1. Scope

This Privacy Policy describes the information that Thinking About Thinking, Inc. (the "Organisation", "we", "our", or "us") collects from visitors to thinkingaboutthinking.org and its subdomains, and how we use and protect that information. It is incorporated into and forms part of our Terms and Conditions.

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, the Organisation is the data controller for the personal data described in this policy. We may update this policy from time to time and will note any change by updating the effective date above and, where the change is material, by posting a notice on the website or contacting affected individuals.

2. Information We Collect

We collect information in two main ways:

Information you give us directly. When you write to us, apply to the Ambassador Programme, register for an event, subscribe to our newsletter, make a donation, or otherwise correspond with the Organisation, you may provide information that identifies you. This may include your name, postal address, email address, telephone number, professional or institutional affiliation, and, in the case of donations, the billing information required to process the gift. We refer to this as "Personally Identifiable Information".

Information collected automatically. When you visit the website, our hosting provider and analytics tools may collect information such as your IP address, browser type and language, the pages you visit, the time and date of your visit, and the referring website. We may use cookies and similar technologies to recognise returning visitors and improve the site.

3. How We Use Information

We use Personally Identifiable Information to operate the Organisation and its programmes, including: to correspond with you and answer your enquiries; to process your donations and issue receipts; to administer the Ambassador Programme, the Fellowship, and our events; to send the periodic newsletter to those who have requested it; and to inform supporters of forthcoming activities, where they have indicated they wish to be informed.

We use automatically collected information to operate and improve the website, to understand how visitors use the site, to detect and prevent fraud and abuse and to comply with our legal obligations.

4. Lawful Bases (UK/EU Visitors)

For visitors in the United Kingdom and the European Economic Area, the lawful bases on which we process Personally Identifiable Information include: (a) your consent, where given (for example, for the newsletter); (b) the performance of a contract or agreement with you (for example, the administration of a donation or event registration); (c) compliance with legal obligations; and (d) our legitimate interests in operating, securing and improving the Organisation and its programmes, where those interests are not overridden by your rights.

5. When We Share Information

We do not sell your Personally Identifiable Information.

We share information with the following categories of third parties, and only to the extent necessary for them to perform a defined function on our behalf:

• ·Stripe, Inc. processes donations and recurring gifts on our behalf. Payment-card information is handled by Stripe and is not stored on our servers. Stripe's privacy practices are described at stripe.com/privacy.
• ·Hosting and analytics providers (including Vercel) provide the infrastructure on which the website runs and the tools by which we measure traffic in aggregate.
• ·Email and CRM providers may handle the sending of our newsletter and the administration of correspondence with ambassadors, fellows and supporters.
• ·Professional advisors including auditors, accountants and legal counsel, where necessary for the operation of the Organisation.
• ·Government and law enforcement bodies, where we are required to do so by law or where we believe in good faith that disclosure is necessary to protect the rights, safety, or property of the Organisation or any other person.

We require third parties to handle information in a manner consistent with this policy and applicable law and not to use information for any purpose other than the services they provide to us. In the event of a merger or transfer of substantially all of the Organisation's assets, information may be transferred to the successor, subject to the same protections.

6. Cookies and Similar Technologies

We use a small number of cookies and similar technologies to make the website function correctly, to remember your preferences, and to understand site usage in aggregate. You can control cookies through your browser settings; some site functions may not work correctly if cookies are disabled.

Some browsers transmit "Do Not Track" signals. We do not currently change our practices in response to those signals, although our third-party providers may.

7. Third-Party Sites

The website contains links to sites that we do not operate, including the personal and institutional pages of fellows, ambassadors and contributors. This Privacy Policy does not apply to those sites and we are not responsible for their content or their handling of personal information. We encourage you to read the privacy policies of any third-party site you visit.

8. Security

We take reasonable administrative, technical and physical measures to protect Personally Identifiable Information from loss, misuse and unauthorised access. Donations are processed on Stripe's secure infrastructure using TLS encryption. We restrict access to information internally to those who need it to perform their roles.

No system is perfectly secure. We cannot guarantee the security of information transmitted to or from us over the internet and any such transmission is at your own risk.

9. Your Choices and Rights

Email and newsletter. You may unsubscribe from the newsletter at any time by following the unsubscribe link in any issue, or by writing to the address below.

Access, correction, deletion. You may request access to the Personally Identifiable Information we hold about you, ask us to correct or delete it, or ask us to restrict its processing. We will respond as required by applicable law.

UK and EU visitors. You have additional rights under the UK GDPR and the EU GDPR, including the right to data portability and the right to object to processing for direct marketing or based on legitimate interests. You also have the right to lodge a complaint with the data protection authority of the country in which you live or work.

California residents. Under the California Consumer Privacy Act (as amended by the CPRA), you have rights to know, delete, correct and opt out of the sale or sharing of personal information. We do not sell personal information.

10. International Transfers

We are based in the United States and our service providers may be located there or in other jurisdictions. If you are accessing the website from outside the United States, please be aware that your information may be transferred to, stored and processed in the United States and other jurisdictions whose data-protection laws may differ from those of your home country. Where required, we implement appropriate safeguards for international transfers.

11. Children

The website is not directed to children under the age of 13, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please write to us so that we may delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of the page reflects the most recent revision. Where the change is material, we will provide notice through the website or by other reasonable means.

13. Contact

Questions regarding this Privacy Policy, requests to exercise your rights, or complaints should be directed to:

See also: Terms and Conditions