Purpose is committed to protecting your privacy and compliance with all relevant legislation, including the General Data Protection Regulation (GDPR), where this applies to EU citizens, and the EU-US Privacy Shield.
1. THE DATA WE COLLECT ABOUT YOU
We will typically collect personal data from you where you register to support campaign or where you are engaged by Purpose or our clients for campaigning purposes (Activists), where you are a client of ours (Customers), or where you are a website user that browsers or interacts with pages relevant to Purpose or our clients (Website users). We use different methods to collect data from and about you including the following:
Contact Details. You may give us your Contact Details by filling in forms or by corresponding with us by post, phone, email or otherwise. This will include information such as your phone number, physical address, email address, etc. This includes personal data you provide when you:
• apply for our services;
• subscribe to our service or publications;
• request marketing to be sent to you;
• give us feedback or contact us.
Personal Details. This information could be collected directly from you through forms when you interact with on our website or through campaigns undertaken by our clients. It could also be collected directly as research performed by ourselves, our clients or other third parties. It may also be inferred from your browsing history, as collected by Technical Data (see below). Generally, it will include:
- Country or location;
- Employer or role;
- Purchase history;
- Contact preferences (for marketing purposes)
Special Category or Sensitive Personal Data. In some cases, we could be collect special category or sensitive personal data directly from you through forms when you interact with on our website or through campaigns undertaken by our clients. We will usually only collect this with your explicit consent. Such information could includes sexual orientation, ethnicity, religious affiliation and/or refugee status.
Technical Data. Similarly to other websites, we may also collect information from your device and store it in log file, as you interact with our website or websites hosted by our third party partners or cookies embedded in our website, in order to support your website experience and interactions with us. This information could include data on your IP Address, Location, device identifiers and information on links that you click on or content that you view.
Third parties or publicly available sources. We will receive personal data about you from various third parties as set out below:
(a) Our clients, which include various NGOs and government organisations and whose campaigns you interact with;
(b) Analytics providers, such as Google Analytics, based outside the EEA; and
(c) Third party providers that we might use, such as marketing or advertising partners.
2. HOW WE USE YOUR PERSONAL DATA
Generally, we use your personal data for the purpose for which we obtained it which include the following:
- Personal details and Contact Details– as necessary for contacting you in the context of the delivery of products or services, and administering such products and services. We may also use Personal details for sending you any updates in relation to campaigns you have engaged with. This may include to contact you for marketing and advertising in relation to campaigns you have shown an interest in.
Such data could also be used to compile user profiles used in the context of campaigns.
- Sensitive Personal Data –as part of our clients campaigns, in order to design a target audience for such campaigns, compiling user profiles and/or provide our clients with feedback from the campaign’s audience.
- Technical Data – collected as you interact with our website or websites hosted by our third party partners, and used to develop an understanding of what users’ interests are, to help with the targeting of our web pages and campaign communications and advertisements.
Profiling. We may undertake profiling based on data collected from individuals, in order to build up a profile of
their interests and ensure that campaigns are targeted suitably to them. This processing may also involve automated decision-making in order to allocate particular categories of interests to groups of individuals.
Typically, we anonymise any personal data used for the creation of anonymous or ‘lookalike’ profiles for our clients. However, this profiling may also involve assigning particular categories of interests to individuals and/or targeting them on the basis of their interests.
We take steps to ensure that any automated decision-making involving targeting or micro-targeting that is carried out to individuals on the basis of our campaigns does not adversely affect or prejudice particular groups of people. Where we believe this processing may cause such effects, such as in relation to children or using sensitive personal data, we take steps to avoid carrying out this processing unless one or more safeguards apply.
3. ON WHICH LEGAL BASIS DO WE PROCESS PERSONAL DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
This applies where you have given us consent to the processing. Typically, this will include where you have provided information to us or our clients in the course of engaging with our campaigns. It will also include where you have given us consent to send marketing information to you or have consented to the installation of cookies that might collect Technical data on your device. Additionally, we will generally only collect Sensitive Personal Data with your explicit consent, whether this consent is collected by Purpose or our third
We will take active steps to collect your consent or to ensure our clients have collected it. Where you have given consent, you have the right to withdraw consent to marketing at any time by contacting us or opting out. For more information, see the section on your Legal Rights.
We may rely on our legitimate interests (or those of a third party) – including in the context of research for campaigns and/or compiling a picture of your interests, improving our business operations and engaging in direct marketing, where your interests and fundamental rights do not override those interests. Typically, this will include where we contact you in the course of our business activities or engage in research on the targetaudience for our campaigns.
Performance of a contract
We may also process your data for the performance of a contract you have with us – for example, in the course of products and services where a contract is agreed.
We may also store your personal data where we need to comply with a legal obligation – in particular, in the course of products and services we offer or receive, the retention of relevant data for tax purposes.
4. HOW LONG WE KEEP IT FOR
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
We will retain the following data for the applicable periods below.
5. WHERE WE STORE YOUR PERSONAL DATA
Your personal data may be stored on our systems within the European Economic Area (EEA) and may also be transferred or stored on our secure servers which are located in the United States.
Purpose complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Purpose has certified to the Department of Commerce that it adheres to the Privacy Shield
Third Party Providers
We may also transfer your personal data to our clients and third-party database providers.
These are discussed further in the section below.
6. DISCLOSURES OF YOUR PERSONAL DATA
We may share your personal data with the parties set out below for the purposes outlined above. This could include for storage purposes, for the administration of relevant contracts, to ensure that this information is used to target appropriate advertisements to you, and for our legal obligations. Such third parties could include:
- Our clients, for whom we conduct campaigns for, and who act as joint controllers with Purpose over
personal data used for campaign purposes.
- Third party advertising providers, including those operating websites.
- Service providers, IT and system administration services.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy,
banking, legal, insurance and accounting services.
We may also transfer your personal data to our clients and third-party database providers in order to store personal data and perform our operations using such systems. Some of these are based in the UK and others may also transfer, store and process your personal data outside the European Economic Area (EEA), subject to suitable and secure safeguards. These may include:
- Marketing and database providers (such as Salesforce, based in the USA; Action Network, based in the
USA; Mailchimp, based in the USA; and Dropbox, based in the USA)
- HR systems providers (including Namely, based in the USA; and Greenhouse, based in the USA)
- Finance system providers (including Nexonia, based in Canada; Sage Intacct, based in the UK;
Quickbooks, Intuit, based in the UK; Expensify, based in the USA; Hellosign, based in the USA)
We may also be legally required to share information with the following third parties:
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom, who require
reporting of processing activities in certain circumstances.
- Public authorities who make lawful requests for the disclosure of information by Purpose, including to meet national security or law enforcement requirements
- The Department of Commerce, Federal Trade Commission (FTC), the Department of Transportation or any other U.S. authorised statutory body, where they request such information in relation to the EU- U.S. Privacy Shield agreement, for the purposes of any investigations by such organisations, or for national security or law enforcement purposes.
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
7. SAFEGUARDS FOR PERSONAL DATA TRANSFERS
Where we use such third-party providers as listed in Section 6, we take steps to enter into agreements to ensure that such third parties have the adequate safeguards in place, which include:
a) General Transfer requirements. Generally, where data has been transferred from Purpose Europe to other third parties outside the EEA, we will ensure that any clients or third-party providers who
receive such data have the appropriate measures to ensure secure transfers in place. Purpose will not transfer any data to such third parties until these arrangements have been verified. These may
include ensuring that one of the following mechanisms are in place:
- EU-U.S. Privacy Shield Agreement
- EU-approved Standard Contractual Clauses
b) Liability for Onward Transfer. Where we transfer personal data to third-party providers as listed in
Section 6, Purpose will generally be liable for these parties’ non-compliance with certain legislation,
including the Privacy Shield Principles. Purpose will take steps to audit such third parties for
compliance with the Privacy Shield Principles prior to engaging them for the provision of any services to ensure they have the adequate measures for data transfers in place before permitting any data transfers to be made. In particular, we will ensure such parties enter into agreements with us, which will include requirements to maintain similar safeguards equivalent to the GDPR and Privacy Shield Principles and, where appropriate, that personal data is only processed on the terms and in
accordance with the rights set out in this Privacy Notice.
c) Processor requirements. Additionally, where Purpose engages a processor to carry out data
processing on our behalf, we will remain liability for the processor’s non-compliance with the GDPR
and other data protection legislation, unless such parties are responsible for not complying with
provisions of the GDPR and other data protection legislation specifically directed to processors or
where it has acted outside or contrary to our lawful instructions. We do not allow our third-party
providers to use your personal data for their own purposes and only permit them to process your
personal data for specified purposes and periods, and in accordance with our instructions. Purpose
with enter into agreements Clients or third-party providers to ensure that they accept such all third
parties to respect the security of your personal data and to treat it in accordance with the law, and to
notify us if any security breaches occur. Purpose will also audit such third parties for compliance wit these adequate safeguards prior to engaging them for the provision of any services.
8. YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under the GDPR in relation to your personal data, upon request:
- Request access to your personal data (commonly known as a “data subject access request”). This
enables you to receive a copy of the personal data we or our Third Party Partners hold about you and
to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any
incomplete or inaccurate data we hold about you corrected, though we may need to verify the
accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully. However, you may not have the right to exercise this if we are required to process your data for legal or contractual obligations.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us
to use or where we used the information to perform a contract with you.
- Object to processing of your personal data where you feel it impacts on your fundamental rights and freedoms, by contacting us to inform us of this.
- Object to any onward data transfers from our U.S. Office to third parties other than our trusted processors, as well as for using your personal data for a purpose other than its original purpose. However, this right is not available where the onward transfer is required for data to be sent to our agent(s) for the provision of our services to you, by relevant legislation, court order, supervisory authorities or pursuant to litigation. You should exercise this by contacting us at email@example.com
- Opt-out from any processing in the following situations:
o The right to opt-out from having campaigns or advertisements targeted at your interests. To
exercise this, please click here.
o The right to opt-out from marketing communications or newsletters we may send to you.
You should exercise this by contacting us at firstname.lastname@example.org or click on the Opt Out
in the marketing email you received.
o The right to opt-out of any cookies we use, even to those you have consented to. For more
information on this, please see the Cookies section above.
NO FEE USUALLY REQUIRED
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
WHAT WE MAY NEED FROM YOU
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
TIME LIMIT TO RESPOND
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
9. PRIVACY SHIELD QUERIES
In compliance with the Privacy Shield Principles, Purpose to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Purpose at: email@example.com. We will respond to your complaint or inquiry within 45 days of receipt.
Purpose has further committed to refer unresolved Privacy Shield complaints to JAMS as an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit JAMS for more information or to file a complaint. The services of JAMS will be provided at no cost to you.
Purpose commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.
You may have the option to use a binding arbitration mechanism for the resolution of your complaint under certain circumstances, provided you have a) raised your compliant directly with Purpose and provided us the opportunity to resolve the issue; b) made use of the independent dispute resolution mechanism with the appropriate organisation(s) above; c) and raised the issue through your relevant data protection authority and allowed the Department of Commerce an opportunity to resolve the complaint at no cost to you. The binding arbitration will be handled by the International Centre for Dispute Resolution’s American Arbitration Association, available here.
For the purposes of the Privacy Shield, Purpose is also subject to the jurisdiction of the Federal Trade Commission (FTC) in the United States.
A cookie is a small text file that is downloaded onto your computer when you visit our website and allows us to recognise you as a user. Typically, these contain two pieces of information: a site name and unique user ID. All information these cookies collect is aggregated and anonymous. Cookies are essential to the effective operation of our website. Cookies make the interaction between you and the website faster and easier.
Cookies may also be set by the website you are visiting (first party cookies) or they may be set by other websites who run content on the page you are viewing (third party cookies).
We will generally collect information through the following types of cookies:
- Essential Cookies: Cookies that are strictly necessary to enable you to move around our websites
or to provide certain basic features, including website security and collecting user consent for
cookies (e.g. CloudFlare, Purpose consent cookies);
- Preferences: Cookies to enhance the functionality of the website by storing your preferences,
such as in relation to information on your region, information entered into certain forms, etc.
(such cookies are not currently in place on our website);
- Statistics: Cookies that monitor the popularity of sections of our website to generate web
analytics and for compiling reports on website activity, which may or may not collect personal
information (e.g. Google Analytics);
- Marketing: Cookies that track users and display advertisements relevant to them, and which may also collect information on what your viewing interests are on the basis of your pages viewed and your interaction with various content on different web pages (e.g. Facebook cookies).
Through cookies, we may also collect your Internet protocol (IP) address, device identifiers, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Internet or this website or websites associated with our third party partners. We may also collect data about your interests and preferences which we receive in relation to web pages you have viewed and your interactions with various web pages, as collected through our cookies and cookies installed by our third-party providers to track you online.
The cookies are stored for a period of 13 months maximum unless you clear their cache and the cookies themselves.
Opting Out of Cookies
You may access our Cookie Consent Notice to decline cookies at any time subsequently here (<insert hyperlink to the relevant section of the Cookie Notice>).
You can manage the cookies stored on your device as well as stop cookies from being installed on your browser. For more information on how to manage cookies usage on your device, please let us refer you to information found on these topics on allaboutcookies.org, more specifically by clicking on the links below:
- Managing the Cookies Stored on Your Device;
- Stop Cookies from Being Installed on your Browser.
Please note that if you prefer to block some or all of the cookies Purpose uses, you might lose some of our website’s functionality.
11. FURTHER DETAILS
DATA PROTECTION OFFICER
- You can contact us at firstname.lastname@example.org at any time.
- For purposes of compliance with the law, the entity that is collecting your data is Purpose Global PBC, 115 5th Avenue, 6th Floor, New York, NY 10003
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
ICO contact details
Email address: email@example.com
Postal address: Information Commissioner’s Office (ICO)
Telephone number: +44 (0) 303 123 1113
Additionally, for the purpose of disputes related to the Privacy Shield, Purpose have committed to the mechanisms outlined in Section 8 above.
We keep our Privacy Notice under regular review. This version was last updated in August 2019.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
13. THIRD-PARTY LINKS