At SumOfUs we take your privacy rights very seriously. This privacy notice sets out our data collection and processing practices, and your options and rights regarding the ways in which your personal information is handled. Together, our community of millions act as a global consumer watchdog – running and winning campaigns to hold the biggest companies in the world accountable. To campaign effectively where and when needed most, SumOfUs maintains a database of member contact details and actions. We store that data securely, and never sell or rent that data to anyone else. Please read below for details. This notice is split into the following parts (and if you click on a heading you are interested in, you will be taken straight to that section):
- 1. Who We Are
- 2. What is this notice about?
- 3. Do you collect personal information about me?
- 4. Where do you get information about me from?
- 5. What information do you collect, store and otherwise use about me?
- 6. How and why will you use my information?
- 7. What is the legal basis for you collecting and using my personal information?
- 8. What are my rights with regard to information you use about me and how do I exercise them?
- 9. How can I stop getting emails and other communications from you?
- 10. Is my information secure?
- 11. Will you share my information?
- 12. Will you send my personal information abroad?
- 13. How long will you keep my personal information?
- 14. Do you collect personal information about children?
- 15. General provisions
- 16. How do I contact you?
1. Who We Are:
We are SumOfUs, a community from around the world committed to curbing the growing power of corporations. SumOfUs is registered as a 501(c)(4) social welfare non-profit organisation incorporated in the United States of America. Under EU data protection law (the GDPR), we are what is known as a ‘controller’ which means that we collect information about you when you engage with us and we determine how that information is used. We have members and supporters, like you, around the world. In fact there are over 3.4 million SumOfUs members who take action together to fight corporate power. Because we are a US organisation, EU data protection law requires us to appoint a ‘representative’ in a country in the EU, as a point of contact for EU-based data privacy questions and queries. Our local representative is Eoin Dubsky who is based in The Netherlands and you can contact them via the following methods:
Phone: +31 70 2500292
Mail: Monnikenstraat 23 Suite #1049 1012 BP Amsterdam The Netherlands
It is important that you know what organisations are doing with information about you and why, and we seek to set this out as clearly as possible here (known as a ‘privacy notice’ in legal language). If you have any questions not answered by this privacy notice or have any concerns, then please do get in touch using the ‘How do I contact you?’ section of this notice.
2. What is this notice about?
This privacy notice explains how SumOfUs uses information that we collect about people when they engage with us or when we want to engage with them. We are committed to protecting your privacy online. The SumOfUs staff are members, too, and we treat your privacy as we do our own. At all times we aim to respect any personal information you share with us and keep it safe.
We may modify this policy from time to time so we encourage you to check this page intermittently and when revisiting our website (the latest changes will be set out within the ‘Changes to this privacy notice’ section).
3. Do you collect personal information about me?
Yes, we do – and we comply with the law when we do so. We use the information in ways that you have agreed to or are lawful - to populate petitions with signatories’ details, provide you with relevant communications from us, fundraise and to check that our campaigns and activities are effective. You can see a fuller list of the ways in which we collect your personal information and why we do so in the ‘Where do you get information about me from?’ and ‘How and why will you use my information?’ sections of this notice.
4. Where do you get information about me from?
When people engage with us we refer to that as an ‘action’. So, for example, if someone signs a petition on our website, makes a donation to us or writes a letter, they would be taking an ‘action’ with us. When you take an action with us, we may ask you to give us some information about you or we might obtain some information about you based on the action that you took, see more details below.
We collect personal information when you give it to us directly, such as when you take the following actions:
- When you sign a petition on our website (currently located at sumofus.org and actions.sumofus.org – the “Website”);
- When you register to become a supporter on our Website;
- When you make a donation to us;
- When you contact us via phone, email or by messaging us on our social media channels or use a contact form on our Website;
- When you share our content and petitions (e.g. through email, social media or other similar means);
- When you sign a petition hosted by a third party and opt-in to share your details with us;
- When you write and send an email or a tweet, or make a phone call, to a campaign target through our system;
- When you fill out a survey we send to you about your experience with us or to find out what you think about social issues
We might also collect personal information about you indirectly, such as when:
- You follow and/or interact with our social media channels;
- You click on a SumOfUs link (for example, if one of your friends has shared a SumOfUs petition on social media or via email and you click on your friend’s post)
- Third parties share information with us – for example, organisations we work with, search information and payment providers
- The information is available publicly - your personal information may be available to us from external publicly available sources. For example, depending on your privacy settings for social media services, we may access information from those accounts or services (for example when you choose to interact with us through platforms such as Facebook, LinkedIn or Twitter).
- You visit our Website. We automatically collect the following types of your personal information when you visit the Website:
  - Technical information, including the internet protocol (IP) address used to connect your device to the internet, browser type and version, time zone setting and operating systems and platforms.
  - Information about your visit to the websites, including the uniform resource locator (URL) clickstream to, through and from the website (including date and time), services you viewed or searched for, page response times, download errors, length of visits to certain pages, referral sources, page interaction information (such as scrolling and clicks) and methods used to browse away from the page.
- We also collect and use your personal information by using cookies on our Website – please see our Cookie notice
In general, we may combine your personal information from these different sources for the purposes set out in this Policy.
5. What information do you collect, store and otherwise use about me?
We might collect, store and otherwise use the following kinds of personal information about you:
- Your name and contact information, including your physical address, email address and telephone number (when you provide such information to us)
- The petitions you have signed, including any comments submitted in support of such petitions
- Any volunteered specific information you have provided when signing a petition – for example, sometimes we will ask if you are a customer or employee of a business that a petition is targeting
- Any volunteered information when you fill out a survey we send you, which might ask for your experiences with us or your views on certain social and political issues
- Your financial information when you provide it; please see section 6(f) for how banking information is processed
- The actions you have taken with us, such as attending events, sending emails in support of a petition or cause and/or making a donation to us;
- The amount and frequency of any donations made to us;
- Information you have volunteered when you contact us via phone, email, by messaging us on our social media channels or using the contact form on our website
- The fact that you are linked to another supporter – for example, if a supporter signs a petition based on a petition you have shared
- The types of issues we think you are interested in based on the actions you have taken and the issues you have engaged with whilst engaging with us – for example, we might flag that you are interested in climate change or tax
- The language you receive content in
- Your content subscription preferences
- Web browser and browsing data: browser type, device type, IP address, referral source, the fact that you are visiting our Website or clicking on our content, length of website visit, number of page views
- Social media profile information where it is available to us
- Any other type of information shared with / obtained by us as listed in the ‘where do you get information about me from’ section of this notice.
Special categories of personal information
Under EU Data Protection law (the GDPR), the law recognises some types of personal information as being sensitive and requiring additional protection. These are known as ‘special categories’ of personal information and include information about health, ethnicity, and political opinions.
We do not seek to collect, store or otherwise process your sensitive personal information (i.e. about race or ethnicity, political opinions, religious or philosophical beliefs, etc.). When we do, it will only be in circumstances where there is a valid reason to collect/use that information and we are allowed to do so under the law. The most likely example of a situation where we might collect special category information about you is if you sign a petition that expresses a political opinion or if you volunteer such information when communicating with us.
Sometimes, our supporters will email us or otherwise get in touch with us and provide special categories of personal information, even when we haven’t asked them to. For example, a supporter might send us an email explaining why they are no longer able to make a donation which contains sensitive information about their personal circumstances. We urge supporters not to volunteer sensitive private information to us in this way.
If and when we receive this type of information, we aim to delete it from our systems (though note that it may be retained, or certain data about the message retained, in server logs and in the messaging/mail service provider’s own systems (such as Google Mail) in accordance with their own procedures).
6. How and why will you use my information?
6.1 Overview of how we use your information
We will use your personal information for the purposes set out in this notice. In particular, we may use your personal information:
- To facilitate your support and signing of a petition or survey and put the petition/survey to the relevant recipient
- To verify that you appear to be a valid petition signatory
- To provide you with services or information you have requested, such as facilitating your support of a petition on our Website;
- To provide you with content, where possible, in the language that you wish to receive content in;
- To enable, solicit and administer your participation in our programs, events, fundraising drives and activities
- To find out whether you might be willing to assist with our work, campaigns and activities, such as if you are a shareholder of a company that we are considering targeting using shareholder activism techniques or if your role or network might assist our work, campaigns and fundraising;
- To process a donation you make to us or refund a donation you make to us;
- To process your request to register as a supporter of SumOfUs;
- To provide you with communications about our work, campaigns, services, activities, and fundraising drives (where you have provided your consent to receive such information) that we think will be of interest to you;
- To analyse, measure and report on the effectiveness of our work, campaigns, services, fundraising and information, including our Website and social media channels;
- To operate our Website, keep the Website safe and secure and ensure that content is presented in the most effective manner for you and your device
- To audit and administer our systems and databases;
- To satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
- For the prevention of fraud or misuse of our services; and/or
- For the establishment, defence and/or enforcement of legal claims.
6.2 Further detail on some of our practices
Below we have set out further detail on some of the ways in which we might use your personal information. Privacy is important, and as a movement we have worked on campaigns in support of data privacy. We strongly believe that individuals should know what companies are doing with information about them. We know that people are often concerned about use of their data behind the scenes, often using technology that doesn’t seem transparent or easy to understand. As such, we have set out below some further detail on some of the things we do that might not be expected or easily understood.
(a) Donor programme
So as to build our fundraising to expand the SumOfUs movement, achieve our aims and ideals, and make sure that we are recognising your support appropriately, we may flag some of our donors who have donated above a specified threshold on our database as being key donors. Those key donors may receive special communications from us via electronic messaging or telephone (provided we can lawfully contact them, for instance where they have provided consent to receiving campaign and fundraising communications from us), to thank them personally for their support, and to explore how to strengthen the relationship between the individual and SumOfUs.
(b) Understanding our supporters
SumOfUs uses personal information about its supporters and those who engage with us to create a record of your interests and preferences so that we can communicate with you in a relevant way, make our work more effective and to help our fundraising. Sometimes this might involve making an assumption about you based on information we have collected in order to send you the most relevant information – for example, if you have signed some emails urging companies to reduce their use of plastic and some emails about protecting the bees, then we might mark you down in our database as someone who is particularly interested in environmental issues.
Digital marketing and advertising
We engage in some limited digital marketing and advertising practices to expand the reach of the SumOfUs movement and to help us to realise our aims and ideals. Most of our advertising does not rely on us providing your personal information to a third party – for example, we sometimes place adverts in search results through Google advertising or we might place banner adverts on relevant third party websites. In some cases, those third-party vendors may decide which adverts to show you based on your prior visits to our Website based on information they’ve independently collected. At no time will you be personally identified to those third-party vendors, nor will any of the personal information you share with us be shared with those third-party vendors. This relies on us using third party cookies when you use our Website, which you can disable by using your browser settings.
We also use social media advertising, including Facebook and Twitter. Sometimes we might use and disclose some of your personal information to use Facebook’s ‘Custom Audience’ tool, which enables us to communicate with and display adverts to both existing and prospective members. We do this in a secure and encrypted way and do not engage in any of the practices known as “microtargeting”.
Please see the Custom Audiences Terms of Service.
(c) Communications about campaigns
We may use your contact details to provide you with information about our work, campaigns, activities, events, services and fundraising drives which we consider may be of interest to you (for example, updates about fundraising drives or petitions you have signed, or requests to sign and information about new petitions).
Where we do this via email, social media direct messaging if your profile is private, SMS (text) or similar telephone instant messaging service or by telephone (if you are registered with the Telephone Preference Service), we will not do so without your prior consent. We ask for your consent when we first make contact with you. Where you have provided us with your consent previously but do not wish to be contacted by us about our campaigns and activities in the future, then you can opt-out at any time. Please see the ‘How can I stop getting emails and other communications from you?’ section of this notice.
(d) Processing donations and credit card information
When you use our secure online donation function you will be directed to a specialist payment services provider who will receive your financial information to process the transaction. We will provide your personal information to the payment services provider only to the extent necessary for the purpose of processing your donation. When you contribute to SumOfUs online, we collect credit card information from you. That information is used solely for processing your contribution; it is not maintained by SumOfUs; and is never disclosed to anyone, for any purpose other than for processing your contribution. When contributing through an express donation, your card details are stored by our payment provider, Braintree Payments (owned by PayPal), which has in place strong security safeguards and handles billions of dollars in payments every year.
(e) Cookies and Data Tracking
The information generated by a cookie about your use of our Website (including your IP address) is transmitted to and stored by Google on servers in the United States. Google may also transfer this information to third parties where Google is legally required, or where such third parties process the information on Google’s behalf. Google can combine your IP address with any other data held by Google. By using this Website, you consent to the processing of data by Google in the manner and for the purposes set out above.
URLs contained in emails may contain an ID that enables us to correctly identify the person who takes an action using a web page. We use these URLs to simplify the process of signing petitions and filling out surveys. We may occasionally present a shortened URL that references a longer URL which you can see in the browser’s address bar when you access the page.
7. What is the legal basis for you collecting and using my personal information?
EU Data Protection law sets out a number of ‘bases’ or grounds which controllers (in this case SumOfUs) can rely on to lawfully collect and use personal information. The grounds that we rely on to use your personal information are as follows:
(a) Where you have provided your consent for us to use your personal information in a certain way (for example, we will ask for your consent to use your personal information to send you promotional or fundraising material by email).
(b) Where necessary so that we can comply with a legal obligation to which we are subject (for example, where we are obliged to share your personal information with regulatory bodies which govern our work and services).
(c) Where it is in your/someone else’s vital interests (for example, if during the course of communication with you, we became aware that there was a medical emergency)
(d) Where there is a “legitimate interest” in us doing so (see below)
EU Data Protection Law allows us to collect and use your personal information if it is reasonably necessary to achieve our or others’ ‘legitimate interests’, i.e. where there is a benefit or need for us or others to do something with your information. We can only use your information for our or others’ legitimate interests when our use is fair, balanced and does not unduly impact your rights.
When we rely on this ground for collecting/using your personal information, our legitimate interest is to work towards achieving the aims and ideals of SumOfUs as a non-profit movement fighting for people over profits, primarily by means of running a digital petition based platform.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you, and your rights under data protection laws. We’re committed to protecting your privacy.
8. What are my rights with regard to information you use about me and how do I exercise them?
Where we rely on your consent to use your personal information, you have the right to withdraw that consent at any time. This includes the right to ask us to stop using your personal information for campaigns or fundraising purposes or to unsubscribe from our email list at any time (see the ‘How can I stop getting emails and other communications from you?’ section below).
You also have the following rights:
- Right of access: you can write to us to ask for confirmation of what personal information we hold on you and to request a copy of that personal information. Provided we are satisfied that you are entitled to see the personal information requested and we have successfully confirmed your identity, we will provide you with your personal information subject to any exemptions that apply
- Right of erasure: at your request we will delete your personal information from our records as far as we are required to do so.
- Right of rectification: if you believe our records of your personal information are inaccurate, you have the right to ask for those records to be updated. You can also ask us to check the personal information we hold about you if you are unsure whether it is accurate / up to date.
- Right to restrict processing: you have the right to ask for processing of your personal information to be restricted in some circumstances such as if there is disagreement about its accuracy or legitimate usage – for example, you might tell us that you think we hold some information about you that is inaccurate. Whilst we take steps to check this and ensure it is accurate, you have the right to ask us not to use your personal information.
- Right to object: you have the right to object to processing where we are (i) processing your personal information on the basis of the legitimate interests ground, (ii) using your personal information for direct marketing or (iii) using your information for statistical purposes.
- Right to data portability: to the extent required by the GDPR, where we are processing your personal information (that you have provided to us) either (i) by relying on your consent or (ii) because such processing is necessary for the performance of a contract to which you are party or to take steps at your request prior to entering into a contract, and in either case we are processing using automated means (i.e. with no human involvement), you may ask us to provide the personal information to you – or another service provider – in a machine-readable format
- Right to define guidelines regarding the processing of your personal data after your death: You may provide us with instructions regarding the manner in which we may continue to store, erase and share your information after your death, and where applicable, the person you have designated to exercise these rights after your death.
To exercise any of these rights, please contact us via the details contained in the ‘How do I contact you’ section below.
Please note that some of these rights only apply in limited circumstances. For more information, we suggest that you contact us. We may ask you for additional information to confirm your identity and for security purposes, before disclosing personal information requested to you.
You are further entitled to make a complaint about us or the way we have processed your personal information to the data protection supervisory authority in your home country. You can find out the identity of the authority in your country and its contact details here.
9. How can I stop getting emails and other communications from you?
We are sorry if you no longer wish to receive communications from us – if you would like to discuss this you can contact us at firstname.lastname@example.org or by using any of the details set out in the ‘How do I contact you’ section below. If you wish to opt-out of communications from us about our campaigns, fundraising and activities where you have previously provided us with your consent then you can do so at any time via the following methods:
- Clicking the unsubscribe link at the bottom of any campaigning/fundraising email we have sent to you
- Going to this link which will unsubscribe you from our mailing list
10. Is my information secure?
We are committed to keeping your personal information safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information. For example, your personal information is only accessible by appropriately trained staff, volunteers and contractors, and stored on secure servers with features enacted to prevent unauthorised access.
Because we are a US organisation, the personal information that we collect from you will be stored at a destination outside the European Economic Area (EEA). Please see the ‘Will you send my personal information abroad?’ section of this notice for further detail.
11. Will you share my information?
We do not share, sell or rent your personal information to third parties for marketing purposes. We may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice. Most importantly, when you sign a petition on our Website we may share your name, city and country, but none of your contact details, with the petition target when delivering the petition. Often, these will be organisations and individuals we contract to be our ‘processors’, who must act only on our instructions and to achieve the purposes set out in this policy and who will not use your personal information for their own purposes. For example, sometimes we contract with consultants to help us run our campaigns and a third party provider administers and provides our supporter database. We require our third party providers to comply with the highest standards of data privacy, including GDPR.
Non-exhaustively, those parties may include:
- Partner organisations (where you have consented to your personal information being shared with that partner organisation);
- Individuals who we contract to assist SumOfUs operations, such as a consultant membership administrator or consultant copywriter, etc;
- Suppliers and sub-contractors for the performance of any contract we enter into with them, for example IT service providers such as website hosts, database providers, server hosts or cloud storage providers;
- Financial companies such as PayPal and GoCardless that collect or process donations on our behalf;
- Social media platforms
- We will publish your first name and initial of your surname only on our website when you take an action on our Website such as signing a petition
- When you sign a petition or complete a survey on our Website, we consider your name, city or county, state/province and comments as public information. For example, we may provide compilations of petitions, with your comments, to the public official, company or person to whom the petition is addressed, and/or to the press and/or public online to facilitate your expression of support for the cause/petition and to ensure that the petition’s signatories are verifiable. We will not, however, make your email address publicly available, unless you explicitly consent to us doing so in the use of one of our campaign tools. SumOfUs is not responsible for further use of your personal information by the recipient of a petition.
We may need to disclose your personal information upon request to regulatory and government bodies as well as law enforcement agencies. Please note that SumOfUs will challenge any attempt to gain access to the information you give us by government agencies or private organisations. In the unlikely event that we are required by law to disclose any of your information we will do our best to contact you first so that you may have the opportunity to object to the disclosure. We will also independently object to any requests for access to information about users of our Site that we believe to be improper.
We may also merge or partner with other organisations and, in so doing, acquire or transfer personal information but your personal information would continue to be used for the purposes set out above.
12. Will you send my personal information abroad?
As stated above, SoU is a US organisation with a network of staff and supporters across the world. We have some offices within the EU but these are not separate companies. As such, if you are in the EU and you take an action with us, your personal information is going to be transmitted from your device in the EU to our infrastructure in the US for the purpose of supporting our network and supporters around the world. Your personal information may be shared with, or accessed by, us, our employees and consultants globally, and other service providers in the United States. Some countries outside of the EEA (including the United States) have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. We work hard to implement safeguards and processes equivalent to the protections within the EU to protect your data, as set out in this privacy notice, and we require all of the people and companies who work with us to process personal information to comply with GDPR, including US companies. You may obtain further information concerning the transfer of your personal information by contacting us via the "How do I contact you?" section below.
13. How long will you keep my personal information?
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records no more than six years after the date it was collected. However, if before that date (i) your personal information is no longer required in connection with such purpose(s), (ii) we are no longer lawfully entitled to process it or (iii) you validly exercise your right of erasure, we will remove it from our records at the relevant time.
Please note that, if you request to receive no further contact from us, we will keep some basic information about you on our do not contact list in order to comply with your request and avoid sending you unwanted materials in the future.
14. Do you collect personal information about children?
We do not knowingly collect children’s personal information, by which we refer to individuals of under sixteen years of age. It is a condition of supporting SumOfUs that you be sixteen years old or over and we ask that prospective supporters certify that they meet this requirement when giving us their personal information when signing a petition, making a donation or registering as a supporter. If we are notified that we inadvertently hold personal information about a child, we will remove that information.
15. General provisions
15.1 Links and third parties
We link our website directly to other sites. This notice does not cover external websites and we are not responsible for the privacy practices or content of those sites. We encourage you to read the privacy notices of any external websites you visit via links on our website.
15.2 Changes to this privacy notice
We may update this notice from time to time so please check back periodically. We will notify you of significant changes, such as the implementation of the GDPR, by contacting you directly where reasonably possible for us to do so and by placing a notice on our website. This Notice was last updated on May 21st, 2018.
16. How do I contact you?
Our EU Representative’s details are set out at the start of this notice. You can also contact us via any of the following methods:
Phone: +31 70 2500292
Mail: Monnikenstraat 23 Suite #1049 1012 BP Amsterdam The Netherlands