Additional U.S. Privacy Disclosures
1. Scope of Disclosures
In accordance with applicable U.S. privacy laws, these U.S. Privacy Disclosures provide additional information about how we collect, use, disclose and otherwise process personal data of individual California and Nevada residents either online or offline.
2. Personal Data Disclosures
- Identifiers, including full name, email address, IP address, and account username and password;
- Customer Records, including home address, business address, and phone number;
- Internet/Network Information, including log data and analytics data.
- Profession/Employment Information, including your employer, company name or the name you are doing business as, your business’s contact information, and your job title or description.
- Other Personal data, including personal data you permit us to see when interacting with us through social media, and personal data you provide us in relation to your questions, requests, or inquiries.
- Inferences, including our predictions about interests and preferences based on other personal data we have collected about you.
While we do not “sell” personal data in the traditional sense, we do, however, sell or share personal data for the purpose of displaying advertisements that are selected based on personal data obtained or inferred over time from an individual’s activities across businesses or distinctly-branded websites, applications, or other services (otherwise known as “targeted advertising” or “cross-context behavioral advertising”). For more information, please see the “Disclosure, Sale, and Sharing of Personal data” section below.
3. Sensitive Information
The following personal data elements we collect may be classified as “sensitive” under certain privacy laws (“sensitive information”):
- Account name and password;
- Driver’s license number;
- Credit/debit card number plus expiratin data and security code (CVV);
DonorDrive only uses or discloses sensitive personal data for the following purposes, where such use or disclosure is necessary and proportionate for those purposes: for performing services you have requested, for detecting security incidents, fraud and other illegal actions, to ensure the physical safety of natural persons, to perform services on behalf of the business (where the sensitive information is reasonably necessary and proportionate for this purpose), or for short term transient use.
We do not sell sensitive information, and we do not process or otherwise share sensitive information for the purpose of targeted advertising.
4. Sources of Personal Data
5. Deidentified Information
We may at times receive, or process personal data to create deidentified information that can no longer reasonably be used to infer information about, or otherwise be linked to, a particular individual or household. Where we maintain deidentified information, we will maintain and use the information in deidentified form and not attempt to reidentify the information except as required or permitted by law.
7. Retention of Personal Data
We retain personal data only for as long as is reasonably necessary to fulfil the purpose for which it was collected. However, if necessary, we may retain personal data for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax, or accounting requirements set by a legislature, regulator, or other government authority.
To determine the appropriate duration of the retention of personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of personal data, and whether we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting, and other applicable obligations.
Once retention of the personal data is no longer necessary for the purposes outlined above, we will either delete or deidentify the personal data or, if this is not possible (for example, because personal data has been stored in backup archives), then we will not further process the personal data until deletion or deidentification is possible.
Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights. Individuals who wish to exercise these rights with respect to customer data should direct their requests to the DonorDrive customer contact that controls their personal data:
The Right to Know
The right to confirm whether we are processing personal information about you and to obtain certain personalized details about the personal information we have collected about you, including:
- The categories of personal data collected;
- The categories of sources of the personal data;
- The purposes for which the personal data were collected;
- The categories of personal data disclosed to third parties (if any), and the categories of recipients to whom the personal data was disclosed;
- The categories of personal data shared for cross-context behavioral advertising purposes (or, “targeted advertising”) (if any), and the categories of recipients to whom the personal information was disclosed for those purposes.
The Right to Access & Portability
The right to obtain access to the personal data we have collected about you and, where required by law, the right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.
The Right to Correction
The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.
The Right to Request Deletion
The right to request the deletion of personal data that we maintain about you, subject to certain exceptions.
The Right to Control Over Sensitive Information
The right to direct us not to sell or share personal data for certain targeted or cross-context behavioral advertising purposes.
The Right to Opt Out of Sales or Sharing for Targeted Advertising Purposes
The right to direct us not to sell or share personal data for certain targeted or cross-context behavioral advertising purposes.
“Shine the Light”
California residents that have an established business relationship with us have rights to know how their information is disclosed to third parties for their direct marketing purposes under California’s “Shine the Light” law (Civ. Code §1798.83).
You also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, please note that if the exercise of these rights limits our ability to process personal data, we may no longer be able to engage with you in the same manner. In addition, the exercise of the rights described above may result in a different price, rate, or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.
10. Submitting Privacy Requests
To Exercise Your Privacy Rights
To submit a request to exercise any of your privacy rights listed above, please submit a request specifying the right you wish to exercise by:
- Filling out our "Data Privacy Request" form, or
- Calling us at 1-866-244-0450.
Before processing your request, we will need to verify your identity and confirm you are a resident of an eligible state that offers such right. As a result, we require requests to include:
- The full name of the individual the personal data is about (the consumer);
- The full name of the individual making the request and their relationship to the consumer;
- The consumer’s state of residence;
- The consumer’s relationship to DonorDrive, including the DonorDrive entity, products and/or services relevant to the request;
- The right to be exercised, the associated request and the scope of personal data involved (e.g., all or a subset of the information); and
- The best phone number or email address for us to contact the requesting individual and the consumer.
In order to verify your identity, we may also require additional personal data to match against the information we maintain about you in our systems.
In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or confirm you are a resident of an eligible state.
To Exercise the Right to Opt Out of Personal Data Sales or Sharing for Targeted Advertising Purposes
Unless you have exercised your Right to Opt Out, we may “sell” or “share” your personal data to third parties for targeted or cross-context behavioral advertising purposes. The third parties to whom we sell or share personal data may use such information for their own purposes in accordance with their own privacy statements, which may include reselling or sharing this information to additional third parties.
You do not need to create an account with us to exercise your Right to Opt Out. However, we may ask you to provide additional personal data so that we can properly identify you in our dataset and to track compliance with your opt out request. We will only use personal data provided in an opt out request to review and comply with the request. If you chose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems.
Minors Under Age 16
We do not sell the personal data of consumers we know to be less than 16 years of age. Please contact us at email@example.com to inform us if you, or your minor child, are under the age of 16 and have provided us with personal data.
Submitting Authorized Agent Requests
In certain circumstances, you are permitted to use an authorized agent to submit requests on your behalf through the designated methods set forth above where we can verify the authorized agent’s authority to act on your behalf. In order to verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided and your state of residency, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request.
Notice to European Users
The information provided in this “Notice to European Users” section applies only to individuals in Europe.
To Operate the Service
Legal basis: Processing is necessary to perform the contract governing our provision of the Services or to take steps that you request prior to signing up for the Services. If we have not entered into a contract with you, we process your personal information based on our legitimate interest in providing the Services you access and request.
For Research and Development
- To send you marketing and promotional communications
- To display advertisements
- To manage our recruiting and process employment applications
- For compliance, fraud prevention and safety
- To create anonymous data
Legal Basis: These activities constitute our legitimate interests. We do not use your personal information for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).
To Comply with Law
Legal Basis: Processing is necessary to comply with our legal obligations.
With Your Consent
Legal Basis: Processing is based on your consent. Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent or in the Services.
Sensitive personal information. We ask that you not provide us with any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Services, or otherwise to us.
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
Cross-Border Data Transfer
DonorDrive has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim for more information or to file a complaint. The services of JAMS are provided at no cost to you. If neither DonorDrive nor JAMS resolves an individual’s complaint, the individual may have the ability to engage in binding arbitration through the Privacy Shield Panel. Additional information on the arbitration process is available on the Privacy Shield website at www.privacyshield.gov.
DonorDrive may share personal information with third party services providers that perform services on behalf of DonorDrive. DonorDrive may be liable if these third parties fail to meet those obligations, and DonorDrive is responsible for the event giving rise to the damage.
European data protection laws give you certain rights regarding your personal information. If you are located within the European Union, you may ask us to take the following actions in relation to your personal information that we hold:
Access. Provide you with information about our processing of your personal information and give you access to your personal information.
Correct. Update or correct inaccuracies in your personal information.
Delete. Delete your personal information.
Transfer. Transfer a machine-readable copy of your personal information to you or a third party of your choice.
Restrict. Restrict the processing of your personal information. Individuals may have the right to limit the use and disclosure of their personal information as required by the Privacy Shield’s Principles, such as whether your personal information is disclosed to a third party or used for purposes materially different from the purpose for which the personal information was originally collected or subsequently authorized by you. If you wish to limit the use and disclosure of personal information in accordance with the Privacy Shield Principles, please contact us at firstname.lastname@example.org.
Object. Object to our reliance on our legitimate interests as the basis of our processing of your personal information that impacts your rights.
You may submit these requests by email to email@example.com or our postal address provided below. We may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions. If you would like to submit a complaint about our use of your personal information or our response to your requests regarding your personal information, you may contact us or submit a complaint to the data protection regulator in your jurisdiction. You can find your data protection regulator here.