Privacy Policy

1. Introduction

The Shteig Foundation ("Shteig," "we," "us," or "our") is a Delaware nonprofit corporation recognized as tax-exempt under Section 501(c)(3) of the Internal Revenue Code. We operate the Shteig platform at shteig.org, which facilitates one-on-one Torah learning by connecting donors and learners with qualified Torah educators as part of our charitable educational mission. This Privacy Policy explains how we collect, use, disclose, and protect your personal information — including donor information — when you use our Platform.

We are committed to protecting the privacy of our donors, learners, educators, and all users, and to complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable state nonprofit solicitation and donor privacy laws. By using Shteig, you agree to the practices described in this policy.

2. Information We Collect

2.1 Personal Data. When you create an account, make a donation, or use our Platform, we may collect the following personal information:

• Full name and display name
• Email address
• Profile photo
• Phone number (if provided)
• Mailing address (for donation receipts and tax acknowledgments)
• Biographical information (for Educator profiles)
• Qualifications and areas of expertise (for Educators)
• Time zone and language preferences
• Donation and contribution history
• Payment information (processed securely by our third-party payment processor; the Foundation does not store credit card numbers or bank account details)

2.2 Usage Data. We automatically collect information about how you interact with the Platform, including:

• IP address and approximate geolocation
• Browser type and version
• Device type and operating system
• Pages visited, features used, and actions taken
• Date and time of access
• Referring URL
• Session duration and frequency of use

2.3 Session Data. In connection with learning sessions facilitated through our charitable programs, we may collect:

• Session scheduling information (date, time, duration)
• Subject matter and learning topics selected
• Session attendance and completion status
• Reviews and ratings submitted by users
• Technical data related to video sessions (connection quality, duration)

We do not record the audio or video content of learning sessions unless both participants explicitly consent.

2.4 Scholarship Application Data. If you apply for a scholarship or financial hardship accommodation, we may collect additional information regarding your financial circumstances. This information is treated with the highest level of confidentiality and is used solely for the purpose of evaluating scholarship eligibility.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To create and manage your account
• To facilitate the matching and scheduling of Torah learning sessions as part of our charitable programs
• To process donations and issue tax-deductible donation receipts
• To communicate with you about your account, sessions, donations, and Foundation updates
• To display Educator profiles and enable discovery by Learners
• To evaluate scholarship and hardship applications
• To improve, personalize, and optimize the Platform
• To monitor and analyze usage trends and Platform performance
• To detect, prevent, and address fraud, abuse, or security issues
• To comply with legal obligations, including IRS reporting requirements for nonprofit organizations, and enforce our Terms of Service
• To send communications about the Foundation's programs, impact, and fundraising initiatives (with your consent, where required)

4. Donor Privacy Protections

The Shteig Foundation is committed to protecting the privacy and confidentiality of our donors. We maintain the following donor privacy commitments:

• We do not sell, trade, or rent donor personal information — including names, addresses, email addresses, phone numbers, or donation history — to any third party for any purpose.
• We do not share donor lists with other organizations, whether nonprofit or for-profit, except as required by law.
• Donation amounts are kept confidential. We will not publicly disclose the amount of any individual's donation without the donor's express written consent.
• Anonymous donations are respected. Donors who wish to remain anonymous may do so, and we will take reasonable steps to honor that request in all communications and records accessible to other users.
• Donor information is accessible only to Foundation personnel and authorized service providers who need it to process donations, issue receipts, or fulfill the Foundation's charitable mission.

These commitments are consistent with the Association of Fundraising Professionals (AFP) Donor Bill of Rights and applicable state nonprofit solicitation laws.

5. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Legitimate Interests: Processing necessary for the Foundation's legitimate charitable interests, such as facilitating Torah education programs, processing donations, improving the Platform, preventing fraud, and ensuring security, provided these interests are not overridden by your rights.
• Consent: Processing based on your freely given, specific, and informed consent, such as for fundraising communications. You may withdraw consent at any time.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations, including tax and nonprofit reporting requirements.
• Performance of a Contract: Processing necessary to fulfill our obligations under our Terms of Service where applicable.

6. Information Sharing

We do not sell your personal information. We may share your information with the following categories of service providers who assist us in operating the Platform and fulfilling our charitable mission:

• Supabase — Database hosting and authentication services
• Daily.co — Video conferencing infrastructure for learning sessions
• Resend — Transactional email delivery
• Stripe — Donation processing

These service providers are contractually obligated to use your information only as necessary to provide their services to us and in accordance with applicable data protection laws. They are prohibited from using donor information for their own marketing or other unrelated purposes.

We may also share information:

• With other users as necessary to facilitate learning sessions (e.g., sharing your name and profile with your matched Educator or Learner)
• When required by law, subpoena, court order, or governmental request
• To protect the rights, property, or safety of the Shteig Foundation, our users, or the public
• With the IRS or state agencies as required for nonprofit compliance and reporting
• In connection with a merger, reorganization, or transfer of assets to another nonprofit organization, with notice to affected users and donors

7. Cookies and Tracking

We use cookies and similar technologies to enhance your experience on the Platform. These include:

• Essential Cookies: Required for the Platform to function (e.g., authentication, session management). These cannot be disabled.
• Analytics Cookies: Help us understand how users interact with the Platform so we can improve it. These are only set with your consent where required by law.
• Preference Cookies: Remember your settings and preferences (e.g., language, time zone).

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Platform functionality. We do not use tracking technologies to build advertising profiles or sell data to advertisers.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to fulfill our charitable mission and comply with legal obligations. Specifically:

• Account data is retained for the duration of your account and for up to 30 days after deletion to allow for account recovery
• Session records and history are retained for up to 3 years after the session date
• Donation and contribution records are retained for a minimum of seven (7) years as required by IRS regulations for nonprofit organizations and applicable state record-retention laws
• Tax receipts and acknowledgment records are retained for a minimum of seven (7) years
• Scholarship application data is retained for 3 years after the determination
• Usage and analytics data is retained in aggregated, anonymized form indefinitely

When personal data is no longer needed and no legal retention requirement applies, we securely delete or anonymize it in accordance with our data retention procedures.

9. Your Rights

9.1 GDPR Rights (EEA, UK, Switzerland). If you are located in a jurisdiction covered by the GDPR, you have the following rights:

• Right of Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements for donation records
• Right to Restrict Processing: Request that we limit how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for fundraising communications
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Lodge a Complaint: File a complaint with your local data protection authority

9.2 CCPA Rights (California Residents). If you are a California resident, you have the following rights under the CCPA:

• Right to Know: Request information about the categories and specific pieces of personal information we have collected about you, including donation history
• Right to Delete: Request deletion of your personal information, subject to legal retention requirements
• Right to Opt-Out of Sale: We do not sell personal information; however, you have the right to opt out if this ever changes
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

9.3 Donor-Specific Rights. In addition to the above, all donors have the right to:

• Request a copy of their complete donation history
• Request copies of tax receipts and acknowledgment letters
• Opt out of all fundraising and promotional communications while retaining access to transactional communications
• Request that their donation be treated as anonymous

To exercise any of these rights, please contact us at privacy@shteig.org. We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA).

10. Data Security

We implement appropriate technical and organizational measures to protect your personal information — including donor and financial data — against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure authentication mechanisms including support for multi-factor authentication
• Regular security assessments and vulnerability testing
• Access controls limiting personnel access to personal and donor data on a need-to-know basis
• Incident response procedures for data breaches
• Secure disposal of records containing personal information when retention periods expire

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security but commit to promptly notifying affected users, donors, and relevant authorities in the event of a data breach as required by law.

11. State Nonprofit Solicitation Compliance

The Shteig Foundation complies with state charitable solicitation registration requirements where applicable. Certain states require nonprofit organizations to register before soliciting donations from residents of those states.

Information about the Foundation's charitable solicitation registrations, financial statements, and other disclosures required by state law is available upon request by contacting legal@shteig.org. Registration with a state agency does not constitute or imply endorsement, approval, or recommendation by that state.

12. International Data Transfers

The Shteig Foundation is based in the United States. If you access the Platform from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate.

For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally recognized transfer mechanisms.

13. Children's Privacy

Shteig is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13. If you are between 13 and 18 years of age, you may use the Platform only with the consent and supervision of a parent or legal guardian.

For users in the EEA, the minimum age for consent to data processing is 16 (or the applicable age in your member state). Users under 16 in the EEA require verifiable parental consent.

If we learn that we have collected personal information from a child under the applicable minimum age without proper consent, we will take steps to delete that information promptly. If you believe we have inadvertently collected such information, please contact us at privacy@shteig.org.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page
• Notify you by email or through a prominent notice on the Platform
• Provide at least 30 days' notice before material changes take effect

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes become effective constitutes your acceptance of the revised policy.

15. Data Deletion Requests

You may request deletion of your account and associated personal data at any time. You can do this by:

• Visiting your Account Deletion page in your account settings
• Emailing us at privacy@shteig.org with the subject line "Data Deletion Request"

Upon receiving a verified deletion request, we will delete your personal data within 30 days, except for information we are legally required to retain. Please note that donation records and tax receipt records must be retained for a minimum of seven (7) years as required by IRS regulations, even after account deletion. We will confirm the completion of your deletion request by email and inform you of any data that must be retained and the legal basis for its retention.

16. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

The Shteig Foundation
A 501(c)(3) Nonprofit Organization
Privacy Inquiries
Email: privacy@shteig.org
Website: shteig.org

If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.