If you are within or are a resident of the European Economic Area (the “EEA,” which includes the 27 European Union Member States, Iceland, Lichtenstein and Norway), Switzerland or the United Kingdom (“UK”) (collectively, the “EU”), NEFA is the responsible party with respect to Personal Data (defined below) collected through the Services. If you have any questions or concerns at any time, please do not hesitate to contact us at 145 Tremont Street, 7th Floor, Boston, MA 02111; or via e-mail at firstname.lastname@example.org.
This Policy covers how NEFA uses and treats information collected and received from you when you visit and interact with the Sites, use the Portal or otherwise utilize our Services. This Policy provides details on NEFA’s privacy practices in relation to the Services, including:
- What kinds of personal data are collected from you through your use of the Services and how this is done;
- Who collects your personal data depending on how you use the Services;
- How your personal data will be used;
- With whom your personal data may be shared or disseminated, under what circumstances this can occur, and what type of information is shared;
- The security measures that are in place to protect against the loss, misuse, or unintentional disclosure and destruction of your personal data;
- How you can access, review, edit, request deletion, and exercise other rights you have regarding personal data that NEFA has collected from you, when appropriate; and
- Who to contact if you have any questions regarding this Policy and our practices regarding the collection and use of your information.
This Policy is effective as of July 10, 2019.
1. General Privacy Considerations
Personal data (“Personal Data”) is generally defined as any type of information that, by itself or in combination with other information, could be used to identify you, could be reasonably associated with you, or information that may be used to gain access to your personal accounts. Examples of Personal Data include, but are not limited to, your name, address, telephone number, e-mail address, username and password, Internet protocol (“IP”) addresses or other online identifiers, credit/debit card number or other financial information, professional or employment-related information, office address and other business information, demographic information, state and/or federal identification numbers (e.g., social security number), etc., or any combination thereof.
Based upon this Policy, you can, in some instances, make an informed choice as to the information you wish to share with us. As a general matter, we take reasonable precautions to protect your privacy, when appropriate, depending on the information to be protected. We cannot and do not, however, guarantee absolute privacy. As detailed in this Policy, certain information that you provide to NEFA, including Personal Data, may be disclosed and displayed publicly in certain areas of the Services for users and other third parties to use as they see fit. This disclosure, however, only relates to your information as an artist, cultural organization, or member of the creative community. We do not make your user account information public. You may be able to refuse to supply certain Personal Data, with the caveat that refusing to do so may prevent you from engaging in certain Services-related activities.
This Policy only applies to information that we collect from the Services identified above, and does not apply to information that we may collect in any other forums or by other methods. Also, to the extent that our Services contain any content which conflicts with the terms of this Policy, this Policy shall control. This Policy does not apply to the privacy practices of any state agency or other organization with which NEFA may be affiliated or from which we may receive funding, data, or other resources. We make no representations and are not responsible for the privacy, information collection, disclosure, and data aggregation practices of another entity or organization. This Policy also does not apply to any other websites or databases for which NEFA or other users may provide links. NEFA is not responsible for the privacy practices and data collection policies for such external sites. Please consult the appropriate policy of each such external site or database if you have any questions about its privacy practices.
2. Policy Revisions
We may update this Policy from time to time in response to changing legal, technical or business developments. When we update our Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make. Your continued use of the Services after any changes are made to this Policy constitutes your acceptance of the changes. If any of the changes are unacceptable to you, you should cease using the Services.
We will obtain your consent to any material Policy changes if and when this is required by applicable data protection laws. If you do not opt-in to such material changes, your information will continue to be used in a manner that is consistent with the version of this Policy under which it was collected, or the information will be deleted.
3. What Information We Collect and How We Do It
Information can generally be collected on the Sites or through the Services in two ways: (1) Information that is knowingly and voluntarily input and sent by you; and (2) information that is collected automatically. If you decide to use the functions and features of the Services, you may be required to input certain Personal Data at various times. In addition, as described below, the Services automatically collect some information from you when you use and interact with them.
For example, depending upon what you want to use the Services for and how you use them, you may be required to disclose your e-mail address and other information about yourself and/or your organization. This would be a voluntary disclosure by you of Personal Data. Such information may be available to others from your e-mail service provider in certain circumstances (which you likely provided when you first opened your e-mail account). Thus, Personal Data could be disclosed to other users or third parties who use the Services. The transmission of an e-mail or other communication voluntarily initiated by you to NEFA or to another user can also transmit Personal Data about you. You should not send Personal Data via unencrypted e-mail, particularly information which you deem to be sensitive or confidential. Furthermore, any information that you provide about yourself in any posting intended to be viewed by others will result in the voluntary disclosure by you of your Personal Data. Any such information voluntarily provided by you could also be disclosed and disseminated to others outside of your intended recipient or audience.
A. INFORMATION PROVIDED VOLUNTARILY
There are areas of the Services where we may ask you to provide NEFA with Personal Data. For example, we collect Personal Data (and other related information) such as name, mailing and/or shipping address(es), e-mail address, telephone number, credit/debit card number or other payment information, company/organization name, occupation or job title, and areas of interest from you when you:
- Set up a user account for the Services;
- Make grant requests or online donations;
- Communicate with NEFA or contact us with questions, comments, concerns or other inquiries;
- Apply for a job; and/or
- Sign up for NEFA’s mailing list.
B. INFORMATION COLLECTED AUTOMATICALLY
The automatic collection of information refers to information collected from you that does not require you to intentionally provide information in response to particular prompts or fields. For example, a site may use "cookies." A cookie is a small text file placed automatically on your computer's web browser that is used to recognize users who have previously visited the site. In general, these cookies are persistent, and may reside and be stored on your computer after you last accessed the site (or until you delete or otherwise disable the cookies). A site may also use temporary cookies called "session cookies," which are stored for a single user session with the site and are deleted as soon as the user's browser is shut down.
We automatically collect your IP address. An IP address is a unique series of numbers that identifies each computer connected to the Internet. An IP address can be used to provide information such as the date and time of a user's visit, the availability of requested files, the popularity of various site functions, and the amount of information transmitted to each user from a site. Presently, NEFA uses your IP address to address the frequency of your use of the Sites and to determine the frequency with which certain pages and functions of the Sites are accessed. This will allow us to improve the Sites' functionality and to determine which features generate the most interest. If you access or use the Services and are not a registered user, only a particular computer is identified through its IP address, so your usage of the Services is not generally matched with your other Personal Data in such circumstances.
We will not routinely attempt to match your particular IP address to any Personal Data that you may provide to NEFA on your own, except in certain exceptional situations. For example, in instances where NEFA reasonably suspects or determines that the Services are being used for any unacceptable, inappropriate, or illegal purposes, information relating to your use of the Services may be disclosed to other parties as is necessary to investigate the matter. Such information may also be disclosed pursuant to any authorized law enforcement investigation, or in order to avoid imminent physical harm to any person or harm to any NEFA property.
4. How We Use and/or Disseminate Your Personally Identifiable Information
Once Personal Data is collected through your use of the Services, regardless of how often you use it, NEFA will make certain uses of such Personal Data for our own internal and administrative purposes. More specifically, NEFA may use your Personal Data and other information to:
- Maintain proper organizational records and other relevant records;
- Administer and secure your user account;
- Process your grant requests and online donations;
- Respond to your questions, comments and other inquiries;
- Send you newsletters and other updates;
- Deliver the Services;
- Communicate with you regarding additional uses of your Personal Data beyond the scope of this list;
- Improve the content and general administration of the Services;
- Perform internal operations on the Services (e.g., fraud prevention);
- Troubleshoot software issues and operational problems with the Services;
- Conduct data analysis and testing; and/or
- Monitor usage of the Services.
NEFA may publish certain Personal Data or other information we collect from you when you provide us with data through the Services to funders we partner with, who may then use it to support arts projects in and around New England.
Except as noted herein, NEFA does not sell or share your Personal Data with any person or entity outside of NEFA.
a. Third Party Service Providers
NEFA contracts with certain third-party service providers to provide the Services. We provide third party service providers with information in our control so that services can be performed on NEFA’s behalf according to the terms of our agreement with the respective service provider. We do not purposely or knowingly disclose your Personal Data to third party service providers unless we are required to do so or we have your consent.
NEFA uses Pantheon to provide hosting and administration services for the Services. All information you provide to NEFA is processed by Pantheon and stored, in large part, in its servers and on other media. While Pantheon does not solicit this information from you, it does passively collect your information due to its hosting activities and may, in certain circumstances, disclose and make use of it. NEFA does not control and is not responsible for Pantheon’s conduct and for any disclosures that it may make. More information on how Pantheon collects, processes and stores data can be found at https://pantheon.io/privacy. If you have any questions or concerns about Pantheon’s privacy practices, you may contact Pantheon at email@example.com or you may call 855.927.9387. Please note that by visiting the Pantheon website, a persistent or temporary cookie may be placed on your web browser which could be used to analyze your usage of that particular site.
NEFA uses hosting and data storage service providers, such as SalesForce, to process and store data related to your use of the Services. More information on how SalesForce collects, processes and stores data can be found at https://www.salesforce.com/company/privacy/.
NEFA uses donation/payment processors, such as SoapBox, to process online donations you make on or through the Service. More information on how SoapBox collects, processes and stores data can be found at http://www.picnet.net/privacy.
NEFA uses event registration vendors, such as EventBrite, to process any online registrations you make on or through the Services for events operated or sponsored by NEFA. More information on how EventBrite collects, processes and stores data can be found at https://www.eventbrite.com/support/articles/en_US/Troubleshooting/eventbrite-privacy-policy?lg=en_US.
NEFA uses survey providers, such as SurveyMonkey, to process responses you provide to surveys and other questionnaires provided on or through the Services. More information on how SurveyMonkey collects, processes and stores data can be found at https://www.surveymonkey.com/mp/legal/privacy-policy/.
NEFA may share certain portions of Personal Data and other information with its vendors in order to make the Services function properly. This may include sharing Personal Data and other information with:
- Our bulk mailing providers, such as JLS, to mail you NEFA publications and other materials (more information available at http://www.jlsms.com/); and/or
- Our email service providers, such as Constant Contact, to send you newsletters and other online communications to which you have subscribed (more information available at https://www.endurance.com/privacy/privacy).
You may be able to opt-out of NEFA sharing your Personal Data with the entities identified above by sending NEFA a detailed email using the contact details provided under the “Contact Information” heading below, unless the sharing of your Personal Data is necessary to perform one of the following business purposes:
- Counting ad impressions and evaluating their effectiveness;
- Detecting and protecting against security incidents or other malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for such activity;
- Debugging or troubleshooting to identify and repair errors that impair the functionality of the Services;
- Short-term, transient uses related to an existing interaction you are engaged in with NEFA;
- Maintaining or servicing your accounts, processing payments/donations or fulfilling your orders or other transactions you authorize, verifying your information, providing advertising or marketing services and related analytic services;
- Undertaking internal research for technological development and demonstration; or
- Undertaking activities to verify or maintain the quality or safety of a service that is owned, manufactured, manufactured for, or controlled by NEFA, and to improve, upgrade, or enhance such service.
B. INVESTIGATIONS REGARDING VIOLATIONS OF NEFA’S TERMS AND CONDITIONS OF USE
As stated in more detail in the Terms and Conditions of Use (“TCU”), it is your responsibility to ensure that you use the Services responsibly and in accordance with our Unacceptable Use and Content Policy ("Use and Content Policy"). If NEFA receives a complaint from another user or other third party, or otherwise learn that you are using the Services inappropriately or posting content in violation of the Use and Content Policy, whether intentionally or not, we may access your Personal Data and other information to determine, in our sole discretion, the validity and substance of such a complaint. If NEFA reasonably deems the complaint to have merit or if it requires further investigation, Personal Data relating to your use of the Services may be disclosed to other parties as we deem appropriate to determine if a violation of the TCU has occurred. Such information may also be disclosed pursuant to any authorized law enforcement investigation or other legal process, regardless of whether it was initiated by NEFA or another party. For example, if NEFA receives a subpoena or court order, we may be required to disclose the information to the appropriate authorities.
We may also take other remedial actions with respect to your use of the Services or content that you post or upload to the Services, as described in the TCU. We may also access your information if you contact us and give us permission to do so. In addition, if you provide NEFA with Personal Data, NEFA may match and/or aggregate this with other information and data about you that we already have in our possession. Furthermore, NEFA may also have certain disclosure obligations to the federal government due to our involvement with the National Endowment for the Arts or to the state governments with whom we partner or affiliate, as described above.
C. OTHER DISCLOSURES
If you contact NEFA via e-mail or letter regarding the Services and we are not the appropriate party regarding the subject of your inquiry, we may forward and disclose your communication to the appropriate party for the matters referred to therein. This could include our service provider, a vendor, a funding organization, or a state arts agency, for example. For instance, if you contact NEFA and have specific questions about our funding or the grant process, we may forward your communication to another party for consideration.
NEFA may also share your Personal Data with a third party if NEFA’s ownership status changes, such as if it is acquired by another entity.
Other than what is referenced above, the Personal Data and other information collected from you is not shared with nor sold to any person or entity outside of NEFA. By providing to NEFA the Personal Data and other information referenced above, you agree that NEFA may use, sell and share such Personal Data and other information in accordance with the terms of this Policy.
5. Security and Retention
We use appropriate technical and organizational measures to protect the Personal Data that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your Personal Data.
While NEFA takes the issue of protecting your Personal Data seriously, you should exercise discretion in what information you disclose and/or transmit to the Sites or through the Services. NEFA cannot guarantee that information sent over the Internet is fully secure, and therefore the transmitted information may be intercepted by others before it reaches NEFA. If you are concerned about sending information to NEFA over the Internet, please send the information by mail or call us to make other arrangements. NEFA is not responsible for the security of information sent over the Internet.
Certain areas of the Services, however, are only accessible by password and are not available to the general public. You are responsible for selecting and maintaining the confidentiality of your password and account information. Any sharing of your password and account information is done at your own risk. In addition, Pantheon, our service provider, will be making back-up copies of the Sites at regular intervals.
NEFA retains Personal Data only for as long as necessary to fulfill the stated purpose for which the Personal Data was collected or otherwise processed, and thereafter for a variety of legitimate legal or business purposes. These may include retention periods that are: (i) mandated by law, contract or similar obligations applicable to NEFA’s operations; (ii) for preserving, resolving, defending or enforcing our legal/contractual rights; or (iii) needed to maintain adequate and accurate organizational and financial records. We will delete your Personal Data as soon as the respective purpose for its use is not applicable anymore and no legal obligation to retain such data exists.
If you have any questions about the security or retention of your Personal Data, you can contact us using the contact details provided under the “Contact Information” heading at the bottom of this Policy.
6. Legal Basis for Processing Personal Data
Our legal basis for collecting and using the Personal Data described above will depend on the type of Personal Data at issue and the specific context in which we collect it.
However, we will normally collect Personal Data from you only where we have your consent to do so, where we need the Personal Data to perform a contract with you, or where the processing is necessary to fulfill legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect Personal Data from you or may otherwise need the Personal Data to protect your vital interests or those of another person.
If we ask you to provide Personal Data to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Data is mandatory or not (as well as of the possible consequences if you do not provide your Personal Data).
Similarly, if we collect and use your Personal Data in reliance on our legitimate interests (or those of any third party), we will make clear to you at the relevant time what those legitimate interests are.
If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Data, please contact us using the contact details provided under the “Contact Information” heading, below.
7. Review of Collected Personal Data/Your Rights and Choices
You have certain rights regarding your Personal Data, namely the rights to:
- access details on the Personal Data that NEFA holds about you at any time;
- update and correct any inaccurate Personal Data that NEFA holds about you;
- request erasure of your Personal Data;
- request restrictions on NEFA’s processing of your Personal Data.
- object at any time to NEFA’s processing of Personal Data concerning you;
- withdraw any consent (with effect for the future) for marketing activities or the processing of Personal Data that you might have provided to NEFA;
- opt-out of the sale of your Personal Data under certain circumstances;
- request the portability of Personal Data that you have provided to NEFA; and
- not be discriminated against, in terms of the services and prices offered on or through our Services, because you exercised these rights regarding the collection, use and sharing of your Personal Data.
If you would like to review, edit, delete or obtain a copy of any of the Personal Data NEFA holds about you, if you wish NEFA to stop using your Personal Data in the manners specified in this Policy, or if you would like to exercise the rights listed above in any other way, please contact us using the contact details provided under the “Contact Information” heading, below.
Even if you correct, update, or replace Personal Data that NEFA has collected about you, your outdated information may still exist indefinitely in other forums or on other sites as they may archive your information for an indeterminate period of time. This may also occur even if you no longer use the Services and/or if you delete your Personal Data from the Services in its entirety. Therefore, please be as specific as possible in your request. If the request relates to information that NEFA needs to make the Services function properly for you, you may not be able to use the Services properly moving forward.
Under the General Data Protection Regulation (“GDPR”), if you are within or are a resident of the EU, then you also have the right to lodge a complaint about NEFA’s processing of your Personal Data with a supervisory authority. In particular, you may lodge a complaint in the Member State where you live or work or where the alleged violation took place.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. Requests can also be made using the contact information supplied below.
We collect only the information that is reasonably required in connection with the Services. NEFA reserves the right to maintain proper organizational records as required by law, or for otherwise legitimate interests to the extent permitted by law, even if such records contain your Personal Data.
NEFA does not knowingly collect any information from minors, nor are the Services directed at or intended for minors. If a minor somehow uploads/posts information to the Services that is publicly available, and the minor subsequently wants that same information deleted, the minor has a right to request that said information be removed from public viewing. A minor may email firstname.lastname@example.org and request that any such information be removed. Any removal of content by NEFA does not ensure or guarantee complete or comprehensive removal of the content in all places. The content may have been shared or reposted by other parties, or certain laws may require maintenance of the content or information.
NEFA does not respond to nor recognize “do not track” or similar technical requests you may activate through your computer or browser settings.
8. Children's Information
The Services are intended for individuals 18 years of age and older.
The Services are not directed at, marketed to, nor intended for, children under 13 years of age. NEFA does not actively market, target, or direct our efforts to, or knowingly collect Personal Data from, children under 13 years of age. The content and use of the Services are intended for adults only. If NEFA learns that any information was provided through the Services by a person younger than 13 years of age, NEFA will delete the information immediately.
9. California Residents
10. Links to Other Websites and Online Services
NEFA may also allow interaction between the Services and other sites, mobile apps or other online locations which provide social media sharing services. This may include the “Like” button or other plugins available through the Services that allow you to share information with persons outside of the Services. Please consult the privacy policies of those third-party providers before using them to make sure you are comfortable with the level of sharing.
11. International Concerns
If you are outside of the United States, you are responsible for complying with any local laws regarding your use of the Services, and any related data collection. You also agree and acknowledge that by providing any information, including Personal Data, through the Services, that such information will be transmitted to, and stored in, the United States.
If you are a resident of the EU, the Personal Data that we collect from you may be disclosed to and processed by staff operating outside the EU. Disclosure will be to individuals who work for NEFA, our related organizations, and companies with which we have contracted to process or store this data on NEFA’s behalf. By providing us Personal Data on or through the Services, you are indicating your consent for your Personal Data to be sent and stored outside the EU.
The individuals and organizations that receive Personal Data as a result of international transfers out of the EU must follow our express instructions with respect to the use of Personal Data and they must comply with appropriate security measures to protect your information.
12. Contact Information