Last Updated: 05/26/2018
Buster's Vision Nonprofit respects your personal privacy.
PII, as described in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
PII in the context of Global Data Privacy Regulations (GDPR) means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data (e.g. IP address), an online identifier or to one or more factors specific to the physical (e.g. Facial Recognition), physiological, genetic, mental, economic, cultural or social identity of that natural person.
Please read our privacy policies carefully to get a clear understanding of how we collect, use, protect or otherwise handle Personal Data.
OUR TERMS AND CONDITIONS CAN BE FOUND HERE TERMS AND CONDITIONS
GENERAL DATA PROTECTION REGULATIONS (GDPR) SPECIFIC COMPLIANCE OVERVIEW:
We endeavor to use an “OPT IN” model as opposed to the previous “OPT OUT” model. This applies to Contact Forms, E-Commerce Registration and Checkout, Donation Forms, Comments, and elsewhere on the website if applicable. GDPR describes PII somewhat more broadly, for instance, things like your IP Address may be considered PII.
The core software for this site is GDPR compliant (as of WordPress 4.9.6). We are able to produce for review, delete, or transfer your personal information upon request. That includes the personal data from the core, and all plugins that have "hooked" into the deletion functionality, plus all data from plugins that have not "hooked" into the core yet. A uniform method is available for all data deletion. Please send requests to "exercise right to be forgotten", "review data we have on you", or "Transfer your data" by email to Data Deletion Request.
We keep a list of where all PII resides, both online and offline.
We do not send Personally Identifiable Information to third parties (see section "GOOGLE" for more details). Our security software is GDPR compliant. GOOGLE, Social Media and any third party software we use is GDPR compliant.
WHAT PERSONAL INFORMATION DO WE COLLECT FROM THE PEOPLE THAT VISIT OUR BLOG OR WEBSITE?
When ordering, donating, registering, or shopping on our site, you may be asked to enter your name, email address or other details to help you with your experience. Note: you are first required to "OPT IN".
WHEN DO WE COLLECT PERSONAL INFORMATION?
We collect personal information from you when you fill out a form, Give a Donation, Leave a Comment, Register for E-Commerce, or at E-Commerce Checkout time, after you first "OPT IN".
HOW DO WE USE YOUR PERSONAL INFORMATION?
- To personalize your experience.
- To improve our website in order to better serve you.
HOW DO WE PROTECT YOUR INFORMATION?
Our website is scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to our site as safe as possible.
- We use daily Malware Scanning at the server level (website domain host).
- We use .htaccess to prevent unauthorized changes on our server.
- We do continuous Malware Scanning on the local Website itself.
- We scan daily for plugin infection and unauthorized changes to the core software.
- We block all known malicious IP addresses.
- We use a Firewall to prevent various attacks such as "Brute Force", "Man in the Middle", "Data Base Injection", and more.
- We continually scan (Real-Time) for viruses.
- Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all information you supply is encrypted via Secure Socket Layer (SSL) technology.
- We always block INVALID site login attempts.
- We implement a variety of security measures when a user places an order, or enters or submits their information, to maintain the safety of your personal information.
- Our internal Security Company, Wordfence (Defiant Inc.), is GDPR compliant as of Wordfence 7.1.5. Wordfence's Data Privacy Agreement is here: Wordfence DPA
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website if EXIF GPS data is included in the image.
Only First Party cookies for tracking purposes are used. Please see section labeled GOOGLE. We use Google Analytics on our website. We use this technology in order to understand in aggregate how people use our website and to improve its functionality. We never use Ad Targeting or Remarketing.
There is no reason for third party cookies since we don't use Ad Targeting or Remarketing. See https://cookiepedia.co.uk/all-about-cookies to learn about cookies. Also see the latest Cookie Law: https://www.cookielaw.org/the-cookie-law/
You can choose to have your computer alert you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since every browser is a little different, look at your browser's Help Menu to learn the correct way to modify your cookies. Note, this action may diminish website functionality.
We do not sell or trade your PII to outside parties.
We do not include or offer third-party products or services on our website. We do link to PayPal Payment processor. They are GDPR compliant. We also link to Amazon Smile for Nonprofits (part of Amazon) that is also GDPR compliant.
RETAINING AND STORING VOLUNTEER (VOLUNTEER EMPLOYEES) INFORMATION:
The photos and the biography text are provided by the volunteers themselves. Since this information is freely provided, we consider that as consent to keep it. We store no additional information on volunteers. At any time, if a volunteer wishes to withdraw (have the information deleted), they can do so by requesting it in an email to Data Deletion Request.
Their information is protected from data breaches as described in section "How Do We Protect Your Information".
This is true for all volunteers, not only EU volunteers.
We use Social Connect icons, which do not collect data. We do not use Social Icons such as "Like" that may identify. No Social Icon on our site sends a Facebook Pixel for Facebook Advertising. Facebook itself is GDPR compliant. We do not use 3rd party Social Media plugins.
We use Google Analytics on our website. We use this technology in order to understand in aggregate how people use our website and to improve its functionality. We never use Ad Targeting or Remarketing.
GDPR in Google TAG Manager:
Before any data arrives at Google Analytics, all Personal Identification/Identifiable Information (PII) is screened out (it is never sent to Google Analytics). We never intend to send any PII in the first place; this is just an additional safeguard we have in place in case something slips through (all PII will just say "REDACTED"). For Global Data Protection Regulation (GDPR), we also ensure all IP addresses are not personally identifiable (that is, the last digit is ZERO) before data is presented to Google Analytics. We set "advertising" to FALSE in Google TAG Manager prior to sending any data to Google Analytics. This is in addition to the Google Analytics Settings themselves.
GDPR in Google Analytics:
We have the Google Analytics Data Retention time (the length of time User Data and Event Data is kept) set to 14 months. (This is the shortest Retention Period Google allows).
We use "Anonymize" IP address so the IP address isn't identifiable for any visitors before the IP address is presented to Analytics, and as a safety measure, we set it in Google Analytics itself too.
We do not send any PII into Analytics. Instead any PII will say "REDACTED".
We do NOT use the Analytics "User ID" feature.
"Advertising" and "Remarketing" settings are OFF in Google Analytics, as a safety measure (although this is set to False in Google Tag Manager).
We mask/screen search terms that come into Analytics via Organic Searches (Name, Address, Password, Zip, Tel).
- Google Suite Data Processing Agreement Google Data Processing Agreement
- Google LLC Privacy Shield Certificate for US-EU Privacy Shield Framework, and Swiss-US Privacy Shield Framework Google Privacy Shield Certification
- Google intends to provide a tool to withdraw from Analytics. However, at present it isn't implemented. The other option for end users that exists now is Browser Controls, or an Analytics Opt Out browser Add On. See below.
OPTING OUT (EVEN THOUGH WE DON'T USE THE "ADVERTISING" OR "REMARKETING" FEATURES IN GOOGLE):
USERS CAN SET PREFERENCES FOR HOW GOOGLE ADVERTISES TO YOU USING THE GOOGLE AD SETTINGS PAGE. ALTERNATIVELY, YOU CAN OPT OUT BY VISITING THE NETWORK ADVERTISING INITIATIVE OPT OUT PAGE OR BY USING THE GOOGLE ANALYTICS OPT OUT BROWSER ADD ON.
Google Analytics Opt Out Browser Add On Analytics Opt Out Browser Add On
CALIFORNIA ONLINE PRIVACY PROTECTION ACT:
ACCORDING TO CALOPPA, WE AGREE TO THE FOLLOWING:
Users can visit our site anonymously.
You can change your personal information:
- By emailing us at Data Deletion Request
HOW DOES OUR SITE HANDLE DO NOT TRACK SIGNALS?
We honor Do Not Track Signals and will Not Track, plant cookies, or use advertising when a Do Not Track (DNT) browser mechanism is in place.
DOES OUR SITE ALLOW THIRD-PARTY BEHAVIORAL TRACKING?
It's also important to note that we allow third-party behavioral tracking for the purposes of improving the visitor experience, but never for ad targeting or remarketing. See section "GOOGLE" for additional information.
COPPA (CHILDREN ONLINE PRIVACY PROTECTION ACT):
When it comes to the collection of personal information from children under the age of 13 years old, the Children's Online Privacy Protection Act (COPPA) puts parents in control. The Federal Trade Commission, the United States' consumer protection agency, enforces the COPPA Rule, which spells out what operators of websites and online services must do to protect children's privacy and safety online.
We do not market to anyone, specifically children under the age of 13 years old.
FAIR INFORMATION PRACTICES:
The Fair Information Practices Principles form the backbone of privacy law in the United States and the concepts they include have played a significant role in the development of data protection laws around the globe. Understanding the Fair Information Practice Principles and how they should be implemented is critical to comply with the various privacy laws that protect personal information.
IN ORDER TO BE IN LINE WITH FAIR INFORMATION PRACTICES WE WILL TAKE THE FOLLOWING RESPONSIVE ACTION, SHOULD A DATA BREACH OCCUR:
We will notify the users via in-site notification
- Within 7 business days
We also agree to the Individual Redress Principle that requires that individuals have the right to legally pursue enforceable rights against data collectors and processors who fail to adhere to the law. This principle requires not only that individuals have enforceable rights against data users, but also that individuals have recourse to courts or government agencies to investigate and/or prosecute non-compliance by data processors.