes, cover letters, references
Background check results (as permitted by law)
Employment or volunteer records

3.2 Information We Collect Automatically

When you visit our website or use our digital platforms:

Technical Information:

IP address
Browser type and version
Device type and operating system
Referring website
Pages visited and time spent
Date and time of access

Cookies and Similar Technologies:

We use cookies, web beacons, and similar technologies to improve functionality and user experience
See Section 11 for detailed information about cookies

3.3 Information from Third Parties

We may receive information about you from:

Service Providers:

Payment processors (transaction records)
Email marketing platforms (engagement metrics)
CRM systems (contact management)

Public Sources:

Publicly available information used to verify eligibility or assess safety concerns
Information from partner organizations (with your consent)

Social Media:

If you interact with us on social media, we may collect publicly available profile information

3.4 Sensitive Personal Information

In some cases, we may collect information that is considered "sensitive" or "special category" under privacy laws:

Health Information: If you disclose health conditions relevant to services
Sexual Orientation and Gender Identity: If you share this information for program eligibility
Racial or Ethnic Origin: If you provide this information
Immigration Status: If relevant to services
Biometric Data: Only if specifically required and with explicit consent

Important: We only collect sensitive information when:

You voluntarily provide it
It is necessary for the services you request
We have a legal basis (explicit consent, vital interests, legal claims)
We have implemented additional safeguards

You are never required to share sensitive information unless it is essential for the specific service you are requesting.

4. How We Use Your Information

We use personal information for the following purposes:

4.1 To Provide Services and Programs

Assess eligibility for relocation assistance, housing support, or other programs
Coordinate services with partners and service providers
Communicate about your case or application
Provide educational resources and information

4.2 To Process Donations and Financial Transactions

Process donations, grants, or payments
Issue tax receipts and acknowledgments
Maintain donor records for stewardship and compliance
Prevent fraud and ensure payment security

4.3 To Communicate with You

Respond to inquiries and requests
Send updates about our programs and impact
Share newsletters, event invitations, or fundraising appeals (with your consent)
Conduct surveys or request feedback

4.4 To Improve Our Services

Analyze website usage and user experience
Conduct research and evaluation to improve programs
Develop new services or resources
Monitor and improve our operations

4.5 To Comply with Legal Obligations

Respond to legal requests (subpoenas, court orders)
Comply with tax, employment, and nonprofit reporting requirements
Conduct background checks as required by law or policy
Investigate and address potential violations of law or policy

4.6 To Protect Rights and Safety

Detect and prevent fraud, abuse, or security threats
Protect the safety of individuals we serve and our staff
Defend legal claims or enforce our policies
Ensure the security and integrity of our systems

5. Legal Bases for Processing (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, we process your personal information based on the following legal grounds under the General Data Protection Regulation (GDPR):

5.1 Consent (Article 6(1)(a) and Article 9(2)(a))

When we use this basis:

You have explicitly agreed to the processing (e.g., subscribing to newsletters, providing sensitive information)

Your rights:

You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal
Withdrawal is as easy as giving consent (email, online form)

5.2 Contractual Necessity (Article 6(1)(b))

When we use this basis:

Processing is necessary to fulfill a contract with you (e.g., providing services you requested)
Processing is necessary to take steps before entering into a contract

Examples:

Providing relocation assistance you applied for
Processing donations you agreed to make

5.3 Legal Obligation (Article 6(1)(c))

When we use this basis:

We are required by law to process your information

Examples:

Tax reporting and IRS compliance
Responding to lawful subpoenas or court orders
Employment law compliance (e.g., payroll, discrimination prevention)

5.4 Vital Interests (Article 6(1)(d) and Article 9(2)(c))

When we use this basis:

Processing is necessary to protect someone's life or physical safety

Examples:

Emergency medical situations
Situations involving imminent danger or threats to safety

5.5 Public Interest (Article 6(1)(e) and Article 9(2)(g))

When we use this basis:

Processing is necessary for tasks carried out in the public interest

Examples:

Operating as a charitable nonprofit organization
Providing services for vulnerable populations
Advocacy and policy work for marginalized communities

5.6 Legitimate Interests (Article 6(1)(f))

When we use this basis:

Processing is necessary for our legitimate interests or those of a third party, provided your rights do not override those interests

Examples:

Fraud prevention and security
Internal administration and operations
Analyzing website usage to improve user experience
Direct marketing to existing supporters (with easy opt-out)

Balancing Test: Before relying on legitimate interests, we assess whether your rights and freedoms outweigh our interests. You can object to processing based on legitimate interests.

5.7 Special Category Data (Article 9(2))

For sensitive information (health, sexual orientation, race, etc.), we use the following legal bases:

Explicit Consent (Article 9(2)(a))
Vital Interests (Article 9(2)(c)) - when you cannot give consent
Substantial Public Interest (Article 9(2)(g)) - for our charitable mission
Legal Claims (Article 9(2)(f)) - to establish, exercise, or defend legal claims

6. How We Share Information

We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:

6.1 With Service Providers

We work with trusted third-party organizations that help us operate:

Examples:

Payment Processors (Stripe, PayPal) - to process donations
Cloud Hosting (Google Workspace, AWS) - to store data securely
Email Platforms (Mailchimp, etc.) - to send communications
CRM Systems - to manage contacts and programs
Website Analytics (Google Analytics) - to understand website usage

Our Requirements:

All service providers must sign Data Processing Agreements (DPAs)
They may only use data for the purposes we specify
They must implement appropriate security measures
For international transfers, Standard Contractual Clauses (SCCs) are required

6.2 With Partner Organizations

We may share information with:

Relocation and Housing Partners:

Organizations providing safe housing, legal assistance, or relocation support
Shared only with your explicit consent and on a need-to-know basis

Collaborating Nonprofits:

Partner organizations working on similar missions
Shared only for specific joint projects or with your consent

Grantmakers and Funders:

Aggregated, anonymized data for grant reports
Individual data only with your consent or as required by grant terms

6.3 For Legal Reasons

We may disclose information when required by law:

Legal Requests: Subpoenas, court orders, or lawful government requests
Legal Compliance: Tax reporting, employment law obligations, regulatory requirements
Legal Claims: To establish, exercise, or defend legal claims
Safety and Security: To protect against fraud, abuse, or threats to safety

Our Commitment: We will:

Verify the legitimacy of legal requests
Narrow the scope when possible
Notify you when legally permitted
Challenge overbroad or unlawful requests

6.4 Business Transfers

If The Asylum Project merges with or is acquired by another organization, personal information may be transferred as part of that transaction. We will notify you and ensure the new entity honors this Privacy Policy or obtains your consent for changes.

6.5 With Your Consent

We may share information for other purposes with your explicit consent, such as:

Public recognition as a donor (if you agree)
Testimonials or success stories (always with explicit permission)
Research or case studies (with anonymization or consent)

7. International Data Transfers

7.1 Where We Transfer Data

The Asylum Project is based in the United States, but we may transfer personal data internationally for the following reasons:

Cloud Services: Many technology platforms use global server infrastructure
Partner Organizations: We work with partners in other countries to provide services
Service Providers: Some vendors are located outside the U.S.

Countries We May Transfer Data To:

European Union/European Economic Area (EU/EEA) member states
United Kingdom
Canada
Other countries as necessary for our services

7.2 Legal Safeguards for International Transfers

When we transfer data internationally, we ensure it remains protected:

For Transfers to the EU/EEA/UK:

These jurisdictions have strong data protection laws (GDPR, UK GDPR)
No additional safeguards are typically required

For Transfers to the U.S. from the EU/EEA:

We use Standard Contractual Clauses (SCCs) approved by the EU Commission
We participate in the EU-U.S. Data Privacy Framework (if certified)
We implement supplementary measures (encryption, access controls) as needed

For Transfers to Other Countries:

We verify whether the country has an Adequacy Decision from the EU Commission
If not, we use Standard Contractual Clauses (SCCs) and conduct a Transfer Impact Assessment (TIA)
We implement technical and organizational safeguards to ensure data protection

7.3 Your Rights Regarding International Transfers

Right to Be Informed: You have the right to know where your data is transferred and what safeguards are in place
Right to Object: In some cases, you can object to international transfers
Right to Access Safeguards: You can request a copy of the safeguards we have in place (e.g., SCCs)

For detailed information, see our International Data Transfer Procedures policy.

8. Data Retention

8.1 How Long We Keep Your Information

We retain personal information only as long as necessary for the purposes outlined in this policy and to comply with legal, accounting, and regulatory requirements.

General Retention Periods:

Data Type	Retention Period	Reason
Marketing consent	Until withdrawn or 3 years of inactivity	GDPR and CAN-SPAM Act
Website analytics	26 months	GDPR best practice
Email communications	3-5 years	Operational needs and compliance
Volunteer records	5 years after last engagement	Background check validity
Employment records	7 years after separation	Labor law and compliance
Client service records	7 years after case closure	Legal protection and program evaluation
Financial records	7 years	Tax and audit compliance
Donor Records	7 years after last donation	IRS and accounting requirements

8.2 Anonymization and Aggregation

When possible, we anonymize or aggregate data after the retention period so it can no longer identify individuals. This allows us to:

Conduct research and program evaluation
Report on our impact
Improve our services

Anonymized data is not subject to this Privacy Policy and may be retained indefinitely.

8.3 Secure Destruction

When data reaches the end of its retention period:

Digital Data: Securely deleted using data-wiping software
Physical Records: Cross-shredded or incinerated
Backups: Removed from backup systems or anonymized

For more information, see our Document Retention & Destruction Policy.

9. Your Privacy Rights

You have significant rights regarding your personal information. The specific rights available to you depend on where you live, but we strive to honor these rights for everyone.

9.1 Right to Access

What it means: You can request a copy of the personal information we hold about you.

How to exercise: Email privacy@theasylumproject.org with subject line "Access Request"

Response time: 30 days (may be extended to 60 days for complex requests)

What you'll receive: A copy of your data in a commonly used electronic format

9.2 Right to Rectification (Correction)

What it means: You can ask us to correct inaccurate or incomplete information.

How to exercise: Email privacy@theasylumproject.org with subject line "Correction Request"

Response time: 30 days

9.3 Right to Erasure (Right to Be Forgotten)

What it means: You can request deletion of your personal information in certain circumstances:

The data is no longer necessary for the purposes it was collected
You withdraw consent (and consent was the legal basis)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed
Legal obligation requires deletion

Limitations: We may not be able to delete data if we need it to:

Comply with legal obligations (e.g., tax records)
Establish, exercise, or defend legal claims
Fulfill a contract with you
Protect vital interests

How to exercise: Email privacy@theasylumproject.org with subject line "Deletion Request"

Response time: 30 days

9.4 Right to Restriction of Processing

What it means: You can ask us to limit how we use your data in certain situations:

You contest the accuracy of the data
Processing is unlawful but you don't want deletion
We no longer need the data, but you need it for legal claims
You've objected to processing and we're verifying whether our interests override yours

How to exercise: Email privacy@theasylumproject.org with subject line "Restriction Request"

9.5 Right to Data Portability

What it means: You can receive your data in a structured, commonly used, machine-readable format and transmit it to another organization.

Applies when:

Processing is based on consent or contract
Processing is carried out by automated means

How to exercise: Email privacy@theasylumproject.org with subject line "Portability Request"

9.6 Right to Object

What it means: You can object to processing based on:

Legitimate interests
Direct marketing (absolute right—we will always stop)
Scientific/historical research or statistics

How to exercise:

Email privacy@theasylumproject.org with subject line "Objection"
Click "unsubscribe" in any marketing email

Direct Marketing: You can opt out at any time, and we will stop immediately.

9.7 Right Not to Be Subject to Automated Decision-Making

What it means: You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.

Our Practice: We do not use automated decision-making for significant decisions affecting individuals. If this changes, we will update this policy and obtain consent where required.

9.8 Right to Withdraw Consent

What it means: If processing is based on your consent, you can withdraw it at any time.

How to exercise: Email privacy@theasylumproject.org or click "unsubscribe" in emails

Important: Withdrawing consent does not affect the lawfulness of processing before withdrawal.

9.9 How to Exercise Your Rights

Contact Us: 📧 Email: privacy@theasylumproject.org
📞 Phone: 503-446-4570
✉️ Mail: The Asylum Project, Attn: Privacy Request, 24001 Wilson River Hwy, Tillamook, OR 97414

What to Include:

Your name and contact information
Description of your request
Proof of identity (if needed to verify your request)

Response Timeline:

We will respond within 30 days (may extend to 60 days for complex requests)
We will notify you if we need additional information or more time
If we deny your request, we will explain why and inform you of your right to complain

No Fee:

We do not charge a fee for most requests
We may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests

10. Security Measures

We take data security seriously and implement industry-standard safeguards to protect your information.

10.1 Technical Safeguards

Encryption: Data is encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent)
Access Controls: Role-based access with least privilege principles
Multi-Factor Authentication (MFA): Required for access to sensitive systems
Secure Passwords: Strong password requirements and password manager usage
Firewalls and Intrusion Detection: Network security monitoring
Regular Backups: Daily backups of critical data, stored securely
Secure Development: Security testing and code reviews for custom systems

10.2 Organizational Safeguards

Staff Training: Annual cybersecurity and privacy training for all staff and volunteers
Background Checks: Conducted for staff and volunteers with access to sensitive data
Confidentiality Agreements: All staff and volunteers sign NDAs
Incident Response Plan: Procedures for detecting and responding to breaches
Vendor Management: Security requirements for all third-party processors
Policies and Procedures: Comprehensive data protection policies

10.3 Physical Safeguards

Secure Facilities: Locked offices and restricted access areas
Device Security: Encrypted hard drives, screen locks, remote wipe capability
Secure Disposal: Cross-shredding of paper records, secure data wiping for electronic devices

10.4 Data Breach Response

If we experience a data breach that affects your personal information:

Immediate Actions:

Contain the breach and secure systems
Assess the scope and impact
Investigate the cause

Notification:

Supervisory Authorities: Within 72 hours (if GDPR applies)
Affected Individuals: Without undue delay if high risk to rights and freedoms
Content: Nature of breach, likely consequences, measures taken, contact information

Remediation:

Implement corrective measures
Provide support to affected individuals (e.g., credit monitoring if appropriate)
Review and strengthen security measures

For more information, see our Data Security & Cybersecurity Policy.

11. Cookies and Tracking Technologies

11.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us provide functionality, remember your preferences, and understand how you use our site.

11.2 Types of Cookies We Use

Strictly Necessary Cookies:

Required for the website to function
Enable navigation and access to secure areas
Cannot be disabled
Examples: Session cookies, security cookies

Functional Cookies:

Remember your preferences and choices
Examples: Language preference, accessibility settings
You can opt out: Yes, but site functionality may be limited

Analytics Cookies:

Help us understand how visitors use our website
Collect information about pages visited, time spent, errors encountered
Examples: Google Analytics
You can opt out: Yes, via cookie settings or browser settings

Marketing Cookies:

Track your activity across websites
Used to deliver relevant advertising
You can opt out: Yes, via cookie settings

11.3 How to Manage Cookies

Cookie Consent Banner:

When you first visit our website, you'll see a cookie consent banner
You can accept all, reject non-essential, or customize your preferences

Browser Settings:

You can set your browser to refuse all or some cookies
You can delete cookies already stored on your device
Note: Disabling cookies may affect website functionality

Opt-Out Tools:

Google Analytics Opt-Out: https://tools.google.com/dlpage/gaoptout
NAI Opt-Out: http://optout.networkadvertising.org/

11.4 Do Not Track Signals

Some browsers have "Do Not Track" features. Our website does not currently respond to Do Not Track signals, but we limit tracking and respect your cookie preferences.

11.5 Third-Party Tracking

We do not allow third-party advertisers to track you on our website. Any third-party tools we use (e.g., Google Analytics) are subject to data processing agreements and used only for the purposes we specify.

12. Children's Privacy

12.1 Age Restrictions

Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13 without parental consent.

If you are under 13, please do not provide any personal information through our website or services.

12.2 Parental Consent

If we learn that we have collected personal information from a child under 13 without parental consent, we will delete that information as quickly as possible.

12.3 Services for Minors 13-17

In some cases, we may provide services to individuals aged 13-17:

We will obtain parental or guardian consent when required by law
We will collect only the minimum information necessary
We will implement age-appropriate safeguards

12.4 Parents and Guardians

If you believe your child has provided personal information to us without your consent: 📧 Email: privacy@theasylumproject.org
📞 Phone: 541-435-1881

We will verify your relationship to the child and promptly delete the information.

13. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

13.1 Right to Know

You can request information about:

Categories of personal information collected
Categories of sources from which information was collected
Business or commercial purpose for collecting information
Categories of third parties with whom information is shared
Specific pieces of personal information collected

13.2 Right to Delete

You can request deletion of personal information we collected from you, subject to legal exceptions.

13.3 Right to Opt-Out of Sale or Sharing

We do not sell personal information. We do not share personal information for cross-context behavioral advertising.

13.4 Right to Correct

You can request correction of inaccurate personal information.

13.5 Right to Limit Use of Sensitive Personal Information

If we use sensitive personal information for purposes other than providing services, you can request that we limit such use. Currently, we only use sensitive information for the purposes you request.

13.6 Right to Non-Discrimination

We will not discriminate against you for exercising your privacy rights. You will receive the same quality of service whether or not you exercise your rights.

13.7 Authorized Agents

You may designate an authorized agent to make requests on your behalf:

Provide written authorization signed by you
The agent must verify their authority
We may require you to verify your identity directly

13.8 How to Exercise California Rights

📧 Email: privacy@theasylumproject.org (subject: "California Privacy Rights")
📞 Phone: 503-446-4570
✉️ Mail: The Asylum Project, Attn: California Privacy Request, 24001 Wilson River Hwy, Tillamook, OR 97414

Response Time: 45 days (may extend to 90 days for complex requests)

13.9 Shine the Light Law

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

14. Oregon Privacy Rights

If you are an Oregon resident, you have rights under Oregon privacy laws.

14.1 Data Breach Notification

If we experience a data breach affecting Oregon residents:

We will notify you without unreasonable delay
We will notify the Oregon Attorney General if 250+ Oregon residents are affected

14.2 Additional Protections

Oregon law provides additional protections for:

Student data (if we work with educational institutions)
Health information
Biometric data

We comply with all applicable Oregon privacy laws.

15. European Privacy Rights (GDPR)

If you are located in the European Union, European Economic Area, or United Kingdom, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR.

15.1 Legal Bases for Processing

See Section 5 for detailed information about our legal bases for processing your data.

15.2 Individual Rights

You have the rights described in Section 9, including:

Right to access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right to object
Right not to be subject to automated decision-making

15.3 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

EU Member States:

Contact your national data protection authority
List: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Phone: +44 303 123 1113

15.4 International Transfers

See Section 7 for information about how we protect your data when it is transferred internationally.

15.5 Data Protection Officer (DPO)

While we are not currently required to appoint a Data Protection Officer, we have designated a Data Protection Lead:

Data Protection Lead:
Chief Operations Officer (COO)
📧 Email: privacy@theasylumproject.org
📞 Phone: 541-435-1881

If we are required to appoint a formal DPO in the future, contact information will be updated here.

16. Changes to This Policy

16.1 Updates

We may update this Privacy Policy periodically to reflect:

Changes in our practices
New legal requirements
Technological developments
Feedback from our community

16.2 Notice of Material Changes

For material changes (e.g., new purposes for processing, changes in data sharing):

We will post a prominent notice on our website
We will email registered users and donors
We will obtain consent where required by law
We will update the "Last Updated" date at the top of this policy

16.3 Your Continued Use

By continuing to use our services after changes take effect, you accept the updated policy. If you do not agree, please stop using our services and contact us to delete your information (subject to legal retention requirements).

17. Contact Us

17.1 General Privacy Questions

📧 Email: privacy@theasylumproject.org
📞 Phone: 503-446-4570
✉️ Mail: The Asylum Project, Attn: Privacy Inquiry, PO Box 355, Coquille, OR 97423

17.2 Data Protection Lead

Chief Operations Officer (COO):
Dr. Chrissy Mackey
📞 Phone: 541-435-1881
📧 Email: cmackey@theasylumproject.org

17.3 Executive Team

Chief Executive Officer (CEO):
Jonathan Jones
📞 Phone: 503-583-4450
📧 Email: jjones@theasylumproject.org

Chief Financial Officer (CFO):
Rebecca DeCuir
📞 Phone: 805-229-1726
📧 Email: rdecuir@theasylumproject.org

Chief Technology Officer (CTO):
Nick Rowland

📞 661-213-9180
📧 Email: nrowland@theasylumproject.org

17.4 Main Organization Contact

The Asylum Project
24001 Wilson River Hwy
Tillamook, OR 97414
United States

📞 Main Phone: 503-446-4570
📧 General Email: info@theasylumproject.org
🌐 Website: www.theasylumproject.org

Thank You

Thank you for taking the time to understand how we protect your privacy. Your trust means everything to us, and we are committed to honoring it every day.

If you have questions, concerns, or feedback about this policy or our privacy practices, please reach out. We are here to listen and to serve.

END OF POLICY