Care2 Inc. EU – U.S. Privacy Shield Policy

Care2 complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. Care2 has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. Privacy Shield program, and to view Care2's certification, please visit www.privacyshield.gov/welcome.

Care2 respects individual privacy and values the confidence of its users, customers, employees, business partners and others. Not only does Care2 strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, it also has a tradition of upholding the highest ethical standards in its business practices. This Privacy Shield Policy (the "Policy") sets forth the privacy principles that Care2 follows with respect to transfers of personal information from the EU (European Union) to the United States.

Compliance with EU-U.S. Privacy Shield Principles

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the "EU-U.S. Privacy Shield Framework") to enable U.S. companies to satisfy the requirement under European Union law that adequate protection be given to personal information transferred from the EU to the United States.

Privacy Shield Framework

We self-certify compliance with: EU-US Privacy Shield.

Care2 recognizes that the European Community has established a data protection regime which applies to the European Economic Area ("EEA") and restricts companies in the EEA in transferring personal data about individuals in the EEA to the United States, unless there is "adequate protection" for such personal data when it is received in the United States. To create such "adequate protection," Care2 adheres to the EU-U.S. Privacy Shield Framework published by the U.S. Department of Commerce ("EU-U.S. Privacy Shield Principles") with respect to personal data about individuals in the EEA that we receive from our customers and other business partners. Care2's EU-U.S. Privacy Shield Certification also extends to data that we receive directly through Care2's publicly accessible websites (care2.com and thepetitionsite.com). More information on the EU-U.S. Privacy Shield and Care2's scope of participation in the EU-U.S. Privacy Shield Framework is available at www.privacyshield.gov/welcome.

Adherence to Seven Privacy Shield Principles

Client Personal Data processed or stored by Care2 may be subject to contractual agreements with our clients that require more stringent privacy and security safeguards than the requirements in the EU-U.S. Privacy Shield. At a minimum, however, Care2 handles Client Personal Data in accordance with our EU-U.S. Privacy Shield Policy, which is based upon the seven principles identified in the EU-U.S. Privacy Shield Framework.

This Notice addresses data subjects residing in the EU ("EU Persons") whose data we may receive from one of our customers, suppliers or other business partners in the EU, e.g., referral partners, integration partners, etc. When Care2 receives Client Personal Data for processing pursuant to instructions of clients or their partners, we are acting as an agent for our client and do not provide notice to individuals regarding the collection and use of their personal data. Our clients remain responsible for providing notice, if and to the extent they believe such notice is necessary under applicable EU law.

Business Purposes for the Collection and Use of Personal Data

Care2 allows individuals around the world to create and sign petitions on topics of public interest. As part of that signing process, we collect personal name and address information to validate the identity of the signer. Our treatment of that information is described here.

As part of the petition signing process, individuals may be offered opportunities to provide their information to receive ongoing communications from our Clients.

Our EU clients may provide us with lists of email addresses or phone numbers of their existing members, encrypted with one-way hashes, to ensure that Care2 does not present signup opportunities to their existing members. As EU Data covered by this Notice is by definition sent to us by another company in the EU (e.g., a client of Care2), the client functions as the Data Controller and Care2 as the Data Processor in these cases. Care2 will not use Client Personal Data for any other purposes than for the purposes that Care2 clients provide such information.

Care2 collects and uses EU Data for purposes of providing products and services to our users, communicating with petition targets, and processing EU Data on behalf of clients, and conducting related tasks for legitimate business purposes.

User Choice & Limits on Sharing

Care2 shares Personal Data with its service providers and among Care2's affiliates. With respect to the Personal Data we share with third parties, we provide our users with an opportunity to opt out of such sharing. Contact Care2's Privacy Officer (address below) if you would like to opt out. We do not use Personal Data for purposes incompatible with the purposes for which the information was originally collected without notifying the relevant consumers, customers, suppliers and others of such uses and offering an opportunity to opt out.

In addition, we may disclose Personal Data (i) if we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials based on an enforceable government request or as may be required under applicable law, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation of suspected or actual illegal activity.

With respect to emails, EU Persons may opt out of receiving further email communications from Care2 or Care2 clients by following opt-out or "unsubscribe" instructions contained within the email message in question.

Personal Data Access, Review & Update

EU Persons may request access to, and the opportunity to update, correct or delete, EEA Data. Please contact our Privacy Officer (address below). We reserve the right to take appropriate steps to authenticate an applicant's identity, and to deny requests, except as required by the EU-U.S. Privacy Shield Framework.

Note too that users can view, edit, revise, and delete most of the Personal Data stored by Care2 via the Care2.com website's self-serve "member profile" tools, available after logging in to the Care2.com website.

Accountability of Onward Transfer

Care2 recognizes potential liability in cases of onward transfer to third parties. Care2 will not transfer any personal information to a third party without first ensuring that the third party adheres to the Privacy Shield principles. Care2 does not transfer Client Personal Data to unrelated third parties, unless lawfully directed by a client, or in certain limited or exceptional circumstances in accordance with the EU-U.S. Privacy Shield Framework.

Compelled Disclosure

Care2 may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In the event that Care2 is requested to transfer Client Personal Data to an unrelated third party, Care2 will ensure that such party is either subject to the EU-U.S. Privacy Shield Agreement, subject to similar laws providing an adequate and equivalent level of privacy protection, or will enter into a written agreement with the third party requiring them to provide protections consistent with the EU-U.S. Privacy Shield Framework and Care2's Privacy Shield Policy. Should Care2 learn that an unrelated third party to which Personal Data has been transferred by Care2 is using or disclosing Personal Data in a manner contrary to this Policy, Care2 will take reasonable steps to prevent or stop the use or disclosure.

Contact information and Client Personal Data is accessible only by those Care2 employees and consultants who have a reasonable need to access such information in order for us to fulfill contractual, legal and professional obligations. All of our employees and consultants have entered into strict confidentiality agreements, and/or have been subjected to thorough criminal background checks requiring that they maintain the confidentiality of Client Personal Data.

Applicability

Care2 is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Care2 also assures compliance with this EU-U.S. Privacy Shield Policy and the EU-U.S. Privacy Shield Framework by fully investigating and attempting to resolve any complaint or dispute regarding the use and disclosure of personal data in violation of this Privacy Policy.

For complaints that cannot be resolved by Care2 and the complainant, the U.S. Direct Marketing Association (DMA) serves as Care2's third-party dispute resolution provider, as required under the Privacy Shield Principles. If contacting Care2 does not lead to a satisfactory resolution, complaints may be filed with the U.S. Direct Marketing Association using the following contacts:

  • Online
  • Web
  • Mail:
    Direct Marketing Association
    Attn: Privacy Shield Program
    1615 L Street NW, Suite 1100
    Washington, D.C. 20036

Privacy Shield Policy Updates

The Care2 Privacy Shield Notice may be updated or amended occasionally, in compliance with the requirements of the Privacy Shield principles. Appropriate notice will be given concerning such amendments. The date of the latest revision will appear at the bottom of this document.

Care2 Privacy Shield Contact

In compliance with EU-U.S. Privacy Shield policies, Care2 commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact Care2.

If you have questions, please contact Care2's Security Officer by email: privacy@care2team.com

Alternatively, call our Privacy team at +1-661-727-3622.

We will promptly investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Policy.

EU Persons (EU Data Subjects) may complain to their home data protection authority and can invoke binding arbitration for some residual claims not resolved by other redress mechanisms.

If you have a comment or concern that cannot be resolved with us directly, you may contact the competent local data protection authority.

Annual Assessment

Care2 assures compliance with this EU-U.S. Privacy Shield Policy and the EU-U.S. Privacy Shield Framework by utilizing the self-assessment approach as specified by the U.S. Department of Commerce. The assessment is conducted on an annual basis to ensure that all of Care2's relevant privacy practices are being followed in conformance with this EU-U.S. Privacy Shield Policy and the EU-U.S. Privacy Shield Framework. Any employee that Care2 determines is in violation of these policies will be subject to discipline, up to and including termination of employment and/or criminal prosecution.

EU-U.S. Privacy Shield Policy Effective Date: 8/12/2016