Effective as of: May 25, 2018
The International Mission Board (IMB) has created this Privacy Statement in order to explain IMB’s approach to privacy on IMB’s website, www.imb.org, as well as other websites owned and controlled by IMB. IMB’s Privacy Statement describes only IMB’s practices for gathering, using, and disclosing personally identifiable information collected by IMB solely at IMB’s website. IMB’s website may contain links to other websites that are not operated by IMB. IMB is not in any way responsible for the privacy practices, collection, use, or disclosure of personally identifiable information by such other websites, nor is IMB responsible in any way for the content of such other websites.
For purposes of this Privacy Statement, the term “IMB” includes all IMB offices worldwide, all IMB affiliates, all IMB employees and contractors subject to IMB control, and all partner entities owned or controlled by IMB.
IMB encourages its users to be aware when they leave IMB’s website and to read the privacy statements of each and every website that collects any personally identifiable information.
The Collection, Use, and Disclosure of Personally Identifiable Information
As used in IMB’s Privacy Statement, the phrase “personally identifiable information” is personal information that identifies a specific natural person and means: (a) a first and last name; (b) an address, including a street name, city or town, and zip code (but excluding a post office box); (c) an e-mail address; (d) a telephone number; (e) a Social Security number; (f) self-identified health information, and/or (g) an account number or credit card number (including but not limited to, banking account and routing numbers). In IMB’s Privacy Statement, the phrase “personally identifiable information” is abbreviated as “PII”.
The definition of PII will differ depending upon applicable law. In Europe, it will include all information that directly or indirectly relates to a user, and includes “personal data” as defined by the General Data Protection Regulation (GDPR). Where GDPR or other EU privacy laws apply to a user, this Privacy Statement details how a user can exercise user’s rights.
IMB is the owner of all PII that is collected by IMB on IMB’s website. IMB may collect PII from users, customers, and in responses to online surveys and group discussions at several different points on IMB’s website.
IMB will not sell or rent PII to other organizations in ways that are different from what is disclosed in this Privacy Statement or not permitted under the GDPR.
IMB may use PII to contact the user about IMB, the goods and services available on IMB’s website, and to provide information about other topics and discussion groups.
IMB may disclose PII to third parties as required or permitted by law.
IMB may share aggregate demographic information that does not contain PII.
“Legitimate Interest” under the GDPR
IMB will generally only collect European Union (EU) and European Economic Area (EEA) (comprised of EU member states, and Iceland, Liechtenstein, and Norway) based user’s PII when it is necessary for IMB’s “legitimate interests,” including but not limited to, fulfilling the missionary task, and performing IMB’s legitimate legal, employment, and business interests. IMB may also use user’s PII for the legitimate interest of providing goods and services, ministry needs, and processing donations. The table below provides some examples of how IMB uses user PII, and the legal basis for such use of user PII.
|How IMB Uses PII||The Types of PII||Legal Basis||Legitimate Interest|
|To contact users with information about the ministry activities of IMB||Identity Data; Contact information||Legitimate Interest||IMB may use user’s contact information to send user information about IMB activities that that he/she has requested|
|For electronic marketing communication||Identity Data; Contact Information; Marketing/Communication Data||Consent; Legitimate Interest||When users engage with IMB, the law permits IMB to send user relevant email marketing|
|For physical communication (e.g., post, telephone calls, etc.) and non-marketing electronic communication||Identity Data; Contact Information; Marketing/Communication Data||Legitimate Interest||To keep users informed of IMB’s ministry; To send users ministry information and resources that IMB believes would interest user|
|For contact management||Identity Data; Financial Data; Contact Information; Requests and Preferences; Demographics||Legitimate Interest||To manage participation in IMB’s ministry and contact management across the ministry|
|To improve user’s experience and allow log-in access to IMB affiliated websites and online portals||Identity data; Contact Information; Security Credentials||Contract; Legitimate Interest||To ensure that Users’ accounts on IMB’s websites and online portals are kept safe and private|
|For spiritual guidance and support||Identity Data; Contact Information about user’s beliefs and circumstances; Requests and Preferences||Legitimate Interests||To provide spiritual guidance and support; To allow IMB to pray for users; To provide users with resources and activities that will help them grow spiritually|
|For fund development||Identity Data; Financial Data; Financial Transaction Data; Contact Information; Information about user’s beliefs and circumstances; requests and preferences||Legitimate Interest||To provide opportunities for user to partner with IMB through financial giving, communication or prayer|
|To process donations||Identity data; Financial Data; Financial Transaction Data; Contact Information; Tax Status||Contract; Legitimate Interest||To securely receive user’s donation toward IMB’s charitable aims|
|For statutory reporting||Identity Data; Contact Information; Tax Status||Legal Obligations; Legitimate Interest||IMB may have obligations to report government authorities|
|To deliver goods and services||Financial Data; Financial Transaction Data; Contact Information||Contract||To provide user with goods or services that the user has purchased|
|To enable user to partake in a prize draw, sweepstakes, competition, or complete a survey||Identity Data; Contact Information; Marketing/Communication Data||Contract||To collect contact information to provide user with any prize they have one; To gather survey data that the user has provided voluntarily|
|To allow IMB to improve its tools; To maintain an audit trail of access to data; Troubleshooting; Data analysis; System maintenance||Historical Transaction Data; System Data; Audit Logs; Location Data||Legitimate Interest||To manage and protect access to IMB affiliated websites; To ensure that IMB’s services operate effectively and to track who is accessing user’s data|
|To respond to complaints and requests||Identify Data; Contact Information; Historical Transaction Data; Application Data||Legal Obligation; Legitimate Interest||To ensure that user’s concerns are addressed|
|For Ethnographic, Cultural, and Missiological Research||Identity Data; Contact Information; Information about user’s Personal Beliefs; Demographics||Legitimate Interests||IMB conducts extensive ethnographic, geographic information systems (GIS), and missiological research and data collection to improve missions and ministry efforts|
|To apply for, or participate in mission opportunities with IMB; To apply or participate as a volunteer||Identity Data; Contact Information; Application Data; Self-identified Health Information||Contract||In the application process, user must provide certain personal information to assess user’s suitability to serve as a missionary|
|To apply for Employment with IMB through a job application||Identity Data; Contact Information; Application Data; Information about user’s Personal Beliefs; Requests and Preferences; Security Credentials, Demographics; Employment Information; Self-identified Health Information||Contract; Legal Obligations||In the application process, users must provide certain personal information to facilitate employment|
Types of Data
To carry out the legitimate interests discussed above, IMB may collect, store, process and transfer different kinds of personal data about users, which IMB has grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from user and other details of products and services user have purchased from IMB.
- Technical Data includes internet protocol (IP) address, user’s login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices users use to access IMB’s network.
- Profile Data includes user’s username and password, user’s interests, preferences, feedback and survey responses.
- Usage Data includes information about how user use IMB’s website, and information technology products and services.
Special Categories of Data: IMB may also collect, store, process and transfer the following types of data that GDPR defines as “special categories” of more sensitive personal information:
- Information about user’s race or ethnicity, religious beliefs, gender, and marital status.
- Information about user’s health, including any medical condition, health and sickness records.
- Information about criminal convictions and offenses only where the law allows IMB to do so.
Government and Legal Requests
It may be necessary − by law, legal process, litigation, and/or requests from public and governmental authorities within or outside a user’s country of residence − for IMB to disclose PII. IMB may share PII if IMB has a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable terms of service, including investigations of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against imminent harm to the rights, property or safety of IMB, its users or the public as required or permitted by law.
Users may provide information to be published or displayed (hereinafter, “posted”) on public areas of IMB’s website, or transmitted to other users of the website or third parties (collectively, “User Contributions”). User Contributions are posted on and transmitted to others at user’s own risk. Although IMB limits access to certain pages, users must be aware that no security measures are perfect or impenetrable. Additionally, IMB cannot control the actions of other users of IMB’s website with whom a user chooses to share his/her User Contributions. Therefore, IMB cannot and does not guarantee that User Contributions will not be viewed by unauthorized persons.
IMB’s website uses IP addresses to help IMB analyze trends, administer IMB’s website, track user movement, and gather broad demographic information for aggregate use. IP addresses do not contain PII.
IMB’s website uses “cookies”. A “cookie” is a piece of data stored on a user’s hard drive that contains information about the user. A cookie does not contain and is not linked to PII while a user is on IMB’s website. For instance, by setting a cookie on IMB’s website, a user would not have to log in a password more than once, thereby saving time while on IMB’s website. If a user rejects the cookie, the user may still use IMB’s website, but would be limited in some areas of IMB’s website. Cookies can also enable IMB to track and target the interests of users to enhance their experience on IMB’s website.
In order to receive certain updates or use certain features on IMB’s website, a user may have to complete a registration form. During registration, a user may be required to provide PII, such as the user’s name and/or an e-mail address. If requested, it is optional for a user to provide demographic information (such as income level and gender) and unique identifiers which enable IMB to provide a more personalized experience on IMB’s website.
A user may subscribe to IMB’s newsletters or other publications on IMB’s website. In that case, IMB will request PII, such as the user’s name, mailing address, and/or an e-mail address. PII may be used to send such newsletters and may be used to contact the user about IMB, the goods and services available on IMB’s website, and to provide information about other topics and discussion groups.
IMB’s website includes an online catalog for customers to order goods and services related to IMB’s ministry, and contact forms for customers to request information and services. In such instances, IMB collects customer PII, such as a name, an e-mail address, a mailing address, an account number and/or credit card number.
Third Party Contractors
IMB may contract with third parties to provide services to IMB, including services relating to the internal operations of IMB’s website, the storage and retrieval of information, including PII, and other services. PII, on-line survey information, discussion group information, and aggregate demographic information may be maintained on IMB’s servers or on IMB’s third party contractor’s servers. IMB may use a third-party contractor to facilitate the serving of targeted content and may transmit data to the third party to facilitate this service. Except as may be required by law, IMB is not responsible for the acts of any such third parties with regard to their handling and treatment of PII.
Use of Shipping Companies and Credit Card Processing Companies
IMB may use shipping companies to ship orders and credit card processing companies to process and bill customers for goods and services related to IMB’s ministry. IMB may affiliate with other organizations to provide goods and services related to IMB’s ministry. When a user or customer signs up for or orders goods or services, IMB may share PII as necessary to provide such goods and services, and to provide information about IMB, the goods and services available on IMB’s website, and information about other topics and discussion groups. Except as may be required by law, IMB is not responsible for the acts of any of the entities discussed in this section with regard to their handling and treatment of PII. With respect to entities based in the EEA, whenever IMB transfers PII, IMB may use standard contractual clauses approved by the European Commission that protect the confidentiality of such PII to provide similar data protection as is available in Europe.
IMB’s website has security measures in place to attempt to protect against the loss, misuse, and alteration of information, including PII, which is under IMB’s control. However, because of the nature of the threats to the security of information, IMB cannot guarantee that it can prevent security breaches that could compromise information, including PII, which is under IMB’s control. The safety and security of PII also depends on the actions of the user. Where the user has been given (or where user has been chosen) a password for access to certain parts of IMB’s website, the user is responsible for keeping this password confidential. IMB urges users to be careful about giving information in public areas of the website, such as message boards. The information users share in public areas may be viewed by any user of the website.
Protection of Children
IMB is committed to the protection of children. IMB works to voluntarily comply with applicable provisions of the Children’s Online Privacy Protection Act of 1998 (COPPA) and its accompanying Federal Trade Commission regulations, which establish United States Federal law that protects the privacy of children using the Internet.
IMB develops missions materials for children, including pre-teens. IMB maintains web pages that are specially geared to the interests of younger children, and publish electronic newsletters and prayer letters in an effort to inform and develop their interest in all that God is doing around the world, including through the prayers and ministries of young children. There are many activities on the IMB site that children can participate in and enjoy without having to share personally identifiable information.
For those activities that require PII, such as newsletters or other resources, in compliance with the Federal Trade Commission’s Children’s Online Privacy Protection Act, IMB will require verifiable parental consent before collecting or using PII from children under the age of 13. With these activities, IMB will notify the respective parent of IMB’s Privacy Statement and obtain verifiable parental consent before collecting PII from the child, unless we collect only the child’s name and online contact information, which IMB will keep no longer than reasonably necessary, to (1) obtain parental consent or provide parents with notice; (2) respond directly on a one-time basis to a child’s specific request; (3) respond more than once to a child’s specific request along with providing parental notice of such use; (4) protect the safety of a child; or (5) comply with legal requirements. When we provide parents with notice and/or seek consent, we also give parents the ability to let IMB know if they do not want any further use made of the personally identifiable information we have collected from their child.
Parents can request to review or have deleted their child’s PII from IMB’s records, and refuse to permit further use of a child’s PII by writing to IMB at: www.imb.org/info/contact-us or Contact Center, ATTN: Privacy Statement, IMB, Box 6767, Richmond, VA 23230. Upon proper identification, a parent or legal guardian may review the PII that IMB has collected about their child, update their child’s contact details, request deletion, or refuse to allow further collection or use of the information.
The IMB will not condition a child’s participation in an activity on that child disclosing more PII than is reasonably necessary to administer the activity.
The IMB does not share PII from children under the age of 13 with any third party.
IMB opposes the use of unsolicited commercial email and mass posting to inappropriate newsgroups (spam) as a way to promote or advertise. IMB attempts not to send email to persons who are not related to IMB’s ministries or who have not otherwise requested contact from us, nor do we post advertisements to unrelated newsgroups. If user receives any unsolicited commercial email that appears to be from IMB or an employee of IMB, please notify IMB immediately.
IMB will reasonably investigate instances of unsolicited commercial email that appears to originate from IMB. If we find persons or entities using IMB’s name inappropriately, we will contact IMB’s lawyers and take reasonable steps, which may include legal action, to stop the unauthorized use of IMB’s name.
IMB has measures in place to attempt to require double opt-in, which means if someone receives a forwarded email or is added to an email list by another person or entity, the receiver of the forwarded email must nonetheless still agree to a subscription for themselves before they become a subscriber to that list.
User’s Rights under the GDPR
Users have the right of access (Art.15 GDPR), rectification (Art.16 GDPR), erasure (Art.17 GDPR), restriction of processing (Art.18 GDPR) and the right to data portability (Art.20 GDPR). In addition, users have the right to object to processing that is based on Art.6 (1)(f) GDPR. Users also have the right to lodge a complaint with the data privacy supervisory authority.
If a user has given IMB his/her consent to process personal data for specific purposes, this consent is the legal basis for processing user’s personal data. Consent can be revoked at any time without affecting the legality of the processing carried out on the basis of the consent until revocation. The revocation can take place form-free and should be directed if possible to the contact information provided in this policy.
Correcting Updating, and Removing Personally Identifiable Information
IMB will use reasonable efforts to provide a way for IMB’s website users and customers to request that IMB correct, update, or remove that respective user’s or customer’s PII in or from IMB’s database. If a user’s or a customer’s PII changes, or if a user or customer no longer desires IMB’s goods or services, such user or customer may contact IMB as directed in this Privacy Statement and request that IMB correct, update, or remove that respective user’s or customer’s PII in or from IMB’s database.
Under the GDPR, if a user is located in the EU or EEA, a user may request the following:
- Editing and updating personal information
- Accessing personal information
- Deletion of personal information
- Restriction of processing of personal information
- Objecting to certain types of data processing including automated decision making
- Portability of personal information
- Withdrawing consent – IMB primarily relies on legitimate business interests to process users’ data. Users have the right to withdraw any consent they may have given IMB at any time. IMB will comply with users’ requests promptly. However, the withdrawal of consent will limit IMB’s ability to provide users with IMB’s products and service.
IMB’s website provides users and customers the opportunity to opt-out of receiving further mailings and e-mailings from IMB at the point where IMB requests information about the user, customer, survey participant, or discussion group participant.
IMB’s website also provides users, customers, survey participants, and discussion group participants with the following options for removing their PII from IMB’s database and for notifying IMB that they do not want to receive future communications or services from IMB’s website by contacting IMB as directed in this Privacy Statement.
Users or customers wishing to contact IMB to update or removing their PII, to opt-out of newsletters or other mailings, to report a suspected breach of this Privacy Statement, exercise rights under the GDPR, or to inquire about any other of IMB’s privacy practices, should contact IMB in either of the following ways:
(a) The user or customer can contact IMB at www.imb.org/info/contact-us or GDPR@imb.org for GDPR matters, or (b) The user or customer can send IMB a request by United States mail to the following postal address:
Contact Center, Attn: Privacy Statement, International Mission Board, P.O. Box 6767, Richmond, VA 23230
Changes to IMB’s Privacy Statement
IMB may revise this Privacy Statement at any time without prior notice to users or customers and will post the revised Privacy Statement on the IMB website under “Privacy Statement”.