PRIVACY POLICY

Last Updated: 05/26/2018

Buster's Vision Nonprofit respects your personal privacy. 

This privacy policy has been compiled to better serve those who are concerned with how their 'Personally Identifiable Information' (PII) is being used online.

PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

PII in the context of Global Data Privacy Regulations (GDPR) means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data (eg. IP address), an online identifier or to one or more factors specific to the physical (eg. Facial Recognition), physiological, genetic, mental, economic, cultural or social identity of that natural person

Please read our privacy policies carefully to get a clear understanding of how we collect, use, protect or otherwise handle Personal Data.

Our terms and Conditions can be found here Terms and Conditions
GENERAL DATA PROTECTION REGULATIONS (GDPR) SPECIFIC COMPLIENCE OVERVIEW:

We endeavor to use an “OPT IN” model as opposed to the previous “OPT OUT” model. This applies to Contact Forms, E-Commerce Registration and Checkout, Donation Forms, Comments,  and elsewhere on the website if applicable. GDPR describes (PII) somewhat more broadly, for instance things like your IP Address is considered PII.

The core software for this site is  GDPR compliant (as of Wordpress 4.9.6).   We are able to produce for review, delete, or trasfer your personal information upon request. That includes the personal data from the core, and all plugins that have "hooked in to the deletion functionallity, plus  all data from plugins that have not "hooked" into the core yet. A uniform method is available for all data deletion. Please send requests to "exercise right to be forgotten", "review data we have on you", or "Transfer your data" by email to  Data Deletion Request .

We keep a list of where all PII resides, both online and offline.

We do not send Personally Identifiable Information to third parties (See Section for GOOGLE) for more details.  Our security software is GDPR Compliant.  GOOGLE, Social Media and other third party software we use is GDPR Complaint.

WHAT PERSONAL INFORMATION DO WE COLLECT FROM THE PEOPLE THAT VISIT OUR BLOG OR WEBSITE?

When ordering, donating,  registering, or shopping on our site,  you may be asked to enter your name, email address or other details to help you with your experience. Note: you are first required to "OPT IN".

WHEN DO WE COLLECT INFORMATION?

We collect information from you when you  fill out a form, Give a Donation, Leave a Comment, Register for E-Commerce, or at E-Commerce Checkout time, after you first "OPT IN".

HOW DO WE USE YOUR INFORMATION? 

  • To personalize your experience.
  • To improve our website in order to better serve you.

HOW DO WE PROTECT YOUR INFORMATION?

Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.

  1. We use daily Malware Scanning at the server level (website domain host).
  2. We use .htaccess to prevent unauthoized changes  on our server.
  3. We do continuios Malware Scanning on the local Website itself.
  4. We scan daily for Plug in infection, and core software unauthorized changes.
  5. We block all known malicious IP addresses.
  6. We use a Firewall to prevent various attacks such as "Brute Force" , "Man in the Middle", or "Data Base Injection". 
  7. We continually scan (Real-Time) for viruses. 
  8. Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all information you supply is encrypted via Secure Socket Layer (SSL) technology.
  9. We always block INVALID site logins. 
  10. We implement a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your personal information.
  11. Our internal Security Company, Wordfence Inc., is GDPR compliant as of Wordfence 7.1.5 . To anyone interest, Wordfence's Data Privacy Agreement is here: https://www.wordfence.com/gdpr/dpa.pdf

All transactions are processed through a gateway provider and are not stored or processed on our servers. All donations and purchases from the Shop  are processed on PayPal. Please refer to PayPal's Privacy Policy.

Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: Gravatar Privacy Policy . After approval of your comment, your profile picture is visible to the public in the context of your comment.

Media

If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

DO WE USE 'COOKIES'?

We do not use cookies for tracking purposes.

Please see section labeled "GOOGLE".

You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since every browser is a little different, look at your browser's Help Menu to learn the correct way to modify your cookies.

THIRD-PARTY DISCLOSURE

We do not sell or trade your PII to outside parties.

THIRD-PARTY LINKS:

We do not include or offer third-party products or services on our website. We do link to PayPal Payment processor. They are GDPR Compliant. We also link to Amazon Smile for Nonprofits (part of Amazon) that is also GDPR compliant.

RETAINING AND STORING VOLUNTEER (VOLUNTEER EMPLOYEES) INFORMATION:

The Photos, and the Biography text is provided by the volunteers themselves. Since it is freely provided, we consider that consent to keep that information. We store no additional information on them. At any time, if a volunteer wishes to withdraw (have the information deleted), they can do so by requesting in an email to Data Deletion Request .

Their information is protected from data breaches as described in section "How Do We Protect Your Information".

This is true for all volunteers, not only EU volunteers.

SOCIAL MEDIA:

We use Social Connect icons, which do not collect data. We do not use  Social Icons such as "Like" that may identify. No Social Icons on our site sends a Facebook Pixel for Facebook Advertising. Facebook itself is GDPR Compliant. We do not use 3rd party Social Media plugins.

GOOGLE:

We use Google Analytics on our website. We use this technology in order to understand in aggregate how people use our website and to improve its functionality. We never use Ad Targeting or Remarketing.

GDPR in Google TAG Manager:

Before any data arrives at Google Analytics, all Personal Identification/Identifiable Information (PII) is screened out (it is never sent to Google Analytics). We never intend to send any PII in the first place, this is just an additional safeguard we have in place in case something slips through (all PII will just say "REDACTED"). For Global Data Protection Regulation (GDPR), we also ensure all IP addresses are not personally identifiable (that is the last  digit is ZERO) before data is presented to Google Analytics. We set "advertising" to FALSE in Google TAG Manager prior to sending any data to Google Analytics. This is in addition to the Google Analytics Settings.

GDPR in Google Analytics:

We have the Google Analytics Data Retention time (the length of time User Data and Event Data is kept) set to 14 months. (This is the shortest Retention Period Google allows).

We use "Anonomize" IP address so the IP address isn't identifiable for EU visitors before the IP address is presented to Analytics. We do the same thing for all visitors for that matter.

We do not send any PII into Analytics Analytics. Instead any PII will say "REDACTED".

We do NOT use the Analytics "User ID" feature.

"Advertising" and "Remarketing" are OFF in Google Analytics, as a safety measure (although this is set to False in Google Tag Manager).

We mask/screen search terms that come into Analytics via Oganic Searches (Name, Address, Password, Zip, Tel). 

  •  Google Suite Data Processing Agreement   Google Data Processing Agreement
  • Google LLC Privacy Shield Certificate for US-EU Privacy Shield Framework, and Swiss-US Privacy Shield Framework Google Privacy Sheild Certification
  • Google intends to provide a tool to withdraw from Analytics. However, at present it isn't implimented. The other option for end users that exists now is Browser Controls, or an Analytics Opt Out browser Add On. See below.

OPTING OUT (EVEN THOUGH WE DON'T USE THE "ADVERISING OR "REMARKETING" FEATURES IN GOOGLE):
USERS CAN SET PREFERENCES FOR HOW GOOGLE ADVERTISES TO YOU USING THE GOOGLE AD SETTINGS PAGE. ALTERNATIVELY, YOU CAN OPT OUT BY VISITING THE NETWORK ADVERTISING INITIATIVE OPT OUT PAGE OR BY USING THE GOOGLE ANALYTICS OPT OUT BROWSER ADD ON.

Google Analytics Opt Out Browser Add On Analytics Opt Out Browser Add On

CALIFORNIA ONLINE PRIVACY PROTECTION ACT:

CALOPPA is the first state law in the nation to require commercial websites and online services to post a privacy policy. The law's reach stretches well beyond California to require any person or company in the United States (and conceivably the world) that operates websites collecting Personally Identifiable Information from California consumers to post a conspicuous privacy policy on its website stating exactly the information being collected and those individuals or companies with whom it is being shared. - See more at: http://consumercal.org/california-online-privacy-protection-act-caloppa/#sthash.0FdRbT51.dpuf

ACCORDING TO CALOPPA, WE AGREE TO THE FOLLOWING:

Users can visit our site anonymously.

Once this privacy policy is created, we will add a link to it on our home page or as a minimum, on the first significant page after entering our website.

Our Privacy Policy link includes the word 'Privacy' and can easily be found on the page specified above.

You will be notified of any Privacy Policy changes:

  • On our Privacy Policy Page

Can change your personal information:

HOW DOES OUR SITE HANDLE DO NOT TRACK SIGNALS?

We honor Do Not Track signals and Do Not Track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.

DOES OUR SITE ALLOW THIRD-PARTY BEHAVIORAL TRACKING?

It's also important to note that we allow third-party behavioral tracking for the purposes of improving the visitor experience, but never for ad targeting or remarketing. See section "GOOGLE" for additional information.

COPPA (CHILDREN ONLINE PRIVACY PROTECTION ACT):

When it comes to the collection of personal information from children under the age of 13 years old, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.

We do not market to anyone, specifically not to children under the age of 13 years old.

FAIR INFORMATION PRACTICES:

The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.

IN ORDER TO BE IN LINE WITH FAIR INFORMATION PRACTICES WE WILL TAKE THE FOLLOWING RESPONSIVE ACTION, SHOULD A DATA BREACH OCCUR:

We will notify the users via in-site notification

  • Within 7 business days

We also agree to the Individual Redress Principle that requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.