Effective as of January 1, 2020
Phone2Action, Inc., doing business as Capitol Canary (the “Company”, “we”, “us”, “ours”) is committed to protecting your privacy. We have prepared this Privacy Notice (or “Notice”) to describe to you our practices regarding our collection and use of your Personal Data (as defined below). This Privacy Notice provides information about the types of information we collect from our Services and website and what we may do with that information.
In this Notice, we will outline and describe the following with respect to the Personal Data that we collect:
- What information we collect
- How we collect it
- How we use it
- With whom we share your information
- What we disclose internationally
- How long we keep your information
- Your rights under the law
- The security of your information
- Our Data Privacy Officer
- Our policy regarding children
- Information for California Residents
You will note that throughout this Notice we use words that are capitalized. These are special terms that are defined. Those definitions are set forth at the end of this Notice, in Section XII.
I. What information we collect
A. Information you provide:
If you are just browsing the Capitol Canary website, we do not ask you to enter any personal information about yourself unless you complete a Company form. If you wish to take action in any campaigns powered by our technology, the personal information that you provide can include your name, title, physical address (including zip code), email address, and phone number. We also collect information in the form of the content that you submit during your use of our Platform, which may include photos, your personal comments and positions on topics, which could include political information and other information of a sensitive nature that you choose to submit. We may also collect your user name, or handle, from Facebook or Twitter when you connect to us from them or wish to connect to them from us. We may also combine information you provide with Personal Data we collect automatically (as further described in Part I, Section B below) and with Data we receive from third-parties. We may also associate information you provide with information we collect about you from different devices, browsers and platforms.
“Cookies” are small pieces of information that a website sends to your devices while you are viewing a website. We may use both session Cookies (which expire once you close your web browser) and persistent Cookies (which stay on your computer until you delete them) to provide you with a better experience with our Platform. Persistent Cookies can be removed by following your Internet browser directions. If you choose to disable Cookies, some aspects of our Services may perform differently; for instance, you will need to re-enter your information each time you return to use the Services.
We do not offer third-party advertising on our website; therefore, we do not respond to “do not track” signals or other mechanisms that might enable website visitors to opt out of tracking on the Capitol Canary site.
C. Information collected from third-parties:
In addition to the information that we collect as described above, we also collect information about you from our third-party integrators and vendors. These parties are used by us to run our Platform and integrate our Services with our Clients, so that you can take action and participate in campaigns through our Platform. The information that we collect through these channels includes your geo location data, derived from the address that you submit, legislative data, such as your legislative or political district, candidate and elected official information, voter registration and polling location.
II. How we collect your information
We collect your Personal Data in a number of ways, and this section will describe those methods.
A. Your direct interaction with us: We collect your Personal Data when you interact directly with us by coming to our website to browse or to enter information in a campaign that uses our Platform.
B. From our Clients: Another way we collect your Personal Data is from our Clients who contract with us to use Capitol Canary services. If you provide your information via a campaign that uses our Platform, we will collect the information you provide on the form such as name, e-mail address and the full content of your message, including attached files, and other information you provide. This method of Personal Data submission to us could occur, for instance, (i) if you complete a form created by a Client but powered by Capitol Canary, or (ii) where the Client captures the Data you enter and then transmits that Data to us.
C. From Third-Party Technologies and Social Network Sites:
We may receive Personal Data about you from other sources with which you have interacted, such as through third-party technologies that are integrated into the Services like Alexa, which is owned by Amazon, or through social networks like Facebook or Twitter when you grant us permission to access these technologies to further use Capitol Canary Services. Further, we may associate this Personal Data obtained from these sources with the other Personal Data we have collected about you from other sources as described in this Notice. We do not control or supervise how these third-parties process your Personal Data, and any information request that you have regarding the disclosure of your Personal Data from them to us should be made directly to those third-parties.
D. Third-party analytics:
Third-parties who provide us with analytics services for our Platform and Services may collect some of the information described in Section I, including, for example, IP address, access times, browser type and language, device type, device identifiers and Wi-Fi information. For instance, we use Google Analytics and similar services to perform certain analytical tasks about our web users’ activities. We use the User-ID feature of Google Analytics to combine behavioral information across devices and sessions (including authenticated and unauthenticated sessions).
III. How we use your information and the Legal Basis for sharing it
We may use your information to:
- Process information you have submitted on a form either through one of our Client’s campaign forms on a Capitol Canary website form, via text message, voice recognition, conversational messaging system, or via phone call;
- Seek your views or comments on the Services we provide;
- Send you marketing materials and information about other Capitol Canary products with your consent;
- Provide, create and maintain a trusted and safer environment and comply with our legal obligations.
Applicable laws require us to have a “legal basis” for using and sharing your information. These legal bases include the following:
- Your consent - to fulfill your express requests.
- To carry out our legitimate interests in our Platform. “Legitimate interests” is a concept in data protection law which essentially means we have a good and fair reason to use your Personal Data and we do so only if our interests are not overridden by your fundamental rights and freedoms. We sometimes require your Data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and that does not materially impact your rights, freedom or interests.
- To fulfill our obligations with you when the processing is necessary to perform a contract with you, like the Terms of Service.
- To measure the adequate performance of our interactions with you, and to comply with applicable laws.
- To promote the safety and security of the Services, our users, and other parties. For example, we may use the information to protect against fraud and abuse, respond to a legal request or claim, conduct audits, and enforce our terms and policies.
IV. How we share your information
A. With your consent:
Where you have provided express and unambiguous consent, we share your Personal Data as described at the time of consent. This form of consent is also given when you take action on a client campaign or when you sign a petition. We do not otherwise share any of your Personal Data that identifies you, except as instructed by you.
The specific way in which you consent to share Personal Data that you provide to us is when we enable you to send individual e-mails and related messages to lawmakers, regulatory agencies, and other organizations and leaders that are the target of a campaign through our Platform. These messages may include your full name, e-mail address, mailing address and other contact information you may have provided as part of the submission. You are solely responsible for the specific message(s) you send using our Services.
For certain campaigns that you completed, some of your information may be made public, including without limitation your name, city, and state (“Public Petition Information”). All other information you have been asked to provide will not be made public.
Based on our legitimate interest to operate and promote our Platform we may display parts of the Platform (e.g., a campaign web form and your postings on it) on sites operated by our Clients, using technologies such as widgets or via APIs. If your postings are displayed on a Client’s site, information from your posting may also be displayed.
Information you share publicly through our Platform may be indexed through third party search engines, such as Google or Bing. We do not control the practices of third party search engines, and they may use caches containing your outdated information. You acknowledge that Personal Data that you submit when you take action on our Platform through our website or Services may be available, via the internet, around the world. We cannot prevent the use (or misuse) of such Personal Data by others.
B. Third-Party Sub-Processors:
We use third-party Sub-Processors (including contractors and service providers) to provide the Services and to help with our operations, which may require that these Sub-Processors have access to and use your Personal Data. For example, we may use a third-party to communicate with you (via telephone, email, or SMS) to provide customer support, to receive additional Data about you, and to perform analytics and other work that we may need to outsource. The Sub-Processors are bound by law and/or contract to protect the confidentiality and security of Personal Data, and to only process your Personal Data to provide requested services and only act on our documented instructions.
C. Third-Party websites:
D. De-identified information about you:
We may also share aggregated or de-identified information (i.e., information that does not personally identify you directly), or statistical information about you, including statistical data and historical use data, with others for a variety of purposes, including for their own uses, for example, for improving their services for you and others, or for educational purposes. Your Personal Data will not be shared on an individual, identifiable basis under these circumstances, nor can you ask us to restrict this type of sharing, since it does not identify you.
E. As required by law or legitimate business interest:
In addition, we may disclose your Personal Data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. Likewise, we may disclose your Personal Data to our professional advisers as reasonably necessary for the purposes of managing risks, obtaining professional advice, or the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative or out-of-court procedure. Also, we may share some or all of your Personal Data in connection with or during negotiation of any merger or similar transaction involving sale or transfer of some or all of our business or assets. If another company acquires our company or assets, that company will possess the Personal Data collected by us and will assume the rights and obligations regarding your Personal Data as described in this Privacy Notice.
V. We disclose your Personal Data internationally
A. Our Headquarters:
Our headquarters is in the United States. Whether or not you live in the United States, information we collect from you will be processed in the United States. The United States has neither sought nor received a finding of “adequacy” from foreign officials, including the European Union under Article 45 of the GDPR. We rely on derogations for specific situations as set forth in Article 49 of the GDPR. In particular, for EEA residents, we collect and transfer to the U.S. Personal Data only: (i) with your consent; (ii) to perform a contract with you; (iii) to conclude or perform a contract with another person in the furtherance of your or our legal interests (such as with a Client); or (iv) to fulfill a compelling legitimate interest of ours in a manner that does not outweigh your rights and freedoms. We strive to apply suitable safeguards to protect the privacy and security of your Personal Data and to use it only consistent with your relationship with Capitol Canary and the practices described in this Privacy Notice.
While many of our third party Sub-Processors are global companies with operations in the EEA, some of the third-party Sub-Processors with whom we share Personal Data are located outside of the EEA. Certain third countries have been officially recognized by the European Commission as providing an adequate level of protection. You can find the list of these countries at the following address: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en. Transfers to third-parties located in other third countries outside the EEA take place using an acceptable data transfer mechanism, such as the Privacy Shield for transfers to self-certified US organizations, the EU Standard Contractual Clauses, Binding Corporate Rules, approved Codes of Conduct and Certifications or in exceptional circumstances on the basis of permissible statutory derogations.
Please contact our Data Privacy Officer at the address or phone number listed below, in Section IX, if you want to receive further information about these Sub-Processors.
VI. How long we keep your Personal Data
Your Personal Data is stored by us on the servers of the cloud-based database management services that we engage, located in the United States. We retain your Personal Data collected as reasonably necessary to fulfill the purposes for which we collected it, and to comply with our legal obligations. Personal Data of EEA residents that remains inactive (you do not take any action or are contacted within 1 full year) will be deleted.
In no event will we keep your Personal Data for longer than is strictly necessary for the purposes defined in this Notice. For more information on where and how long your Personal Data is stored, please contact our Data Privacy Officer at the address or phone number listed below, in Section IX.
VII. Your rights in relation to your Personal Data
A. For United States Residents and others not living in the EEA:
You have the rights provided under the laws applicable to where you live. Additionally, you can ask us questions about the Personal Data that we have relating to you, ask us to correct any of that Personal Data if it is wrong and you can verify that with us.
B. For Residents of the EEA:
If you reside within the EEA, the GDPR applies. This law provides certain rights for Data Subjects. Under the conditions set by this law, you may be able to exercise the following rights regarding your Personal Data, subject to the exceptions provided by the GDPR (see also Section IX on who to contact to exercise those rights):
You have the right to access your Personal Data. You can obtain from us confirmation if Personal Data is being Processed, the purpose of Processing, the categories of Data, the legal basis of the Processing, information on recipients of the Data and the non-EU countries in which they are located, and the safeguards put in place for the transfer of Data to non-EU countries. If you have chosen to connect to a social network like Facebook or Twitter, you can remove permission for the app by changing your account settings with them. You are responsible for keeping your personal information up-to-date.
You have the right to request us to correct inaccurate Personal Data and to have incomplete Data completed, but only to the extent that the Data is still under our control and has not yet been transmitted to a campaign or petition target.
You have the right to object to the Processing of your Personal Data for compelling and legitimate reasons relating to your particular situation, except in cases where legal provisions expressly provide for that Processing, or when upon your initial request, the Personal Data has already been transmitted by us to a target of a campaign or petition identified by you.
You may request your Personal Data that you have provided to us and which is still retained by us, in a structured, commonly used and machine-readable format, and you have the right to request that we transmit it to other data controllers or processors without hindrance. This right only exists if the Processing is based on your consent or on a contract between us, and the Processing is carried out by automated means.
You may request to restrict Processing of your Personal Data if: (i) you contest the accuracy of it – for a period we need to verify your request; (ii) the processing is unlawful and you oppose the erasure of it and request restriction instead; (iii) we no longer need it, but you tell us you need it to establish, exercise or defend a legal claim; or (iv) you object to Processing based on public or legitimate interest – for a period we need to verify your request. Please note that this right is limited to the extent that the Data is still under our control and does not apply to any Data that has already been transmitted to a campaign or petition target at the time of your request.
You may request to have your Personal Data erased if: (i) it is no longer necessary for the purposes for which we have collected it, (ii) you have withdrawn your consent and no other legal ground for the Processing exists, (iii) you objected and no overriding legitimate grounds for the Processing exist, (iv) the Processing is unlawful, or (v) erasure is required to comply with a legal obligation. Please note that this right is limited to the extent that the Data is still under our control and does not apply to any Data that has already been transmitted to a campaign or petition target at the time of your request.
7. Right to lodge a complaint:
You also have the right to lodge a complaint with a supervisory authority, in particular in the EEA member state of your residence, place of employment, or the location where the issue that is the subject of the complaint occurred.
8. Right to refuse or withdraw consent:
VIII. Security of your information
To help protect the privacy of your Personal Data collected by us, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your Personal Data to those employees who need to know that information to provide the Services. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of personal data processed by the services. We commit to taking appropriate disciplinary measures to enforce our employees' privacy responsibilities.
IX. Questions, concerns or complaints - Contact Details
The contact information for our Data Privacy Officer is:
1500 Wilson Boulevard, Suite 700
Arlington, VA 22209
X. A note about Children
We do not intentionally gather Personal Data from visitors who are under the age of 13 through our Platform. If a child under 13 submits Personal Data to Company and we learn that the Personal Data is the information of a child under 13, we will attempt to delete the information as soon as possible. If you believe that we might have any Personal Data from a child under 13, please contact us at firstname.lastname@example.org.
XI. Important Information for California Residents
This section applies only to California residents. It describes how we collect, use and share Personal Information of California residents in operating our business, and their rights with respect to that Personal Information. For purposes of this section, “Personal Information” has the meaning given in the California Consumer Privacy Act of 2018 (“CCPA”) but does not include information exempted from the scope of the CCPA.
Your California privacy rights. As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
- Information. You can request the following information about how we have collected and used your Personal Information during the past 12 months:
  - The categories of Personal Information that we have collected.
  - The categories of sources from which we collected Personal Information.
  - The business or commercial purpose for collecting and/or selling Personal Information.
  - The categories of third parties with whom we share Personal Information.
  - Whether we have disclosed your Personal Information for a business purpose, and if so, the categories of Personal Information received by each category of third party recipient.
  - Whether we’ve sold your Personal Information, and if so, the categories of Personal Information received by each category of third party recipient.
- Access. You can request a copy of the Personal Information that we have collected about you during the past 12 months.
- Deletion. You can ask us to delete the Personal Information that we have collected from you.
- Nondiscrimination. You are entitled to exercise the rights described above free from discrimination. This means that we will not penalize you for exercising your rights by taking actions such as denying you services; increasing the price/rate of services; decreasing service quality; or suggesting that we may penalize you as described above for exercising your rights.
How to exercise your rights
You may exercise your California privacy rights described above as follows:
- Right to information, access and deletion. You can request to exercise your information, access and deletion rights by:
  - Visiting: Data Request Form
  - Calling us toll free at 1-844-888-7668
  - Emailing: email@example.com
We will need to confirm your identity and California residency to process your requests to exercise your information, access or deletion rights. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.
Personal Information that We Collect, Use and Share
|Identifiers||Service-related third parties / Professional advisors / Authorities and others / Business transferees||None|
|Commercial Information||Service-related third parties / Professional advisors / Authorities and others / Business transferees||None|
|Online Identifiers||Service-related third parties / Professional advisors / Authorities and others / Business transferees||None|
|Internet or Network Communication||None|
We describe the sources from which we collect this information in the section above entitled How we collect your information; and the business and commercial purposes for which we collect this information in the section above entitled How we use your information and the Legal Basis for sharing it.
“Clients” or “Client” means a customer of Capitol Canary, who engages the Company, among other things, to use the Company services and platform to operate advocacy or outreach campaigns where Advocates take action by entering their information.
“Data Subject” means you, or any natural person to whom any Personal Data relates.
“EU” means the European Union, and “EEA” means the European Economic Area, which includes the EU plus Iceland, Liechtenstein and Norway; for purposes of this Notice, any reference to the EEA will also include Switzerland, even though it is not a member of either the EU or the EEA.
“GDPR” means the General Data Protection Regulation, which is the EU regulation that governs the protection of the Personal Data of EEA residents and balances that protection against the free movement of that Data.
“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal Data includes “Special Categories of Personal Data”.
“Processing” means any activity that involves the use of Personal Data. It includes obtaining, recording or holding the Data, or carrying out any operation or set of operations on it including organizing, amending, retrieving, using, disclosing, erasing or destroying it.
“Processor” also means us, or any other natural or legal person (including corporations, partnerships or other business entities) which, acting alone or jointly with others, Processes Personal Data for a controller or a party with whom you deal directly and is primarily responsible for the security of your Data and your privacy rights.
“Services” means collectively the Capitol Canary platform (“Platform”) and related services.
“Special Categories of Personal Data” includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.
XIII. Changes and updates to the Privacy Notice