Privacy Policy

Last updated: 6 May 2026

This policy applies to all services operated by Onegift Foundation, Inc., including the WishWell birthday fundraising platform.

1. Who We Are — Data Controller

The data controller for personal data collected through this website and the WishWell platform is:

Onegift Foundation, Inc. (“OneGift”, “we”, “us”)
Onegift Foundation, Inc.
Delaware nonprofit non-stock corporation
EIN: 99-2187028
5270 Brooklawn Terrace
Boynton Beach, FL 33437
United States

Email: privacy@onegiftfoundation.org

Tax-exempt status: IRS 501(c)(3) determination letter (PDF)

For general data enquiries or to exercise your rights, email privacy@onegiftfoundation.org.

2. Scope of This Policy

This policy covers personal data processed through:

  • WishWell — our automated birthday-fundraising platform used by nurseries, preschools, retirement communities, alumni associations, faith groups, and similar community organisations
  • OneGift donation processing — accepting and receipting charitable donations
  • This website — onegiftfoundation.org and its sub-pages

Where an organisation (e.g. a nursery) uses WishWell and uploads its own member list, that organisation is the data controller for that member data, and OneGift acts as a data processor on its behalf under a Data Processing Agreement (DPA). Section 8 explains this in detail.

3. What Personal Data We Collect

3a. Donors / well-wishers

When a parent, community member, or supporter registers or donates through WishWell:

  • First and last name
  • Email address
  • Birthday month and day (optional — so the community can wish you a happy birthday in turn)
  • Payment details (processed by Stripe; we store only a tokenised reference)
  • Optional family members' names added voluntarily by the donor

3b. Community members (children, teachers, staff)

When an organisation uses WishWell and adds members to their programme:

  • First name (and optionally last name)
  • Birthday month and day
  • Role or class (e.g. “Year 1”, “Teacher”) — if provided by the organisation
  • Postal address — only if the organisation has enabled physical birthday-card delivery

We do not collect any special-category data (health data, ethnicity, religion, etc.) about children or any other community members.

3c. Organisation administrators

  • Name, email address, and account credentials
  • Organisation name and bank/payment details for disbursements

3d. Website visitors

  • Analytics data (page views, referrer, device type) via anonymised tracking
  • Cookie preferences — see our Cookie Policy

4. Lawful Basis for Processing (UK & EU GDPR)

| Processing activity | Lawful basis (Art. 6 UK/EU GDPR) |
| --- | --- |
| Processing donor registration, payment, and donation receipts | Contract performance (Art. 6(1)(b)) — necessary to complete the transaction you requested |
| Sending birthday campaign emails to donors/parents | Legitimate interests (Art. 6(1)(f)) — to operate the fundraising programme the donor joined; you can opt out at any time |
| Processing a child's name and birthday to facilitate birthday wishes and a birthday card | Legitimate interests (Art. 6(1)(f)) of the organisation — proportionate, limited-purpose, and with no material impact on the child's rights; see Section 8 |
| Sending a physical birthday card to a community member (where enabled) | Legitimate interests (Art. 6(1)(f)) — core product feature; address used only for card delivery |
| Organisation administrator account management | Contract performance (Art. 6(1)(b)) |
| Legal and financial compliance (tax records, fraud prevention) | Legal obligation (Art. 6(1)(c)) |
| Analytics and platform improvement | Legitimate interests (Art. 6(1)(f)) — anonymised or aggregated where possible |

Where we rely on legitimate interests, we have carried out a balancing test. If you would like a copy, email privacy@onegiftfoundation.org.

5. How We Use Personal Data

  • To operate the WishWell birthday programme — sending wish emails, generating birthday cards, and processing donations
  • To disburse collected funds to the organisation's chosen charity or account
  • To send quarterly birthday-campaign reminders to donors who have registered
  • To issue donation receipts and tax acknowledgements
  • To provide customer support and respond to enquiries
  • To maintain the security and integrity of the platform
  • To comply with legal and financial obligations

No profiling. No secondary fundraising use.

We do not use personal data — including children's data — for behavioural profiling, targeted advertising, or any secondary fundraising purpose beyond the programme the individual or their organisation has enrolled in. We do not sell or rent personal data to any third party.

6. Data Sharing

We share personal data only as necessary and never sell it. Recipients include:

  • Stripe, Inc. — payment processing. Stripe is PCI DSS compliant and operates under its own privacy policy. We pass billing name and email only.
  • Amazon Web Services (AWS) — cloud infrastructure and data storage (EU/US regions depending on configuration).
  • Email delivery providers — to send campaign and transactional emails on our behalf, under data-processing agreements.
  • The organisation you donated to — if you make a donation through a WishWell programme, the organisation receives your name and donation amount for their records (standard charity reporting). They do not receive payment card details.
  • Legal / regulatory authorities — where required by law.

All sub-processors are bound by contractual data-processing terms consistent with UK/EU GDPR requirements.

7. Retention Periods

| Data category | Retention period |
| --- | --- |
| Donor registration and donation records | 7 years from the date of donation (UK/US tax and charity law) |
| Payment transaction records | 7 years (financial records obligation) |
| Community member records (children, teachers) | Retained while the organisation's WishWell is active; deleted within 90 days of the organisation closing their account or upon verified request from the organisation (as data controller) |
| Postal addresses for physical card delivery | Deleted promptly after each card is dispatched; not retained beyond the relevant birthday cycle |
| Organisation administrator accounts | Retained while the account is active; deleted within 90 days of account closure on request |
| Website analytics | Aggregated data retained indefinitely; individual session data deleted after 26 months |
| Support communications | Up to 3 years after the matter is resolved |

We review stored data annually and delete or anonymise any data no longer required for its stated purpose.

8. Children's Data — WishWell for Nurseries & Schools

WishWell is used by nurseries, preschools, and similar settings where children's personal data (first name and birthday) is held on the platform to enable birthday wishes and cards. We take this responsibility seriously and operate as follows:

Controller / processor relationship

The nursery or organisation is the data controller for its members' data (children, teachers, staff). They decide why and how that data is processed. OneGift acts as a data processor, processing that data only on the organisation's documented instructions under a Data Processing Agreement (DPA). Organisations may request a copy of our standard DPA by emailing privacy@onegiftfoundation.org.

What children's data is used for

  • Generating birthday emails to parent/donor participants showing whose birthday is upcoming
  • Printing or producing a personalised birthday card (first name used on the card)
  • Displaying the child's name on the checkout so parents can select whose birthday to wish

What children's data is not used for

  • Profiling, advertising targeting, or any analytics beyond anonymous programme statistics
  • Secondary fundraising appeals unrelated to the organisation's own programme
  • Sharing with any third party except the card-printing sub-processor where physical cards are enabled
  • Contacting the child or their family directly — OneGift communicates only with registered donors/parents

Parental rights

Parents and guardians have the right to request access to, correction of, or deletion of their child's data. Because the nursery is the data controller, requests should be directed to the nursery in the first instance. Where a nursery uses WishWell, it can amend or delete any child's record directly in its dashboard, or submit a deletion request to OneGift, which we will fulfil within 30 days. You may also contact us directly at privacy@onegiftfoundation.org.

Organisation responsibilities

Organisations using WishWell are responsible for:

  • Notifying parents and guardians that their child's name and birthday are held on WishWell for the birthday programme
  • Ensuring they have a valid lawful basis (typically legitimate interests under Art. 6(1)(f) of the UK/EU GDPR) for processing children's birthday data for this purpose
  • Providing parents with their own privacy notice that references WishWell as a data processor
  • Handling parental data-subject requests promptly

Need a template parent notice or DPA? Email us at privacy@onegiftfoundation.org and we will provide a ready-to-use parent privacy notice template and a signed DPA.

9. International Data Transfers

OneGift is incorporated in the United States. If you are located in the UK or European Economic Area (EEA), your personal data will be transferred to and processed in the US. We ensure this transfer is lawful through:

  • Standard Contractual Clauses (SCCs) — the UK International Data Transfer Agreement (IDTA) for UK transfers, and EU SCCs (2021) for EEA transfers, incorporated into our sub-processor agreements
  • Supplementary technical measures — data encrypted in transit and at rest; access controls limiting exposure to personal data

You may request a copy of the applicable transfer mechanism by emailing privacy@onegiftfoundation.org.

10. Data Security

We implement technical and organisational measures proportionate to the sensitivity of the data, including TLS encryption in transit, AES-256 encryption at rest, access controls that follow the principle of least privilege, and regular security reviews. No system is 100% secure; in the event of a breach affecting your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where required.

11. Cookies and Tracking

We use cookies for session management, analytics, and fraud prevention. For full details and your opt-out options, see our Cookie Policy.

12. Your Rights (UK & EU GDPR)

If you are in the UK or EEA you have the following rights. We will respond within 30 days (extendable to 90 days for complex requests, with notice):

  • Access (Art. 15) — obtain a copy of the personal data we hold about you and information about how we use it
  • Rectification (Art. 16) — correct inaccurate or incomplete data
  • Erasure (Art. 17) — request deletion where there is no overriding legal basis for continued processing
  • Restriction (Art. 18) — limit how we use your data while a dispute is resolved
  • Portability (Art. 20) — receive your data in a structured, machine-readable format (applies to data you provided and that is processed by automated means on a contractual or consent basis)
  • Object (Art. 21) — object to processing based on legitimate interests at any time; we will cease unless we can demonstrate compelling legitimate grounds
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
  • Lodge a complaint — with your national supervisory authority (in the UK: the Information Commissioner's Office, ico.org.uk)

To exercise any right, email privacy@onegiftfoundation.org with “Data Rights Request” in the subject line. We may ask you to verify your identity before proceeding.

13. Changes to This Policy

Material changes will be announced on this page with a revised “Last updated” date. For significant changes affecting how we process children's data, we will notify affected organisations by email at least 30 days before the change takes effect.

14. Contact

For all privacy and data-protection enquiries:

Onegift Foundation, Inc.
Delaware nonprofit non-stock corporation
EIN: 99-2187028
5270 Brooklawn Terrace
Boynton Beach, FL 33437
United States

Email: privacy@onegiftfoundation.org

Tax-exempt status: IRS 501(c)(3) determination letter (PDF)