Care2 EU/UK/AU-US Privacy Policy

Revised 2021-02-09

This Privacy Policy ("Policy") applies to website users in the UK, European Union, and Australia, encompasing each entities privacy policy mandates, in full and in accordance with the specific language and intent of each article of governance, and in the full scope of the intended applications, audit trails, information requests and data removal, regardless of the respective general or specific terminology therein.

For the US and other countries, please see our Privacy Policy for the US.

View EU language translations (IT, PT, SE, DK, NL, ES, FR, DE) of this document via the language control at the bottom of this page.

For the purposes of the European Union's General Data Protection Regulations ("GDPR") & Australia’s Australian Privacy Principles (“APP”) , Care2.com ("Care2", "we", "us") is the business that makes decisions about the processing of your personal data (also known as the “data controller”), unless expressly specified otherwise. In terms of your personal data which we process for our clients when providing our services, we act as an agent (otherwise known as the “data processor”) on behalf of our clients, and these instances are expressly specified below.

In terms of your personal data which Care2 processes as a data controller, Care2 is not obligated by the GDPR or APP to appoint a Data Protection Officer. However, Care2 has appointed VeraSafe as a point of contact for all related data privacy questions including matters pursuant to Article 27 of the United Kingdom General Data Protection Regulation of the European Union.

VeraSafe can be contacted here using this contact form: https://verasafe.com/public-resources/contact-data-protection-representative.

Alternatively, VeraSafe can be contacted by postal mail at either of these addresses:

VeraSafe United Kingdom Ltd.
37 Albert Embankment
London SE1 7TL
United Kingdom
Telephone: +44 (20) 4532 2003

VeraSafe Czech Republic s.r.o.
Klimentská 46
Prague 1
Czech Republic
11002

VeraSafe Ireland LTD
North Point Business Park
New Mallow Road
Cork T23AT2P, Ireland

Care2 respects individual privacy and values the confidence of its users, customers, employees, business partners and others. Not only does Care2 strive to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business, it also has a tradition of upholding the highest ethical standards in its business practices.

Care2 takes seriously the issue of safeguarding your privacy online. This Policy applies to the two websites owned and operated by Care2: Care2.com and ThePetitionSite.com (the "Websites"). This Policy describes how Care2 collects and uses the personal information you provide on the Websites and your options regarding the ways in which your personal information is used.

Care2 collects personal information directly in the following ways:

• When users sign petitions
• When users create petitions
• When users register to become a member of either or both of the Websites
• When users subscribe to email mailing lists
• When users contact Care2 via email or phone
• When users "opt in" to receive communications from Care2's clients and partners
• When users engage with Care2 partner and client content on the Care2.com website.

• When users "follow" or interact with Care2 representatives on third-party websites such as social media platforms
• When users' postal address data is provided to a third party for format standardization

Care2 collects information when it is available from external publicly available sources.
For example, depending on your privacy settings for social media services, we may access information from those accounts or services.
Care2 also automatically collects the following types of your personal information when you visit the Websites:

• technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting, browser plug-in types and versions and operating systems and platforms.
• Information about your visit to the Websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.

In general, we may combine your personal information from these different sources for the purposes set out in this Policy.

• Name and contact information: physical address (for petition signers), telephone number, email address
• Birth date
• List of petitions signed and/or started by each member, including any comments
• submitted in support of each petition
• Content subscription preferences
• Web browser and browsing data: browser type, device type, IP address, referral source, length of website visit, number of page views
• Interest information expressed by the site sections and services used by website users, as well as throughput and engagement data generated by the site sections and services used by website users, including engagement with Care2 partner and client content. In terms of this throughput and engagement data which Care2 collects and processes on behalf of our clients, Care2 is a data processor.
• Any other type of information shared with / obtained by Care2 by website users.

The GDPR recognises certain categories of personal information as sensitive and therefore requiring more protection, for example: information about your health, ethnicity or political opinions. Where Care2 collects and/or uses these special categories of personal data (for example, information about your political opinions contained within a petition), we will only do so if there is a valid reason and where the GDPR allows us to do so.

Your personal information, however provided to us or obtained by us, will be used for the purposes specified in this Policy. In particular, we may use your personal information:

• To provide you with services, products or information you have requested (for example to sign or start petitions);
• To enable website users, and prospective website users, to use or consider Care2 services, products, and information;
• To enable Care2 (as well as Care2’s partners and clients for whom you have elected to "opt in" to receive communications from) to send website users information about relevant campaigns, services and/or any other information which we (or our relevant partners or clients) consider may be of interest (where appropriate, such contact would only be made with users' consent). In terms of Care2’s processing of your personal data for the purpose of Care2’s partners and clients sending you the above information, Care2 is a data processor;
• To improve website users' experience, for example by personalizing the presentation of information;
• To register, administer and personalise online accounts;
• To enable analysis, targeting, and segmentation of the website audience in order to develop business strategy and improve communications efficiency;
• To conduct research into the impact of Care2's efforts;
• To investigate and respond to user requests and inquiries (and communicate with users in general);
• To enable sharing of website users' information with appropriate and carefully selected third parties;
• To satisfy legal or regulatory obligations which are binding on us, for exampleauditing and accounting purposes to enable Care2 to connect its members to one another, to build communities as well as to build support for petitions and campaigns;
• To establish, defend or enforce legal claims;
• For the purposes of network and system security and performance;
• For the prevention of fraud; and/or
• To enable publication of news related to Care2, where allowed by applicable law or with users' consent where required.

The website may select locally relevant petitions for you based on your IP address.

We may display interest-based advertisements to you on Facebook through Facebook's Custom Audiences tool. We would not share your name or contact information with Facebook; rather, we would share a unique code based on your email address. See the Custom Audiences Terms of Service for more information.

We may use your contact details to provide you with information about our work, services, and/or products which we consider may be of interest to you (for example, updates about a petition you previously signed, information about petitions relating to similar campaigns, or information about other ways in which you can assist one of the campaigns we help).

Where we do this via email, SMS or telephone, we will not do so without your prior consent (unless allowed to do so via applicable law).

Where you have provided us with your consent previously but do not wish to be contacted by us about our work, services and/or products in the future, please let us know by email at privacy@care2team.com. You can also opt out of receiving emails from Care2 at any time by clicking the "unsubscribe" link at the bottom of our emails.

The GDPR requires us to rely on one or more lawful bases to use your personal information. We consider the grounds listed below to be relevant:

• Where you have provided your consent for us to use your personal information in a certain way (for example, we will ask for your consent to use your personal information to send you promotional / marketing material, and we may ask for your explicit consent to collect special categories of your personal information.
• Where necessary so that we can comply with a legal obligation to which we are subject (for example, when we are obliged to share your personal information with regulatory bodies which govern our work and services, or when we are obliged to share information with law enforcement agencies).
• Where there is a legitimate interest in us doing so.

The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others' legitimate interests (as long as the processing in question is fair, balanced and does not unduly impact your rights).

In broad terms, our "legitimate interests" means the interests of running Care2 as a company aiming to encourage engagement with important social and political issues. For example: providing information about the issues which we consider to be important, or, where appropriate, putting members in contact with one another.

When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted by law).

Where we rely on you consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for marketing or fundraising purposes or to unsubscribe from our email list at any time. You also have the following rights:

• Right of access: you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply.
• Right of erasure: at your request we will delete your personal information from our records as far as we are required to do so. In many causes we would propose to suppress further communications with you, rather than delete it.
• Right of rectification:if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate / up to date. To make changes to your account information, please visit the My Settings page.
• Right to restrict processing: you have the right to ask for processing of your personal information to be restricted if there is disagreement about its accuracy or legitimate usage.
• Right to object: you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests ground, (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
• Right to data portability: to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format.
• Rights related to automated decision-making:you have the right not to be subject to a decision based solely on automated processing of your personal information which produces legal or similarly significant effects on you, unless such a decision (i) is necessary to enter into/perform a contract between you and us/another organisation, (ii) is authorised by EU, UK, Australia or Member State law to which Care2 is subject (as long as that law offers you sufficient protection); or (iii) is based on your explicit consent.

To exercise any of these rights, please contact us using our Help Request Form or contact us via the details contained in section 13 below.

Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us using the details in section 13 below. We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.

You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. You can find out the identity of the authority in your country, and its contact information, here.

In general, we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Policy. Please note that, where required under applicable data protection law, we will not do so without your consent.

Non-exhaustively, those parties may include:

• Client and partner organizations whose campaigns appear on Care2/ThePetitionSite
• Social media platforms
• Law enforcement agencies an regulatory authorities (where legally obligated)
• Professional service providers such as accountants,auditors and lawyers
• Sub-contractors for the specific purpose of standardizing member-submitted postal address data
• Media outlets (with consent, and only as allowed by relevant law)
• Analytics and search engine providers

Petition signers' name, comments, and limited demographic information (city, state, country) are published on the petition. Petition signers' personal data could be forwarded to public officials as part of the petition campaign.

Care2 reserves the right to share personal data if necessary for the purpose of merging with or partnering with other organizations(s).

Other than as described here, Care2 would only share personal data with the informed consent of our website users and members.

Care2 is committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures ni place to help protect your information.

This includes corporate policies and staff training regarding how your personal information should be handled, as well as physical security, encryption, and network security for IT infrastructure. Your personal information is only accessible by appropriately trained staff.

Care2 has self-certified with the US Department of Commerce that it adheres to the seven Privacy Shield principles. Care2 is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under certain conditions an individual has the right to invoke binding arbitration. Care2 acknowledges liability in cases of onward transfers to third parties.

Care2 complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, UK or Australia to the United States. Care2 has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov. The EU-U.S. Privacy Shield Framework is no longer considered a legitimate data transfer mechanism for personal information from the EU to the U.S., however Care2 will continue to maintain its EU-U.S. Privacy Shield certification, because we want to continue to honor our commitments to our EU, and UK clients, because we want to continue to honor our commitments to the U.S. Department of Commerce, and because this framework is based on sound data privacy principles which help to protect the personal data of our clients and data subjects.

Further to our adherence to the EU-U.S. Privacy Shield Principles, our Data Processing Addendum, available for any of our clients and vendors to sign, includes the Standard Contractul Clauses (SCCs), which the Schrems II court upheld as a valid data transfer mechanism for transfers of personal data from the EU, UK or Australia to the U.S. In terms of EU-U.S. We will proactively take any future measures necessary to ensure that the SCCs continue to function for transfers of EU, UK or Australia personal data to Care2. We are also monitoring new guidance on EU-U.S. personal information transfers from the EU, UK or Australia supervisory authorities and the European Data Protection Board in order to stay abreast of any recommended modifications to the SCCs or our data protection practices.

Given that we are an organisation headquartered in the USA, users of the services available on the Websites will have their personal information transferred to Care2's infrastructure in the USA. Such transfers are adequately secure in the eyes of the European Commission and/or APP due to Care2's use the SCCs and the further measures which Care2 takes and holds its vendors to in order to ensure the safety of personal data.

In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure (please see section 7 above), we will remove it from our records at the relevant time.

Please note that, if you request to receive no further contact from us, we will keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.

We link our websites directly to other sites. This Policy does not cover external websites and we are not responsible for the privacy practices or content of those sires. We encourage you to read the privacy policies of any external websites you visit via links on our website.

If you have questions or concerns about this Policy or about the way in which Care2 processes your personal information, please contact Care2's Security Officer by email: privacy@care2team.com.

Care2 uses web "cookies" and similar technologies to track users' movements around the Websites, and for other features and services. See our complete cookie policy.

Providing personal information to us which we have requested from you is voluntary. However, website users who do not provide data will not be able to use many of the services offered

Care2 reserves the right to change the Policy, but will notify users of such changes through email and/or by posting a notice on the site. In the event of any material change, this notification will be prior to that change becoming effective. If the change involves the use of a user's personally identifiable information then the notice to users will contain directions on how users can opt-out of the change.