Privacy Information Notice
This policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and what choices you have. It relates to all our business activities, not just this website.
We may change this policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our services, you’re agreeing to be bound by this policy.
Any questions regarding this policy and our privacy practices should be sent by email to firstname.lastname@example.org, or via the other methods on our contact page.
Summary in plain language
You have a right to know how we handle your data, and you have a “right to be forgotten.” At the CPA, we wholeheartedly agree with these rights.
The new General Data Protection Rules (aka “GDPR”) is a law affecting businesses, including websites, worldwide. Effective May 25, 2018, it requires all organizations that store information about a person (which identifies that person specifically, or can be used to do that) to explicitly state how, where, why and so on. Further, that person can demand the information be removed.
That’s what all the legal information below points out. However, in plain terms, here it is: we need your information to process you as a member or take donations online. If you ask us to delete your information, you are effectively saying that you no longer wish to be a member. (This is of course true for any membership-based organization, not just the CPA.)
We use MailChimp (an email service) to send out our “focus” newsletter, and to keep you informed of the events for which you joined. We need to gather your name, address and so on to process your membership payments and maintain our rolls. (We do -not- keep your credit card information; however, our payment processor, Stripe.com, does.)
In short, to even function as a membership organization, we obviously need to keep your membership information. We have some on our server; MailChimp has some, and Stripe has some. Google analyzes our website traffic, but keeps no personally identifying data. We make occasional use of PayPal. We use WordFence, a security plugin, to keep us from being hacked, and WP Security Audit Log to record logins in case some bad-guy does get in. Eventbrite handles ticket sales, and CaFÉ runs some of our annual competitions. We will never share your information with anyone, and it is our understanding the same applies for the others listed.
If you have privacy concerns or requests, you may call our office, or email email@example.com.
(If you’d like to see a sample actual report of a member’s information, you can scroll to the bottom of this page. You’ll see that it is pretty much the bare minimum.)
Here is the full text of our privacy statement:
1. Who are we?
We are the Center for Photographic Art, a 501(c)3 non-profit corporation for the preservation and furtherance of the skills required for the art of photography.
The Center for Photographic Art is located in The Sunset Center, Carmel, CA 93921.
Our mailing address is
The Center for Photographic Art
PO Box 1100
Carmel, CA, 93921
To contact us by email, address your email to firstname.lastname@example.org
Full contact details can be found in the footer at the bottom of every page on this site, including this one.
2. How do we collect information from you?
We obtain information about you when you contact us to subscribe to our newsletter, or enter one of our contests. If you purchase a membership, photograph or tickets to an event online, that will also require us to get personal information.
3. What information do we collect & how is it used?
We collect information to allow us to fulfil our obligations to you, and to respond to business enquiries. For example, we need your mailing address to send out purchases, or more information, such as address and phone, if required by Stripe, our payment processor. You may be asked for email address, phone and other information if you enter a contest, so that we may contact you if you win, or for other contest-related purposes.
Some information, such as a user name, password and email address, is required by WordPress to add you as a user. We also keep membership information, such as what level of membership applies to your account. Purchasing a membership, or a photograph, tickets or other items online, or engaging in any financial relationship with us, will generate a unique order record on our site. In doing so, you agree that we may contact you regarding that transaction and related issues. If you have made a donation, you agree that we may contact you in the future.
The law prohibits us from keeping, and we do not keep, credit card numbers. Credit card numbers may be kept by Stripe, our payment processor, as necessary for renewing subscriptions and as required by law. In some cases, PayPal processes transactions. Each of these institutions has data-retention requirements prescribed by US law. Please contact PayPal or Stripe for more information.
We keep your membership information until you delete it yourself, or instruct us to remove it. Memberships expired for more than a year are removed from our records periodically.
Some information, such as your email address, is also shared with MailChimp, our email processor. That is a separate list maintained by them, although we do have control over individual entries. You may remove yourself from this mailing list by clicking the “unsubscribe/remove” link at the bottom of every email sent by MailChimp. You may also email us and have us remove you from the list. Removal from this list will prevent you from receiving most emails updating you about events. It does not remove your membership records with us, and does not prevent us from sending administrative emails regarding your membership per se.
3.0. Sensitive Data
We do not gather sensitive personal data (e.g. health, genetic, biometric data; racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual orientation, and criminal convictions). We expressly request that you do not provide any such sensitive data to us.
3.1. Children’s information
Our services are not directed to children under 13. If you learn that a child under 13 has provided us with personal information without consent, please contact us.
3.2. Third Parties
We will not give, sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
We may pass your information to third party service providers who we have engaged for the purpose of completing tasks and providing services to you on our behalf, such as sending our monthly newsletter or processing credit cards. We disclose only the personal information that is necessary to deliver the service.
We also use a number of 3rd party services to help us fulfil our contractual obligations – for example, our computers are backed up to various locations, as described below.
3.3. Data Retention Details
The following outlines the personal data we collect and for what purpose. The table also outlines the 3rd parties the data is processed by or shared with, and how long the data is stored for:
Email: contact information; To allow initial and ongoing contact with prospects, clients, suppliers, etc. Kept by WordPress engine and MailChimp. Shipping labels are kept in an Excel spreadsheet for office use. Kept until request for deletion.
Passwords: Client log-in details for various services, including membership. Allows users to log in and access member services. Kept in the WordPress database using the WordPress-provided encrypting algorithm. Kept until request for deletion.
Backup: Our entire site, including all user information, is backed up daily. Backups of our website, in full, are stored on Microsoft OneDrive and BlogVault, and are duplicated on the website host drive at Dreamhost. Kept on a rotating basis in perpetuity.
We also use Google Analytics: Website visitor behavior (anonymized – full IP address is NOT stored). NO personal data is stored. No user identifiable information is stored. Google’s “user-id” is not used. All Google Ad-tracking is disabled. Session information is deleted automatically after 14 months.
WordFence: this security software reads IP addresses to generate security warnings and prevent hacking. Entries are kept for 30 days, and are automatically pruned (deleted) by the system.
Security Audit Log: tracks IP address to provide an audit trail in case of hacking. Entries are kept for 30 days, and are automatically pruned by the system.
4. Controlling your information
You have certain rights concerning the information we hold about you. If you wish to exercise these rights, please contact us, including your email address in the first instance (your email address is the unique identifier we use to identify your account).
Note that paid members of the Center for Photographic Art may log in to their own account and control the information we have on file without needing to contact us. You may change or remove most information from the membership panel.
4.0. Requesting a copy of your information
You may request a copy of any data we hold about you. Upon request, we will provide a CSV file (which you may open in a program such as Microsoft Excel or any text editor) containing the personal data we hold on record about you.
4.1. Updating or correcting your information
The accuracy of your information is important to us. If you change email address, or any of the other information we hold is inaccurate or out of date, please log in to your account online and make the necessary corrections; or you may contact us so we can correct our records.
4.2. Deleting your information
You have the right to request erasure of your personal information. Unless there is a compelling reason for the data not to be erased (for example, if we need to use that data to fulfil our contractual or legal obligations), your personal data will be deleted on request.
If you delete, or request deletion of, information necessary for us to identify you as a member of CPA, your membership will, of necessity, also cease.
4.3. Automated decision making
We do not use any personal information for automated decision making or profiling; your data is not subject to automated decision making or profiling.
5. Use of ‘cookies’
Google Analytics: Google Analytics sets cookies to help us accurately estimate the number of visitors to the website and what content is most popular. This helps to ensure that our website is responding to your needs in the best way possible.
WordPress Comments: When you leave a comment on our blog, three cookies are set to store your name, email address and website. This is so that if you wish to leave another comment, you won’t have to re-type this information. (Comments are currently disabled, so this does not apply.)
Temporary cookies: infrequently used to track action from one page to the next. No personal information is involved.
By using and browsing the Center for Photographic Art website, you consent to cookies being used in accordance with this policy.
If you do not consent, you must turn off cookies in your browser or refrain from using the site. Most browsers allow you to turn off cookies. To do this, look at the ‘help’ menu on your browser. Switching off cookies should not noticeably restrict your use of this website, although it may preclude you from some services which require online payments.
The Center for Photographic Art takes security seriously. In order to protect your information from loss, misuse or unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. These steps include the following:
Password best practice (we do not accept trivial passwords, such as “passW0rd” or “iloveyou.”)
Security best practice concerning devices (PCs, laptops, mobile devices), online accounts, website hosting, physical access and storage
Staff training and accountability on data protection
Two-factor authentication for site administrators.
This website runs on a dedicated server with extremely limited access. The server is located in a highly secure facility in Virginia, USA.
7. Data Breaches
Where appropriate, the Center for Photographic Art will promptly notify you of any unauthorized access to your personal information.
If you wish to raise a complaint on how we have handled your personal information, you can contact us directly and we will investigate the matter. Email us at email@example.com.
Sample privacy report
This is an actual report for a sample member. It’s here to literally show you the information we keep.