Privacy Policy
Your privacy is important to us. This policy explains how The Lucky Foundation (“TLF,” “we,” “us,” or “our”) collects, uses, and protects your information. By using our website and services, you consent to the terms described in this policy.
Last Updated: May 2026 | Effective Date: April 1, 2026
Information We Collect
Volunteer Information
When you register as a volunteer, we collect your name, email address, phone number, address, skills, availability, and volunteer history. We also collect information about your activities, hours logged, and achievements.
Donor Information
When you donate to TLF, we collect your name, email address, phone number, address, and donation history. Payment information is collected and processed by our secure third-party payment processors. No payment information is stored in our systems.
Beneficiary Information
For beneficiary families, we collect name, contact information, family composition, service member information, injury status, and financial need assessment. This information is treated as highly sensitive.
Automatically Collected Information
We automatically collect information via cookies about your device, browser type, IP address, pages visited, time spent on pages, and referral sources. This information is used to improve our website and understand user behavior.
How We Use Your Data
Service Delivery
To provide volunteer opportunities, process donations, and deliver, manage, and report on scholarships and assistance to beneficiary families.
Communication
To send you updates about volunteer opportunities, donation confirmations, impact reports, and organizational news. You can opt out of marketing communications at any time.
Improvement & Analytics
To understand how our website is used, improve our services, and develop new programs. We use aggregated, anonymized data for analytics.
Legal & Safety
To comply with legal obligations, prevent fraud, protect security, and enforce our terms of service.
Donor Relations
To acknowledge donations, provide tax documentation, and share impact reports. Donor information is kept strictly confidential.
Information Sharing
TLF will not sell, trade, or share donor or beneficiary information with third parties. We may share information with trusted third parties (e.g., our payment processors for donations) who assist us in operations. These trusted third parties are required to safeguard information collected and keep it confidential.
Program Participation Policies
Health Insurance Portability and Accountability Act (HIPAA)
For beneficiary families participating in certain programs, TLF may collect protected health information (PHI) as part of our program participation requirements. A HIPAA Notice of Privacy will be provided to beneficiaries enrolled in applicable programs.
Children’s Privacy
Our website is not intended for children under 13. We do not knowingly collect information from children under 13. However, for beneficiary families participating in our programs, we will collect information about minors (individuals under 18 years of age) only as necessary to administer our programs. This information will only be collected upon receiving the appropriate parental or guardian consent.
Your Privacy Rights
General Data Protection Regulation (GDPR) Rights (European Union and European Economic Area Residents)
TLF acts as the Data Controller for the personal data collected and processed, as described in this Privacy Policy, to fulfill our organizational purposes. At times, we may act as a data processor on behalf of partners or vendors. This section describes how we collect, process, store, and protect personal data in compliance with GDPR requirements. Below is a summary of data categories, purposes, legal bases, and roles:
| Data Category | Purpose of Processing | Legal Basis (GDPR) | Role |
|---|---|---|---|
| Volunteer Information | Recordkeeping and IRS Form 990 reporting | Legitimate Interest, Legal Obligation | Controller |
| Donor Information | Donation processing, IRS Form 990 reporting, and communication | Consent, Contractual Obligation, Legal Obligation | Controller |
| Beneficiary Information | Program delivery and support | Legitimate Interest, Consent | Controller |
| Vendor Information | Contract management | Contractual Obligation | Controller |
Lawful Basis for Processing:
We rely on the following lawful bases under GDPR:
Consent: Where explicit permission is obtained from individuals.
Contractual Obligation: To fulfill agreements with donors, volunteers, or vendors.
Legal Obligation: To comply with applicable laws.
Legitimate Interest: For operational purposes where rights are balanced.
Consent Management
We obtain clear, informed consent where required and provide easy mechanisms for individuals to withdraw consent or opt out of communications. Consent records are maintained securely.
Data Minimization and Retention
We collect only data necessary for specified purposes and retain it only as long as legally or operationally required. Data is securely deleted or anonymized after retention periods expire. Individuals may request deletion or correction of their data prior to the retention expiration period. Please see the Data Retention section below for our data retention periods.
Your Rights Under GDPR
Right of Access: Request a copy of your personal data
Right to Erasure: Request deletion of your data ("right to be forgotten")
Right to Rectification: Correct inaccurate data
Right to Restrict Processing: Limit how we use your data
Right to Data Portability: Receive your data in portable format
Right to Object: Object to processing of your data
Third-Party Processors and Vendors
We engage third-party service providers (e.g., payment processors, CRM platforms, email services) under data processing agreements that ensure GDPR compliance. Business Associate Agreements (BAAs) are in place where applicable, especially for sensitive data (such as protected health information in compliance with HIPAA).
International Data Transfers
Where personal data is transferred outside of the EEA, we ensure appropriate safeguards such. By using our website and affiliated links, you are consenting to the transfer of data between the EU and TLF, pursuant to the specific conditions and limits specified in this Privacy Policy.
Data Security and Breach Notification
We implement technical and organizational measures to protect personal data, including encryption, access controls, and volunteer training. For specific details of security information, please see the Data Security section below. In the event of a data breach, we follow a strict procedure:
Detection and containment
Internal escalation and investigation
Notification to supervisory authorities within 72 hours when required
Communication to affected individuals if high risk
Remediation and prevention measures
Contact for breach notifications: [email protected]
California Consumer Privacy Act (CCPA) Rights (California Residents)
Although TLF is a nonprofit organization and is generally not subject to the CCPA, we voluntarily extend key privacy rights to California residents to promote transparency and trust. The following rights apply to personal information we collect in connection with our programs, donations, volunteer activities, and website as described within this Privacy Policy.
Your Rights Under the CCPA (As Voluntarily Honored by Us)
Right to Know: Know what personal information is collected
Right to Access: Request a copy of your personal data
Right to Delete: Request deletion of your information
Right to Opt-Out: Opt out of data sales (we do not sell data)
Right to Correct: Correct inaccurate information
How to Exercise Your CCPA Rights
You may submit a request by:
Email: [email protected]
Online Form: Submit a request through our Data Access Request Form
Mail: The Lucky Foundation
5900 Balcones Drive, STE 100
Austin, TX 78731
We will verify your identity before fulfilling your request. We respond within 45 days, with an additional 45-day extension if reasonably necessary.
Authorized Agents
California residents may designate an authorized agent to submit requests on their behalf. We may require proof of authorization and identity verification.
Non-Discrimination
We will not deny services or provide a different level of service if you exercise your privacy rights.
Other State Privacy Rights
If you are a resident of Virginia, Colorado, Connecticut, Utah, or Montana, you have privacy rights similar to those of California residents under your state's privacy law. We honor all applicable state privacy requirements.
How to Exercise Your Rights
To exercise any of these rights, please submit a request using our data access form or email us at [email protected]. We will respond within 30 days (45 days for complex requests).
Data Security
We implement industry-standard security measures to protect your personal information:
AES-256 encryption for data at rest
TLS 1.2+ encryption for data in transit
Role-based access control (RBAC)
Comprehensive audit logging
Regular security assessments
Breach notification procedures
Data Retention
| Data Type | Retention Period | Reason |
|---|---|---|
| Volunteer Records | 7 years | Tax (IRS Form 990) and legal compliance |
| Donor Records | 7 years | IRS Form 990 requirements |
| Beneficiary Records | 10 years | Program evaluation and legal protection |
| Website Analytics | 13 months | Website improvement and analysis |
| Audit Logs | 2 years | Security and compliance monitoring |
Contact Us
Privacy Questions or Requests:
Data Protection Officer (GDPR):
Mailing Address:
The Lucky Foundation
5900 Balcones Drive, STE 100
Austin, TX 78731
Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date above. Your continued use of our website following the posting of the revised Privacy Policy means that you accept and agree to the changes.
