Privacy Policy

This privacy policy explains the process in which CiviCRM LLC (“CiviCRM”, “we”, “us”) obtains, uses, stores and handles data acquired either directly through our website(s) or indirectly through related services, products or websites. The CiviCRM privacy policy (“this policy”) complies with the California Consumer Privacy Act (“CCPA”, 2018) as well as the General Data Protection Regulation (“GDPR”, 2018) implemented in the European Union. 

CiviCRM is an open source project (CiviCRM license) that produces software for nonprofit and civic sector organizations. CiviCRM LLC, the originator and legal entity behind the CiviCRM open source project, is a California-based Limited Liability Company which employs individuals and contractors throughout the world.  All individuals and contractors are aware of and are required to adhere to this privacy policy.  

For personal information contained in this policy which is used by CiviCRM, CiviCRM is the data controller under European Union data protection legislation. For personal information contained in this policy which is used by our Partners in connection with CiviCRM.org services, then the relevant partner(s) will be the data controller under European Union data protection legislation.

This policy does not apply to the practices of companies that may be affiliated with CiviCRM but that CiviCRM does not own or control, or to people that CiviCRM does not employ or manage.

This policy does not apply to any of our products or services that have a separate privacy policy.

Rights & Principles

With respect to general privacy and specifically to this privacy policy, we adhere to the following basic principles:

  • We strive to be transparent and open in how we collect, use and share your data.
  • We focus on collecting only the most essential data necessary to facilitate your use of our services.
  • We offer opportunities for you to provide additional information but we do not require it.
  • We store data for as long as we have good reason to keep it.
  • We try to make it easy for you to control your data.

We believe that users (“you”) benefit from privacy policies that ensure transparency and control over personal data. Therefore:

  • You have the right to access your information that we have collected and store; you have the right to request a copy of the information we have about you;
  • you have the right to ask us to rectify any inaccuracies in information about you that we have collected and store; 
  • you have the right to ask that we transmit your data that we have collected on you, to another provider (if technically feasible);
  • you have the right to ask that we restrict processing of your data; you have the right to withdraw consent to the processing of your data;
  • you have the right to request that we remove information about you that we have collected and store; 
  • if, at any time, you have concerns about how we have used your personal information, you have the right to complain to a privacy regulator.

Application & Definitions

This policy applies to any personal information that you enter into your account on the primary website for CiviCRM (https://civicrm.org, “civicrm.org”) as well as information that you enter on related websites that may be directly and indirectly be associated with CiviCRM or services that are provided on behalf of CiviCRM. 

Examples include:

  • Registration at civicrm.org and sites directly related to civicrm.org such at https://chat.civicrm.org and https://lab.civicrm.org.
  • Engagement on related services, such as CiviCRM Spark, over which we have direct control.
  • Registration at CiviCRM-related event websites or attendance at meetups, trainings and/or participation in webinars.

‘Personal information’ (“data”, “information”) is defined as any piece of data that can be used to identify you as an individual and excludes data that may identify you as a representative of a legal entity.

Public postings to civicrm.org or related sites, direct email communications to domains under our control, and engagement on social media platforms, all of which may expose personally identifiable information, are not considered personal information and are not the type of information protected by this privacy policy.

How We Use Information

We use information that we obtain to:

  • Monitor and protect the integrity of our websites and services, and to prevent fraudulent or illegal activities.
  • Analyse and improve the performance and effectiveness of our websites and our services.
  • Personalize your experience on our websites and services, and to directly communicate with you.
  • Facilitate transactions, be they informational and/or financial, on behalf of users of our websites and/or paid services.

Children

Due to the nature of our services, we do not offer online services to children. Therefore, we do not identify it as relevant to control the age of users signing up for services.

Nonetheless, we honor The Children’s Online Privacy Protection Act (“COPPA”) of April 21, 2000. COPPA applies to any individually identifiable information about a child that is collected online, such as full name, home address, e-mail address, telephone number or any other information that would allow someone to identify or contact the child. 

CiviCRM does not knowingly collect information on any person under 18 years of age. We request that children under 18 (years old) do not provide information to us without the consent of a parent or guardian.

Information We Collect

We collect information about you when it is relevant to do so for the use, maintenance or improvement of our services. We collect information in three primary manners:

  1. Directly through transactions, such as website registrations, in which you provide information.
  2. Automatically through 3rd party services, such as website analytics.
  3. Automatically through anonymous pingbacks generated through installations of CiviCRM, the software, with which you may be associated.

Information You Provide to Us

Examples of information that you may directly provide to us include:

  • basic contact information through website or event registration, such as name, email address, and username;
  • financial information generated through the processing of financial transactions, such as billing address and transaction identification;
  • specific information necessary for proper accommodations during event registration, such as dietary information or information related to clothing size;
  • information related to your employment and your use of CiviCRM, both current and historical, such as you employer name and your job title;
  • information that expresses your views, opinions or beliefs, such as survey responses or answers to technical questions.

Financial information, such as credit card numbers, is not stored in our systems and is managed by and governed by the data policies of the payment processors we use.

We do not ask for, require, or otherwise track information that is unnecessary to the operation of CiviCRM, such as social security numbers, or equivalent, gender or date of birth.

Information We Collect Automatically

We collect some information automatically through use of our services, through third party services and through pingbacks from installations of our software.

Information We Collect Through Our Services

In addition to data that we explicitly ask for during user interaction, such as name, email, phone, etc., we collect data that browsers, devices, and servers typically make available including IP addresses and language preferences that may be required for the optimal use or general operation of our services. We may approximate device location based on IP addresses.

Information acquired in this manner is not automatically associated with any personally identifiable record or related information. Said information is not anonymised and could be used for the purpose of identification should there be an operational or legal requirement to do so.

Information We Collect Through 3rd Party Services

CiviCRM uses 3rd party software to monitor and deliver our services. We do not own or control these 3rd parties and therefore cannot ensure that their policies of data collection, storage and use are in compliance with CCPA or GDPR. You should review their rules and policies when using third party software not developed by CiviCRM. We can provide a complete and up to date list of 3rd parties we use by request to info@civicrm.org.

We use website analytics software (Google Tag Manager, Google Analytics) to track website user engagement and related behavior for the purpose of improving our services. Data collected includes IP addresses, unique device identifiers, browser types, device types, operating systems, etc. as well as behavioral data such as clicks, page views, durations, visit dates, etc.

Analytics are used to gauge interest in the overall project as well as to determine the effectiveness of websites under our control. Analytics are not used in any way to personally identify users and therefore are not governed by this privacy policy. Users may avoid analytics tracking by declining the use of cookies.

Information from Cookies & Other Technologies

CiviCRM may use technologies such as cookies, Pixel tags, web beacons, or similar, which are typically small blocks of code placed on website and emails, to help us identify, track usage, access preference for our services, and otherwise track and understand campaign effectiveness and/or deliver targeted advertising.

Sharing Information

We do not sell, trade, give or otherwise share our users’ private personal information without direct consent and knowledge. We do share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy:

Subsidiaries, Employees, and Independent Contractors

We may disclose information about you to our subsidiaries, our employees, subprocessors (both inside and outside of the EEA) and individuals who are our independent contractors that need to know the information in order to help us provide our services or to process the information on our behalf. We require our subsidiaries, our employees and our subprocessors (both inside and outside of the EEA) and individuals to follow this Privacy Policy for personal information that we share with them.

Third Party Vendors

We may share information about you with third party vendors who need to know information about you in order to provide their services to us and to you. This group includes vendors that help us provide our services to you (like payment providers that process your credit and debit card information) and those that help us understand and enhance our services (like analytics providers). When possible, we require vendors to agree to privacy commitments in order to share information with them.

As Required by Law

We may disclose information about you in response to a subpoena, court order, or other governmental request.

To Protect Rights and Property

We may disclose information about you when we believe that doing so is reasonably necessary to protect the rights of CiviCRM, third parties, or the public at large. For example, if we believe that there is an imminent danger of death or serious physical injury, we may disclose information related to the emergency without delay.

With Your Consent

We may share and disclose information with your consent or at your direction. 

Aggregated and De-Identified Information

We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For example, https://stats.civicrm.org.

Published Support Requests

We may share information if you send us a support request (for example, via a support email or through our support forums). We reserve the right to publish that request in order to help us clarify or respond to your request or to help us support other users.

Information Shared Publicly

Information that you choose to make public is disclosed publicly. That means, of course, that information within any content that you make public, including your name, email, user ID, etc., on any of the digital platforms that we create or maintain on your behalf are all available to others. Public information may also be indexed by search engines or used by third parties.

Security

While no online service is 100% secure, we work very hard to protect information about you against unauthorised access, use, modification, or destruction.

  • We use physical, electronic, and procedural safeguards to protect personal information that you have shared with us.
  • We use standard methods of authentication to ensure that you may access, control and secure your data.
  • We use industry-standard SSL-encryption to protect data and data transmissions. Please note that using an SSL is not a guarantee that information may not be accessed, disclosed, altered or destroyed by a breach of firewalls, secure server software, and the like.

If CiviCRM learns of a security breach, we may attempt to notify you electronically so that you can take appropriate protective steps. By using  our sites, products, and services or providing personal information to us, you agree that we can communicate with you electronically regarding security, privacy, and administrative issues relating to your use of those sites, products, and services. We may post a notice on our applicable web sites if a security breach occurs. If this happens, you will need a web browser enabling you to view the applicable Web sites. We may also send an email to you at the email address you have provided to us in these circumstances. Depending on where you live, you may have a legal right to receive notice of a security breach in writing. To receive free written notice of a security breach (or to withdraw your consent from receiving electronic notice), you should notify us at info@civicrm.org.

Data Storage

All and any information that we gather from you is stored and processed on our secure servers or those of our trusted partners. We implement strict technological and procedural measures to keep your data safe and secure.We only store your data for as long as we need it to provide you with the services that you require, after which they are either deleted or anonymized. We may keep anonymized data regarding financial transactions, such as past invoices and/or contributions made to CiviCRM.

At any point in time you have the right to request that we delete or obfuscate any data that may be used to identify you as an individual. However, please bear in mind that by doing so, you may be required to cancel all or a part of the services that we provide you as we may not be able to provide you with that service without certain data.

Changing Your Preferences and Personal Information

You can edit your account information with CiviCRM at any time. Most personal information you may provide is entirely optional. You can delete your account by visiting the applicable account deletion page; however, please note that some personal information, primarily your contact information, may remain in our records to the extent necessary to protect our legal interests, to maintain a history of past financial transactions or document compliance with regulatory requirements.

You have several choices available when it comes to managing information about you:

  • Limit the Information that You Provide: If you contact us you can choose not to provide the optional information. Please keep in mind that if you do not provide this information we may not be able to fully respond to you.
  • Opt-Out of Electronic Communications: You may opt out of receiving promotional messages from us. Just follow the instructions in those messages. If you opt out of promotional messages, we may still send you other messages, like those about your account and legal notices.
  • Set Your Browser to Reject Cookies: At this time, CiviCRM does not respond to “do not track” signals across all of our Services. However, you can usually choose to set your browser to remove or reject browser cookies before using CiviCRM’s websites, with the drawback that certain features of CiviCRM’s websites may not function properly without the aid of cookies.

Privacy Policy Changes

CiviCRM may change this privacy policy periodically. CiviCRM encourages visitors to frequently check this page for any changes to its Privacy Policy. If we make changes, we will notify you by revising the change log below, and, in some cases, we may provide additional notice (such as adding a statement to our homepage or sending you a notification through e-mail or your dashboard).

Contacting CiviCRM

We reply personally to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month).

If you have a concern regarding any CiviCRM website, product, or service, or if you have specific concerns about this policy, or if you object to any sharing of your personal information that may be permitted under this policy, you may do so by writing to us via email at info@civicrm.org. Alternatively, we can be reached at our postal mail address.

We will take reasonable steps to accommodate your requests as they relate to the operation of CiviCRM. In some instances, it may be that honoring your requests will interfere with or preclude your ability to use our websites, products, or services or may require us to terminate our relationship with you.

Data Protection Officers

Tim Otten
2367 24th Avenue
San Francisco, CA 94116
United States

Josh Gowans
Rua das Adelas 17, 1esq.
Lisboa 1200-007
Portugal

CiviCRM’s privacy policy is available under Creative Commons Sharealike license. You are free to copy, modify and use it for your own use. Your version of this policy should include language that reflects your practices, processes and organizational information.