Carnegie Hero Fund Commission
Notice of Privacy & Information Security Practices
Effective Date: October 7, 2014
This Notice endeavors to provide a general description of our privacy practices and does not waive any of our legal rights or defenses. This Notice is incorporated into and forms part of our Terms & Conditions, which outline other terms and conditions that you agree to when using this Site or otherwise dealing with us in a situation where we collect Personal Information.
By using our site, or by supplying Personal Information to us online or offline, you agree and consent to the collection, use, disclosure and other processing of your personal information as outlined in this Notice, including (without limitation) supplying the specific consents listed in “Special Consents.” If you do not want to agree, do not supply any Personal information to us (on or off the Site) and do not use the Site.
To make reading this easier to understand, we use capitalized terms that have a longer definition. In addition to terms defined above of or as we go along, here are some basics:
“Aggregate Data” means information that we reasonably believe has been “de-identified” or “anonymized.” We will have that belief when the information (a) is not PI, or (b) might once have been PI but no longer is, or (c) would, in order to make the information PI, need to be combined with other data and take resources we don’t have, control or intend to use.
“Disclose” (and variations like “Disclosure”) means any or all of this: collecting, receiving, accessing (or barring access), verifying or investigating, fulfilling, processing, assembling, combining, aggregating, analyzing, revealing, displaying, sharing, making available, transferring, storing, logging, destroying, enforcing, selling or leasing or licensing, and otherwise voluntarily or involuntarily using or dealing with Personal Information except as prohibited by applicable law.
“Personal Information,” “personal information” or “PI” means information we’re required by law to protect and that: (a) personally identifies you, or (b) does not personally identify you but reasonably may be used to identify you or your computer or other device and a law requires us to treat said information as personally identifying you. PI does not include Aggregate Data or information that is publicly available (e.g., if you include PI in material you post on a publicly accessible page, that PI will become public information upon its posting).
What Personal Information do we collect directly from you?
Below are examples of types of PI we collect directly from you. What and why we collect it may change as we, technologies or applicable laws change, but we will always endeavor to collect and Disclose PI for purposes consistent with applicable law in the circumstances (and reserving all of our rights under such laws).
- Contact PI. We collect name, postal and email address, telephone and other contact information to contact you (such as if you sign up for our newsletter or request an annual report).
- Hero and Rescue Information. If you nominate a hero or supply information about a rescue, we initially collect this kind of information about you, the nominee, the person rescued, or eye witnesses: name, age, email, postal address, occupation, telephone and information about the heroic attempt (that might or might not be PI). Our initial form allows you to volunteer more information, but please do not supply sensitive PI. We may use the initial PI to make preliminary decisions or to investigate. Our investigations involve collection of extensive details which can include PI. For example, we may request completion of forms with many questions about the rescue and everyone involved, including PI (such as height and weight of a victim or rescuer so that we can get a better understanding of the scale of the heroism). You do not have to supply any of that PI, but lack of it may affect our ability to investigate to our standards.
- Awardee PI. The Fund often has an ongoing relationship with awardees, so we collect additional PI and updates from them and their families.
- PI about others. As noted, sometimes you will be asked to supply PI about others. Before doing that, get their permission for application of this Notice to their PI.
- PI you give us that we didn’t request (such as PI you voluntarily put into a message to us).
What Personal Information do we collect from others or, indirectly, from you?
Below are examples of types of PI we collect indirectly from you or other sources. In fact, some of the information might not be PI and if it isn’t, our use of the term does not make it PI.
Collected from Other Sources About You
- Research PI. When a hero is nominated, we research the nomination and do interviews.
- PI from public records and other publicly available sources (e.g., phone books, industry or trade organization directories, lawfully accessible social network pages and so on).
Automatically collected from what you do/use
- PI from website cookies or other technologies. See “What about cookies and other Technologies?” below.
- PI from service providers that provide services for us (“Third Party Providers”)
What about cookies and other Technologies; Opt in/Out Choices or DNT?
What kind of PI do we collect?
The following provides examples of the kinds of PI we collect:
- browser type, access device type (e.g., phone, tablet, laptop or whatever), operating system, IP address, unique device identifier(s)
- domain name from which you came; when, how long, where and what you do on our Site, including clicks you make and acts you take; patterns (e.g., how often you come back to our Site or what Site features you tend to use); third party Technologies such as from Third Party Servicers (see “What Third Party Services do we tend to use?”).
How do we indirectly collect that PI?
A cookie is a small text file that we or others put on the hard drive of your access device. There are several kinds and here are a few that we use now or might use later:
Session Cookies: allows our Site to collect information about what you do during a browsing session each time you visit. These cookies are temporary and are set to be deleted when you leave.
Functional or Persistent Cookies: these cookies last more than a session and are set to expire in a set number of days. They allow the Site to remember choices you make and can be used to provide services you have specifically requested.
Performance Cookies: a persistent cookie which is set to expire in a set number of days. It collects data such as for managing performance and design issues.
We reserve the right to change and use lawful Technologies from time to time. Technologies can differ depending upon browsers, access devices and other variables, i.e., our descriptions might not necessarily be accurate. Our goal is to let you know that some kind of Technology is going to be put on your device. If you use social media credentials or widgets on our Site (such as clicking on any (if any) “Like” button), social media provider Technologies will also collect information that could be or become PI (see their privacy policies).
Choice: E-mail Communication: DNT
We may offer some items you can sign up to receive electronically. By signing up, you expressly consent to receiving the items at issue electronically, i.e., you opt into receiving them by electronic means. Each e-mail that is required to do so will include an opt-out feature and instructions on how to unsubscribe if you do not wish to receive future such e-mails from us. You may contact us at our Legal Notices Address to stop receiving them or can unsubscribe using the link included in the e-mail or by sending an e-mail to firstname.lastname@example.org or by telephoning us at 412-281-1302 or 800-447-8900 (toll free). You can also sign up for some items that we mail by postal mail such as our newsletter and annual report—if you want to cancel your consent to receiving those you can call us at the above phone numbers.
Users of some online services want to opt-out of “behavioral” or similar advertising (e.g., tracking your online activities over time or across websites or online services in order to deliver advertising targeted to your interests). We don’t intend to do that kind of advertising.
Some browsers have “Do Not Track” (“DNT”) settings intended to let your browser tell websites not to track you for various reasons (such as for behavioral or “cross site” advertising). Our Site won’t necessarily work the same if you block our Technologies. At least one state wants us to tell you whether we honor DNT signals. We do not because of reasons like these: the “DNT” concept is not clearly defined and honoring a DNT signal might mean we could not collect the data described in this Notice or that is allowed by law or is relevant to fraud prevention. Even if we honor a signal, we do not commit to doing so and our efforts might not be successful. For example, even if we honor a DNT signal tracking might not stop for reasons like these: not all Technologies are controlled by browsers and not all settings will last; even if a setting is honored for one purpose data might still be collected for another; and third parties might not honor your or our settings.
What do we do with the Personal Information we collect?
We Disclose collected PI to pursue and protect our existing and future mission, operations, obligations and rights and in support of the activities described in sections regarding the kinds of PI we collect. Please see the sections about the kinds of PI we collect as some of those also contain information about our Disclosures of PI; you should also review any disclosures that we supply in addition to this Notice in order to supplement it or to deal with a particular situation. In addition, we reserve the right to Disclose it for all lawful purposes, subject to applicable law. For example, we may make Disclosures, subject to applicable law:
- To conduct our investigations regarding who the Fund should honor or support as a hero. We use the PI we collect to do this and we also combine it with other lawfully available information, public or private. If a nominee becomes a hero, we will collect PI relevant to the scope and type of support that we offer to the hero.
- To engage in activities and transactions relating to the reason we collected the PI in the first place (e.g., if we collected nomination PI we’ll use it, now or later, for everything relating to nominations, nominees, post nomination matters and historical matters etc.).
- To make common uses that an ordinary reasonable person should expect or that are commonly allowed or not prohibited by applicable law. By “common uses” we mean uses that should be apparent or relevant in the context of our services, the reasons PI was collected or the ways businesses ordinarily operate. For example, and subject to applicable laws, we will Disclose PI:
- To meet our obligations and enforce our rights, to make Disclosures to third parties who help us (e.g., suppliers, service providers, information technology providers, mailing and other business process providers, outsourcing providers, other Third Party Servicers and so on), and to operate and improve our business;
- For security, fraud prevention, and authentication and verification, including (without limitation) searching public records or publicly available information (such as information on the Internet that the public can see) and participating in industry or private (profit or non-profit) research, databases and other activities (such as sharing of information to attempt to prevent or decrease fraud);
- To respond to questions or requests or to contact you for lawful purposes, including for lawful surveys;
- To parties we deal with (or parties they deal with) who reasonably need the data to do their jobs;
- To deal with an activity or contract, to obtain additional PI from you or from other lawful sources, to combine PI with other PI or information and otherwise to advance knowledge.
- For example:
- if we or a service provider collects payment information we will Disclose it to payment processors and others involved with payments (e.g., banks, networks, card organizations, fraud prevention services or researchers etc.) and to protect ourselves or others, including Disclosure to law enforcement or regulators;
- if we collect PI to help determine who you are or your authority, we may do things like checking it against records of ours or others, keeping a copy, and Disclosing it in disputes (e.g., lawsuits or investigations);
- we might Disclose PI we think might be helpful to research done by us or others for non-profit or profit purposes (e.g., to help find common patterns or characteristics about Heroes, about where to reduce or increase funding, or about something else);
- To persons appearing to have a lawful interest in the PI (e.g., a delivery company dealing with a claim involving you);
- To comply with applicable law, including keeping records of PI for as long as required or that we believe is advisable;
- For the kinds of purposes appearing in laws or regulations as exceptions to your ability to “opt-out” of Disclosures. An example is the FTC’s regulation implementing privacy rules for financial institutions. It lists many reasons that those institutions may make Disclosures or not offer an “opt-out” choice. You can see those reasons at 16 C.F.R. § 313.14 and § 313.15 (and that list is hereby incorporated into this Policy);
- In an endeavor (without undertaking a duty) to prevent harm or damage to you, us or others (including without limitation, Third Party Servicers, licensors and other customers and individuals); and
- To make additional Disclosures that are consistent with the context or relationship of our transactions with you (or your principal) or that are required or allowed by law, regulation or guidance etc.
- To make extraordinary uses such as for a merger or bankruptcy etc. By “extraordinary uses” we mean that we may Disclose PI in out-of-the-ordinary circumstances or emergencies, subject to applicable law. There is no clear line between ordinary and extraordinary, but here is an example: we may Disclose PI to third parties with whom we might explore or engage in an atypical transaction like a reorganization, sale of assets, merger (or the like), bankruptcy and other non-routine transactions.
- To put you on relevant lists (e.g., a newsletter list). Here we mean that we may (subject to applicable law) create lists of customers or others who contact us or sign up for communications or other things we might do now or later (e.g., newsletters, blogs, feeds, alerts or something else). We would use those lists to fulfill the request, to contact such persons (including you), and for other lawful purposes. In doing so, we may Disclose PI to our Third Party Servicers (such as a mailing house or supplier). We may treat these lists as assets and although we ordinarily would not plan to sell them, we might do so in extraordinary circumstances.
To Third Party Servicers that offer Third Party Services (see “What Third Party Services do we tend to use?”).
To make secondary uses to the extent not prohibited by applicable law. By “secondary uses” we mean that when you provide PI for one purpose, you agree that it may be used for other lawful purposes that we believe are reasonably related or that are not prohibited by law.
For other purposes that are not in this Notice but that are related to any of the above or our mission (e.g., such as for a survey or notice of an event for a Hero).
To respond to legal process or the like. By “legal process” we mean things that we might have to do to comply with laws or the like. Examples include things like subpoenas (private, grand jury or other), warrants, identity theft requests, requests for information about an anonymous speaker, investigative demands (from law enforcement, regulators or others), or national or international security letters or demands etc. Sometimes the law will preclude us from telling you about the legal process. In other circumstances we might be allowed to tell you but it might not be practical or advisable to do so. We will determine in our sole discretion whether to make an allowed contact (e.g., we might give you notice of a subpoena so that you can go to court and obtain an order allowing us not comply). You agree that we may do all of the foregoing. We also reserve the right voluntarily to comply or cooperate with law enforcement or regulators or the like (e.g., if we think that doing so might help protect someone (including you, us or others) or property (of ours, yours, or others)).
What Third Party Services do we use?
Third Party Services will change over time and we may update this Notice. We will endeavor to obtain from Third Party Services with whom we contract, agreements that are consistent with this Notice and applicable laws, but we will not necessarily have contact or contracts with all third parties. Even when we do, we cannot force them to enter into the exact contract we want and we cannot control whether they might breach a contract or applicable law.
What about security of Personal Information?
The security of your personal information is important to us, so we use what we believe are commercially reasonable security measures to protect PI and to control unauthorized access to it. A reality of our digital age, however, is that security measures are seldom infallible, attacks on security change, accidents happen and individuals (including but not limited to employees) might fail to follow policies or contracts, so we do not guarantee security.
If you want to access, update, correct or delete PI that we hold about you, you may call us at 412-281-1302 or 800-447-8900 (toll free) or write us at Our Legal Notices Address. You can and should update your contact information so that we can communicate with you when we want to contact you or when you’ve asked us to do so. You agree to tell us within 48 hours if you cancel or change your number or email address so that we can stop relying on them.
Subject to applicable law, we may deny a request to alter (including delete) data (subject to applicable law) and you agree to supply identifying information to help us authenticate you. You will not be able to change or delete all PI, e.g., you won’t be able to alter PI that:
- we already Disclosed or commingled with other information;
- you are not supposed to alter or that might jeopardize us, others or rights if you do so, subject to applicable law;
- we need (e.g., to document an investigation, prevent or respond to fraud or so that we can demonstrate we or a service provider acted appropriately).
We will determine in our good faith discretion (subject to applicable law) what PI may be altered and how. We may keep records of the original PI and alterations and Disclose any of that for lawful purposes. When PI is eligible for “deletion” or “removal” or the like, you agree that unless otherwise expressly required by law, we need not actually delete or remove it. Instead, we may curtail access to it until it is gone (such as by being overwritten), or we may keep it, but program it to be invisible to visitors.
We keep PI for as long as we think necessary or advisable, subject to applicable law, and reserve the right to retain it to the full extent not prohibited by law (e.g., we usually will at least retain it for the length of a statutes of limitations). We may discard PI in our discretion, so you agree to retain your own records of any PI that you want to be able to keep or access.
You may make a request for us to alter eligible PI by writing us at Carnegie Hero Fund Commission,
Our Legal Notices Address
436 Seventh Avenue, Suite 1101, Pittsburgh, PA 15219-1841 (“Our Legal Notices Address”). If applicable law requires us to accept requests by other means (e.g., if a law requires us to allow notices by email), use the foregoing address to learn about those other means (e.g., to learn about any email address we use for notices under such a law). We will honor requests in our discretion or as required by law. We may alter the PI or allow you to do so within a reasonable time, but no less time than we or our Third Party Servicers need to process or alter databases in the ordinary course of business. Currently, we do not charge for responding to alternation requests, but reserve the right to do so subject to applicable law. If we have a duty to require third parties to delete or cease using PI, you agree that we may satisfy it by sending them notice to do so.
What happens when you leave our Site or online service?
What special consents do we request?
You need particularly to consent to a few items that some laws want us to emphasize. You particularly consent to the following:
Data Transfers: This Notice explains that we and others will make Disclosures and transfers of PI into and out of the United States worldwide, including Canada. You expressly consent to that.
Cookies and Other Technologies: This Notice explains that cookies and/or other Technologies may be stored on or access your computer or other access device. You consent to that and to Disclosure of PI or other information so collected (subject to this Notice and applicable laws).
Electronic Notice if There is a Security Breach: If we or any of our Third Party Servicers are required to provide notice of a data security breach, you agree that we (or they) may do so voluntarily or when required by posting notice on the Site, sending notice to an “e” address we have for you (e.g., an email address) or by any other method allowed by law or contract.
You may withdraw any or all of the consents above by: (1) writing us at Our Legal Notices Address and telling us which consents you withdraw and the date you plan to do so; (2) ceasing all use of the Site and any other services of ours or that are relevant to your consent. We will use commercially reasonable efforts to cease further Disclosures of PI covered by withdrawal, subject to our rights and applicable law. We will make those efforts within a time reasonably allowing us to process your request. Currently, we do not charge for processing withdrawals but reserve the right to do so in good faith.
Withdrawal does not apply to PI Disclosed or relied upon before your notice or withdrawal or if the withdrawal would violate a law or contract. If you withdraw and then do something inconsistent (e.g., again use our Site), we will assume you have changed your mind and we will rely once again on all of your previous consents (subject to applicable law) or on any new consents relating to your new actions.
What about children?
Federal Children’s Online Privacy Protection Act (“COPPA”): Our Site or other services are not intended to be used by children under the age of 13 and we do not want to collect information from children. If a child’s parent or a guardian believes their child may have provided PI to us, write us at Our Legal Notices Address and we will use commercially reasonable efforts to delete that PI, subject to applicable law and this Notice. For more information about children’s privacy on the internet, you may wish to visit http://www.consumer.ftc.gov/articles/0031-protecting-your-childs-privacy-online.
What about identity theft?
If you believe you are a victim of identity theft, you may be entitled by law to request certain information from us. You can do this by writing us at Our Legal Notices Address. If we receive a request, we will then explain what information we require in order to respond. Once we have all of the required information, we will supply, without charge, any information we then have that we are legally required to provide (subject to applicable law, and reserving all rights and defenses).
What about amendments?
As explained in the Terms & Conditions, you agree that we may change this Notice in our good faith discretion from time to time by posting the substitute version and changing the effective date on our Site. You agree to check that date from time to time to ensure that you are aware of any updates or changes in this Notice. After the new effective date, your use of the Site or provision to us of PI or your failure to terminate any account or other relationship you might have with us, shall constitute your agreement to the then posted version. Subject to applicable law, amendments will apply to PI that we already have and PI obtained after amendment.
What about enforcement?
This Notice is part of the Terms & Conditions. If there is an express conflict between the Terms & Conditions and this Notice, the latest version of this Notice will control. As a contract, we and you are bound by this Notice. If you think we are in default, you may contact us at Our Legal Notices Address.