Non Personal Information
When you visit the Site, we receive non-personal information (“Non PII”), which is information about things like your IP address, browser and operating system. This is done through “cookies,” which are small files with unique ID numbers to simplify your logging in and staying logged into a website and using services there.
There are two types of cookies: (1) those cookies you bring with you when you visit the Site and (2) cookies that either automatically attach or that we have created. Our cookies—i.e., the ones we have created—are used to remember you when you login after the first time and to provide you with the Site information (such as locations of specific sections) to enable you to visit multiple section. Our cookies do not allow us to learn your real name and address. We will explain below how you can change that process.
Some information created by cookies involves how users such as you navigate the Site. That information is also used by third party services we use, such as Google Analytics. Those services do not enable us to identify you. You can change your browser setting, as described below.
Applicable law essentially defines personal information as information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device. Naturally, this information could include your name, email address, credit card information and other information that could identify you, whether by itself or together with other information.
Personal information does not include:
- Publicly available information from government records
- De-identified or aggregated consumer information (such as Non PII)
- Information excluded from the scope of applicable law, such as: health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
- Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.
Credit Card/Payment Information
When you subscribe to certain services that come with a fee, then you provide credit (or debit) card information, which we never see. This information goes right to the payment processors and not us.
Collection of your Personal Information
We obtain your information when you sign up or login on the Site or send us an email or letter and by doing so provide us with personal information. In order to better provide you with products and services offered on the Site, NRF Institute may collect personally identifiable information, such as your:
- First and Last Name
- E-mail Address
- Phone number
If you elect to subscribe to NRF Institute’s products and services, you will provide payment information (e.g., a credit card), but that goes from you to the payment processors, as noted above. Additionally, persons might provide personal information when they contact us for other reasons, such as proposing a new product or service or engaging with us on legal matters.
We do not collect any personal information about you unless you voluntarily provide it to us.
Use of your Personal Information
We use the information in several ways. Several important points:
We do not sell or lease your personal information or permit it to be used for any commercial purposes.
We also use the information only for the purpose for which it was received. For example, if you provide us with emergency contact information, then we would use it only to assist you in that emergency.
We use personal information for one or more of the following business purposes:
- To provide you with information or services that you request from us, to send you periodic updates or our services or products or to communicate with you for other common-sense uses, such as alerting you of changes, etc.
- To improve the Site, including R&D, testing, product development, bug fixes and the like.
- To protect the community and its members and our team when we think there is a risk and to comply with law.
For those who visit the Site, register, login or otherwise use the Site, we use such information for the following purposes: to simplify your login; to improve the Site, including customizing to your preferences; to respond to technical support requests; to inform you of certain things in the community or changes in the Site, (such as new material available on the Site, certain procedures or your use and your account(s) or otherwise get in touch with you for reasons related to the Site.
Sharing Information with Third Parties
NRF Institute does not sell, rent or lease its customer lists to third parties.
NRF Institute may share data with trusted partners to help perform statistical analysis, send you email or postal mail, provide customer support, or arrange for deliveries. All such third parties are prohibited from using your personal information except to provide these services to NRF Institute, and they are required to maintain the confidentiality of your information.
NRF Institute may disclose your personal information, without notice, if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on NRF Institute or the Site; (b) protect and defend the rights or property of NRF Institute; and/or (c) act under exigent circumstances to protect the personal safety of users of NRF Institute, or the public. By visiting the Site and/or using the Site, you consent to such disclosure.
Tracking User Behavior
NRF Institute may keep track of the pages our users visit within the Site in order to determine what NRF Institute services are the most popular. This Non-PII data is used to deliver customized content and advertising within NRF Institute to customers whose behavior indicates that they are interested in a particular subject area.
Automatically Collected Information
Non PII about your computer hardware and software may be automatically collected by NRF Institute. This information can include: your IP address, browser type, domain names, access times and referring website addresses. This information is used for the operation of the service, to maintain quality of the service, and to provide general statistics regarding use of the NRF Institute website.
Security of your Personal Information
NRF Institute secures your personal information from unauthorized access, use, or disclosure. NRF Institute uses the following methods for this purpose:
- Encryption of login credentials stored on our servers
- Encryption of personal information when transmitting information from our servers to our apps, your web browsers, and our partners such as credit card processors using Secure Sockets Layer (SSL) protocol
We strive to take appropriate security measures to protect against unauthorized access to or alteration of your personal information. Unfortunately, no data transmission over the Internet or any wireless network can be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, you acknowledge that: (a) there are security and privacy limitations inherent to the Internet which are beyond our control; and (b) security, integrity, and privacy of any and all information and data exchanged between you and us through this Site cannot be guaranteed.
External Data Storage Sites
We may store your data on servers provided by third party hosting vendors with whom we have contracted. Such external storage sites may include services operated by Amazon Web Services for cloud computing, and others.
Opting Out of Third Party Cookies
Your browser may be set to a default that accepts cookies, but usually you can modify those settings to reject cookies. If you do so, please understand that some of the features of the Site or parts of the Site might be disabled.
Deleting Your Information
If you send us a valid request to delete your information, then we will try to accommodate your request. Please keep in mind that under certain circumstances, we will not be able to do so if there is some need such as completing a transaction with you (e.g., adjusting or ending your subscription), responding to a request you have made or believe that we need to keep the information (securely) because of potential legal issues or other common-sense requirements. We will, of course, do so when required by applicable law.
Additional Privacy Matters under California Law
California law related to privacy includes what is known as the “Shine the Light” law (at Civil Code Section 1798.83), which gives users resident in California the right to prevent disclosure of their personal information to third parties for direct marketing purposes by those third parties. The law also requires companies with a web presence to respond to inquiries from such users about disclosure to such third parties as described above. Such companies can also choose an alternative, which is to follow a policy of not providing such personal information to third parties for direct marketing purposes.
California also adopted a law, known as the “Online Erasure” law (at Business and Professions Code Sections 22580-22582), which requires companies that maintain certain website or online services to allow registered users who are under the age of 18 and who are also residents of California to request that the company remove content such persons have posted.
Links to Other Sites
Do Not Track Notice
The Site does not respond to Do Not Track signals because the Site does not track the Site visitors across third party sites and over time to provide targeted advertising. Your browser should be able to set the Do Not Track signal on sites that do respond, thereby enabling you to inform them that you are not to be tracked.
For Visitors and Users Outside the US
However, we recognize the GDPR eight principles of the rights you have, which are:
- The right to be informed: Under the GDPR, individuals (also called “data subjects” under the GDPR) have the right to be informed about how companies collect and use their personal data, how long they plan to keep that data, and who they’ll share it with. Companies that collect data have to provide certain information to the data subjects, including the identities and contact details of the data controllers and data protection officers (if DPOs were appointed). We are the “data controller.” If we share your personal information with anyone, it will be done under a “data processing agreement” preserving your rights enumerated here.
- The right of access: You have the right to know exactly what information we have collected, how we’re storing and processing that data, and what we’re going to do with it, which we believe we have explained in this document, although we would try to provide you other information you request.
- The right to rectification (correction): You have the right to have incomplete data completed and incorrect data corrected.
- The right to erasure: You have the right to have personal data permanently deleted. This is also known as the “right to be forgotten.” In this case, we can’t argue that what are called our “legitimate interests” in processing your data outweigh your rights to have it erased. However, this right doesn’t apply if our processing of data that’s subject to an erasure request is necessary to comply with our legal obligations, e.g., processing your purchase of products or services and paying the processors.
- The right to restrict processing: If you can’t require that we, as the data controller, erase your personal information, you can restrict our ability in that role to process your data, but only under certain circumstances as outlined by the ICO (Information Commissioner’s Office) for your EU member state.
- The right to data portability: You have the right to obtain and reuse your personal data for your own purposes across different services. You can request that we, as the data controller, send the personal data files electronically to third parties. If technically feasible, we must provide the data in commonly used, machine-readable formats.
- The right to object: You have the right to object to the processing of your personal data in certain circumstances, e.g., if we use personal data for direct marketing, scientific and historical research, or to perform a task in the public interest. However, we may still process the data to establish or defend legal claims, or if we can demonstrate there are legitimate grounds that override individuals’ interests and rights.
- The right to not be subject to automated decision making: You have the right to demand human intervention, rather than having important decisions made by algorithms. We are required to inform you if you will be subject to algorithmic decision-making and let you know that you can opt out of it. We do not use any algorithms for decision-making or anything else. If that ever changes (which is unlikely), we will let you know and give you the option to opt out.
Changes to this Statement
1355 North Mentor Avenue, Suite 41126
Pasadena, CA. 91114
Effective as of August 1, 2023