Blackbaud Data Privacy Framework Certification Notice

Blackbaud, Inc. and all of its controlled U.S. subsidiaries (collectively, “Blackbaud”) comply with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union (EU), the United Kingdom (UK), and Switzerland to the United States (U.S.). Blackbaud is subject to the investigatory powers of the Federal Trade Commission (FTC), and Blackbaud has certified to the U.S. Department of Commerce that it adheres to the Data Privacy Framework Principles (the “Principles”).

Blackbaud’s U.S. subsidiaries also adhering to the Principles are: JG US, Inc.; JGCrowdfunding USA, LLC; YC Blocker 1, LLC; YourCause Holdings, LLC; YourCause, LLC; BB Real Property Development, LLC; BBHQ1, LLC; EverFi, Inc.; Click 4 Compliance, LLC; Lawroom.com; BB Tuition Management LLC; and BB US-DCL, LLC.

If there is any conflict between the terms in this, or any other Blackbaud privacy policy, and the Principles, the Principles shall govern with respect to personal data transferred to the U.S. from the EU, the UK, and Switzerland. To learn more about the Data Privacy Framework and to view our certification, please visit https://www.dataprivacyframework.gov/s/.

Blackbaud’s participation in the Data Privacy Framework applies to all personal data that is subject to the Principles and is received from the EU and the European Economic Area (EEA), the UK, and Switzerland. Blackbaud will comply with the Principles with respect to such personal data. “Personal data” means information relating to an identified or identifiable natural person.

Types of Personal Data Collected and Purposes for the Collection and Use of Personal Data

Blackbaud collects and uses different types of personal data depending on the area of the business, which are described below.

Blackbaud as a Data Controller

We collect personal data that you provide to us, either by creating a Blackbaud account, using the website, submitting “Contact Us” forms, or otherwise interacting with us (like at conferences and trade shows). We may collect data about you from third parties. We also collect personal data that you provide to us when you are asked to register for a Blackbaud ID and when you use the Services you access through BBID, including your name, email address, phone number, IP address, and organization you’re affiliated with that has contracted for the Services you are using BBID to access. Blackbaud collects data in the following categories:

CATEGORIES EXAMPLES
Identifiers Name, postal address, email, IP address
Commercial or transactions information Your organization’s purchase of our Services
Internet/Solutions activity Your interaction with our websites or Solutions
Professional information Role at your organization

 

We also collect cookies for a number of purposes—for example, to maintain continuity during a user session, to gather data about the usage of our website for research and other purposes, to store user preferences for certain kinds of information or to store a username or encrypted identification number. Blackbaud also collects aggregated site-visitation statistics using cookies.

We may use personal information to allow a user to sign into the secure portion of our website or a Blackbaud Solution; to send individuals information that they request about Blackbaud Services; to provide the Services and to process customer payments; to contact individuals about promotions, news and updates, or thought leadership; to develop, improve, and test our website and the Blackbaud Services; and to comply with our legal obligations and to identify and remediate suspected or actual fraudulent activity or security incidents.

Target Analytics

Blackbaud’s Target Analytics® business provides data intelligence to nonprofit customers to help them identify and engage constituents to support their missions. This business collects personal information on individuals at least 18 years old from data compiling companies, non-private websites containing publicly available information, and government entities. For Target Analytics®, we collect the following categories of personal information:

CATEGORIES EXAMPLES
Personal and Online Identifiers Name; alias; postal address; email address; or similar identifiers.
Categories of personal information described in Cal. Civ. Code § 1798.80(e) and § 1798.140(v)(1) Physical characteristics or description; Telephone number.
Commercial or transactions information Examples include records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Internet or other electronic network activity information Examples include online interests, such as information about categories of consumer interests derived from online usage; and information on a consumer’s interaction with a website, application, or advertisement.
Professional or employment-related information Examples include current or past job history.
Inferences about your predicted characteristics and preferences Examples include inferences drawn to create a profile about you reflecting your preferences, characteristics, behavior, attitudes; and median age, wealth rating and median income.
Other information about you that is linked to the personal information above Examples include any personal information not captured by one of the enumerated categories of personal information listed above that may be linked to the personal information above.

 

We collect this data for business purposes of internal research, internal operations, auditing, detecting security incidents, debugging, short-term and transient use, fulfilling and improving our Services, quality control, and legal compliance. We also collect this data for commercial purposes—to share such information with our nonprofit customers. We sell the foregoing categories of information to nonprofit organizations.

JustGiving

Blackbaud’s JustGiving business provides a platform for online giving, fundraising, and crowdfunding.

JustGiving collects basic contact information about users to set up an account, including name, address and email address. JustGiving also asks users to register a username and password.

Alternatively, users may authorize JustGiving to collect basic personal details from a secure online source (e.g., Google, Facebook, PayPal or a sponsor charity). If a user chooses to login via Facebook, JustGiving will obtain access to the user’s Facebook public profile information and email address.

Where a user creates a Crowdfunding Page, JustGiving will also collect the user’s title (if provided), date of birth, telephone number and personal bank account details.

To enable JustGiving to process donations, we will collect basic payment information as well as the donor’s name, home address and email address.

A user may decide to provide JustGiving with information about others (or authorize JustGiving to collect this information on the user’s behalf from the user’s social networks or email contacts list).

JustGiving collects personal information when a user registers their interest to be informed about Charity Places for an Event or when a user applies for a Charity Place for an Event. This will include information such as the user’s name and email address, and any additional questions which help the charity to review the user’s application.

JustGiving also collects information about use of our Services through the use of cookies, including IP address, mobile device identifier, how much time a user spends on the site, and what a user does, likes, or views.

EVERFI

EVERFI’s digital learning platform offers educational courses on different critical skills in the K-12, Higher Education, and Adult markets.

Where you register with us, or communicate to us, depending on the Service, we may collect the following information:

  • Contact information and common identifiers;
  • Login details;
  • Employment details (depending on the offering);
  • Education history;
  • Demographic information; and
  • Preferences.

With respect to our K-12 market, we may collect the following data:

  • Date of birth (to support COPPA compliance), which is only stored as an over/under 13 flag within EVERFI’s system;
  • First name and first initial of last name (for under 13);
  • First name and last name (for over 13); and/or
  • Email address (only for over 13).

EVERFI educational assessments and surveys may ask questions based on race, ethnicity, and/or sexual preference. This information is considered a “sensitive” or “special category” data under applicable privacy laws; therefore we only collect it where you choose to provide this information and consent to us receiving it – the questions are always optional.

When we receive the surveys, we take steps to fully de-identify it and will only share responses on a fully de-identified and aggregated basis.

EVERFI also collects information automatically about users via a variety of methods, such as cookies, web beacons, JavaScript, and log files. This information may include user IP addresses, browser types, domain names, device type, time stamp, referring URL and other log file information; user activities within the Service; aggregate and statistical information regarding overall server/visitor traffic and navigation patterns for the Service.

If you want to request a demo of any Service and/or have a conversation with one of our product experts to learn how EVERFI can power your education initiatives, you may provide us with:

  • Contact information;
  • Job details; and
  • Communications preferences.

We use third party service providers to enhance and enrich our marketing database of business professionals who have requested further information on our products.

EVERFI generally uses the information we collect as follows:

  • To provide the Service directly to learners (where applicable);
  • To create log-in details for learners and to communicate with you about your use of the Service (including via email);
  • To respond to inquiries, to send you surveys, to fulfill your requests, and for other customer service or internal purposes;
  • To troubleshoot any technical issues you might experience while using our Service;
  • Where you are a business professional (e.g. sponsoring organization such as a financial institution or higher education institution i.e. a university), to send you communications about digital courses, services and other information;
  • To better understand how users access and use our Service, in order to improve our Service;
  • To develop aggregated reports and related analysis regarding user activities;
  • To tailor the educational content and information that we may send or display to you, to offer personalized help and instructions, and to otherwise personalize your learning experience while using our Service;
  • To comply with applicable legal obligations; and
  • Where we believe it is necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of our Terms of Use or our Privacy Policy.

Human Resources Data

Blackbaud collects personal information from job applicants, employees, and contractors for human resources purposes. This data may include name and contact details; details of education, career history, and qualifications; citizenship information; date of birth, gender, marital status, race/ethnicity, and military service information; financial information; benefit election details; government-issued documentation numbers; and medical information. Blackbaud needs to keep and use information about you for normal employment purposes. This information will be held and used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully, and appropriately.

Blackbaud as a Solution Provider

Blackbaud also processes personal data that is stored by our customers within Blackbaud’s Solutions, the categories of which are determined by our customers.

Personal Information Disclosed to Third Parties

We may disclose personal information to our affiliated organizations and subsidiaries, and to service providers who render services on our behalf. We also may disclose personal information if required by law or to enforce our legal rights or defend us against a legal claim or for the identification or remediation of suspected or actual fraudulent activity or security incidents. We may share personal information in connection with a sale or reorganization of Blackbaud. We may also share personal data if it is necessary to act in urgent circumstances to protect the safety of Blackbaud customers, website visitors, or the public.

In addition to the above, with respect to our Target Analytics® business, we sell the categories of personal information described above to nonprofit organizations. For our JustGiving business, we may share personal data with fundraisers, Crowdfunding Page creators, charities, and event partners and companies. For our EVERFI business, we may share the information we collect with Authorized Entities (if you access the Service through, or are granted access to the Service by, a school, school district, college, university, person, institution, employer, or other organization); social media (if a user chooses to share information such as assessment scores through social media outlets, such as Facebook and Twitter); Third-Party Sponsors (where EVERFI works with third-party sponsors to bring the Service to some users free-of-charge, and in such situations, EVERFI will only share anonymized and/or aggregated user information with those third-party sponsors unless consent is obtained); and third parties for advertising purposes, such as advertising networks, analytics and social media networks (solely in the case of teacher personal information in our K-12 market).

Your Rights

Blackbaud provides consumers, customers, suppliers, and others with reasonable access to the personal data maintained about them. We also provide a reasonable opportunity to correct, amend or delete that information where it is inaccurate. We may limit or deny access to personal data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles.

With respect to personal data we share with third parties (other than those acting as an agent or service provider), we provide consumers, customers, suppliers and others located in the EEA, the UK, and Switzerland with an opportunity to opt out of such sharing, as well as an opportunity to opt out of the use of personal data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.

To exercise any of these rights, please email privacy@blackbaud.com.

Compelled Disclosure

Blackbaud may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Liability in Cases of Onward Transfer

As described above, we may share personal data with service providers we have retained to perform services on our behalf. Blackbaud has responsibility for the processing of personal information it receives under the Data Privacy Framework and subsequently transfers to a third party acting as an agent or service provider on its behalf. Blackbaud shall remain liable under the Principles if its service providers that it engages to process such personal information do so in a manner inconsistent with the Principles, unless Blackbaud proves that it is not responsible for the event giving rise to the damage.

Inquiries and Complaints

If you believe Blackbaud maintains your personal data in one of the services within the scope of our Data Privacy Framework Certification, you may address any questions or concerns regarding our compliance by emailing us at privacy@blackbaud.com. Blackbaud will respond within 45 days.

If you do not receive timely acknowledgement of your complaint from Blackbaud, or if we have not addressed your complaint to your satisfaction, commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (EU DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA),  and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the Principles. The services of the EU DPAs, the UK ICO, the GRA, and the FDPIC are provided at no cost to you.

With respect to residual claims concerning our handling of personal data received in reliance on the Principles, individuals also have the ability to invoke binding arbitration with the EU-U.S. Data Privacy Framework Panel.

Effective Date

This Data Privacy Framework Certification Notice is effective as of November 8, 2023.