ROTARY’S PRIVACY POLICY
Introduction
Rotary International and The Rotary Foundation of Rotary International (individually or collectively, “Rotary” or “we”) respect your privacy and are committed to protecting it through our compliance with this privacy policy (“Policy”). Maintaining protection of the data entrusted to our care by our constituents is of the utmost importance to Rotary.
This Policy describes the types of data we may collect from you or that you may provide and describes our policies and practices for collecting, using, protecting, and disclosing that data.
Please also see Appendix A: EU Privacy Notice if you are located in the European Union or European Economic Area.
This Policy may change from time to time (see Changes to Our Privacy Policy section), so check the Policy periodically for the most current version. If you have any questions about the meaning or interpretation of this Policy, the English-language version of this Policy is the official text.
Data We Collect About You
We collect several types of personal data that can be used to identify you (“Personal Data”), including your:
- Name
- Postal address
- Email address
- Telephone number
- Donation history
- Payment cardholder data
- Sensitive authentication data
- Internet connection
- Equipment used to access our Website and usage details
Depending on the type of interaction that you have with Rotary, we may also collect your:
- Gender
- Birth year
- Marital status
- Spouse’s or parents’ name
- Occupation
- Employer
- Wealth data
- Photographs/images
Under limited circumstances, we may collect highly sensitive personal data, such as government ID numbers and/or health information.
How We Collect Your Data
We collect Personal Data from:
- Users of our Website
- Members of Rotary and Rotaract clubs
- Donors to The Rotary Foundation
- People who attend Rotary events
- People who participate in Rotary’s programs
We collect this data:
- Directly when you provide it to us through any interaction offline or in person
- From our website Rotary.org (our “Website”)
- From other Rotary websites that link to this Policy
- When you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this Policy
- Automatically, as you navigate through the Website (data collected automatically may include usage details, IP addresses, and information collected through cookies and other tracking technologies)
- When you become a member of a Rotary club or Rotaract club
- When you use our services
- When you participate in our programs or sign up for and/or attend any events that we host
- From third parties we contract with to provide services on our behalf, such as event organizers, travel service providers (used by the Rotary International Travel Service, or RITS), payment processing services, email marketing services, and software providers; these service providers may change, or new service providers may be added without notice to you
- When you interact with us in another way, for example, contacting us with an inquiry
- From publicly available resources
Data You Provide to Us
We collect data you provide when you interact with Rotary, either through our Website or any interaction offline or in person. That data includes:
- Personal data that you provide by making an inquiry or joining as a member of a Rotary or Rotaract club; this includes data provided when registering to Rotary.org through My Rotary.
- Personal data you provide when participating in services available on our Website, including in:
- The Brand Center
- The Grant Center
- The Learning Center
- Rotary Club Central
- Rotary Global Rewards
- Rotary Ideas
- Rotary Shop
- The Service Project Center
- Personal data you provide when you enter a contest or promotion sponsored by us
- Personal data you provide when you report a problem with our Website
- Records and copies of your correspondence (including email, social media posts, and other electronic messages), if you contact us
- Your responses to surveys that we might ask you to complete for research purposes
- Your registration to attend and/or participate in Rotary events
- Personal data you provide when making a donation
- Personal data you provide when submitting applications, for example, for grants, fellowships, or scholarships
- Biographical or other data you provide to us, your Rotary club, or your Rotary district (for example, if you choose to put your name forth as a candidate for an office in a Rotary club, Rotary district, or RI)
- Details of transactions made through our Website and details of the fulfillment of your orders (you may be required to provide financial personal data before placing an order through our Website)
- Your search queries on our Website
Features that are developed in the future may result in the collection of additional new personal data.
You also may provide data to be published or displayed (hereinafter, “posted”) on public areas of the Website or transmitted to other users of the Website or third parties (collectively, “User Content”). Your User Content is posted on the Website and transmitted to others at your own risk. We limit access to certain pages and you may set certain privacy settings for this data from your account profile. However, we cannot control the actions of other Website users with whom you may choose to share your User Content.
Usage Details, IP Addresses, Cookies, and Other Technologies
As you navigate through and interact with our Website, we may automatically collect certain data about your equipment, browsing actions, and patterns, including:
- Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on our Website
- Information about your computer and internet connection, including your IP address, operating system, and browser type
When you are not signed in to a My Rotary account, the data collected in this way is anonymous. It is aggregated into statistical data to help us improve our Website and to deliver a better and more personalized service by enabling us to:
- Estimate our audience size, browser statistics, popularity of content, and usage patterns
- Speed up your searches
- Recognize you when you return to our Website
We use cookies (or browser cookies) for this automatic data collection. A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
When you are signed in to a My Rotary account, we collect usage data that is tied to your individual account. This data is collected to improve site functionality and to tailor site behavior and content to you, and we process this personal data in accordance with this Policy.
Third-party Advertiser Use of Cookies and Other Tracking Technologies
Some advertisements and offers on Rotary Global Rewards are served by third-party advertisers, ad networks, and ad servers. Additionally, some of the applications accessible from, or on, our Website may be owned by third parties. These third parties may use cookies alone or in conjunction with other tracking technologies to collect data about our users. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or offer on Rotary Global Rewards, you should contact the responsible advertiser directly.
How We Use Your Personal Data
We use data that we collect about you or that you provide to us, including any personal data:
- To present our Website and its contents to you
- To provide you with information, products, or services that you request from us
- To offer and fulfill our core business purposes, which include:
- Fulfilling Rotary’s obligation to Rotarians, Rotaractors, and other individuals
- Financial processing
- Supporting The Rotary Foundation, including fundraising efforts
- Facilitating convention and special event planning
- Communicating key organizational messages through Rotary publications and other materials
- Supporting the programs and membership of Rotary
- Complying with any legal obligations
- Preserving Rotary’s legacy by building and maintaining accurate archives that effectively document Rotary’s history
- To fulfill any other purpose for which you provide it
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection
- To notify you about changes to our Website or any products or services we offer or provide through it
- To allow you to participate in interactive features on our Website
- To store information about your preferences, allowing us to customize our Website according to your individual interests
- To help us develop and test updates to this Website and other Rotary applications that support Rotary’s core business purposes
- In any other way we may describe when you provide the personal data
- For any other purpose where we have your consent
Disclosure of Your Personal Data
We may disclose aggregated data about our users, and data that cannot be used to identify any individual, without restriction.
We may disclose personal data that we collect or you provide as described in this Policy:
- To the Rotary club or Rotaract club in which you are a member (if applicable), as well as the assigned Rotary district
- To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them, including:
- Travel service providers, such as airlines, hotels, ground transport, and travel agencies
- Companies that produce, publish, and/or ship Rotary publications and Rotary branded goods and other merchandise
- Online shop vendor
- Payment processing vendors
- Financial institutions and fiscal agents when processing financial transactions, such as expense reimbursements
- Software and applications used for administrative functions such as providing online forms/surveys/applications, newsletter services, online learning, webinar/teleconference services, electronic voting
- Cloud-based databases used for administrative functions
- Rotary convention host committees and other event organizers and vendors
- Email distribution services
- To third parties to promote Rotary or for the third party to market their products or services to you if you have consented to these disclosures. We contractually require these third parties to keep personal data confidential and use it only for the purposes for which we disclose it to them.
- If you do not want us to share your personal data (even when anonymized) with unaffiliated or non-agent third parties for advertising or promotional purposes, you can send an email stating your request to rotarysupportcenter@rotary.org.
- To fulfill the purpose for which you provide it
- For any other purpose disclosed by us when you provide the data
- With your consent
We may also disclose your personal data:
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- If disclosure is necessary or appropriate to protect the rights, property, or safety of Rotary, Rotarians, Rotary clubs, Rotary districts, or others. This includes exchanging personal data with other companies and organizations for the purposes of fraud protection and credit risk reduction.
Rotary Foundation Donor Privacy Personal Data
Rotary will not sell, trade, or share a Rotary Foundation donor’s personal data, including their name, phone number, email, or physical address, with non-Rotary entities, nor will it send donors mailings on behalf of other unrelated organizations. This policy applies to all donor data received by Rotary, both online and offline, as well as any electronic, written, or oral communication. Rotary occasionally uses third-party vendors to manage and process donor data. These vendors are bound by strict confidentiality agreements.
Accessing and Correcting Your Personal Data
You may access and correct your data by:
- Visiting your account profile page on My Rotary, if you are a registered user on this Website. See Rotary’s Frequently Asked Questions for additional information.
- Emailing rotarysupportcenter@rotary.org to request access to, correct, or delete any personal data that you have provided.
We may choose not to accommodate a request to change or delete data if we believe the change or deletion would violate any law or legal requirement or cause the data to be incorrect.
If you delete your User Content from the Website, copies of your User Content may remain viewable in cached and archived pages, or might have been copied or stored by other Website users. Proper access and use of data provided on our Website, including User Content, is governed by our Terms of Use, although for EU/EEA-based individuals this does not prejudice your mandatory rights under EU Protection Law (see Appendix A: EU Privacy Notice).
Children Under the Age of 16
Our Website is not intended for children under 16 years. We do not knowingly collect personal data from children under 16 without parental consent. No one under age 16 may provide any personal data to or on our Website.
If you are under 16, do not:
- Use or provide any personal data on our Website or on or through any of its features
- Register on our Website, make any purchases through our Website
- Use any of the interactive or public comment features of our Website, or
- Provide any personal data about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use.
If we learn we have collected or received personal data from a child under 16 without verification of parental consent, we will delete that personal data. If you believe we might have any personal data from or about a child under 16, please contact us at rotarysupportcenter@rotary.org.
Data Security
We have implemented technical and operational measures designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure. Additionally:
- When developing new or enhancing existing systems and processes, Rotary implements appropriate data protection throughout its data processing operations.
- All personal data you provide to us is stored on password-protected databases on our secure servers behind firewalls and we use Secure Sockets Layer (SSL) to ensure that the transmission of sensitive data for payments and contributions is encrypted and appropriately safeguarded.
- Employees are trained on the importance of data security and focus specifically on practices for protecting against unauthorized disclosure of personal data.
- We have a documented incident response plan for promptly acting upon events that violate Rotary’s security or privacy policies, should they occur, and this plan is reviewed and updated on an ongoing basis.
The safety and security of your personal data also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. Passwords registered with our Website are encrypted to ensure protection against unauthorized access to your personal data.
Unfortunately, the transmission of personal data via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to our Website or over any public network. Any transmission of personal data is at your own risk. Without prejudice to any mandatory legal obligations to which we may be subject, we are not responsible for circumvention of any privacy settings or security measures on our Website.
Changes to Our Privacy Policy
Rotary may change, add, modify or remove portions of this Policy at any time, which shall become effective immediately upon posting on this page. The date the Policy was last revised is identified at the bottom of the policy. It is your responsibility to review this Policy for any changes. By continuing to use our Website, maintain your membership in our clubs, use our services, or participate in our programs, you agree to any changes in the Policy.
Contact Information
Rotary is headquartered in Illinois, in the United States. If you have any questions about Rotary’s privacy protection policies or practices, please contact us at privacy@rotary.org.
Last modified: 25 June 2019
Appendix A: EU Privacy Notice
If you are a resident of the European Union (EU) or European Economic Area (EEA) whose personal data we collect, the following additional information applies.
Introduction
If you are an EU or EEA resident and Rotary knowingly collects your personal data, we will do so in accordance with applicable laws that regulate data protection and privacy. This includes, without limitation, the EU General Data Protection Regulation (2016/679) (“GDPR”) and EU member state national laws that implement or regulate the collection, processing and privacy of your personal data (together, “EU Data Protection Law”).
This EU privacy notice (“EU Privacy Notice”), which should be read in conjunction Rotary’s Privacy Policy, provides additional information as required under EU Data Protection Law on how we handle or process the personal data we collect and who we may share it with.
This Privacy Notice also provides information on your legal rights under EU Data Protection Law and how you can exercise them.
How Personal Data is Collected
Because of the global nature of Rotary and our clubs, Rotary may hold and process personal data that is collected from clubs, districts, and partner organizations around the world, including within the EU/EEA.
This also means that if you contact the Rotary network and are a resident in the EU/EEA, your personal data may be transferred from the EU/EEA to Rotary headquarters in the United States, and may also be accessed and processed from Rotary’s international offices in Australia, Brazil, India, Japan, South Korea, and Switzerland.
U.S. data privacy laws are currently not considered to meet the same legal standards of protection for personal data as those set out under EU Data Protection Law. However, to safeguard personal data received from the EU/EEA, we transfer personal data to the U.S. or other third countries only under an approved contract or another appropriate mechanism that is legally authorized under EU Data Protection Law. If you use the RI Reporting Portal to report a Severe Incident (as defined below), the transfer will be based on your consent and you will be informed accordingly prior to submitting the personal data.
This is to make sure that the personal data that Rotary receives and processes (as it relates to residents of the EU/EEA) is properly safeguarded in accordance with similar legal standards of privacy provided by EU Data Protection Law.
Direct Marketing
If Rotary provides direct marketing communications to individuals in the EU/EEA regarding services and/or events that may be of interest, this will be done in accordance with EU Data Protection Law. Where we contact individuals for direct marketing purposes by SMS, email, social media, and/or any other electronic communication channels, this will only be with the individual’s consent or in relation to similar services to services that the individual has purchased (or made direct inquiries about purchasing) from Rotary before.
Individuals may also object or withdraw consent to receive direct marketing from us at any time, by contacting us at privacy@rotary.org.
Reporting Portal for Severe Incidents
As part of the Rotary’s youth protection policies, any individual is asked to notify us of allegations or incidents of abuse or harassment of youth (with or without a sexual reference) or targeted contact with youth with intent to abuse (known as grooming) (collectively, we refer to this as a “Severe Incident”). The notification shall be made via the RI Reporting Portal. The form includes information about the incident itself (location, relationship to a Rotary program, description, actions taken (including notification of law enforcement and parent/guardian), the clubs and districts involved, and whether professional assistance was provided. Finally, the subject of the reporting is the first name, surname, and Rotary affiliation of an alleged/confirmed offender.
Please do not submit other data than those requested in the form. Especially, please refrain from mentioning persons other than the alleged/confirmed offender by name in the “description” field.
We use the abovementioned data to contact the district to determine what specific actions the district has taken. If we determine that the actions taken are not sufficient and the district is unwilling to follow instructions, we may take action at our discretion to protect the participant. The data may be also used to determine that the district is in violation of the Rotary Youth Protection Policies. Once it is confirmed that there is a founded suspicion against an individual to have been involved in the Severe Incident, this data will be entered into our database. The data of youth volunteer applicants within the district will be compared with the database in order to effectively exclude the participation of individuals who have an entry in the database. The data of individuals that have been expelled from Rotary membership is compared against the data of applicants for membership to prevent re-entry into a Rotary or Rotaract club globally. Only our staff with special designation to receive youth protection reports will have access to the information provided.
The collection of data when there is a Severe Incident is first and foremost for the purpose of youth protection, i.e. to prevent persons who are under a founded suspicion to have caused a Severe Incident from continuing to participate in Rotary youth programs in the future, either as hosts or as voluntary supporters in the context of the youth program. The aim is also to prevent such persons that have been expelled from Rotary membership from being readmitted by other clubs or from participating in an in-person Rotary event, such as the International Convention. Finally, the purpose of reporting a Severe Incident is to maintain and enforce a uniform minimum standard of youth protection in all Rotary districts worldwide, regardless of the existence or quality of locally applicable rules. Individuals that have been found to have been involved in a Severe Incident cannot be a Rotary or Rotaract club member or attend in-person Rotary events. The reporting of a Severe Incident is in line with Rotary reporting obligations and thus serves to support clubs in complying with Rotary’s youth protection policies and to enable the exercise of supervisory powers over local clubs and districts, as they may lose their eligibility to participate in youth programs.
The legitimate interest here lies in the desire to ensure the protection of minors, the prevention of further Severe Incidents, the desire to exclude members who have violated Rotary’s youth protection policies, and to ensure uniform standards in all clubs and districts worldwide.
Lawful Grounds on Which We Collect and Process Personal Data
We process your personal data, relying on one or more of the following lawful grounds under EU Data Protection Law:
- When you have freely provided your specific, informed, and unambiguous consent for Rotary to process your personal data for particular purposes
- Where we agree to provide services to you to set up and perform our contractual obligations to you and/or enforce our rights
- Where we need to process and use your personal data in connection with our legitimate interests and need to effectively manage and operate our global organization consistently across all territories. We will always seek to pursue these legitimate interests in a way that does not unduly infringe on your legal rights and freedoms and, in particular, your right to privacy; and/or
- Where we need to comply with a legal obligation or to establish, exercise, or defend legal claims
Please also note that some of the personal data we receive and that we process may include what is known as “sensitive” or “special category” personal data about you, for example, personal data regarding your ethnic origin or political, philosophical, and religious beliefs. This is not the type of data that Rotary or its clubs routinely collect, but if we process this sensitive or special category data, we will do it only in situations where:
- You have provided us with your explicit consent to use it
- We have a legal obligation to process this data in accordance with EU Data Protection Law
- It is needed to protect your vital interests (or those of someone else), such as in a medical emergency
- You have clearly chosen to publicize this information; or
- It is needed in connection with a legal claim that we have or may be subject to
Disclosing Your Personal Data to Third Parties
We may disclose your personal data to certain third-party organizations that are processing data solely in accordance with our instructions (“Data Processors”), such as companies and/or organizations that support our business and operations (for example, providers of web or database hosting, IT support, payment providers, event organizers, agencies we use to conduct fraud checks, or mail management service providers), as well as professionals we use such as lawyers, insurers, auditors, or accountants. We use only those Data Processors that can guarantee to us that they have put adequate safeguards in place to protect the personal data they process on our behalf; these guarantees are established by entering data processing agreements that contain appropriate data transfer mechanisms (such as the inclusion of “Standard Contractual Clauses”) or provisions where the Data Processors state they are certified under the EU-US Data Privacy Framework).
In certain circumstances, for example, if you travel on Rotary business, we may also disclose your personal data to third parties called “Data Controllers.” These third parties may include travel agencies, airlines, car rental agencies, and hotels. Because of the nature of the business of the Data Controllers, they will make their own determinations as to how they process your personal data. As Data Controllers, they are required to follow the EU Data Protection Law and are required to protect personal data with adequate safeguards and provide you with notice if their processing goes beyond the instructions Rotary provided. The types of external third-party Data Controllers listed above may handle your personal data in accordance with their own procedures, and you should check the relevant privacy policies of these companies or organizations to understand how they may use your personal data.
Data collected via the RI Reporting Portal will not be shared with other Data Controllers; they will be processed, however, by our Data Processor Customer Expressions Corp., 300 March Road, Suite 501, Ottawa, ON, Canada K2K 2E2.
Other than as described above, we will treat your personal data as private and will not routinely disclose it to third parties without your knowing about it. The exceptions are in relation to legal proceedings or where we are legally required to do so and cannot tell you (such as a criminal investigation). We always aim to ensure that your personal data is used only by third parties we deal with for lawful purposes and who observe the principles of EU Data Protection Law.
How Long We Retain Your Personal Data
Rotary retains your personal data for as long as necessary in the circumstances — for instance:
- As long you are a member of a club or have a relationship with our network
- For a reasonable period to send you donation information, program information, and marketing materials where we have regular contact with you, or
- As may be needed to enforce or defend contract claims or as is required by applicable law.
Rotary has adopted a Records Management Policy (which we may make available on request). The criteria we use for determining the relevant retention and disposal periods we adopt are based on the purpose for which we hold data and the reasonable expectations of those whose personal data we collect in these circumstances, taking into account various legislative requirements and guidance issued by relevant EU regulatory authorities. For example, we retain the names of alleged/confirmed offenders reported via the RI Reporting Portal for 10 years from the date of entry in the database.
In accordance with the above retention policy, the personal data that we no longer need will be disposed of and/or anonymized so you can no longer be identified from it.
History and archives
To preserve Rotary’s history and legacy, Rotary retains historical and archival information about its clubs, which may also include limited personal data of its members.
Your Personal Data Rights
In accordance with your legal rights under EU Data Protection Law, you have a “subject access request” right, under which you can request information about the personal data that we hold about you, what we use that personal data for and who it may be disclosed to, as well as certain other information.
Usually we will have one month to respond to a subject access request. However, we reserve the right to verify your identity, and we may, in case of complex requests, require an additional two months to respond. We may also charge for administrative time in dealing with any manifestly unreasonable or excessive requests. We may also require additional information to locate the specific data you seek, and certain legal exemptions under EU Data Protection Law may apply when we respond to your subject access request.
Under EU Data Protection Law, EU/EEA residents also have the following rights, which you may exercise by making a request to us in writing:
- That we correct your personal data if it is inaccurate or incomplete
- That we erase your personal data without undue delay if we no longer need to hold or process it
- To object to any automated processing (if applicable) that we carry out in relation to your personal data
- To object to our use of your personal data for direct marketing
- To object to and/or to restrict the use of your personal data for a purpose other than those set out above unless we have a compelling legitimate reason; or
- That we transfer personal data to another party where the personal data has been collected with your consent or is being used to perform services under a contract with you and is being processed by automated means
So we can fully comply, please note that these requests may also be forwarded to third-party data processors that are involved in the processing of your personal data on our behalf.
If you make a request and are not satisfied with our response, or you believe that we are illegally processing your personal data, you have the right to complain to the Office of the Information Commissioner in the United Kingdom.
Controller
The controller for the processing of your personal data is Rotary International, One Rotary Center, 1560 Sherman Avenue, Evanston, IL 60201-3698, USA. If you would like to exercise any of the rights set out above, please contact us at privacy@rotary.org.
Last modified: 22 July 2024