THELMA ELLIS SIXTEEN FOUNDATION INC
thelmaellis.org
PRIVACY & DATA PROTECTION POLICY
GDPR | CCPA | Jamaica Data Protection Act | Cookie Policy
Effective Date: January 1, 2025 | Version 2.0
Data Controller: Thelma Ellis Sixteen Foundation Inc
DPO Contact: privacy@thelmaellis.org
Jurisdiction: USA | EU | Jamaica
Breach Notification: 72 hrs (GDPR) | 45 days (CCPA)

1. Introduction and Organization Overview

Thelma Ellis Sixteen Foundation Inc ("the Foundation," "we," "us," or "our"), operating through the website thelmaellis.org, is committed to protecting the privacy, confidentiality, and security of all personal data we collect, process, and store. This Privacy and Data Protection Policy ("Policy") outlines our obligations, practices, and the rights of individuals ("data subjects") whose data we handle.

This Policy applies to all directors, officers, employees, volunteers, contractors, and third-party service providers acting on behalf of the Foundation. It governs personal data collected through our website, programs, donation processes, email communications, social media presence, and any other means.

1.1 Scope of Application

This Policy covers:

Personal data of donors, volunteers, beneficiaries, employees, and program participants

Data collected via thelmaellis.org and any related subdomains

Offline data collected through events, forms, or direct communication

Data processed by third-party processors acting on our behalf

1.2 Legal Framework

The Foundation operates under multiple overlapping legal frameworks. This Policy is designed to meet the highest applicable standard across all jurisdictions in which we operate or process data, including:

EU/UK General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679

California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)

Jamaica Data Protection Act, 2020 (DPA 2020)

US sector-specific laws including applicable state privacy statutes

2. Key Definitions

For the purposes of this Policy, the following definitions apply:

Term | Definition
Personal Data | Any information relating to an identified or identifiable natural person, including name, email, IP address, donation history, or any identifier.
Data Subject | Any natural person whose personal data is processed by the Foundation.
Data Controller | Thelma Ellis Sixteen Foundation Inc, which determines the purposes and means of processing personal data.
Data Processor | A third party that processes personal data on behalf of the Foundation under a written agreement.
Processing | Any operation performed on personal data, including collection, recording, storage, use, disclosure, or deletion.
Special Category Data | Sensitive data including health, racial/ethnic origin, religious beliefs, biometric data, or political opinions (GDPR Art. 9).
Consent | Freely given, specific, informed, and unambiguous indication of agreement to data processing.
Data Breach | A security incident leading to accidental or unlawful destruction, loss, alteration, disclosure, or access to personal data.
DPO | Data Protection Officer - the individual responsible for overseeing data protection strategy and compliance.

3. Personal Data We Collect

3.1 Categories of Data Collected

We collect the following categories of personal data:

Identity and Contact Information

Full name, title, date of birth

Postal address, email address, telephone number

Organization/employer name (for institutional donors)

Donation and Financial Information

Donation amounts and dates

Payment method type (we do not store full payment card details)

Employer matching gift program information

Program and Beneficiary Data

Application details, eligibility information

Program participation records, educational records

Family composition where relevant to program eligibility

Technical and Usage Data

IP address, browser type, device identifiers

Cookies and tracking technology data (see Appendix A)

Pages visited, time spent, referral sources

Geolocation data (city/country level only)

Communications Data

Records of email, phone, and written communications

Survey responses and feedback

Social media interactions where Foundation accounts are involved

3.2 Data We Do Not Collect

The Foundation does not intentionally collect Special Category Data (GDPR Art. 9) unless explicitly required for a specific program and with explicit consent. We do not collect data from children under 13 without verifiable parental consent.

4. Legal Basis for Processing (GDPR)

In accordance with GDPR Article 6, we process personal data only where a lawful basis exists. The applicable legal bases are:

Legal Basis | When Applied | Example Processing Activities
Consent (Art. 6(1)(a)) | Marketing emails, non-essential cookies, newsletter subscriptions | Email newsletter opt-in, social media retargeting
Contract (Art. 6(1)(b)) | Fulfilling donor acknowledgments, program agreements | Issuing donation receipts, enrollment confirmations
Legal Obligation (Art. 6(1)(c)) | Tax reporting, regulatory compliance | IRS Form 990 filings, audit requirements
Legitimate Interests (Art. 6(1)(f)) | Security monitoring, fraud prevention, analytics | Website security logs, aggregate impact reporting

5. How We Use Personal Data

5.1 Primary Purposes

Processing and acknowledging donations; issuing tax receipts and gift aid declarations

Administering scholarship, grant, and program applications

Communicating updates about the Foundation's mission, programs, and impact

Responding to inquiries, complaints, and data subject requests

Conducting background checks where required for volunteer or staff positions

Maintaining financial and accounting records as required by law

Improving website functionality and user experience

5.2 Marketing and Communications

We will only send marketing or fundraising communications where you have provided consent or where we have a legitimate interest in contacting existing donors. You may opt out at any time by clicking the unsubscribe link in any email or contacting privacy@thelmaellis.org.

5.3 Profiling and Automated Decision-Making

We do not engage in fully automated decision-making that produces legal or similarly significant effects on individuals. We may use aggregate analytics tools to understand donor behavior, but these do not create individual profiles for decision-making purposes.

6. Data Sharing and Third-Party Processors

6.1 When We Share Data

We do not sell personal data. We may share data with:

Payment processors (e.g., Stripe, PayPal) to process donations securely

Email service providers for communications (e.g., Mailchimp)

Cloud storage and CRM providers under written data processing agreements

Legal, accounting, or audit firms under confidentiality obligations

Government or regulatory bodies where required by law

Program partners who co-administer specific initiatives, under appropriate agreements

6.2 Data Processing Agreements

All third-party processors who handle personal data on our behalf are required to enter into a Data Processing Agreement (DPA) that meets the requirements of GDPR Article 28. These agreements mandate that processors implement appropriate technical and organizational security measures, use data only for specified purposes, and assist with data subject rights.

6.3 International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA) or Jamaica, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other lawful transfer mechanisms under GDPR Chapter V and the Jamaica DPA 2020.

7. Your Rights Under GDPR

If you are located in the EU, UK, or EEA, you have the following rights under the GDPR. To exercise any of these rights, contact us at privacy@thelmaellis.org. We will respond within 30 days.

Right | Description
Right of Access (Art. 15) | You may request a copy of all personal data we hold about you and information about how it is processed.
Right to Rectification (Art. 16) | You may request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17) | You may request deletion of your data where it is no longer necessary, consent is withdrawn, or processing was unlawful.
Right to Restriction (Art. 18) | You may request that we limit processing of your data in certain circumstances, e.g., while accuracy is contested.
Right to Portability (Art. 20) | You may receive your data in a structured, machine-readable format to transmit to another controller.
Right to Object (Art. 21) | You may object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Art. 7) | Where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
Right to Complain | You have the right to lodge a complaint with your local supervisory authority (e.g., ICO in the UK, relevant EU DPA).

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention schedule includes:

Data Category | Retention Period | Legal / Business Basis
Donation and financial records | 7 years | IRS, tax, and audit requirements
Program participant records | 7 years post-program | Accountability and reporting
Website analytics (non-personal) | 26 months | Standard analytics retention
Email marketing preferences | Until opt-out or 3 years inactive | Consent management
Staff and volunteer records | 7 years post-engagement | Employment law requirements
Security/access logs | 12 months | Cybersecurity best practices
Cookie consent records | 3 years | GDPR accountability

9. Security Measures

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, accidental loss, destruction, or alteration, in accordance with GDPR Article 32, CCPA, and the Jamaica DPA 2020.

9.1 Technical Controls

SSL/TLS encryption for all data in transit to and from thelmaellis.org

AES-256 encryption for sensitive data at rest

Multi-factor authentication (MFA) for all staff accessing personal data systems

Role-based access controls and principle of least privilege

Regular automated vulnerability scanning and penetration testing

Web Application Firewall (WAF) and DDoS protection

9.2 Organizational Controls

Annual data protection training for all staff and volunteers with data access

Privacy impact assessments (DPIAs) for new high-risk processing activities

Data protection clauses in all employment contracts and vendor agreements

Clean desk policy and secure disposal of physical documents

Documented information security policy reviewed annually

10. California Consumer Privacy Act (CCPA/CPRA) Compliance

This section applies specifically to California residents. If you are a California resident, you have specific rights under the CCPA (as amended by the CPRA) regarding your personal information.

10.1 Applicability

The Foundation acknowledges that to the extent it meets the thresholds for CCPA applicability, it will comply fully with its obligations. Even if not legally required, we apply CCPA-aligned practices as a matter of good governance for California-based donors, volunteers, and program participants.

10.2 Categories of Personal Information Collected (CCPA)

In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

Identifiers: Name, email, postal address, IP address, unique device identifiers

Commercial Information: Donation history, program enrollment records

Internet/Network Activity: Browsing behavior on thelmaellis.org, interaction with emails

Geolocation Data: Approximate location based on IP address

Inferences: Donor interest segments derived from donation patterns for communications purposes

10.3 Sources of Personal Information

Directly from individuals through website forms, donation pages, event registration

Automatically through cookies and tracking technologies (see Appendix A)

From third-party platforms such as social media or payment processors

10.4 Business or Commercial Purposes for Collection

Processing donations and issuing receipts

Program administration and eligibility determinations

Sending newsletters and fundraising communications (with consent)

Improving website functionality and donor experience

Complying with legal and tax reporting obligations

10.5 Sale or Sharing of Personal Information

We do NOT sell personal information as defined by the CCPA/CPRA. We do not share personal information with third parties for cross-context behavioral advertising.

10.6 Your CCPA Rights

California residents have the following rights:

Right to Know

You have the right to request that we disclose: (1) the categories and specific pieces of personal information we have collected about you; (2) the categories of sources; (3) the business purpose for collection; and (4) the categories of third parties with whom we share information.

Right to Delete

You may request deletion of personal information we have collected, subject to certain exceptions including legal obligations, fraud prevention, and completing transactions.

Right to Correct

Under the CPRA, you have the right to request correction of inaccurate personal information we maintain about you.

Right to Opt-Out of Sale/Sharing

As we do not sell personal information, this right is not triggered. However, should our practices change, we will provide a prominent Do Not Sell or Share My Personal Information link.

Right to Limit Use of Sensitive Personal Information

Where we collect sensitive personal information as defined by CPRA, you have the right to limit its use to what is necessary to perform the services.

Right to Non-Discrimination

We will not discriminate against California residents who exercise their CCPA/CPRA rights. This means we will not deny services, charge different prices, or provide a different level of service based on the exercise of privacy rights.

10.7 Exercising Your CCPA Rights

To exercise your CCPA rights, submit a verifiable consumer request by:

Email: privacy@thelmaellis.org (subject line: CCPA Request)

Online form at: thelmaellis.org/privacy-request

We will respond to verifiable consumer requests within 45 calendar days. We may extend this period by an additional 45 days where necessary, with prior notice. We are not required to provide personal information more than twice in a 12-month period.

10.8 Authorized Agents

California residents may designate an authorized agent to make a CCPA request on their behalf. The agent must provide written authorization signed by the consumer, and we may require additional verification of the consumer's identity.

10.9 CCPA Financial Incentive Notice

We do not offer any financial incentives or price differences in exchange for the collection or sale of personal information.

11. Jamaica Data Protection Act 2020 Compliance

This section applies to individuals in Jamaica and to the Foundation's operations that involve Jamaican data subjects, including beneficiaries, volunteers, and partners located in Jamaica.

11.1 Overview of the Jamaica DPA 2020

The Data Protection Act, 2020 (the "DPA") came into effect in Jamaica with the objective of protecting the privacy of individuals with regard to personal information. The Foundation, to the extent it processes personal data of Jamaican residents or operates programs within Jamaica, commits to full compliance with the DPA and the oversight of the Office of the Information Commissioner (OIC).

11.2 Data Protection Principles Under Jamaica DPA

The Foundation adheres to all data protection principles under Section 6 of the Jamaica DPA, which require that personal data be:

Collected for specified, explicit, and legitimate purposes

Processed lawfully, fairly, and in a transparent manner

Adequate, relevant, and limited to what is necessary

Accurate and, where necessary, kept up to date

Retained no longer than necessary for the specified purpose

Processed in a manner ensuring appropriate security

11.3 Registration with the Office of the Information Commissioner

Where required under the Jamaica DPA, the Foundation will register as a data controller with the Office of the Information Commissioner (OIC) and maintain current registration details including the types of personal data held and purposes for processing.

11.4 Rights of Data Subjects Under Jamaica DPA

Individuals whose personal data is held by the Foundation in connection with Jamaican operations have the following rights under the DPA 2020:

Right of access to personal data held about them

Right to correction of inaccurate, incomplete, or misleading data

Right to request deletion of data held without justification

Right to object to processing for certain purposes

Right to complain to the Office of the Information Commissioner

11.5 Cross-Border Data Transfers - Jamaica

The Foundation will not transfer personal data of Jamaican data subjects to a country or territory outside Jamaica unless: (a) the recipient country ensures an adequate level of protection; (b) the data subject has given consent; (c) the transfer is necessary for a contract; or (d) other conditions specified under the DPA are met.

11.6 Breach Notification - Jamaica

In the event of a personal data breach involving Jamaican data subjects, the Foundation will notify the Office of the Information Commissioner and affected individuals in accordance with the timeframes and procedures prescribed under the Jamaica DPA 2020 and any applicable regulations.

11.7 Contact for Jamaica Data Protection Inquiries

For inquiries related to the Jamaica Data Protection Act, data subjects may contact the Foundation's Privacy Officer at privacy@thelmaellis.org or write to the Foundation's address. Jamaican data subjects may also contact the Office of the Information Commissioner at www.oic.gov.jm.

12. Children's Privacy

The Foundation does not knowingly collect personal data from children under the age of 13 (or 16 in the EU under GDPR) without verifiable parental or guardian consent. Our website is not directed to children. If we become aware that we have inadvertently collected such data, we will take prompt steps to delete it.

For scholarship or program applications involving minors, parental consent is explicitly obtained, and data is handled with heightened care. Such data is stored separately and accessed only by authorized personnel on a need-to-know basis.

13. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the effective date at the top of this Policy

Post the revised Policy prominently on thelmaellis.org

Notify registered subscribers via email for significant changes

Obtain fresh consent where required by law

Continued use of our website or services after an update constitutes acceptance of the revised Policy.

14. Contact Information

Data Controller / Privacy Officer
Thelma Ellis Sixteen Foundation Inc
Website: thelmaellis.org
Email: privacy@thelmaellis.org
Data Subject Requests
Email: privacy@thelmaellis.org
Subject: [GDPR / CCPA / DPA Request]
Response Time: Within 30 days

Appendix A: Cookie Policy

This Cookie Policy forms part of the Foundation's Privacy Policy and explains how cookies and similar technologies are used on thelmaellis.org.

A.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They serve various functions, from enabling essential website features to helping website owners understand how users interact with their content.

A.2 Types of Cookies We Use

Cookie Type | Consent Required | Retention | Purpose / Examples
Strictly Necessary | No | Session | Login sessions, shopping cart, security tokens, CSRF protection
Functionality | Yes | Up to 1 year | Language preferences, remembered form data, accessibility settings
Performance / Analytics | Yes | Up to 2 years | Google Analytics, page load monitoring, aggregate usage statistics
Marketing / Targeting | Yes | Up to 2 years | Social media pixels (Facebook, Instagram), retargeting, conversion tracking

A.3 Cookie Consent

On your first visit to thelmaellis.org, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. Your preferences are stored and respected for future visits. You can change your cookie preferences at any time by clicking the Cookie Settings link in the website footer.

A.4 Managing Cookies

You can also manage cookies through your browser settings. Common browser controls include:

Chrome: Settings > Privacy and Security > Cookies and other site data

Firefox: Options > Privacy & Security > Cookies and Site Data

Safari: Preferences > Privacy > Manage Website Data

Edge: Settings > Site Permissions > Cookies and site data

Note that disabling strictly necessary cookies may affect the functionality of our website.

A.5 Third-Party Cookies

Some cookies on our site are set by third-party services such as Google Analytics, social media platforms, and payment processors. These third parties have their own privacy policies which govern their use of cookie data. We recommend reviewing their policies:

Google Analytics: policies.google.com/privacy

Facebook/Meta Pixel: facebook.com/privacy/policy

PayPal: paypal.com/privacy

A.6 Do Not Track

Some browsers have a Do Not Track feature. Currently, there is no industry standard for how websites should respond to Do Not Track signals. Our website does not currently alter its behavior in response to Do Not Track signals, but we will continue to monitor developments in this area.

Appendix B: Data Breach Incident Response Plan

This appendix provides the Foundation's formal procedure for detecting, containing, assessing, and reporting personal data breaches in compliance with GDPR Article 33, CCPA, and the Jamaica DPA 2020.

B.1 Purpose and Scope

This Incident Response Plan (IRP) applies to any actual or suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Thelma Ellis Sixteen Foundation Inc. All staff, volunteers, and contractors must follow this plan.

B.2 Incident Response Team

Role | Responsibility | Key Actions
Data Protection Officer (DPO) | Overall incident lead | Coordinate response, make notification decisions, communicate with regulators
Executive Director | Organizational authority | Approve communications, escalate to board, authorize resources
IT/Systems Administrator | Technical containment | Isolate affected systems, preserve evidence, restore services
Legal Counsel | Legal guidance | Assess legal obligations, review notifications, advise on liability
Communications Lead | External messaging | Draft statements for public, media, donors, and beneficiaries

B.3 Incident Response Phases

Phase 1: Detection and Initial Assessment (0-4 Hours)

Identify and log the potential incident with date, time, and nature of the suspected breach

Immediately notify the Data Protection Officer and IT Administrator

Preserve all evidence: do not delete logs, emails, or records

Conduct initial triage to determine if this is a confirmed breach or false positive

Complete the Initial Incident Report Form (IIR-001)

Phase 2: Containment (4-24 Hours)

Isolate affected systems, accounts, or data repositories to prevent further exposure

Revoke compromised credentials and disable unauthorized access points

Notify cloud or hosting providers if their infrastructure is involved

Conduct a preliminary assessment of data affected, individuals impacted, and potential harm

Determine whether law enforcement notification is required (e.g., ransomware, suspected crime)

Phase 3: Risk Assessment and Notification Decision (24-48 Hours)

The DPO, with legal counsel, conducts a formal risk assessment to determine:

Nature of the personal data involved (sensitivity, volume, categories)

Likely consequences for affected individuals (identity theft, discrimination, financial loss)

Effectiveness of security measures in place at the time of the breach

Whether notification to regulators and/or individuals is required

Notification Thresholds: GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach likely to result in risk to individuals' rights and freedoms. CCPA requires notification to affected California residents within 45 calendar days. Jamaica DPA requires notification as soon as reasonably practicable.

Phase 4: Regulatory and Individual Notification

GDPR Supervisory Authority Notification (within 72 hours) must include:

Nature of the breach and categories and approximate number of individuals affected

Name and contact details of the DPO

Likely consequences of the breach

Measures taken or proposed to address the breach

Individual Notification (where high risk to individuals) must include:

Clear description of the nature of the breach in plain language

Name and contact details of the DPO

Likely consequences and risks to the individual

Measures taken to address the breach and mitigate its effects

Recommended steps individuals can take to protect themselves

Phase 5: Eradication and Recovery

Remove malware, close vulnerabilities, and restore systems from clean backups

Implement additional security controls as identified during the investigation

Restore services in a controlled and monitored manner

Verify that the breach has been fully contained and no further exposure exists

Phase 6: Post-Incident Review (Within 30 Days)

Conduct a formal post-incident review with all involved parties

Document lessons learned, root cause analysis, and timeline reconstruction

Update risk assessments, security measures, and this IRP based on findings

Brief the Board of Directors on significant incidents

Retain all incident documentation for a minimum of 5 years

B.4 Incident Severity Classification

Severity | Criteria | Response Time | Notification
P1 - Critical | Mass data breach, sensitive data exposed, regulatory reportable | Immediate (within 1 hour) | DPO, Legal, Exec, Regulator within 72 hrs
P2 - High | Unauthorized access to personal data, potential for significant harm | Within 4 hours | DPO, Exec, assess regulatory notification
P3 - Medium | Limited data exposure, low risk to individuals | Within 24 hours | DPO, document; monitor for escalation
P4 - Low | No personal data exposed, internal systems only | Within 72 hours | IT log; DPO informed

Appendix C: Data Protection Risk Matrix

This risk matrix provides a visual tool for assessing and prioritizing data protection risks facing the Foundation. It is reviewed annually or following significant changes to processing activities.

C.1 Risk Matrix (Likelihood vs. Impact)

The matrix below illustrates the intersection of likelihood and impact to produce an overall risk rating. All processing activities and identified threats should be plotted against this matrix.

Likelihood \ Impact | Negligible | Minor | Moderate | Major | Catastrophic
Almost Certain | Medium | High | Critical | Critical | Critical
Likely | Low | Medium | High | Critical | Critical
Possible | Low | Medium | High | High | Critical
Unlikely | Low | Low | Medium | High | High
Rare | Low | Low | Low | Medium | Medium

Rating key:

LOW - Monitor & manage

MEDIUM - Address within 90 days

HIGH - Address within 30 days

CRITICAL - Immediate action required

C.2 Risk Register - Current Data Protection Risks

The following table documents identified risks to the Foundation's data processing activities, their assessed ratings, and assigned mitigation controls.

Risk Description | Likelihood | Impact | Rating | Key Controls / Mitigations
Unauthorized data access / breach | Possible | Catastrophic | Critical | Encryption, access controls, MFA
Phishing / social engineering attack | Likely | Major | Critical | Staff training, email filtering
Accidental data disclosure | Possible | Moderate | High | Data handling procedures, training
Third-party vendor breach | Unlikely | Major | High | Vendor assessment, DPAs
Ransomware / malware infection | Unlikely | Major | High | Backups, endpoint protection
Non-compliance penalty (GDPR/CCPA) | Unlikely | Moderate | Medium | Compliance audits, policy review
Data subject rights violation | Unlikely | Minor | Low | Rights request process
Cookie/tracking non-compliance | Possible | Minor | Medium | Cookie consent management
Website data collection errors | Rare | Minor | Low | Regular audits, testing
Loss of donor/beneficiary trust | Unlikely | Major | High | Transparency, communications plan

C.3 Risk Treatment Approach

Risk treatment decisions are based on the following framework:

Rating | Treatment | Governance | Review Cycle
Critical | Immediate mitigation or avoidance. Escalate to Board. | Executive Director + DPO + Board | Monthly until resolved
High | Implement controls within 30 days. DPIA required. | DPO + Executive Director | Quarterly
Medium | Action plan within 90 days. Monitor closely. | DPO | Semi-annually
Low | Accept with documented rationale. Monitor. | Privacy Officer | Annually
This document is subject to annual review. Unauthorized reproduction without permission is prohibited.