1. Data Controller and Regional/National Representatives
|Data Controller||CHANGE.ORG, PBC
548 Market Street
Data Protection Officer: [firstname.lastname@example.org]
|EU Representative||Change.org, PBC, as Data Controller responsible for your Personal Data has appointed Change.org, Servicios Promocionales España, S.L. to be its Representative in the European Union.
You may contact our European Union Representative at:
and/or by means of the following e-mail address: [email@example.com]
|Change.org India’s Grievance/Nodal Contact Officer||Change.org’s Grievance Officer
2. Information we collect
To run our service and show you relevant content we need to know a little about you and your interests. Here we outline what information Change.org collects, and how we collect it.
When you sign or create a petition via our Change.org platform, an account is created for you; all of your activities on Change.org are then tied to this account. In the chart below, we’ve detailed the information we may collect about you, depending on your activities on the platform, and how we obtain this information.
|What we collect||How we collect it|
|Your name.||We require you to provide a chosen name when you create a Change.org account.|
|Your email address.||We require you to provide an email address when you create a Change.org account.|
|Your password.||We require you to enter a password when you create a Change.org account.|
|Your IP address. Your “IP Address” is a designator that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP).||An IP Address may be identified and logged automatically in our server log files whenever you use our platform and services, along with the time of your visit and the specific page(s) that you visited.|
|Your postal address.||You may choose to provide your postal address when you create a Change.org account. Providing this information is not required to use the service.|
|Your telephone number.||You may choose to provide your telephone number when you create a Change.org account. Providing this information is not required to use the service.|
|Your city.||We use the IP service Maxmind to suggest your city from your IP address, in order to show you local petitions that may be of interest. You can change this information if it is displayed incorrectly. We do not share your information with Maxmind. Providing a city is required to use the service.|
|Your country.||As mentioned above, we use the IP service Maxmind to suggest your city from your IP address, in order to show you local petitions that may be of interest. This enables us to determine your country. We do not share your information with Maxmind. Providing a city is required to use the service.|
|Your profile picture.||You may choose to upload a profile picture when you create an account, or at any time. Providing this information is not required to use the service.|
|Your specific activities on or connected to the Change.org platform. These might include petitions you have started or signed, shared, or promoted, or whether you decide to become a Change.org member.||When you are signed in or identified as a particular Change.org user, your activities on or connected to the Change.org platform are automatically associated with your account.|
|Any other information you voluntarily submit.||You may be offered the choice to provide other information to us. For example, we may collect information when you respond to user surveys or provide information if we assist you by telephone. Providing this information is not required to use the service.|
|Your unique mobile device ID number if you access our services via a mobile application.||When you download and use any mobile applications we develop, we’ll collect your unique device ID and all your account and activity information will be tied to that unique device ID. In addition, we may track and collect app usage data, such as the date and time the app on your device accesses our servers and what information and files have been downloaded to the app. This information may be associated with your account.|
|The name of the browser you use to access Change.org.||Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows PC or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Change.org platform you are using. Collecting this information helps us build and deliver the best possible version of Change.org to you.|
|Your social media account ID, and information shared with us via your social media account.||We may obtain certain information through your social media accounts connected to your Change.org account, if you choose to link them. Linking a social media account is not required to access the service. For example, if you log in to Change.org via Facebook, we ask for your permission to access certain information about your Facebook account, activities, and friends. Social media sites make information available to all apps through their API, such as friend lists. The information we receive depends on what information you or the social media site decide to give us.|
|Information inferred about the issues you care about based on your activities on the platform.||As part of our efforts to connect people to causes that interest them, petitions you sign might be tagged by our users or by us as particular cause areas. For example, a petition may be tagged as “animal rights” or “women’s rights”. If you sign one petition tagged in a particular cause area, we may infer that you would be interested in other petitions tagged in the same way. We may also send you petitions that are relevant to your general geographic area.|
|Currently in the United States only, we use information available in public records, or other publicly available databases, such as civic data APIs which help match citizens with the elected officials who represent them at all levels in government.||In the United States, we receive data from the “Google Civic Information API” that contains lists of federal congresspeople, state legislators and governors. That data is integrated into our platform to enable users in the United States to accurately target the correct decision-maker for their petition. We also use this data to match petitions from a particular district to the right political representative. We do not share any user data via the “Google Civic Information API.” In future, we may carry out similar activities in other countries, subject to applicable law.|
|The currency of any contributions made through Change.org.||We infer your currency based on your country.|
Some of the information above reveals your specific identity, or is directly tied to your specific identity, such as your name and email address. Some of this information does not reveal your specific identity, or does not directly relate to you, such as your browser and device information or information collected through cookies. If we ever combine non-personally identifiable information with personally identifiable information, the combined information will be treated by us as personally identifying information and protected accordingly.
Our services are not directed to people under the age of thirteen (13) or under the legal age of consent in your country of residence (for example, in some countries, you must be age 16 years or older), and we do not knowingly collect personal information from them unless otherwise permitted by law.
3. How we use your information
Here are the ways we might use your information to run our platform, provide our services and serve you better content.
We and our service providers may use your information for our legitimate business interests in providing a petition platform that enables people to connect with issues of interest. Our legitimate business interests are explained below, alongside examples of how your information may be used for these purposes.
|Providing the functionality of our platform. We engage in these activities to manage our contractual relationship with you.||
|To fulfill your specific requests through the platform. We engage in these activities to manage our contractual relationship with you.||
|Accomplishing our business purposes. We engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, because we have a legitimate interest, and/or with your consent.||
|Analysis of personal information for business reporting and providing personalized services. We provide personalized services either with your consent or because we have a legitimate interest.||
|To share marketing communications that we believe may be of interest to you. We engage in this activity with your consent, or to manage our contractual relationship with you.||
4. Who may receive your information
Here we outline who may receive your information when it is shared either by you via the platform, or by us.
a. The Change.org community
- All information you post on our platform (such as petitions you create, reasons for signing a petition, or your posts on the Change.org Community message boards) will be visible to other users. When you provide information to us, you declare that such information is truthful, that you have the legal right to share it, and that you are aware of the risks associated with sharing personal data concerning third parties.
- If you choose to send messages or connect with others through our platform about petitions you have signed or shared, you disclose your personal information to the recipient of your message. Our platform provides an open forum for communication by users all around the world. We do not monitor, verify, or perform any background check on campaign starters, petition signers, or other users of Change.org.
- Similar to traditional paper petitions, we consider an online petition to be a public expression of support for an issue. Therefore, your name, general geographic location (i.e., city, state, country), and a link to your Change.org user profile may be displayed on the landing page for any petition you sign, and on related areas of our platform. This information will be viewable to any visitor, including the media, search engines, and other organizations that provide archival internet activities. If you do not wish to have your support for a petition to be public, we recommend you do not sign the petition. If you do not wish to have your name displayed on a petition landing page, you may select the option not to display your name and comment publicly on the petition page.
- Your first name, last name, city and/or postcode, and the day that you signed will be shared with the person who initiated a petition you have signed, even if you select the option not to display your name and comment publicly. This is extremely important for petition starters to demonstrate the legitimacy of their signatures to the decision-makers they are working to influence. If you do not wish to have this information shared with the person who initiated the petition, please do not sign the petition.
- The petition starter may choose to share your name and general geographic location with the intended decision maker who is the recipient of their petition. For example, the intended decision maker may be your congressman/woman when the petition concerns an issue relevant to him or her. If you do not wish to have this information shared with the petition recipient, you should not sign the petition.
- If you sign a petition started by an NGO or other organization, you will be presented with the option of sharing your email address with that NGO or organization to receive direct email updates from them (not via the platform) should you choose to provide your consent for such sharing. Such organizations are not Change.org’s commercial partners and are in no way affiliated with Change.org. Enabling our users to interact directly with organizations, if those users consent to this connection, is part of our goal of helping people to stay informed on the causes that matter to them. We may revoke an organization’s access to this option in response to reports of abuse.
b. Your connected social media platforms
- You may voluntarily share information on message boards, chats, profile pages, blogs, and other services to which you are able to post information and materials (including the Change.org pages on Facebook and other social media platforms). Please note that any information you post or disclose through these services will become public information, and may be available to other Change.org users, social media platform users and to the general public. We urge you to be very careful when deciding to disclose any information about yourself via the social sharing features of our platform. For more details regarding posting content to our platform, please see our Terms of Service.
c. Our business entities and service providers
We may share your information with third parties for the following purposes:
- The Change.org Charitable Foundation and its local chapters that operate in certain countries. Local chapters may contact you if you are within their country, as part of The Change.org Foundation’s mission to build social movements that create transformational change.
- Our suppliers, subcontractors, and business partners (“service providers”): We may share information about you with our service providers who process information to provide services to us or on our behalf. We have contracts with our service providers that prohibit them from sharing the information about you that they collect or receive with anyone else or from using such information for other purposes.
d. Legal and administrative obligations
We may use and disclose your personal information as necessary or appropriate, especially when we have a legal obligation or legitimate interest to do so:
- Fraud prevention: We may use and disclose the information we collect from and about our users as we believe necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, privacy, rights, or property of us, our users, or others.
- Law enforcement purposes: If requested or required by government authorities such as law enforcement authorities, courts, regulators, or otherwise to comply with the law (which may include laws outside your country of residence), we may have to disclose information we have about our users. We also may use and disclose information collected about you in order to exercise or protect legal rights or defend against legal claims.
- Sale or merger of our company: We have no plans to sell our business. In this unlikely event, we may use, disclose, or transfer your personal information to a third party if we or any of our company affiliates are involved in a corporate restructuring (e.g., a sale, merger, or other transfer of assets, including in connection with any bankruptcy or similar proceedings).
5. Your privacy choices
You can edit your privacy settings and the emails you receive from Change.org at any time through our “Privacy and Preferences” page. If you want, you can ask us for the information we have about your account and even ask us to delete it all.
a. Account and email settings
When you sign or create a petition via our Change.org platform, an account and user profile page are created for you. Any petitions that you sign will not appear on your user profile by default. Any petitions that you have started and published will appear on your user profile by default. You can change your Privacy settings by clicking here https://www.change.org/account_settings/privacy, or logging in to your account, clicking on “Settings,” and selecting “Privacy and preferences”. If you no longer want to receive marketing-related emails from Change.org going forward, you may opt out of receiving these by following the instructions contained in any such email or by logging in to your account, clicking on “Settings,” and selecting “Privacy and preferences.” We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages (such as updates about your account or service changes), from which you cannot opt out.
b. Accessing or deleting your information
If you would like to request to review, correct, update, suppress, or delete personal information that has been previously provided to us by you, you may log in to your account, click on “Settings” and update your profile information.
You can also contact our Help Center via our contact form here and ask us to specify what personal information we have about you and to delete certain personal information about you from our records, or request to receive an electronic copy of your personal information for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law). Please let us know what information you would like us to remove from our databases or otherwise let us know what limitations you would like to put on our use of your personal information. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will respond to your requests consistent with applicable law, and we will try to comply with your request as soon as reasonably practicable. Please note that we may need to retain certain information for record keeping purposes and/or to complete any transactions that you began prior to your request. There may also be residual information that will remain within our databases and other records, but such residual information will no longer be tied to your identity. For example, if you created a petition, we will have records that other Change.org users signed your petition. If you subsequently ask us to delete your information from our platform and databases, information related to those other users’ signatures cannot be removed and will remain in our records.
c. Social media
You can edit or remove the permissions you have granted to Change.org to use information from your social media accounts by using your application privacy settings on your social media account If you have signed in on Change.org through Facebook connect, you are likely to have been cookied by Facebook. You can modify or change those cookies through the settings on your Facebook account. For more details on cookies, please see our Cookies Policy.
d. Third-party analytics companies and Cookies
We have provided details on the cookies we use and instructions for how you can opt out of these in our Cookies Policy, in the section titled “How do I manage Cookies?”.
6. Data retention and security
We take a lot of measures to protect your personal information. If you suspect someone else is using your account, let us know by contacting our Help Desk.
We will retain your Personal Information for as long as needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include the length of time we have an ongoing relationship with you and provide our services to you, our legal obligations or whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).
7. Cross-border transfers
Change.org is a global organization with offices around the world, so your information may be transferred across borders when you use the Platform. We have put in place measures to comply with laws regulating cross-border transfers.
Change.org is a global organization. Your personal information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the platform you consent to the transfer of your personal information to countries outside of your country of residence, including the United States, which may have different data protection rules from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your personal information.
8. Third-Party Services
We’re not responsible for the privacy practices of third parties linked to from our Platform.
9. California Consumer Privacy Act
a. What is CCPA?
At Change.org, we have worked to ensure our practice is compliant with the requirements of the California Consumer Privacy Act (CCPA). The CCPA gives consumers the right to know when their personal information is being collected about them and for what purpose, the right to opt out of the sale of their data to third parties and the right to request that their data be deleted from any website they have used. The new law comes into effect on January 1, 2020.
We are committed to being clear with our users about what personal information we collect, how we use it and their rights relating to accessing or deleting it. We also want to make clear that we do not sell any of the personal information we collect about our users.
The information we will provide to individual users on request will relate to data collected over the preceding 12 months. The information and product updates provided here reflect the CCPA as it currently stands and are subject to change based on updated regulations from the California Attorney General.
b. What categories and specific pieces of personal information do we collect about you?
c. What categories of sources from which the personal information is collected?
d. What is the business or commercial purpose for collecting or selling personal information?
e. Do we sell your personal information?
Change.org does not sell the personal information of any of our users and we have not sold data in the last 12 months.
f. Do we pass on your data to third parties for a business purpose?
g. Your right to know about personal information collected or disclosed
You have the right to request a personal information report which details all of the data we hold about you from the last 12 months. We will confirm that we have received your request within 10 days.
You can contact us to request a personal information report via our Help Desk or by emailing us at firstname.lastname@example.org.
Where possible, we will provide your personal information report to you within 45 days. If we need more time to process your request, we will contact you to let you know why and ensure that you receive your report no later than a further 45 days from the first deadline.
Your personal information report will contain the following data:
- Sources of information
- Purpose for which it was collected
- Third parties it was disclosed to
- Purpose for disclosure
To protect your personal information, we have security measures in place to ensure that no one other than you can access your personal information report.
You have the right to delegate your request for a personal information report to an agent. If you do choose to use this method, we will ask you to confirm your identity and that your agent has permission to act on your behalf.
h. Your right to request deletion of your personal information
You have the right to request the deletion of all of the personal information we hold about you. We will confirm that we have received your request within 10 days.
You can contact us to request deletion of your personal information via our Help Desk or by emailing us at email@example.com.
Within 45 days of your request, we will delete all of the personal information we hold about you and send you a report detailing how we have completed your request. In some circumstances we may need to keep data because of legal obligations. We will not use this data for any business purpose.
You have the right to delegate your request for the deletion of your personal information to an agent. If you do choose to use this method, we will ask you to confirm your identity and that your agent has permission to act on your behalf.
10. CARU COPPA Safe Harbor Program (“CARU COPPA Safe Harbor”)
As part of the CARU COPPA Safe Harbor, we are subject to audits and frequent monitoring of our website and other enforcement and accountability mechanisms administered independently by CARU.
If you believe that we have not responded to your inquiry or your inquiry has not been satisfactorily addressed, please contact CARU at:
CARU COPPA Safe Harbor
112 Madison Avenue, 3rd Floor
New York, NY 10016
11. Policy updates and contacting us
This policy may change over time. We’ve included here our contact information, but the best way to get in touch with us is through our online Help Center.
We welcome questions, concerns, and feedback about this policy. If you have any suggestions for us, feel free to let us know by contacting our Help Desk. You can also write to the following address:
548 Market Street
Private Mailbox #29993
San Francisco, CA 94104-5401
Carrer de Santaló, 10, 1st Floor
For Change.org India, you can contact our Grievance/Nodal Contact Officer at: [GrievanceOfficer.firstname.lastname@example.org].
You can contact our Help Desk for any data deletion or access requests. If you have detailed questions about Change.org’s data usage, you may like to contact our Data Protection Team at email@example.com.
Because email or postal communications are not always secure, please do not include credit card or other sensitive information in your emails or letters to us. You may lodge a complaint with a supervisory authority competent for your country or region.
For “Data Protection Authorities,” please click here https://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm for contact information for such authorities.
Thanks for supporting change in your community — we can’t wait to see what you’ll change next!