For the purposes of the European Union's General Data Protection Regulations ("GDPR"), Care2.com ("Care2", "we", "us") is the business that makes decisions about the processing of your personal data (also known as the “data controller”), unless expressly specified otherwise. In terms of your personal data which we process for our clients when providing our services, we act as an agent (otherwise known as the “data processor”) on behalf of our clients, and these instances are expressly specified below.
In terms of your personal data which Care2 processes as a data controller, Care2 is not obligated by the GDPR to appoint a Data Protection Officer. However, Care2 has appointed VeraSafe, a local EU-based representative, as a point of contact for all EU-based data privacy questions. VeraSafe can be contacted using this contact form: VeraSafe.com
Alternatively, VeraSafe can be contacted by postal mail at either of these addresses:
VeraSafe Czech Republic s.r.o.
VeraSafe Ireland LTD
North Point Business Park
New Mallow Road
Cork T23AT2P, Ireland
Care2 respects individual privacy and values the confidence of its users, customers, employees, business partners and others. Not only does Care2 strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, it also has a tradition of upholding the highest ethical standards in its business practices.
Care2 takes seriously the issue of safeguarding your privacy online. This Policy applies to the two websites owned and operated by Care2: Care2.com and ThePetitionSite.com (the "Websites"). This Policy describes how Care2 collects and uses the personal information you provide on the Websites and your options regarding the ways in which your personal information is used.
The GDPR recognises certain categories of personal information as sensitive and therefore requiring more protection, for example: information about your health, ethnicity or political opinions. Where Care2 collects and/or uses these special categories of personal data (for example, information about your political opinions contained within a petition), we will only do so if there is a valid reason and where the GDPR allows us to do so.
The website may select locally relevant petitions for you based on your IP address.
We may display interest-based advertisements to you on Facebook through Facebook's Custom Audiences tool. We would not share your name or contact information with Facebook; rather, we would share a unique code based on your email address. See the Custom Audiences Terms of Service for more information.
We may use your contact details to provide you with information about our work, services, and/or products which we consider may be of interest to you (for example, updates about a petition you previously signed, information about petitions relating to similar campaigns, or information about other ways in which you can assist one of the campaigns we help).
Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless allowed to do so via applicable law).
Where you have provided us with your consent previously but do not wish to be contacted by us about our work, services and/or products in the future, please let us know by email at firstname.lastname@example.org. You can also opt out of receiving emails from Care2 at any time by clicking the "unsubscribe" link at the bottom of our emails.
The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others' legitimate interests (as long as the processing in question is fair, balanced and does not unduly impact your rights).
In broad terms, our "legitimate interests" means the interests of running Care2 as a company aiming to encourage engagement with important social and political issues. For example: providing information about the issues which we consider to be important, or, where appropriate, putting members in contact with one another.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted by law).
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:
To exercise any of these rights, please contact us using our Help Request Form or contact us via the details contained in section 13 below.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in section 13 below. We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.
You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. You can find out the identity of the authority in your country, and its contact information, here.
In general, we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy. Please note that, where required under applicable data protection law, we will not do so without your consent.
Non-exhaustively, those parties may include:
Petition signers' name, comments, and limited demographic information (city, state, country) are published on the petition. Petition signers' personal data could be forwarded to public officials as part of the petition campaign.
Care2 reserves the right to share personal data if necessary for the purpose of merging with or partnering with other organization(s).
Other than as described here, Care2 would only share personal data with the informed consent of our website users and members.
Care2 is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
This includes corporate policies and staff training regarding how your personal information should be handled, as well as physical security, encryption, and network security for IT infrastructure. Your personal information is only accessible by appropriately trained staff.
Care2 has self-certified with the US Department of Commerce that it adheres to the seven Privacy Shield principles. Care2 is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under certain conditions an individual has the right to invoke binding arbitration. Care2 acknowledges liability in cases of onward transfers to third parties.
Further to our adherence to the EU-U.S. Privacy Shield Principles, our Data Processing Addendum, available for any of our clients and vendors to sign, includes the Standard Contractual Clauses (SCCs), which the Schrems II court upheld as a valid data transfer mechanism for transfers of personal data from the EU to the U.S. In terms of EU-U.S. We will proactively take any future measures necessary to ensure that the SCCs continue to function for transfers of EU personal data to Care2. We are also monitoring new guidance on EU-U.S. personal information transfers from the EU supervisory authorities and the European Data Protection Board in order to stay abreast of any recommended modifications to the SCCs or our data protection practices.
Given that we are an organisation headquartered in the USA, users of the services available on the Websites will have their personal information transferred to Care2's infrastructure in the USA. Such transfers are adequately secure in the eyes of the European Commission due to Care2's use of the SCCs and the further measures which Care2 takes and holds its vendors to in order to ensure the safety of personal data.
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 7 above), we will remove it from our records at the relevant time.
Please note that, if you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
We link our websites directly to other sites. This Policy does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy policies of any external websites you visit via links on our website.
If you have questions or concerns about this Policy or about the way in which Care2 processes your personal information, please contact Care2's Security Officer by email: email@example.com.
Providing personal information to us which we have requested from you is voluntary. However, website users who do not provide data will not be able to use many of the services offered