Natural Resources Wildlife Lab — Privacy Policy

Effective Date: May 22, 2026 Last Updated: May 22, 2026

This Privacy Policy describes how [Natural Resources Wildlife Lab, Inc.], a [Washington] nonprofit corporation tax-exempt under IRC § 501(c)(3) ("NRWL," "we," "our," or "us") collects, uses, discloses, retains, and protects personal information when you access or use our website, mobile application, application-programming interfaces, donation channels, citizen-science programs, and related online products and services (collectively, the "Services"), and the rights you have regarding that information.

This Privacy Policy is incorporated by reference into our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

NRWL is a charitable organization. Many of the principles below — donor privacy, restraint in data collection, and a default position of not selling or sharing personal information for advertising — reflect our adherence to the Donor Bill of Rights and to nonprofit-sector best practices.

If you are located in the EEA, U.K., or Switzerland, see Section 13 for GDPR/UK-GDPR/Swiss FADP information. If you are a California resident, see Section 14 for CCPA/CPRA information. If you are a Washington resident, see Section 15.

1. Scope

This Privacy Policy covers personal information about:

  • Visitors to the Services;
  • Donors (one-time and recurring);
  • Account holders (members, volunteers, citizen-science contributors, newsletter subscribers, partner-organization representatives);
  • Job applicants, where applicable (see Section 16).

It does not cover information collected by third-party websites or services, even if linked from the Services. Each is governed by its operator's privacy policy.

2. Information We Collect

We aim to collect only what is necessary to fulfill our mission and your requests.

2.1 Information You Provide Directly

| Category | Examples | Where Collected | |---|---|---| | Donor information | Name, mailing address, email, billing address, recurring-gift cadence, tribute/honoree name, dedication notes, tax-acknowledgement preferences | Donation forms | | Payment information | Tokenized payment method, last 4 digits of card or bank account, transaction history. Full card and ACH details are handled by our PCI-compliant payment processors and are not retained by NRWL | Donation forms | | Account information | Email, password (hashed), display name, preferences | Account signup | | Citizen-science contributions | Wildlife observation reports (species, date, photographs, audio recordings, observer notes, location) | Observation submissions | | Volunteer information | Contact info, availability, role preferences, emergency contact, signed waiver | Volunteer signup | | Newsletter / communications | Email, channel preferences, topic interests | Newsletter signup | | Survey, feedback, and research | Voluntary responses | Optional research | | Correspondence | Email content, letters, phone-call notes | Contact with NRWL |

2.2 Information Collected Automatically

| Category | Examples | |---|---| | Device and connection | IP address (and approximate location), device type, OS, browser, language, time zone, referring URL | | Usage | Pages and features accessed, click paths, dwell time, error reports, performance metrics | | Cookies and similar technologies | Session cookies, security tokens, analytics identifiers — see Section 7 | | Citizen-science telemetry | If you enable a device-level "precise location" permission to attach a GPS coordinate to a wildlife observation, that coordinate is collected with your authorization |

We do not collect precise geolocation (GPS coordinates) outside the citizen-science observation workflow without explicit per-feature consent.

2.3 Information from Third Parties

| Source | Examples | |---|---| | Payment processors (Stripe, PayPal, Apple Pay, Google Pay) | Tokenized payment, billing status, fraud signals | | Identity providers (Google, Apple, Microsoft SSO) | Email, name, profile photo — only the scopes you authorize | | Charity software vendors (e.g., CRM, donor-management tools) | Standard donor-management fields you authorize | | Analytics and observability vendors | Aggregated or pseudonymous usage | | Anti-abuse providers (reCAPTCHA) | Bot detection signals | | Public sources (only where directly relevant) | Publicly available information on a partner organization or grantor |

3. How We Use Information

We use personal information for the following purposes:

  1. Service operation — render the Services, authenticate you, process Donations, issue tax-acknowledgement letters, support citizen-science programs.
  2. Mission delivery — communicate about conservation programs you have supported, update donors on outcomes, advance our charitable mission.
  3. Donor stewardship — acknowledge gifts, recognize donor classes (e.g., "Friend of NRWL") at the level you authorize, send impact updates, manage planned-giving inquiries.
  4. Communications — send transactional messages (e.g., gift receipts, recurring reminders, account security alerts) and, with consent where required, newsletters and appeals.
  5. Citizen science — aggregate and de-identify wildlife observations for scientific use, share generalized observations with partner researchers under data-use agreements, apply our sensitive-species masking protocol (see Section 5 and the Terms of Service Section 8).
  6. Compliance — comply with our legal obligations (including state charitable-solicitation reporting, IRS reporting, donor disclosure obligations, anti-money-laundering review of large gifts, OFAC/sanctions screening), respond to lawful government requests, and enforce our Terms.
  7. Security and abuse prevention — detect and block fraud, unauthorized access, spam, harassment, false sightings, and policy violations.
  8. Service improvement — diagnose bugs, measure performance, evaluate new features. We use de-identified or aggregated data wherever feasible.
  9. Personalization — remember your preferences (e.g., topics of interest, donation amount defaults).
  10. Corporate transactions — facilitate or evaluate merger, consolidation, reorganization, or transfer of assets to a successor charitable organization, subject to confidentiality and notice obligations.

We do not use your personal information to:

  • Sell it to data brokers;
  • Engage in cross-context behavioral advertising;
  • Train third-party AI models;
  • Profile you for credit, employment, insurance, or housing decisions;
  • Disclose sensitive-species observation locations in any way that could facilitate poaching, harassment, or unauthorized intrusion.

4. Donor Information — Special Practices

We hold donor privacy as a core trust commitment. Specifically:

  • No donor-list rental, sale, or exchange. We do not rent, sell, or exchange donor lists for marketing or solicitation by third parties.
  • Anonymous gifts. You may request that your gift be anonymous; we will not list your name in public donor recognition. Internal records of the gift remain for accounting and tax purposes.
  • Tribute and memorial gifts. We notify the honoree (or designated family member) of the gift, without disclosing the amount unless authorized.
  • Recognition opt-out. You may opt out of all donor recognition (printed reports, websites, signage) at any time by emailing [giving@nrwl.org].
  • Tax acknowledgement. We send IRS-compliant acknowledgements; you may request re-issuance for legitimate tax purposes.
  • Large gifts. For gifts subject to anti-money-laundering, sanctions, or IRS-reporting thresholds, we may verify additional information about the source of funds; that information is used only for compliance purposes and is access- restricted internally.

5. Citizen-Science Data — Sensitive-Species Protocol

When you submit a wildlife observation:

  1. We retain the precise GPS coordinates internally for scientific use.
  2. For observations involving threatened, endangered, or otherwise sensitive species, we generalize the location (e.g., to a 10 km × 10 km grid) before any public display or non-internal sharing.
  3. Precise locations may be shared with qualified researchers under a data-use agreement that prohibits redistribution, with conservation-law-enforcement authorities pursuant to law, and with the photographer where the photographer is the original observer.
  4. You may request that your observer attribution be displayed as a pseudonym or omitted entirely.
  5. We delete observation media (photos, audio) on your request, unless retention is required for an active research project to which you have contributed (in which case we redact identifying metadata if practicable).

We treat citizen-science contributions as a co-stewardship relationship; we will not weaponize your data against the species you helped protect.

6. How We Share Information

We share personal information only as described below.

| Recipient Category | Purpose | Safeguards | |---|---|---| | Cloud-infrastructure providers (Google Cloud Platform) | Hosting, compute, storage | DPA, SCCs, encryption-in-transit and at-rest | | Payment processors (Stripe, PayPal, etc.) | Authorize and settle Donations | PCI-DSS compliance, tokenization | | Donor-management / CRM vendors | Donor records, acknowledgement letters | DPA, role-based access | | Email vendors (Mailgun, etc.) | Deliver transactional and (with consent) appeal email | DPA, encryption in transit | | Analytics and observability | Crash and performance reporting | DPA, IP truncation where supported | | Anti-abuse | Bot detection | DPA, minimum-necessary signals | | Conservation research partners (academics, NGOs, government wildlife agencies) | Citizen-science data, generalized for sensitive species; precise only under data-use agreements | DUA, attribution policy, sensitive-species protocol | | Affiliate-program providers | Commission tracking on Affiliate Recommendations — we do not provide them your personal information beyond the click identifier; the affiliate partner's privacy policy governs their cookies | Affiliate program terms | | Auditors, attorneys, accountants | Audits (including IRS Form 990 audits), legal advice | Professional confidentiality, NDAs | | Affiliates and successor charities under common mission | Operational support, future merger/consolidation | Internal data-handling standards, notice + opt-out for material changes | | Government and law-enforcement | Charitable-solicitation reporting, IRS Form 990 (publicly available), lawful requests, mandatory reporting (e.g., child-protection statutes) | Validity review; pushback on overbroad requests | | With your direction | Tribute notifications, partner integrations | As configured by you |

We do not sell personal information. We do not engage in cross-context behavioral advertising. We do not exchange donor lists with other organizations.

7. Cookies and Similar Technologies

We use cookies and similar technologies in three categories:

  1. Strictly necessary — authentication, security, donation-flow continuity, load balancing. Cannot be disabled without breaking the Service.
  2. Functional — remember preferences (language, theme, dismissed banners). Set by default.
  3. Analytics and performance — measure usage and detect errors. Where the law requires opt-in consent (EEA, U.K., Switzerland, California for non-essential analytics), we obtain consent through our cookie banner. We honor browser-level Global Privacy Control (GPC) signals where applicable.

We do not use advertising cookies. Affiliate links may set first-party cookies of the affiliate partner upon click; you can decline by not clicking the link, and those cookies are subject to the partner's own privacy policy.

8. Children's Privacy

The Services are not directed to children under 13. We do not knowingly collect personal information from anyone under 13 without verifiable parental consent in accordance with COPPA.

Some education-program features may be intended for use by classroom teachers with their students; in those cases, the school or teacher obtains COPPA-compliant parental consent on behalf of students, and NRWL acts in accordance with that consent and the FTC's COPPA "school authorization" framework.

For users between 13 and the age of majority in their jurisdiction, certain features may require parental or guardian permission. In jurisdictions where 16 is the digital-consent age, we do not knowingly process personal information of users under 16 without verified parental consent for purposes requiring consent.

If you believe a child has provided personal information without your consent, contact [privacy@nrwl.org] and we will delete it.

9. Data Retention

We retain personal information only as long as needed to fulfill the purposes for which it was collected, plus any period required by law. Specific retention windows:

| Data | Default Retention | |---|---| | Donor records | Indefinitely for accounting/tax/legacy-giving stewardship, subject to your right to request deletion (see Section 12). Tax-acknowledgement letters retained at least 7 years | | Recurring-gift authorizations | While active, plus 7 years after termination | | Account profile | Lifetime of Account; deleted within 30 days of Account closure | | Citizen-science observations (public, generalized) | Indefinitely as part of the scientific record; observer attribution removable on request | | Citizen-science observations (precise location, sensitive species) | Indefinitely under restricted access; precise media deletable on request unless part of an active study | | Backups | Rolling 90 days, then irreversibly deleted | | Marketing-consent records | While the consent is active, plus 3 years after withdrawal | | Server logs (truncated IP) | 90 days | | Security-incident records | As long as the matter remains open, plus 3 years after closure | | Support tickets | 3 years | | Anti-money-laundering / sanctions documentation | 5 years (statutory minimum) | | Legal-hold data | Until the hold is released |

You can request earlier deletion via Section 12 — we will honor it unless required to retain by law (in particular, tax records associated with deductible contributions).

10. Security

We implement administrative, technical, and physical safeguards designed to protect personal information. Controls include:

  • TLS 1.2+ encryption in transit; AES-256 at rest;
  • Multi-factor authentication for all production access;
  • Least-privilege access controls, audit logging, and regular access reviews;
  • Vulnerability scanning, dependency updates, secret scanning;
  • Coordinated vulnerability disclosure for security researchers (see Terms of Service Section 13);
  • Annual security review;
  • Vendor security assessments for processors handling donor or sensitive data;
  • Incident-response runbooks with defined SLAs.

If we determine that a security incident materially affected your personal information, we will notify you and the relevant authorities as required by applicable law (e.g., Washington's breach-notice statute, RCW 19.255 et seq.; the CCPA/CPRA notice rules; GDPR Art. 33–34; and equivalent statutes), and we will provide guidance to mitigate harm.

11. International Transfers

NRWL is based in the United States. Personal information you provide may be transferred to and processed in the U.S. and other countries. Where the GDPR or analogous law applies, we rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU–U.S. Data Privacy Framework and the U.K. Extension and Swiss Data Privacy Framework. A copy of the SCCs is available on request.

12. Your Privacy Rights

Depending on where you live, you may have some or all of the following rights:

  • Access / Know — request a copy of the personal information we hold;
  • Correction / Rectification — correct inaccurate or incomplete information;
  • Deletion / Erasure — request that we delete personal information (subject to legal-retention exceptions, notably for tax records of deductible contributions);
  • Portability — receive a portable copy of certain information;
  • Restriction / Object — restrict or object to certain processing, including direct-marketing processing;
  • Withdraw consent — withdraw a consent you previously gave (e.g., newsletter, research participation, AI training if ever applicable);
  • Opt-out of sale or sharing — though we do not sell or share for advertising, you may submit a verifiable request to confirm this;
  • Donor-recognition opt-out — remove your name from public donor recognition;
  • Non-discrimination — we will not penalize you for exercising any right;
  • Appeal — if we deny a rights request, you may appeal as described in our response.

How to submit a request:

  • Email [privacy@nrwl.org] with the subject "Privacy Request"; or
  • Use the in-product privacy controls in your Account settings (where available).

We verify identity proportionate to the sensitivity of the request. Authorized agents may submit requests with written authorization, subject to the agent-verification provisions of CCPA/CPRA and analogous state laws.

We respond within 45 days (or 30 days for EEA/UK/Swiss requests where shorter periods apply), extendable by an additional 45 days where reasonably necessary, with notice.

13. EEA, U.K., and Swiss Residents (GDPR / UK-GDPR / FADP)

If you are located in the EEA, U.K., or Switzerland:

  • Controller: [Natural Resources Wildlife Lab, Inc.] is the controller of your personal information.

  • EU/UK Representative (if required): [Designate per Art. 27 GDPR before publication if NRWL targets EEA/UK without an EU establishment].

  • Legal Bases:

    | Purpose | Legal Basis | |---|---| | Account creation, Service delivery, Donation processing | Performance of a contract or pre-contractual steps; legal obligation (tax) | | Security, abuse prevention, fraud detection | Legitimate interests | | Service improvement and analytics (aggregated) | Legitimate interests | | Marketing emails (where consent is required) | Consent | | Cookies for non-essential analytics | Consent | | Citizen-science sharing with research partners | Public interest (Art. 6(1)(e)) / legitimate interests, plus Art. 89 safeguards for scientific research | | Anti-money-laundering, sanctions compliance, IRS reporting | Legal obligation |

  • Special-category data: We do not, in the default configuration, process special-category data under Art. 9 GDPR. If you voluntarily disclose such data (e.g., in a free-text donor message), we treat it consistent with Art. 9(2)(e) (data manifestly made public by the subject) or another available basis.

  • International Transfers: SCCs apply.

  • Complaints: You may lodge a complaint with your local supervisory authority.

14. California Residents (CCPA / CPRA)

This section is required by the CCPA, as amended by the CPRA.

14.1 Categories Collected in the Last 12 Months

Similar to Section 13 of the InterPegasus Privacy Policy. We collect: identifiers, California Civil Code § 1798.80(e) personal information, commercial information (Donations), internet activity, approximate geolocation, audio (only if you submit audio in a citizen-science observation), professional/employment (for applicants only), and inferences (for personalization).

We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising. We do not, in the default configuration, process sensitive personal information beyond what is necessary to provide the Services.

14.2 Retention

Per Section 9.

14.3 Rights

Per Section 12, including the right to limit our use of sensitive personal information.

14.4 California Shine the Light

We do not share personal information for direct-marketing purposes of third parties.

15. Washington Residents

15.1 My Health My Data Act (RCW 19.373)

Applicability: The MHMDA applies to "consumer health data."

Our position: NRWL does not, in the default configuration, collect data intended to identify your physical or mental health status. Educational content about animal health, ecology, or wildlife disease is not consumer health data within the meaning of MHMDA, which is concerned with the personal health of consumers.

If you submit content that includes your personal health information (for example, in a free-text donor message or a volunteer-application medical accommodation request), we will treat it consistent with the relevant law (HIPAA, MHMDA, ADA), use it only for the purpose for which you provided it, and delete it on request.

If we ever add a feature that materially processes consumer health data as defined by MHMDA, we will update this Privacy Policy with the disclosures MHMDA requires, obtain affirmative consent, and provide a separate Consumer Health Data Privacy Policy under RCW 19.373.020.

15.2 Biometric Information (RCW 19.375)

We do not enroll, collect, or capture biometric identifiers in the default configuration. Audio submitted as part of a wildlife observation is not a "voice print" of a person under RCW 19.375 and is treated as citizen-science data.

15.3 Washington Breach Notice (RCW 19.255)

If we suffer a breach of the security of unencrypted personal information of a Washington resident, we will notify the affected individuals and, where required, the Washington Attorney General within the statutory timeframe.

15.4 Washington Charitable-Solicitation Records

Washington Charitable Solicitations Act records are filed with the Washington Secretary of State pursuant to RCW 19.09. You can verify NRWL's filings at www.sos.wa.gov/charities. NRWL does not engage in commercial fundraising (use of paid solicitors) without filing the additional disclosures required by RCW 19.09.

16. Job Applicants

If you apply for a position with NRWL, we collect the information you provide on your application (resume, CV, cover letter, references) plus information from authorized third parties (background-check provider, after consent; references you nominate). We use this information solely to evaluate your application, communicate with you, and comply with employment laws. We retain applicant data for the period required by law (and no longer than four years after the close of the relevant recruitment) unless you have agreed to retention for future opportunities.

For California-resident applicants, your CCPA/CPRA rights as described in Section 14 apply with the limitations stated in the statute.

17. Do-Not-Track and Global Privacy Control

Our websites currently do not respond to "DNT" browser signals because there is no industry consensus on how DNT should be implemented. We do honor the Global Privacy Control (GPC) signal as an opt-out of sale and sharing where applicable law treats GPC as such an opt-out.

18. Notice of Material Changes

We will post any changes with an updated "Last Updated" date. For material changes that expand the use or sharing of personal information beyond what was previously disclosed, we will provide at least 30 days' advance notice (by email, in-product notice, or homepage banner) and, where required by law, obtain consent before the change takes effect for your data.

19. Contact and Data Protection Officer

| Role | Contact | |---|---| | Privacy / Data Subject Requests | [privacy@nrwl.org] | | Data Protection Officer | [dpo@nrwl.org] | | Security incidents (researchers) | [security@nrwl.org] | | Donor Services | [giving@nrwl.org] | | General Legal | [legal@nrwl.org] | | Mail | Natural Resources Wildlife Lab, Inc., Attn: Privacy, [STREET ADDRESS, CITY, WA ZIP] |

We aim to respond to privacy inquiries within 5 business days.

This Privacy Policy is also available at nrwl.org/privacy. By using the Services or making a Donation, you acknowledge that you have read and understood this Privacy Policy.