Privacy and Personal Data Policy (GDPR)

Nonprofit Builder – Personal Data Policy

This policy describes how we use Personal Data Policy, with whom we share it, your rights and choices, and how you can contact us about our privacy practices. 

This policy is related to the Nonprofit Builder website, which is operated by Imaginate Solutions Sàrl (Switzerland) (referred to henceforth as Imaginate).

Please take a moment to read this Personal Data Policy carefully. If you have any questions about it, please contact us at daniel@nonprofitbuilder.org.

Last updated: 17 February 2019

1. What is the Nonprofit Builder?

The Nonprofit Builder is a resource website for capacity building (organisational development) of nonprofit organisations. Its aim is to make it easier for Oak grantees to access capacity building support, and as part of a wider project to make nonprofit capacity building more efficient, collaborative and accessible. It currently contains a directory of vetted consultants who provide organisational development services to nonprofits, a directory of trainings, and a resource library. 

2. Who can access the Nonprofit Builder?

Only logged-in members can access the contents of the Nonprofit Builder, with the exception of the Resource library, which is open to the public. Members include foundations (currently Oak Foundation, PackardFoundation and Laudes Foundation), nonprofits (currently only the grantees of these foundations upon invitation) and consultants in the capacity builder database.

3. Personal data we collect

Personal Data is any information that relates to an identified or identifiable individual. 

The Personal Data that you provide directly to us through nonprofitbuilder.org will be apparent from the context in which you provide the data. In particular: 

  • When you register for a Nonprofit Builder account we collect your full name, email address, and account log-in credentials. 
  • When you fill-in our online form to publish a consultant’s profile in the directory, we collect your full name, work email, country of residence, and anything else you tell us about your skills and work experience.
  • When you register for our mailing list, we will collect your full name and work email.

If you are a consultant, in the future we may also collect information about your work with nonprofit members as part of our quality assurance. This information is strictly confidential and will be transmitted through an encrypted channel and stored encrypted in our database.

We also use a WordPress plugin called WP Security Audit Log that allows us to track activities of logged in visitors. We use it primarily to detect intrusion attempts but we also use it a basic tool to count visitors and see which pages are most visited (17.02.2020).

We have also installed a plugin called GEO my WP which allows consultants to specify their location on a map, so that potential clients can easily see consultants located in their area (17.02.2020).

4. How we use personal data

We use your personal data to allow members to log into the website and access its databases. If you are a consultant, we use the personal data you contribute to your profile to allow you visitors to understand your services and to contact you to hire you.

5. How we disclose personal data. 

Nonprofit Builder does not sell or rent Personal Data to marketers or unaffiliated third parties.

We share your Personal Data with trusted entities, as outlined below. 

a. Our Users. We share Personal Data with Users as necessary to maintain a User account and provide the Services. 

b. Service providers. We share Personal Data with a limited number of our service providers. We have service providers that provide services on our behalf, such as identity verification services, website hosting, software development, website maintenance, email delivery, and auditing services. These service providers may need to access Personal Data to perform their services. We authorize such service providers to use or disclose the Personal Data only as necessary to perform services on our behalf or comply with legal requirements. Our service providers are predominantly located in United States of America, such as WP Engine.

c. Compliance and harm prevention. We share Personal Data as we believe necessary: (i) to comply with applicable law; (ii) to enforce our contractual rights; (iii) to protect the rights, privacy, safety and property of Imaginate, you or others; and (iv) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.

6. Your data protection rights

Depending on your location and subject to applicable law, you may have the following rights with regard to the Personal Data we control about you: 

  • The right to request confirmation of whether we process Personal Data relating to you, and if so, to request a copy of that Personal Data (with the exception of consultant reviews which will remain confidential); 
  • The right to review, correct, or amend your personal information, or to delete that information where it is inaccurate, and delete your whole account. You may do this at any time by logging in to your account and clicking the Profile or My Account tab.
  • The right to request that we erase your Personal Data in certain circumstances provided by law; 
  • The right to request that we export to another company, where technically feasible, your Personal Data that we hold in order to provide Services to you. 

Where the processing of your Personal Data is based on your previously given consent, you have the right to withdraw your consent at any time. You may also have the right to object to the processing of your Personal Data on grounds relating to your particular situation. 

7. Process for exercising data protection rights.

In order to exercise your data protection rights, you may contact us as described in the Contact Us section below. We take each request seriously. We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your Personal Data. If you feel that you have not received a satisfactory response from us, you may consult with the data protection authority in your country.

8. Security

We make reasonable efforts to ensure a level of security appropriate to the risk associated with the processing of Personal Data. We maintain organizational, technical and administrative measures designed to protect Personal Data within our organization against unauthorized access, destruction, loss, alteration or misuse. These measures include:

  • Malware scanning and removal
  • Protection against denial of service attacks
  • Automated installs of latest software
  • Daily backups 
  • Enforcement of the use of strong passwords.

Your Personal Data is only accessible to a limited number of personnel who need access to the information to perform their duties. 

Administrators will inform users within 72 hours of any breach affecting their accounts or profiles.

Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of your account has been compromised), please contact us immediately. 

9. Retention

We retain your Personal Data as long as we are providing the services to you. We retain Personal Data after we cease providing Services to you, even if you close your Stripe account, to the extent necessary to comply with our tax, legal and regulatory obligations, but no longer than 5 years.

10. International Data Transfers

Our Users come from all over the world. As they browse the directories, we will be transferring Personal Data that they counties where they are located, which may have data protection rules that are different from those of your country.

11. Links To Other Websites. 

The directories in the Nonprofit Builder provide the ability to connect to other websites. These websites may operate independently from us and may have their own privacy notices or policies, which we strongly suggest you review. If any linked website is not owned or controlled by us, we are not responsible for its content, any use of the website or the privacy practices of the operator of the website.

12. Legal domicile and applicable law

The legal domicile for any litigation is the Canton of Vaud, Switzerland. The applicable law is the Swiss Federal Data Protection Act and the Data Protection Ordinance. With regards to users in the European Union, General Data Protection Regulation (GDPR) also applies.

13. Changes to the User Agreement

All users will be notified by email of any change to this Personal Data Policy, with at least 30 days notice. Changes will also notified on the Nonprofit Builder website.

13. Contact us 

The contact person for all requests and questions related to personal data should be directed to Daniel D’Esposito, at daniel@nonprofitbuilder.org.

****