Privacy Policy for Three Things Co.

Effective date: January 10, 2026

Last updated: January 10, 2026

1) Who we are

Three Things Co. ("we," "us," "our") is a nonprofit organization based in Denver, Colorado.

Website: https://threethingsco.org

Contact: threethingsfamily@gmail.com • Mailing address 6227 East 35th St. Denver, CO 80207, USA

2) Scope

This policy explains what personal information we collect, how we use and share it, your rights, and how to contact us. It applies to visitors, donors, newsletter subscribers, event registrants, volunteers, and partners who interact with our website and services.

3) Information we collect

  • Identity & contact information (name, email, phone, mailing address)

  • Donation/payment information (amount, method, transaction ID). Payment card data is processed by our payment processors and not stored by us

  • Account & preferences (newsletter opt‑in, communication preferences)

  • Event/volunteer information (registrations, availability, interests)

  • Technical data (IP address, device/browser information, pages viewed, referring URLs)

  • Cookies & similar technologies for analytics, performance, and preferences

4) How we collect information

  • Directly from you via forms, donations, emails, event registrations, and surveys

  • Automatically via cookies/analytics when you browse our site

  • From service providers such as payment processors, email and CRM tools, ticketing or event platforms, and hosting providers

5) How we use information

  • Process donations and provide tax receipts

  • Communicate about programs, events, and fundraising (with opt‑out)

  • Operate and secure our website, analyze usage to improve our services

  • Manage events, volunteers, ticketing, and community initiatives

  • Comply with legal obligations and protect our rights

6) Cookies & analytics

We use cookies and similar technologies for site functionality and aggregated analytics. You can control cookies via your browser settings. Disabling some cookies may affect site performance.

7) Sharing & disclosures

We do not sell personal information. We share information with service providers (payment processors, email/CRM tools, ticketing/event platforms, hosting providers) under contracts requiring appropriate safeguards and limited use. We may also share information with advisors/auditors, or disclose information when required by law or to protect our rights, users, or the public.

8) Donor privacy

We value donor privacy. We will not publish, sell, lease, or trade donor personal information. We may publicly acknowledge donor names unless you ask to remain anonymous.

9) Children’s privacy

Our site is not directed to children under 13, and we do not knowingly collect children’s data.

10) Data retention

We keep personal information only as long as necessary for the purposes described in this policy, to meet legal/accounting obligations (e.g., donation records), and for security.

11) Security

We use administrative, technical, and physical safeguards appropriate to the sensitivity of the data (e.g., HTTPS, access controls, vendor due diligence). No system is 100% secure; please contact us immediately if you suspect unauthorized use of your data.

12) Your privacy rights (U.S. & Colorado)

Depending on your location, you may have rights to access, correct, delete, or receive a copy of your personal information, and to opt‑out of marketing communications. Colorado residents can exercise rights under the Colorado Privacy Act (CPA), including rights to access, correction, deletion, and data portability, and to opt‑out of targeted advertising or sale (we do not sell personal information). To make a request, contact us at the email above. We may verify your identity and respond within applicable timeframes. If we deny your request, you can appeal by emailing us with ‘Privacy Appeal’ in the subject line.

13) GDPR compliance (EU/EEA users)

Legal bases: For visitors from the EU/EEA, we process personal data under one or more of the following legal bases: consent (e.g., newsletter opt‑in), contract (e.g., processing donations or event registrations), legal obligation (e.g., tax records), and legitimate interests (e.g., site security, fraud prevention, analytics, and mission‑related communications, balanced against your rights and expectations).

Transfers: If you access our site from outside the U.S., your data may be processed in the United States. We apply safeguards such as vendor agreements, security measures, and data minimization. By interacting with the site, you understand your data may be transferred to the U.S.

EU/EEA rights: You may have rights to access, rectify, erase, restrict processing, object to processing (including for direct marketing), and data portability, and to withdraw consent at any time (without affecting lawfulness of processing based on consent before withdrawal). To exercise these rights, contact us at the email above. You may also lodge a complaint with your local data protection authority.

14) Third‑party links

Our site may link to third‑party websites or services we do not control. Review their privacy policies.

15) Changes to this policy

We may update this policy from time to time. We will post the revised date above and, if changes are material, provide a prominent notice on the site.

16) Contact

Questions or requests: threethingsfamily@gmail.com • Mailing address above.