1. Data Controller and Regional/National Representatives
|Data Controller||CHANGE.ORG, PBC
Data Protection Officer:[email@example.com]
For decision makers located in the EU/UK: Also the petition starter(s) identified in the petition that designates you as a decision maker
|EU Representative||Change.org, PBC, as Data Controller responsible for your personal information, has appointed Change.org, Servicios Promocionales España, S.L. to be its Representative in the European Union. You may contact our European Union Representative at:
and/or by means of the following e-mail address: [firstname.lastname@example.org]
|UK Representative||Change.org, PBC, as Data Controller responsible for your personal information, has appointed Change.org Worldwide Limited to be its Representative in the United Kingdom. You may contact our United Kingdom Representative by means of the following e-mail address: [email@example.com]|
|Change.org India’s Grievance/Nodal Contact Officer||Change.org’s Grievance Officer email: [GrievanceOfficer.firstname.lastname@example.org]|
2. Information we collect
For Website users, petition starters and petition signers
To run our service and show you relevant content we need to know a little about you and your interests. Here we outline what information Change.org collects, and how we collect it.
When you sign or create a petition via our Change.org platform, an account is created for you; all of your activities on Change.org are then tied to this account. In the chart below, we’ve detailed the information we may collect about you, depending on your activities on the platform, and how we obtain this information.
|What we collect||How we collect it|
|Your name.||We require you to provide a chosen name when you create a Change.org account.|
|Your email address.||We require you to provide an email address when you create a Change.org account.|
|Your password.||We require you to enter a password when you create a Change.org account.|
|Your IP address. Your “IP Address” is a designator that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP).||An IP Address may be identified and logged automatically in our server log files whenever you use our platform and services, along with the time of your visit and the specific page(s) that you visited.|
|Your postal address.||You may choose to provide your postal address when you create a Change.org account. Providing this information is not required to use the service.|
|Your telephone number.||You may choose to provide your telephone number when you create a Change.org account. Providing this information is not required to use the service.|
|Your city.||We use the IP service Maxmind to suggest your city from your IP address, in order to show you local petitions that may be of interest. You can change this information if it is displayed incorrectly. We do not share your information with Maxmind. Providing a city is required to use the service.|
|Your country.||As mentioned above, we use the IP service Maxmind to suggest your city from your IP address, in order to show you local petitions that may be of interest. This enables us to determine your country. We do not share your information with Maxmind. Providing a city is required to use the service.|
|Your profile picture.||You may choose to upload a profile picture when you create an account, or at any time. Providing this information is not required to use the service.|
|Your specific activities on or connected to the Change.org platform. These might include petitions you have started or signed, shared, or promoted, or whether you decide to become a Change.org member.||When you are signed in or identified as a particular Change.org user, your activities on or connected to the Change.org platform are automatically associated with your account.|
|Any other information you voluntarily submit.||You may be offered the choice to provide other information to us. For example, we may collect information when you respond to user surveys or provide information if we assist you by telephone. Providing this information is not required to use the service.|
|Your unique mobile device ID number if you access our services via a mobile application.||When you download and use any mobile applications we develop, we’ll collect your unique device ID and all your account and activity information will be tied to that unique device ID. In addition, we may track and collect app usage data, such as the date and time the app on your device accesses our servers and what information and files have been downloaded to the app. This information may be associated with your account.|
|The name of the browser you use to access Change.org.||Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows PC or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Change.org platform you are using. Collecting this information helps us build and deliver the best possible version of Change.org to you.|
|Your social media account ID, and information shared with us via your social media account.||We may obtain certain information through your social media accounts connected to your Change.org account, if you choose to link them. Linking a social media account is not required to access the service. For example, if you log in to Change.org via Facebook, we ask for your permission to access certain information about your Facebook account, activities, and friends. Social media sites make information available to all apps through their API, such as friend lists. The information we receive depends on what information you or the social media site decide to give us.|
|Information inferred about the issues you care about based on your activities on the platform.||As part of our efforts to connect people to causes that interest them, petitions you sign might be tagged by our users or by us as particular cause areas. For example, a petition may be tagged as “animal rights” or “women’s rights.” If you sign one petition tagged in a particular cause area, we may infer that you would be interested in other petitions tagged in the same way. We may also send you petitions that are relevant to your general geographic area.|
|Currently in the United States only, we use information available in public records, or other publicly available databases, such as civic data APIs which help match citizens with the elected officials who represent them at all levels in government.||In the United States, we receive data from the “Google Civic Information API” that contains lists of federal congresspeople, state legislators, and governors. That data is integrated into our platform to enable users in the United States to accurately target the correct decision maker for their petition. We also use this data to match petitions from a particular district to the right political representative. We do not share any user data via the “Google Civic Information API.” In the future, we may carry out similar activities in other countries, subject to applicable law.|
|The currency of any contributions made through Change.org.||We infer your currency based on your country.|
For decision makers
If you are named as a decision maker for a petition, we may process your personal information. In the chart below, we’ve detailed the information we may collect about you.
Please note that if you create an account on our Website, the above section “For Website Users, Petition Starters and Petition signers” will also apply to you.
|What we collect||How we collect it|
|Your name.||If you are named as a decision maker, your name may be provided to us.|
|Your email address.||If you are named as a decision maker, your email address may be provided to us.|
|Your office, title, or organization||If you are named as a decision maker, your office, title, or organization may be provided to us.|
|Your profile picture.||If you are named as a decision maker, your public profile photo may be added.|
|Any other information you voluntarily submit.||You may decide to respond to a petition that identifies you as a decision maker. Your response will be published on the petition webpage.|
|Currently in the United States only, we use information available in public records, or other publicly available databases, such as civic data APIs which help match citizens with the elected officials who represent them at all levels in government.||In the United States, we receive data from the “Google Civic Information API” that contains lists of federal congresspeople, state legislators and governors. That data is integrated into our platform to enable users in the United States to accurately target the correct decision-maker for their petition. We also use this data to match petitions from a particular district to the right political representative. We do not share any user data via the “Google Civic Information API.” In future, we may carry out similar activities in other countries, subject to applicable law.|
Please note that if you are a prominent public figure, a decision-maker profile Web page may be created using the above mentioned information.
Some of the information above reveals your specific identity, or is directly tied to your specific identity, such as your name and email address. Some of this information does not reveal your specific identity, or does not directly relate to you, such as your browser and device information or information collected through cookies. If we ever combine non-personally identifiable information with personally identifiable information, the combined information will be treated by us as personally identifying information and protected accordingly.
Our services are not directed to people under the age of thirteen (13) or under the legal age of consent in your country of residence (for example, in some countries, you must be age 16 years or older), and we do not knowingly collect personal information from them unless otherwise permitted by law.
3. How we use your information
For Website users, petition starters and petition signers
Here are the ways we might use your information to run our platform, provide our services and serve you better content.
We and our service providers may use your information for our legitimate business interests in providing a petition platform that enables people to connect with issues of interest. Our legitimate business interests are explained below, alongside examples of how your information may be used for these purposes.
|Providing the functionality of our platform. We engage in these activities to manage our contractual relationship with you.||To send administrative information to you, for example, information regarding our services and changes to our terms, conditions, and policies.To ensure that our site and apps function properly and are optimized for your computer or device and to store your preferences and settings.|
|Fulfilling your specific requests through the platform. We engage in these activities to manage our contractual relationship with you.||To allow you to create petitions, sign petitions, join “topics” or “movements” (groups of similar petitions), to follow their progress, and to manage petitions (including publishing your name and/or signature). To allow you to participate in other activities on Change.org platforms, sites and apps, as well as to complete and fulfill your transactions with us.To allow you to send email messages that you choose to send to your email contacts through our platform, such as to share a petition. By using this feature, you guarantee that you have the right to use and provide us the names and email addresses you submit.To facilitate the social sharing functionality that you choose to use, such as sharing content and petitions through the Change.org platform and other social media platforms, like Facebook and Twitter.|
|Analyzing personal information for business reporting and providing personalized services. We provide personalized services either with your consent or because we have a legitimate interest.||To personalize your experience by presenting petitions, campaigns, and offers tailored to you based on information we have collected from you.We may anonymize, de-identify and/or aggregate information and use such information to better understand and serve our users or for optimization of our marketing and targeting efforts. For example, we may compile statistics like the percentage of our users in a state or country who care about animal rights, or the age range of those users, or to analyze the performance of particular emails.|
|Sharing marketing communications that we believe may be of interest to you. We engage in this activity with your consent, or to manage our contractual relationship with you.||Communications related to petitions you’ve signed, other petitions that may be of interest, or petitions relevant to your location.Editorial communications about specific issues or about Change.org.Communications about contributions to causes or about crowdfunding for a specific petition.Communications about becoming a member or subscriber of Change.org.If you choose to provide your telephone number or postal address, which are not required, we may contact you by phone, SMS, or postal mail about the Change.org contribution programme or other ways you can support campaigns.Invitations to Change.org events.To allow you to participate in events and similar promotions and to administer these activities. Some of these activities have additional rules, which could contain additional information about how we use and disclose information about you, so we suggest that you read these rules carefully.Most marketing communications will be sent via email and sometimes via social media.We might remind you about particular petitions or the Change.org contribution programme, if you have not completed starting or signing or joining.|
For decision makers
We may use your information for our legitimate business interests in providing a petition platform that facilitates the exercise of the right to petition and enables people to connect with issues of interest, and inform you about a petition that identifies you as a decision maker and your possibility to respond to such petitions.
|Facilitating the exercise of the right to petition||
4. Who may receive your information
Here we outline who may receive your information when it is shared either by you via the platform, or by us.
a. The Change.org community
- All information you post on our platform (such as petitions you create, reasons for signing a petition, your posts on the Change.org Community message boards, your response to a petition that identifies you as decision maker, etc.) will be visible to other users. When you provide information to us, you declare that such information is truthful, that you have the legal right to share it, and that you are aware of the risks associated with sharing personal information concerning third parties.
- If you choose to send messages or connect with others through our platform about petitions you have signed, shared, or that identify you as a decision maker, you disclose your personal information to the recipient of your message. Our platform provides an open forum for communication by users all around the world. We do not monitor, verify, or perform any background check on campaign starters, petition signers, or other users of Change.org.
- Similar to traditional paper petitions, we consider an online petition to be a public expression of support for an issue. Therefore, your name, general geographic location (i.e., city, state, country), and a link to your Change.org user profile may be displayed on the landing page for any petition you sign, and on related areas of our platform. This information will be viewable to any visitor, including the media, search engines, and other organizations that provide archival internet activities. If you do not wish to have your support for a petition to be public, we recommend you do not sign the petition. If you do not wish to have your name displayed on a petition landing page, you may select the option not to display your name and comment publicly on the petition page.
- Your first name, last name, city and/or postcode, and the day that you signed will be shared with the person who initiated a petition you have signed, even if you select the option not to display your name and comment publicly. This is extremely important for petition starters to demonstrate the legitimacy of their signatures to the decision makers they are working to influence. If you do not wish to have this information shared with the person who initiated the petition, please do not sign the petition.
- The petition starter may choose to share your name and general geographic location with the intended decision maker who is the recipient of their petition. For example, the intended decision maker may be your congressman/woman when the petition concerns an issue relevant to him or her. If you do not wish to have this information shared with the petition recipient, you should not sign the petition.
- If you sign a petition started by an NGO or other organization, you will be presented with the option of sharing your email address with that NGO or organization to receive direct email updates from them (not via the platform) should you choose to provide your consent for such sharing. Such organizations are not Change.org’s commercial partners and are in no way affiliated with Change.org. Enabling our users to interact directly with organizations, if those users consent to this connection, is part of our goal of helping people to stay informed on the causes that matter to them. We may revoke an organization’s access to this option in response to reports of abuse.
b. Your connected social media platforms
- You may voluntarily share information on message boards, chats, profile pages, blogs, and other services to which you are able to post information and materials (including the Change.org pages on Facebook and other social media platforms). Please note that any information you post or disclose through these services will become public information, and may be available to other Change.org users, social media platform users and to the general public. We urge you to be very careful when deciding to disclose any information about yourself via the social sharing features of our platform. For more details regarding posting content to our platform, please see our Terms of Service.
c. Our business entities and service providers
We may share your information with third parties for the following purposes:
- The Change.org Charitable Foundation and its local chapters that operate in certain countries. Local chapters may contact you if you are within their country, as part of The Change.org Foundation’s mission to build social movements that create transformational change.
- Our suppliers, subcontractors, and business partners (“service providers”): We may share information about you with our service providers who process information to provide services to us or on our behalf. We have contracts with our service providers that prohibit them from sharing the information about you that they collect or receive with anyone else or from using such information for other purposes.
d. Legal and administrative obligations
We may use and disclose your personal information as necessary or appropriate, especially when we have a legal obligation or legitimate interest to do so:
- Fraud prevention: We may use and disclose the information we collect from and about our users as we believe necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, privacy, rights, or property of us, our users, or others.
- Law enforcement purposes: If requested or required by government authorities such as law enforcement authorities, courts, regulators, or otherwise to comply with the law (which may include laws outside your country of residence), we may have to disclose information we have about our users. We also may use and disclose information collected about you in order to exercise or protect legal rights or defend against legal claims.
- Sale or merger of our company: We have no plans to sell our business. In this unlikely event, we may use, disclose, or transfer your personal information to a third party if we or any of our company affiliates are involved in a corporate restructuring (e.g., a sale, merger, or other transfer of assets, including in connection with any bankruptcy or similar proceedings).
5. Your privacy choices
Please note that you can edit your privacy settings and the emails you receive from Change.org at any time through our “Privacy and Preferences” page or by contacting our Help Desk.
When you sign or create a petition via our Change.org platform, an account and user profile page are created for you. Any petitions that you sign will not appear on your user profile by default. Any petitions that you have started and published will appear on your user profile by default. You can change your Privacy settings by clicking here https://www.change.org/account_settings/privacy, or logging in to your account, clicking on “Settings,” and selecting “Privacy and preferences”. If you no longer want to receive marketing-related emails from Change.org going forward, you may opt out of receiving these by following the instructions contained in any such email or by logging in to your account, clicking on “Settings,” and selecting “Privacy and preferences.” We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages (such as updates about your account or service changes), from which you cannot opt out.
If you are a data subject in the EU/UK, you may have the following rights under applicable laws:
- Right of access: You can ask us to provide you with information about our processing of your personal information and give you access to your personal information;
- Right to rectification: If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified;
- Right to erasure: You can ask us to delete or remove personal information where there is no lawful reason for us continuing to store or process it, where you have successfully exercised your right to object to processing, where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons that will be notified to you, if applicable, at the time of your request;
- Right to restrict processing: You can ask us to suspend the processing of your personal information if, (i) you want us to establish the data’s accuracy; (ii) where our use of the data is unlawful but you do not want us to erase it; (iii) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (iv) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Right to object: where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation that makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Right to data portability: You have the right, in certain circumstances, to ask us to provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Right to withdraw consent at any time: where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
- Right to opt out from receiving marketing communication: You may opt out of receiving these by following the instructions contained in any such email; by logging in to your account, clicking on “Settings” and selecting “Privacy and preferences”; or by contacting our Help Desk. We will comply with your request(s) as soon as reasonably practicable. Please note that if you opt out of receiving marketing-related emails from us, we may still send you important administrative messages (such as updates about your account or service changes), from which you cannot opt out.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the personal data or where certain exemptions apply.
If you have such rights and your request complies with the requirements under applicable laws, we will give effect to your rights as required by law.
To exercise any rights you may have under applicable privacy laws, you can edit your privacy settings and the emails you receive from Change.org at any time through our “Privacy and Preferences” page; contact us using the contact details indicated below or get in touch with our Help Desk. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Although we urge you to contact us first to find a solution for every concern you may have, you may have the right to lodge a complaint with your competent data protection authority. Contact details of EU Data Protection Authorities can be found here: https://edpb.europa.eu/about-edpb/about-edpb/members_en
6. Data retention and security
We take a lot of measures to protect your personal information. If you suspect someone else is using your account, let us know by contacting our Help Desk.
We will retain your Personal Information for as long as needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include the length of time we have an ongoing relationship with you and provide our services to you, our legal obligations or whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation, or regulatory investigations).
7. Cross-border transfers
Change.org is a global organization with offices around the world, so your information may be transferred across borders when you use the Platform. We have put in place measures to comply with laws regulating cross-border transfers.
Change.org is a global organization. Your personal information may be stored and processed outside of your place of residence in countries that are subject to different standards of data protection. In particular, you should be aware that your personal information may be shared with, and transferred to, Change.org PBC and affiliates, third-party business partners, and service providers who are located outside the European Economic Area (EEA) or the United Kingdom. We will take appropriate steps to ensure that transfers of personal information are in accordance with applicable laws.
Some recipients of your personal data may be located in countries outside the EEA and/or the UK for which the European Commission or UK Government (as and where applicable) has not issued adequacy decisions in respect of the level of data protection in such countries (“Restricted Countries”). For example, the United States is a Restricted Country. Where we transfer your personal data to a recipient in a Restricted Country, we will either:
- enter into appropriate data transfer agreements based on so-called Standard Contractual Clauses approved from time-to-time under GDPR Art. 46 by the European Commission, the UK Information Commissioner’s Office or UK Government (as and where applicable); or
- rely on other appropriate means permitted by the EU/UK GDPR, which establish that such recipients will provide an adequate level of data protection and that appropriate technical and organizational security measures are in place to protect personal data against accidental or unlawful destruction, loss or alteration, unauthorized disclosure or access, and against all other unlawful forms of processing.
8. Links to other websites
Our website may contain links to other websites, which may have privacy policies or notices that differ from ours. We are not responsible for the collection, processing or disclosure of personal information collected through other websites. We are also not responsible for any information or content contained on such websites. Links to other websites are provided solely for convenience. Your usage and browsing on any such website are subject to that website’s own policies. Please review the privacy notices posted on other websites that you may access through our website. We may provide you with additional or different privacy notices in specific instances which describe how your personal information is collected and used for a specific service.
9. California Consumer Privacy Act
a. What is CCPA?
At Change.org, we have worked to ensure our practice is compliant with the requirements of the California Consumer Privacy Act (CCPA). The CCPA gives consumers the right to know when their personal information is being collected about them and for what purpose, the right to opt out of the sale of their data to third parties and the right to request that their data be deleted from any website they have used. The new law comes into effect on January 1, 2020.
We are committed to being clear with our users about what personal information we collect, how we use it and their rights relating to accessing or deleting it. We also want to make clear that we do not sell any of the personal information we collect about our users.
The information we will provide to individual users on request will relate to data collected over the preceding 12 months. The information and product updates provided here reflect the CCPA as it currently stands and are subject to change based on updated regulations from the California Attorney General.
b. What categories and specific pieces of personal information do we collect about you?
c. What are the categories of sources from which the personal information is collected?
d. What is the business or commercial purpose for collecting or selling personal information?
e. Do we sell your personal information?
Change.org does not sell the personal information of any of our users and we have not sold data in the last 12 months.
f. Do we pass on your data to third parties for a business purpose?
g. Your right to know about personal information collected or disclosed
You have the right to request a personal information report which details all of the data we hold about you from the last 12 months. We will confirm that we have received your request within 10 days.
You can contact us to request a personal information report via our Help Desk or by emailing us at email@example.com.
Where possible, we will provide your personal information report to you within 45 days. If we need more time to process your request, we will contact you to let you know why and ensure that you receive your report no later than a further 45 days from the first deadline.
Your personal information report will contain the following data:
- Sources of information
- Purpose for which it was collected
- Third parties it was disclosed to
- Purpose for disclosure
To protect your personal information, we have security measures in place to ensure that no one other than you can access your personal information report.
You have the right to delegate your request for a personal information report to an agent. If you do choose to use this method, we will ask you to confirm your identity and that your agent has permission to act on your behalf.
h. Your right to request deletion of your personal information
You have the right to request the deletion of all of the personal information we hold about you. We will confirm that we have received your request within 10 days.
You can contact us to request deletion of your personal information via our Help Desk or by emailing us at firstname.lastname@example.org.
Within 45 days of your request, we will delete all of the personal information we hold about you and send you a report detailing how we have completed your request. In some circumstances we may need to keep data because of legal obligations. We will not use this data for any business purpose.
You have the right to delegate your request for the deletion of your personal information to an agent. If you do choose to use this method, we will ask you to confirm your identity and that your agent has permission to act on your behalf.
10. CARU COPPA Safe Harbor Program (“CARU COPPA Safe Harbor”)
As part of the CARU COPPA Safe Harbor, we are subject to audits and frequent monitoring of our website and other enforcement and accountability mechanisms administered independently by CARU.
If you believe that we have not responded to your inquiry or your inquiry has not been satisfactorily addressed, please contact CARU at:
CARU COPPA Safe Harbor
112 Madison Avenue, 3rd Floor
New York, NY 10016
11. Policy updates and contacting us
This policy may change over time. We’ve included here our contact information, but the best way to get in touch with us is through our online Help Desk.
We welcome questions, concerns, and feedback about this policy. If you have any suggestions for us, feel free to let us know by contacting our Help Desk. You can also write to the following address:
548 Market Street
Private Mailbox #29993
San Francisco, CA 94104-5401
Carrer de Santaló, 10, 1st Floor
If you are a decision maker and want to get in touch with the petition starter, you can post a public response on the petition page on the Change.org platform, or you can contact us using the contact details mentioned above and we will forward your message request to the petition starter.
For Change.org India, you can contact our Grievance/Nodal Contact Officer at: [GrievanceOfficer.India@change.org].
Thanks for supporting change in your community — we can’t wait to see what you’ll change next!