Privacy policy

AidKit, Inc. ("AidKit," "we," "our," "us") is a Delaware corporation headquartered in Denver, CO, in the United States, which provides its clients with an end-to-end platform to deliver benefits to diverse populations.

This Privacy Policy explains the kinds of data pertaining to individuals (known as personal information" or “personal data”) that we collect when you visit our website at aidkit.com as well as program-specific portals that we operate (collectively, the “Site"); how we use, disclose and secure that personal data; and the choices and rights you have regarding your personal information. Our objective is to give you clear, transparent information about our privacy practices. Use of the Site constitutes your agreement to the terms of this Privacy Policy. We may modify this Privacy Policy from time to time. Your use of the Site after we post such modifications will constitute your agreement to such modifications.

This Privacy Policy is long. Here are the key points at a glance:

We don’t sell your personal information for money. We share data with service providers   we rely on to run our Site and services (e.g., for hosting, payments, communications). Some states define “‘sale” or “‘share” broadly to include advertising or identity-matching partners. Where those laws apply, you may opt out any time in Cookie Preferences or by emailing privacy@aidkit.cloud. We honor Global Privacy Control (GPC) where required. If your browser sends a GPC signal, we’ll treat it as an opt-out automatically of the sale or sharing of your personal information for that browser or device. Our Site does not respond to Do Not Track ("DNT") browser settings. 

What we keep in our Customer Relationship Management system (CRM). If you sign up for updates, request a demo, talk with our team, or interact with our emails, we may store contact info, subscription status, and campaign history in our CRM system. We keep these records for as long as required to provide the services to you or to comply with legal, accounting, or reporting requirements, as further detailed below. 

Cookies are consent-first. Our Site uses:

• Strictly Necessary cookies (always on) to Keep the Site secure and running
• Marketing & Identity Tracking (optional) for ads/personalization and, if you allow it, contact-level identification by approved providers.
• Personalization cookies (optional) to remember your preferences to make your experience smoother and more tailored.
• Analytics (optional) to help us understand Site usage and performance.

Manage settings in Cookie Preferences or in your browser. If you turn off non-essential cookies, the core Site will still work; analytics/personalization may be limited.

Your rights. You can access, correct, update, or request to delete personal information that we hold about you by emailing your request to privacy@aidkit.cloud. We’ll confirm what personal information we have (to the extent we can verify your request) and respond to your request within the time required by applicable law. Under certain circumstances, we may not be able to delete your personal information due to contractual commitments and program requirements, as detailed below. 

‍

Questions on how we handle personal information—or want to exercise your privacy rights? Contact our Data Protection Officer (“DPO”)

Please include "Privacy Request" in the subject line and tell us your state or country so we route it correctly. We’ll help and respond within the timeline required by applicable law.

We collect personal information when you visit our Site, contact us, join our mailing lists, collaborate with us, apply for employment or internships, or participate in our programs.

Depending on your interactions with AidKit, we may collect:

• Name and Contact information
• Demographic information
• Employment and employer details
• Financial and payment information (for transactions)
• Documents you provide directly to us
• Technical data from Site use (see "Use of the Site")

‍ We do not sell personal information to anyone and only share what is necessary information with third party service providers that help deliver our services.

If you join our mailing lists

We use contact information to keep you up to date on our work.  You can opt out at any time by selecting unsubscribe in the email.

 If you collaborate with us

We use provided information to implement programs and projects.

 If you participate in our programs

We use your information to help our clients execute assistance programs.

 If you apply for a job, internship, or consulting opportunity with us

We use your information to review your application and assess fit for available roles. Your details are shared only with the internal team involved in the hiring process and are not disclosed outside AidKit without your permission or as otherwise expressly provided in this Privacy Policy.

 If you contact us via email, social media or mail

We use your information to respond to or act on your inquiry. We don’t use this information for other purposes and do not share your information or communicate on other matters without your explicit consent.

Receipt of Information from Third Parties

We may receive business-contact information (e.g., employer, role) from trusted sources (e.g., LinkedIn, business-data providers) to keep our records accurate and relevant to your professional context. We use this information only for its intended purpose and will not share it externally except as expressly provided in this Privacy Policy.

Like most websites, our Site automatically collects certain information when you visit and stores it in log files. This may include:

• IP address and region or general location (derived from IP)
• Browser type and operating system
• Pages viewed and how you navigate our Site

How we use Site data

We use information about your visit to:

• Run and secure the Site (load pages, prevent abuse)
• Help diagnose problems with our server (fix issues)
• Analyze trends and understand Site use and preferences (which pages people visit)
• Improve and plan (make content better and plan resources)

We have a legitimate interest in understanding how users, customers and potential customers use our Site. Our goal is to understand how visitors interact with our Site so we can improve what we offer, communicate our impact more clearly, and better serve our corporate members, partners and communities.

We use cookies and similar technologies (like pixels, SDKs, and tags) to make our Site work, improve performance, and support marketing. Cookies also make your interactions faster and more secure.

• Strictly Necessary cookies (always on) to keep the Site secure and running.‍
• Marketing & Identity Tracking (optional) for ads/personalization and, if you allow it, contact-level identification by approved providers.‍
• Personalization cookies (optional) to remember your preferences to make your experience smoother and more tailored.‍
• Analytics (optional) to help us understand Site usage and performance.

Non-essential cookies will only load if you choose to allow them. You can change your choices anytime in Cookie Preferences or your browser. If you turn off non-essential cookies, the core Site will still function, though analytics and personalization may be limited.

For details on the specific cookies we use, how long they last, and our current vendors, please see our Cookie Policy.

You’re in charge of your cookie choices:

• You can change choices anytime in Cookie Preferences.
• Adjust your browser settings to block or delete cookies  (see Chrome, Safari, Firefox, Edge help pages). 
• Non-essential tools stay off unless you turn them on.
• Your choice is saved for this browser. If you clear cookies or use another browser, data collected before you changed your settings may still be used, but we’ll stop collecting new data from any disabled cookies.

 Do Not Track (DNT) Signals

Our Site does not respond to older Do Not Track (DNT) browser settings. DNT is a browser setting that requests websites not to track your browsing activity. However, we Strictly Necessary cookies (always on) to keep the Site secure and running. honor Global Privacy Control (GPC) where required by law, which provide a more standardized way to opt out of the sale or sharing of personal information. 

 Marketing & Identity Tracking

Some of our cookies and tools fall into the Marketing & Identity Tracking category. These are off by default and only load if you choose to allow them through the pop up cookie banner or Cookie Preferences in the footer.

 What this means

If you consent, we may work with approved providers to connect your browsing activity with information about your known business profile (for example, your organization and role). This is sometimes called contact-level identification. It helps us understand which organizations are engaging with our content, and it allows us to make our marketing more relevant.

 How we use it

• To send more relevant marketing communications.
• To deliver targeted ads on platforms like LinkedIn or Google.
• To see which organizations are showing interest in our programs, solutions, and topics.

You may withdraw consent at any time

We may engage in targeted advertising (also called cross-context behavioral advertising) where permitted by law. You may opt out of targeted advertising at any time via Cookie Preferences or by emailing privacy@aidkit.cloud.

For details on the specific tools and the current list of vendors we use for Marketing & Identity Tracking, please see our Cookie Policy.

AidKit shares personal information about you with third parties to help us provide our services, run our business, or when the law requires it or as otherwise expressly provided in this Privacy Policy. Our vendors use your personal information only to provide services to AidKit and not for their own purposes, as governed by Data Use Agreements that include confidentiality, security, and data protection obligations. 

In addition, if we go to were to go through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of our assets, your personal information may be among the assets transferred.

Categories of Third-Party Recipients

We share personal information with the following categories of third parties:

• Cloud infrastructure and hosting providers
• Customer relationship management (CRM) platforms
• Email and communication service providers
• Analytics and performance monitoring tools
• Marketing and advertising platforms 
• Payment processors (for transactions)
• Professional service providers (legal, accounting, auditing)
• Security and fraud prevention services

We are committed to keeping your information private. Unless you consent when applying to a program we will only disclose personal information to government authorities when absolutely mandated by law. We do not cooperate with unofficial or voluntary requests for your personal information. We otherwise disclose personal information only:

• when you request or authorize it;
• if it’s needed to provide services or process transactions;
• to protect our and others’ rights, property, or safety;
• to vendors acting on our behalf under contract;
• to address emergencies;
• with analytics and search engine providers that help improve and optimize the Site;
• to address disputes or to persons with legal authority to act on your behalf; and
• to anyone else with your consent.

We may also use aggregated or de-identified information (that does not identify you personally, and which has been de-identified in accordance with applicable standards including reasonable safeguards against re-identification) to improve our services, report on impact, or for marketing.

For a current list of third party subprocessors and cookie/marketing vendors we work with, see our Cookie Policy.

Data Retention

We retain your personal information only for as long as is reasonably necessary and proportionate to fulfill the purposes for which it was collected, or as otherwise required by law and in accordance with the criteria detailed in the "Data Retention" section of this Privacy Policy.

The criteria we use to determine our retention periods include:

• Fulfilling the Transaction: The length of time necessary to complete the primary business purpose for which the data was collected (e.g., providing services).

• Legal and Regulatory Compliance: The length of time required to comply with our legal obligations, tax, accounting, or audit requirements.

• Dispute Resolution and Claims: The existence of a legal hold, court order, or contract that requires retention, or the need to resolve disputes and enforce our legal agreements.

• System Security and Integrity: The necessity of retaining data for security, anti-fraud, or error detection purposes.

When the retention period expires, we securely delete or anonymize the data using industry-standard methods.

AidKit uses reasonable administrative, technical, and physical safeguards to protect the personal information we collect against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure, or use.

We also require our service providers and partners to implement safeguards that are at least as protective when they process personal information on our behalf. While no method of transmission or storage is completely secure, we work hard to protect your information and continuously improve our security practices.

AidKit is headquartered in the United States, and information we collect is processed here. The Site and related services are intended for use by United States-based nonprofits, government agencies and individuals.

If you use our services from the EEA or UK, you acknowledge that your personal information will be transferred to and processed in the U.S. We protect this data using appropriate safeguards aligned with Article 46 of the GDPR by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK, and we update our agreements as new rules and model clauses are adopted. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved. Where appropriate, we will implement supplementary measures such as encryption, access controls, and vendor due diligence consistent with European Data Protection Board guidance. We may also transfer data where you’ve given consent, where it’s necessary for a contract, or where we have a legitimate interest that doesn’t override your rights. 

AidKit endeavors to apply suitable safeguards to protect the privacy and security of your personal information and to use it only consistent with your relationship with AidKit and the practices described in this Privacy Statement. AidKit also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate.

Depending on where you live, you may have certain specific legal rights over your personal information (e.g., EEA, UK and various U.S. states). We permit all of our users to exercise these rights. Accordingly, you may ask us to access, correct, delete, or download the information we hold about you. However, under certain circumstances detailed below, we may not be able to immediately delete your personal information, and if we do delete your personal information, we may be unable to provide our services to you.

 Your Rights

• Right to be informed
• Right of access
• Right to correct
• Right to request erasure
• Right to restrict processing
• Right of data portability
• Right to object
• Right to opt out of automated decision-making including profiling
• Right to opt out of sale or sharing of personal information (where applicable)
• Right to limit use of sensitive personal information 

To exercise your rights, email us at privacy@aidkit.cloud with "Privacy Request" in the subject line.

To protect your privacy, we’ll verify your identity (or your agent’s authority) before acting.

We aim to respond within 45 days; if we need more time, we’ll explain why.

We generally respond free of charge, unless a request is manifestly unfounded or excessive. If we can’t fulfill a request, we’ll explain why.

You may designate an authorized agent to submit requests on your behalf. We require agents to provide:

• Written authorization signed by you, or
• A valid power of attorney under applicable law

We may also require you to verify your identity directly with us and confirm that you provided the agent permission to submit the request.

Limitations on Rights for Program Participants

While we respect your right to manage your personal information, some of our services are provided under specific program agreements. Because of this, the following limitations apply:

• Contractual Necessity: If you are an active participant in one of our programs, certain information is required to maintain your eligibility and provide services. Requests to delete or limit this essential data may result in your inability to continue in the program.
• Retention Requirements: We are often legally or contractually required to maintain records of program participation for auditing, reporting, and compliance purposes. Consequently, even if you request deletion, we may be unable to remove your information until your participation ends and our mandatory retention period expires.
• Automatic Deletion: To protect your privacy, we do not store your personal information indefinitely. We have a strict data-minimization policy and aim to delete all personally identifiable information (PII) within two (2) years after your involvement with the program ends—and often much sooner.
• Transparency: If we are unable to fulfill a deletion or limitation request due to these obligations, we will explain the specific reason to you in writing so you understand exactly why your data is being retained and for how long.

In particular, deletion requests may be denied if the personal information is necessary for:

• Identity Verification - AidKit requires identity verification prior to deletion to prevent unauthorized requests. Individuals must verify directly with AidKit or through their Client organization before a request is processed.
• Benefits Eligibility or Service Provision - If an individual is active in a program or has received benefit payments, their personal information must be retained for program processing, reporting and audit purposes.
• Risk or Detection of Fraud - AidKit must retain data if fraud is detected or suspected to prevent duplicate applications or other misuse of program funds.
• Legal obligations - such as audit, tax, reporting, compliance, law enforcement.
• Internal uses aligned with expectations - such as analytics with strict access controls.
• Preserving records when deletion would harm system integrity - e.g., logs required for security or compliance.
• Debugging, fixing errors, or ensuring functionality
• Research conducted according to recognized safeguards - only for de-identified data unless consent is obtained.
• Client Contract - Many program contracts require retention of applicant records for auditing, compliance or fraud prevention. AidKit cannot deviate from these requirements without explicit written approval by the Client’s authorizing party.

Appeals

Where required by applicable state law, you have the right to appeal a denied privacy request. We will respond to appeals within the timeframe required by applicable law.

To appeal a denied request, reply to our decision or email privacy@aidkit.cloud with "Appeal" in the subject line.

Limits

If you ask us to delete or restrict information that is necessary to deliver a service you’ve requested, we may be unable to provide that service. We also may still keep certain information if required by law (e.g., audit, fraud prevention, tax).

Non-discrimination

We won’t deny services, charge different prices, or reduce quality just because you exercised a privacy right. But if you withhold or delete data that’s required for a service, some features may not be available.

Sensitive Personal Information

Under certain privacy laws (including the California Consumer Privacy Act), “sensitive personal information" includes data such as:

• Social Security, driver’s license, state ID, or passport numbers
• Account log-in credentials, financial account information, debit or credit card numbers with access codes
• Precise geolocation data
• Racial or ethnic origin, religious or philosophical beliefs, or union membership
• Contents of mail, email, or text messages (where we are not the intended recipient)
• Genetic data, biometric data for identification purposes
• Personal information concerning health, sex life, or sexual orientation

We generally do not collect or process sensitive personal information. However, when acting as a data processor for client programs, we may process sensitive personal information that you provide and as directed by the client as disclosed in program-specific privacy notices.

We will use sensitive personal information only for the purposes disclosed at collection and as permitted by law.

You may opt out from permitting the use of sensitive personal information by emailing privacy@aidkit.cloud with "Limit Sensitive Data" in the subject line. Limiting the use of certain sensitive information may affect our ability to provide certain services to you.

Automated Decision-Making

AidKit does not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals without human intervention.

 Children’s Privacy

Our Site is not directed to children under the age of 18, and we do not knowingly collect personal information from children under 18.

In particular, we comply with the Children’s Online Privacy Protection Act (COPPA) and do not knowingly collect personal information from children under 13 years of age without verifiable parental consent. If we become aware that we have collected personal information from a child under 13 without proper parental consent, we will take steps to delete that information as quickly as possible.

If you are a parent or guardian and believe that your child under 18 has provided personal information to us, please contact us immediately at privacy@aidkit.cloud with "Child Privacy" in the subject line.

Supervisory Authorities

If you are located in the European Economic Area (EEA), United Kingdom (UK), or another jurisdiction with data protection authorities, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated your privacy rights or applicable data protection laws.

Accessibility

This Privacy Policy is designed to be accessible to users with disabilities. If you are a user with a disability and require this Privacy Policy in an alternative format (e.g., hard copy, large print, or orally), please contact us at privacy@aidkit.cloud with "Accessibility Request" in the subject line.

If you have questions about this Privacy Policy, concerns about how we handle your personal information, or wish to exercise your privacy rights, please contact us:

AidKit, Inc. 
Attn: Data Protection Officer - Kim Belk 
2000 S. Colorado Blvd., BLDG 1 - 2000 - 177 
Denver, CO 80222 

Email: privacy@aidkit.cloud 

Please include the following in your email:

• Subject line indicating the nature of your inquiry (e.g., "Privacy Request," "Data Access Request," "Complaint," "Appeal")
• Your name and contact information
• Your state or country of residence
• A description of your request or concern
• Any relevant documentation to verify your identity (if exercising privacy rights)

We will acknowledge receipt of your inquiry and respond within the timeframe required by applicable law.

State-Specific Privacy Notices

This section supplements our Privacy Policy and provides specific disclosures required by U.S. state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the CPRA, and comprehensive privacy laws in Colorado, Virginia, Connecticut, Utah, Texas, Oregon, Montana, and others.

A. California Residents (CCPA/CPRA)

1. Notice at Collection

In the preceding 12 months, AidKit has collected the following categories of personal information. We retain this data for as long as necessary to provide our services and comply with legal obligations.

2. Your California Rights

California residents have the specific right to:

• Opt-Out of "Sharing": You may opt out of the sharing of your personal information for cross-context behavioral advertising.
• Limit Use of Sensitive Personal Information: You have the right to limit the use of sensitive personal information to that which is necessary to perform the services. (Note: We primarily process such data only as a processor for our clients).
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

California Civil Code Section 1798.83 permits California residents to request a list of third parties to whom we have disclosed personal information for their direct marketing purposes during the preceding calendar year. To make such a request, please contact us at privacy@aidkit.cloud.

B. Colorado, Virginia, Connecticut, Texas, Utah, Oregon, and Montana

Residents of these states have rights similar to those described above. The following additional disclosures apply:

1. Sale and Targeted Advertising

We may "sell" your personal information (as defined by applicable state law) or process it for "targeted advertising" (displaying ads based on your activities across non-affiliated websites).

• Categories Sold/Shared: Identifiers, Internet/Network Activity, Professional Information.
• Third Parties: We share this data with marketing partners, ad networks, and analytics providers.
• Opt-Out: You can opt out of the sale of your data and targeted advertising by clicking Cookie Preferences or by enabling Global Privacy Control (GPC) on your browser.

2. Sensitive Data

We will not process your Sensitive Data (as defined by your state's law) without your prior, affirmative Opt-In Consent, unless otherwise permitted by law (e.g., in Utah, where we provide notice and a right to opt out).

3. Appeals

If we decline to take action on your privacy request, we will inform you of the reason within 45 days. You may appeal our decision by replying to our denial email or contacting privacy@aidkit.cloud with "Privacy Appeal" in the subject line.

• Timeline: We will respond to your appeal within 45 days (or 60 days where permitted by your state's law).
• Escalation: If your appeal is denied, you may have the right to submit a complaint to your state’s Attorney General.

C. Nevada Residents

Nevada law (SB 220) gives Nevada consumers the right to opt out of the sale of certain covered personal information. Although we do not currently sell data as defined broadly by Nevada law (exchange for monetary consideration), you may submit a request to opt out of any potential future sales by emailing privacy@aidkit.cloud.