Effective as of: May 25, 2019
Privacy Policy
The Amber Education Enterprises (“Company”) has created this Privacy Policy in order to explain Company’s approach to privacy on Company’s website, ambereducationenterprises.org, as well as other websites owned and controlled by Company. Company’s Privacy Policy describes only Company’s practices for gathering, using, and disclosing personally identifiable information collected by Company solely at Company’s website. Company’s website may contain links to other websites that are not operated by Company. Company is not in any way responsible for the privacy practices, collection, use, or disclosure of personally identifiable information by such other websites, nor is Company responsible in any way for the content of such other websites.
For purposes of this Privacy Policy, the term “Company” includes all Company offices worldwide, all Company affiliates, all Company employees and contractors subject to Company control, and all partner entities owned or controlled by Company.
Company encourages its users to be aware when they leave Company’s website and to read the privacy statements of each and every website that collects any personally identifiable information.
The Collection, Use, and Disclosure of Personally Identifiable Information
As used in Company’s Privacy Policy, the phrase “personally identifiable information” is personal information that identifies a specific natural person and means: (a) a first and last name; (b) an address, including a street name, city or town, and zip code (but excluding a post office box); (c) an e-mail address; (d) a telephone number; (e) a Social Security number; (f) self-identified health information, and/or (g) an account number or credit card number (including but not limited to, banking account and routing numbers). In Company’s Privacy Policy, the phrase “personally identifiable information” is abbreviated as “PII”.
The definition of PII will differ depending upon applicable law. In Europe, it will include all information that directly or indirectly relates to a user, and includes “personal data” as defined by the General Data Protection Regulation (GDPR). Where GDPR or other EU privacy laws apply to a user, this Privacy Policy details how a user can exercise user’s rights.
Company is the owner of all PII that is collected by Company on Company’s website. Company may collect PII from users, customers, and in responses to online surveys and group discussions at several different points on Company’s website.
Company will not sell or rent PII to other organizations in ways that are different from what is disclosed in this Privacy Policy or not permitted under the GDPR.
Company may use PII to contact the user about Company, the goods and services available on Company’s website, and to provide information about other topics and discussion groups.
Company may disclose PII to third parties as required or permitted by law.
Company may share aggregate demographic information that does not contain PII.
“Legitimate Interest” under the GDPR
Company will generally only collect European Union (EU) and European Economic Area (EEA) (comprised of EU member states, and Iceland, Liechtenstein, and Norway) based user’s PII when it is necessary for Company’s “legitimate interests,” including but not limited to, performing Company’s legitimate legal, employment, and business interests. Company may also use user’s PII for the legitimate interest of providing goods and services, needs, and processing donations. The table below provides some examples of how Company uses user PII, and the legal basis for such use of user PII.
How Company Uses PII | The Types of PII | Legal Basis | Legitimate Interest |
To contact users with information about the activities of Company | Identity Data; Contact information | Legitimate Interest | Company may use user’s contact information to send user information about Company activities that that he/she has requested |
For electronic marketing communication | Identity Data; Contact Information; Marketing/Communication Data | Consent; Legitimate Interest | When users engage with Company, the law permits Company to send user relevant email marketing |
For physical communication (e.g., post, telephone calls, etc.) and non-marketing electronic communication | Identity Data; Contact Information; Marketing/Communication Data | Legitimate Interest | To keep users informed of Company’s work; To send users work information and resources that Company believes would interest user |
For contact management | Identity Data; Financial Data; Contact Information; Requests and Preferences; Demographics | Legitimate Interest | To manage participation in Company’s work and contact management |
To improve user’s experience and allow log-in access to Company affiliated websites and online portals | Identity data; Contact Information; Security Credentials | Contract; Legitimate Interest | To ensure that Users’ accounts on Company’s websites and online portals are kept safe and private |
For fund development | Identity Data; Financial Data; Financial Transaction Data; Contact Information; Information about user’s beliefs and circumstances; requests and preferences | Legitimate Interest | To provide opportunities for user to partner with Company through financial giving and communication |
To process donations | Identity data; Financial Data; Financial Transaction Data; Contact Information; Tax Status | Contract; Legitimate Interest | To securely receive user’s donation toward Company’s charitable aims |
For statutory reporting | Identity Data; Contact Information; Tax Status | Legal Obligations; Legitimate Interest | Company may have obligations to report government authorities |
To deliver goods and services | Financial Data; Financial Transaction Data; Contact Information | Contract | To provide user with goods or services that the user has purchased |
To enable user to partake in a prize draw, sweepstakes, competition, or complete a survey | Identity Data; Contact Information; Marketing/Communication Data | Contract | To collect contact information to provide user with any prize they have one; To gather survey data that the user has provided voluntarily |
To allow Company to improve its tools; To maintain an audit trail of access to data; Troubleshooting; Data analysis; System maintenance | Historical Transaction Data; System Data; Audit Logs; Location Data | Legitimate Interest | To manage and protect access to Company affiliated websites; To ensure that Company’s services operate effectively and to track who is accessing user’s data |
To respond to complaints and requests | Identify Data; Contact Information; Historical Transaction Data; Application Data | Legal Obligation; Legitimate Interest | To ensure that user’s concerns are addressed |
To apply for, or participate in volunteer opportunities with Company | Identity Data; Contact Information; Application Data; Self-identified Health Information | Contract | In the application process, user must provide certain personal information to assess user’s suitability to serve as a volunteer |
To apply for Employment with Company through a job application | Identity Data; Contact Information; Application Data; Information about user’s Personal Beliefs; Requests and Preferences; Security Credentials, Demographics; Employment Information; Self-identified Health Information | Contract; Legal Obligations | In the application process, users must provide certain personal information to facilitate employment |
Types of Data
To carry out the legitimate interests discussed above, Company may collect, store, process and transfer different kinds of personal data about users, which Company has grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from user and other details of products and services user have purchased from Company.
- Technical Data includes internet protocol (IP) address, user’s login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices users use to access Company’s network.
- Profile Data includesuser’s username and password, user’s interests, preferences, feedback and survey responses.
- Usage Data includes information about how user use Company’s website, and information technology products and services.
Special Categories of Data: Company may also collect, store, process and transfer the following types of data that GDPR defines as “special categories” of more sensitive personal information:
- Information about user’s race or ethnicity, religious beliefs, gender, and marital status.
- Information about user’s health, including any medical condition, health and sickness records.
- Information about criminal convictions and offenses only where the law allows Company to do so.
Government and Legal Requests
It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside a user’s country of residence − for Company to disclose PII. Company may share PII if Company has a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable terms of service, including investigations of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of Company, its users or the public as required or permitted by law.
User Contributions
Users may provide information to be published or displayed (hereinafter, “posted”) on public areas of Company’s website, or transmitted to other users of the website or third parties (collectively, “User Contributions”). User Contributions are posted on and transmitted to others at user’s own risk. Although Company limits access to certain pages, users must be aware that no security measures are perfect or impenetrable. Additionally, Company cannot control the actions of other users of Company’s website with whom a user chooses to share his/her User Contributions. Therefore, Company cannot and does not guarantee that User Contributions will not be viewed by unauthorized persons.
IP Addresses
Company’s website uses IP addresses to help Company analyze trends, administer Company’s website, track user movement, and gather broad demographic information for aggregate use. IP addresses do not contain PII.
Company’s website uses “cookies”. A “cookie” is a piece of data stored on a user’s hard drive that contains information about the user. A cookie does not contain and is not linked to PII while a user is on Company’s website. For instance, by setting a cookie on Company’s website, a user would not have to log in a password more than once, thereby saving time while on Company’s website. If a user rejects the cookie, the user may still use Company’s website, but would be limited in some areas of Company’s website. Cookies can also enable Company to track and target the interests of users to enhance their experience on Company’s website.
Various Registrations
In order to receive certain updates or use certain features on Company’s website, a user may have to complete a registration form. During registration, a user may be required to provide PII, such as the user’s name and/or an e-mail address. If requested, it is optional for a user to provide demographic information (such as income level and gender) and unique identifiers which enable Company to provide a more personalized experience on Company’s website.
Newsletters
A user may subscribe to Company’s newsletters or other publications on Company’s website. In that case, Company will request PII, such as the user’s name, mailing address, and/or an e-mail address. PII may be used to send such newsletters and may be used to contact the user about Company, the goods and services available on Company’s website, and to provide information about other topics and discussion groups.
Contact Information
Company’s website includes an online catalog for customers to order goods and services related to Company’s work, and contact forms for customers to request information and services. In such instances, Company collects customer PII, such as a name, an e-mail address, a mailing address, an account number and/or credit card number.
Third Party Contractors
Company may contract with third parties to provide services to Company, including services relating to the internal operations of Company’s website, the storage and retrieval of information, including PII, and other services. PII, on-line survey information, discussion group information, and aggregate demographic information may be maintained on Company’s servers or on Company’s third party contractor’s servers. Company may use a third-party contractor to facilitate the serving of targeted content and may transmit data to the third party to facilitate this service. Except as may be required by law, Company is not responsible for the acts of any such third parties with regard to their handling and treatment of PII.
Use of Shipping Companies and Credit Card Processing Companies
Company may use shipping companies to ship orders and credit card processing companies to process and bill customers for goods and services related to Company’s work. Company may affiliate with other organizations to provide goods and services related to Company’s work. When a user or customer signs up for or orders goods or services, Company may share PII as necessary to provide such goods and services, and to provide information about Company, the goods and services available on Company’s website, and information about other topics and discussion groups. Except as may be required by law, Company is not responsible for the acts of any of the entities discussed in this section with regard to their handling and treatment of PII. With respect to entities based in the EEA, whenever Company transfers PII, Company may use standard contractual clauses approved by the European Commission that protect the confidentiality of such PII to provide similar data protection as is available in Europe.
Security
Company’s website has security measures in place to attempt to protect against the loss, misuse, and alteration of information, including PII, which is under Company’s control. However, because of the nature of the threats to the security of information, Company cannot guarantee that it can prevent security breaches that could compromise information, including PII, which is under Company’s control. The safety and security of PII also depends on the actions of the user. Where the user has been given (or where user has been chosen) a password for access to certain parts of Company’s website, the user is responsible for keeping this password confidential. Company urges users to be careful about giving information in public areas of the website, such as message boards. The information users share in public areas may be viewed by any user of the website.
Protection of Children
Company is committed to the protection of children. Company works to voluntarily comply with applicable provisions of the Children’s Online Privacy Protection Act of 1998 (COPPA) and its accompanying Federal Trade Commission regulations, which establish United States Federal law that protects the privacy of children using the Internet.
Company develops materials for children, including pre-teens. Company maintains web pages that are specially geared to the interests of younger children, and publish electronic newsletters in an effort to inform and develop their interest in all that the Company is doing around the world. There are many activities on the Company site that children can participate in and enjoy without having to share personally identifiable information.
For those activities that require PII, such as newsletters or other resources, in compliance with the Federal Trade Commission’s Children’s Online Privacy Protection Act, Company will require verifiable parental consent before collecting or using PII from children under the age of 13. With these activities, Company will notify the respective parent of Company’s Privacy Policy and obtain verifiable parental consent before collecting PII from the child, unless we collect only the child’s name and online contact information, which Company will keep no longer than reasonably necessary, to (1) obtain parental consent or provide parents with notice; (2) respond directly on a one-time basis to a child’s specific request; (3) respond more than once to a child’s specific request along with providing parental notice of such use; (4) protect the safety of a child; or (5) comply with legal requirements. When we provide parents with notice and/or seek consent, we also give parents the ability to let Company know if they do not want any further use made of the personally identifiable information we have collected from their child.
Parents can request to review or have deleted their child’s PII from Company’s records, and refuse to permit further use of a child’s PII by writing to Company at: ATTN: Privacy Policy, Amber Education Enterprises, 6564 Loisdale Court, Suite 600-D, Springfield, VA 22150. Upon proper identification, a parent or legal guardian may review the PII that Company has collected about their child, update their child’s contact details, request deletion, or refuse to allow further collection or use of the information.
The Company will not condition a child’s participation in an activity on that child disclosing more PII than is reasonably necessary to administer the activity.
The Company does not share PII from children under the age of 13 with any third party.
Anti-Spam Statement
Company opposes the use of unsolicited commercial email and mass posting to inappropriate newsgroups (spam) as a way to promote or advertise. Company attempts not to send email to persons who are not related to Company’s ministries or who have not otherwise requested contact from us, nor do we post advertisements to unrelated newsgroups. If user receives any unsolicited commercial email that appears to be from Company or an employee of Company, please notify Company immediately.
Company will reasonably investigate instances of unsolicited commercial email that appears to originate from Company. If we find persons or entities using Company’s name inappropriately, we will contact Company’s lawyers and take reasonable steps, which may include legal action, to stop the unauthorized use of Company’s name.
Company has measures in place to attempt to require double opt-in, which means if someone receives a forwarded email or is added to an email list by another person or entity, the receiver of the forwarded email must nonetheless still agree to a subscription for themselves before they become a subscriber to that list.
User’s Rights under the GDPR
Users have the right of access (Art.15 GDPR), rectification (Art.16 GDPR), erasure (Art.17 GDPR), restriction of processing (Art.18 GDPR) and the right to data portability (Art.20 GDPR). In addition, users have the right to object to processing that is based on Art.6 (1)(f) GDPR. Users also have the right to lodge a complaint with the data privacy supervisory authority.
If a user has given Company his/her consent to process personal data for specific purposes, this consent is the legal basis for processing user’s personal data. Consent can be revoked at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. The revocation can take place form-free and should be directed if possible to the contact information provided in this policy.
Correcting, Updating, and Removing Personally Identifiable Information
Company will use reasonable efforts to provide a way for Company’s website users and customers to request that Company correct, update, or remove that respective user’s or customer’s PII in or from Company’s database. If a user’s or a customer’s PII changes, or if a user or customer no longer desires Company’s goods or services, such user or customer may contact Company as directed in this Privacy Policy and request that Company correct, update, or remove that respective user’s or customer’s PII in or from Company’s database.
Under the GDPR, if a user is located in the EU or EEA, a user may request the following:
- Editing and updating personal information
- Accessing personal information
- Deletion of personal information
- Restriction of processing of personal information
- Objecting to certain types of data processing including automated decision making
- Portability of personal information
- Withdrawing consent – Company primarily relies on legitimate business interests to process users’ data. Users have the right to withdraw any consent they may have given Company at any time. Company will comply with users’ requests promptly. However, the withdrawal of consent will limit Company’s ability to provide users with Company’s products and service.
Choice/Opt-Out
Company’s website provides users and customers the opportunity to opt-out of receiving further mailings and e-mailings from Company at the point where Company requests information about the user, customer, survey participant, or discussion group participant.
Company’s website also provides users, customers, survey participants, and discussion group participants with the following options for removing their PII from Company’s database and for notifying Company that they do not want to receive future communications or services from Company’s website by contacting Company as directed in this Privacy Policy.
Contacting Company
Users or customers wishing to contact Company to update or removing their PII, to opt-out of newsletters or other mailings, to report a suspected breach of this Privacy Policy, exercise rights under the GDPR, or to inquire about any other of Company’s privacy practices, should contact Company in either of the following ways:
(a) The user or customer can contact Company on the website for GDPR matters, or (b) The user or customer can send Company a request by United States mail to the following postal address:
ATTN: Privacy Policy, Amber Education Enterprises, 6564 Loisdale Court, Suite 600-D, Springfield, VA 22150
Changes to Company’s Privacy Policy
Company may revise this Privacy Policy at any time without prior notice to users or customers and will post the revised Privacy Policy on the Company website under “Privacy Policy”.