Privacy Policy

At SumOfUs we take your privacy rights very seriously. This privacy notice sets out our data collection and processing practices, and your options and rights regarding the ways in which your personal information is handled.

Together, our community of millions act as a global consumer watchdog – running and winning campaigns to hold the biggest companies in the world accountable. To campaign effectively where and when needed most, SumOfUs maintains a database of member contact details and actions. We store that data securely, and never sell or rent that data to anyone else. Please read below for details. This notice is split into the following parts (and if you click on a heading you are interested in, you will be taken straight to that section):

1. Who We Are:

We are SumOfUs, a community from around the world committed to curbing the growing power of corporations. SumOfUs is registered as a 501(c)(4) social welfare non-profit organisation incorporated in the United States of America. Under EU data protection law (the GDPR), we are what is known as a ‘controller’ which means that we collect information about you when you engage with us and we determine how that information is used. We have members and supporters, like you, around the world. In fact there are over 3.4 million SumOfUs members who take action together to fight corporate power Because we are a US organisation, EU data protection law requires us to appoint a ‘representative’ in a country in the EU, as a point of contact for EU-based data privacy questions and queries. Our local representative is Eoin Dubsky who is based in The Netherlands and you can contact them via the following methods:

Email: privacy@sumofus.org

Phone: +31 70 2500292

Mail: Monnikenstraat 23 Suite #1049 1012 BP Amsterdam The Netherlands

It is important that you know what organisations are doing with information about you and why, and we seek to set this out as clearly as possible here (known as a ‘privacy notice’ in legal language). If you have any questions not answered by this privacy notice or have any concerns, then please do get in touch using the ‘How do I contact you?’ section of this notice.

2. What is this notice about?

This privacy notice explains how SumOfUs uses information that we collect about people when they engage with us or when we want to engage with them. We are committed to protecting your privacy online. The SumOfUs staff are members, too, and we treat your privacy as we do our own. At all times we aim to respect any personal information you share with us and keep it safe.
We may modify this policy from time to time so we encourage you to check this page intermittently and when revisiting our website (the latest changes will be set out within the ‘Changes to this privacy notice’ section).

3. Do you collect personal information about me?

Yes, we do – and we comply with the law when we do so. We use the information in ways that you have agreed to or are lawful - to populate petitions with signatories’ details, provide you with relevant communications from us, fundraise and to check that our campaigns and activities are effective. You can see a fuller list of the ways in which we collect your personal information and why we do so in the section headed ‘Where do you get information about me from?’ and ‘How and why will you use my information?’ sections of this notice.

4. Where do you get information about me from?

When people engage with us we refer to that as an ‘action’. So, for example, if someone signs a petition on our website, makes a donation to us or writes a letter, they would be taking an ‘action’ with us. When you take an action with us, we may ask you to give us some information about you or we might obtain some information about you based on the action that you took, see more details below.

We collect personal information when you give it to us directly, such as when you take the following actions:

We might also collect personal information about you indirectly, such as when:

In general, we may combine your personal information from these different sources for the purposes set out in this Policy.

5. What information do you collect, store and otherwise use about me?

We might collect, store and otherwise use the following kinds of personal information about you:

Special categories of personal information

Under EU Data Protection law (the GDPR), the law recognises some types of personal information as being sensitive and requiring additional protection. These are known as ‘special categories’ of personal information and include information about health, ethnicity, and political opinions.

We do not seek to collect, store or otherwise process your sensitive personal information (i.e. about race or ethnicity, political opinions, religious or philosophical beliefs, etc.). When we do, it will only be in circumstances where there is a valid reason to collect/use that information and we are allowed to do so under the law. The most likely example of a situation where we might collect special category information about you is if you sign a petition that expresses a political opinion or if you volunteer such information when communicating with us.

Sometimes, our supporters will email us or otherwise get in touch with us and provide special categories of personal information, even when we haven’t asked them to. For example, a supporter might send us an email explaining why they are no longer able to make a donation which contains sensitive information about their personal circumstances. We urge supporters not to volunteer sensitive private information to us in this way.

If and when we receive this type of information, we aim to delete them from our systems (though note that they may be retained, or certain data about the message retained, in server logs and in the messaging/mail service provider’s own systems (such as Google Mail) in accordance with their own procedures).

6 How and why will you use my information?

6.1 Overview of how we use your information

We will use your personal information, for the purposes set out in this notice. In particular, we may use your personal information:

6.2 Further detail on some of our practices

Below we have set out further detail on some of the ways in which we might use your personal information. Privacy is important, and as a movement we have worked on campaigns in support of data privacy. We strongly believe that individuals should know what companies are doing with information about them. We know that people are often concerned about use of their data behind the scenes, often using technology that doesn’t seem transparent or easy to understand. As such, we have set out below some further detail on some of the things we do that might not be expected or easily understood.

(a) Donor programme

So as to build our fundraising to expand the SumOfUs movement, achieve our aims and ideals, and make sure that we are recognising your support appropriately, we may flag some of our donors who have donated above a specified threshold on our database as being key donors. Those key donors may receive special communications from us via electronic messaging or telephone (provided we can lawfully contact them, for instance where they have provided consent to receiving campaign and fundraising communications from us), to thank them personally for their support, and to explore how to strengthen the relationship between the individual and SumOfUs.

(b) Understanding our supporters

SumOfUs uses personal information about its supporters and those who engage with us to create a record of your interests and preferences so that we can communicate with you in a relevant way, make our work more effective and to help our fundraising. Sometimes this might involve making an assumption about you based on information we have collected in order to send you the most relevant information – for example, if you have signed some emails urging companies to reduce their use of plastic and some emails about protecting the bees, then we might mark you down in our database as someone who is particularly interested in environmental issues. Digital marketing and advertising

We engage in some limited digital marketing and advertising practices to expand the reach of the SumOfUs movement and to help us to realise our aims and ideals. Most of our advertising does not rely on us providing your personal information to a third party – for example, we sometimes place adverts in search results through Google advertising or we might place banner adverts on relevant third party websites. In some cases, those third-party vendors may decide which adverts to show you based on your prior visits to our Website based on information they’ve independently collected. At no time will you be personally identified to those third-party vendors, nor will any of the personal information you share with us be shared with those third-party vendors. This relies on us using third party cookies when you use our Website, which you can disable by using your browser settings.

We also use social media advertising, including Facebook and Twitter. Sometimes we might use and disclose some of your personal information to use Facebook’s ‘Custom Audience’ tool, which enables us to communicate with and display adverts to both existing and prospective members. We do this in a secure and encrypted way and do not engage in any of the practices known as “microtargeting”.

Please see the Customer Audiences Terms of Service.

(c) Communications about campaigns

We may use your contact details to provide you with information about our work, campaigns, activities, events, services and fundraising drives which we consider may be of interest to you (for example, updates about fundraising drives or petitions you have signed, or requests to sign and information about new petitions).

Where we do this via email, social media direct messaging if your profile is private, SMS (text) or similar telephone instant messaging service or by telephone (if you are registered with the Telephone Preference Service), we will not do so without your prior consent. We ask for your consent when we first make contact with you. Where you have provided us with your consent previously but do not wish to be contacted by us about our campaigns and activities in the future, then you can opt-out at any time. Please see the ‘How can I stop getting emails and other communications from you?’ section of this notice.

(d) Processing donations and credit card information

When you use our secure online donation function you will be directed to a specialist payment services provider who will receive your financial information to process the transaction. We will provide your personal information to the payment services provider only to the extent necessary for the purpose of processing your donation. When you contribute to SumOfUs online, we collect credit card information from you. That information is used solely for processing your contribution; it is not maintained by SumOfUs; and is never disclosed to anyone, for any other purpose other than for processing your contribution. When contributing through an express donation, your card details are stored by our payment provider, Braintree Payments (owned by Paypal), which has in place strong security safeguards and handles billions of dollars in payments every year.

(e) Cookies and Data Tracking

In order to better serve our supporters, we use cookies and periodically analyse web logs. Some cookies are used to prepopulate forms for you so that on repeat visits to the Website you don’t need to re-enter certain information. You can set your browser to disable cookies, but then you would not have the advantage of having certain sections of forms being prepopulated for you, and you may not be able to access certain parts of the Website. We may also use third-party services such as Google Analytics. This helps us understand traffic patterns and know if there are problems with our Website. We may also use embedded images in emails to track open rates for our mailings, so that we can tell which mailings appeal most to SumOfUs supporters.

The information generated by a cookie about your use of our Website (including your IP address) is transmitted to and stored by Google on servers in the United States. Google may also transfer this information to third parties where Google is legally required, or where such third parties process the information on Google’s behalf. Google can combine your IP address with any other data held by Google. By using this Website, you consent to the processing of data by Google in the manner and for the purposes set out above.

URLs contained in emails may contain an ID that enables us to correctly identify the person who takes an action using a web page. We use these URLs to simplify the process of signing petitions and filling out surveys. We may occasionally present a shortened URL that references a longer URL which you can see in the browser’s address bar when you access the page.

EU Data Protection law sets out a number of ‘bases’ or grounds which controllers (in this case SumOfUs) can rely on to lawfully collect and use personal information. The grounds that we rely on to use your personal information are as follows:

(a) Where you have provided your consent for us to use your personal information in a certain way (for example, we will ask for your consent to use your personal information to send you promotional or fundraising material by email).

(b) Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).

(c) Where it is in your/someone else’s vital interests (for example, if during the course of communication with you, we became aware that there was a medical emergency)

(d) Where there is a “legitimate interest” in us doing so (see below)

EU Data Protection Law allows us to collect and use your personal information if it is reasonably necessary to achieve our or others’ ‘legitimate interests’, i.e. where there is a benefit or need for us or others to do something with your information. We can only use your information for our or others’ legitimate interests when our use is fair, balanced and does not unduly impact your rights.

When we rely on this ground for collecting/using your personal information, our legitimate interest is to work towards achieving the aims and ideals of SumOfUs as a non-profit movement fighting for people over profits, primarily by means of running a digital petition based platform.

When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you, and your rights under data protection laws. We’re committed to protecting your privacy.

8. What are my rights with regard to information you use about me and how do I exercise them?

Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for campaigns or fundraising purposes or to unsubscribe from our email list at any time (see the ‘How can I stop getting emails and other communications from you?’ section below).

You also have the following rights:

To exercise any of these rights, please contact us via the details contained in the ‘How do I contact you’ section below .

Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us. We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.

You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. You can find out the identity of the authority in your country and its contact details here.

9. How can I stop getting emails and other communications from you?

We are sorry if you no longer wish to receive communications from us – if you would like to discuss this you can contact us at info@sumofus.org or by using any of the details set out in the ‘How do I contact you’ section below. If you wish to opt-out of communications from us about our campaigns, fundraising and activities where you have previously provided us with your consent then you can do so at any time via the following methods:

10. Is my information secure?

We are committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information. For example, your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers with features enacted to prevent unauthorised access.

Because we are a US organisation, the personal information that we collect from you will be stored at a destination outside the European Economic Area (EEA). Please see the ‘Will you send my personal information abroad?’ section of this notice for further detail.

11. Will you share my information?

We do not share, sell or rent your personal information to third parties for marketing purposes. We may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice. Most importantly, when you sign a petition on our Website we may share your name, city and country, but none of your contact details, with the petition target when delivering the petition. Often, these will be organisations and individuals we contract to be our ‘processors’, who must act only on our instructions and to achieve the purposes set out in this policy and who will not use your personal information for their own purposes. For example, sometimes we contract with consultants to help us run our campaigns and a third party provider administers and provides our supporter database. We require our third party providers to comply with the highest standards of data privacy, including GDPR.

Non-exhaustively, those parties may include:

We may need to disclose your personal information upon request to regulatory and government bodies as well as law enforcement agencies. Please note that SumOfUs will challenge any attempt to gain access to the information you give us by government agencies or private organisations. In the unlikely event that we are required by law to disclose any of your information we will do our best to contact you first so that you may have the opportunity to object to the disclosure. We will also independently object to any requests for access to information about users of our Site that we believe to be improper.

We may also merge or partner with other organisations and, in so doing, acquire or transfer personal information but your personal information would continue to be used for the purposes set out above.

12. Will you send my personal information abroad?

As stated above, SoU is a US organisation with a network of staff and supporters across the world. We have some offices within the EU but these are not separate companies. As such, if you are in the EU and you take an action with us, your personal information is going to be transmitted from your device in the EU to our infrastructure in the US for the purpose of supporting our network and supporters around the world. Your personal information may be shared with, or accessed by, us, our employees and consultants globally, and other service providers in the United States. Some countries outside of the EEA (including the United States) have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. We work hard to implement safeguards and processes equivalent to the protections within the EU to protect your data, as set out in this privacy notice, and we require all of the people and companies who work with us to process personal information to comply with GDPR, including US companies. You may obtain further information concerning the transfer of your personal information by contacting us via the "How do I contact you? " section below.

13. How long will you keep my personal information?

In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records no more than six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.

Please note that, if you request to receive no further contact from us, we will keep some basic information about you on our do not contact list in order to comply with your request and avoid sending you unwanted materials in the future.

14. Do you collect personal information about children?

We do not knowingly collect children’s personal information, by which we refer to individuals of under sixteen years of age. It is a condition of supporting SumOfUs that you be sixteen years old or over and we ask that prospective supporters certify that they meet this requirement when giving us their personal information when signing a petition, making a donation or registering as a supporter. If we are notified that we inadvertently hold personal information about a child, we will remove that information.

15. General provisions

We link our website directly to other sites. This notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy notices of any external websites you visit via links on our website.

15.2 Changes to this privacy notice

We may update this notice from time to time so please check back periodically. We will notify you of significant changes, such as the implementation of the GDPR, by contacting you directly where reasonably possible for us to do so and by placing a notice on our website. This Notice was last updated on May 21st, 2018.

16. How do I contact you?

Our EU Representative’s details are set out at the start of this notice. You can also contact us via any of the following methods:

Email: privacy@sumofus.org

Phone: +31 70 2500292

Mail: Monnikenstraat 23 Suite #1049 1012 BP Amsterdam The Netherlands