Data Protection Framework
- European Union (EU) General Data Protection Regulation (GDPR) of 2018
- European Union (EU) Enforcement and Modernisation Directive (OMNIBUS) of 2020
- Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD) of 2020
- South Africa’s Protection of Personal Information Act (POPIA) of 2020
- the California Consumer Protections Act (CPPA) of 2018
- the California Privacy Rights Act (CPRA) of 2020
- the Virginia Consumer Data Protection Act (CPDA) of 2021
- the Colorado Privacy Act (CPA) of 2021
- the Connecticut Data Privacy Act (CTDPA) of 2022
- the Utah Consumer Privacy Act (UCPA) of 2022
The Imagination Factory has completed applicable Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) for activities related to this website, and these are available upon request from the Imagination Factory’s Data Protection Officer (see Section 9).
1. Customer and Citizen Data
You may decide to send us your personal information via this website if you are seeking more information, requesting to attend one of our events, requesting access to our support ticket system, making payments for our Services, or for other similar purposes. Your decision to disclose your personal data is entirely voluntary, and by doing so, you are providing us with specific consent to use your personal data only for the purposes for which you have disclosed it to us.
We will at all times handle and store your personal data in accordance with industry best practice aligned with ISO/IEC 27001, the international standard for information security. This includes the activities and procedures undertaken by our own personnel and authorized third parties (see Section 5), and the technical controls which we have implemented to prevent unauthorized access, compromise or theft of information from our applications, supporting computer systems and premises.
We use information about you as mentioned above and as follows:
- To provide our Services–for example, to set up and maintain your account, host your website, backup and restore your website, or charge you for any of our paid services;
- To further develop our Services–for example by adding new features that we think our users will enjoy or will help them to create and manage their websites more efficiently;
- To monitor and analyze trends and better understand how users interact with our Services, which helps us improve our Services and make them easier to use;
- To monitor and protect the security of our Services, detect and prevent fraudulent transactions and other illegal activities, fight spam, and protect the rights and property of IFI and others;
- To communicate with you (with you specific consent to do so) about Services / promotions offered by IFI, solicit your feedback, or keep you up to date on IFI and our products; and
- To personalize your experience using our Services, provide content recommendations and serve relevant advertisements.
How We Share Information
We do not sell our users’ private personal information. We share information about you in the limited circumstances spelled out below and with appropriate safeguards on your privacy:
- Third Party Vendors: We may share information about you with third party vendors who need to know information about you in order to provide their services to us. This group includes vendors that help us provide our Services to you (like payment providers that process your credit and debit card information) and those that help us understand and enhance our Services (like analytics providers). We require vendors to agree to privacy commitments in order to share information with them.
- As Required by Law: We may disclose information about you in response to a subpoena, court order, or other governmental request.
- To Protect Rights and Property: We may disclose information about you when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of IFI, third parties, or the public at large. For example, if we have a good faith belief that there is an imminent danger of death or serious physical injury, we may disclose information related to the emergency without delay.
- With Your Consent: We may share and disclose information with your consent or at your direction. For example, we may share your information with third parties with which you authorize us to do so, such as the social media services that you connect to your site through our Publicize feature.
- Aggregated and De-Identified Information: We may share information that has been aggregated or reasonably de-identified, so that the information could not reasonably be used to identify you. For instance, we may publish aggregate statistics about the use of our Services.
- Other Site Owners: If you have an account and leave a comment on a site that uses our Services, your IP address and the email address associated with your account may be shared with the administrator(s) of the site where you left the comment.
- Published Support Requests: And if you send us a request (for example, via a support email or one of our feedback mechanisms), we reserve the right to publish that request in order to help us clarify or respond to your request or to help us support other users.
Information Shared Publicly
Information that you choose to make public is–you guessed it–disclosed publicly. That means, of course, that information like your public profile, posts, other content that you make public on your website, and your “likes” and comments on other websites that may use our Services, are all available to others. We provide a stream of public data (like posts and comments) from sites that use our Services to provide that data to subscribers, who may view and analyze the content, but do not have rights to re-publish it, publicly. Public information may also be indexed by search engines or used by third parties. Please keep all of this in mind when deciding what you would like to share.
2. Sensitive Personal Data
GDPR specifies a set of personal data categories which are considered to be “sensitive”, and which require special consideration by Data Controllers. This website, and any services available from this website, do not knowingly collect or process any sensitive personal data, and supporting Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) are available upon request from the Imagination Factory’s Data Protection Officer (see Section 9).
3. Children’s Personal Data
This website, and any Services available from this website, are not directed to children under the age of 13. If you learn that a child under the age of 13 has provided us with their personal information without having parental consent, please contact the Imagination Factory Data Protection Officer (see Section 9) immediately so that we can take appropriate action.
4. IFI Customer and EU, Brazil and/or South Africa Citizen Data Rights
As prescribed within data protection regulations, you have several rights connected to the provision of your personal data to the Imagination Factory using this website. These include your rights to request that the Imagination Factory:
- confirms to you what personal data it may hold about you, if any, and for what purposes
- changes the consent which you have provided in relation to your personal data
- corrects any inaccurate or incomplete personal data which may be held about you
- provides you with a complete copy of your personal data for you to move elsewhere
- stops processing your personal data, whilst an objection from you is being resolved
- permanently erases all your personal data promptly, and confirms to you that it has done so (there may be reasons why we may be unable to do this)
If/when an individual contacts the company requesting this information, this is called a Subject Access Request (SAR). Subject Access Requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals may be charged $10 per subject access request. The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information. To contact Imagination Factory, please see Section 9 below.
If the Imagination Factory does not address your request, or fails to provide you with a valid reason why it is unable to do so, you have the right to contact your country’s Information Commissioner’s Office to make a complaint.
5. Declaration of Sub-Processing
To make an informed decision on whether to provide your personal data to the Imagination Factory using this website, we need to make you aware of three organizations that act as Data Processors for us in the provision of our services to you:
- WP Engine, Inc., a provider of secure hosting services, based in the United States
- CloudFlare, Inc., a provider of content delivery network services, based in the United States
- Amazon, Inc. (AWS), a provider of cloud storage services, based in the United Stages
- Google, LLC. & Google Ireland ltd., provider(s) of web fonts, spam reduction & analytics services, based in the United States & Ireland respectively
- FontAwesome, Inc., a provider of web symbols/icons, based in the United States
- Paypal, Inc. & Braintree, Inc., provider(s) of secure payment processing, based in the United States
- Rock Lobster, LLC., a provider of online form processing software, based in the Japan
- MyLiveChat, a provider of web chat & messenger application services, based in the Canada
- Automattic, Inc., a provider of content management and ecommerce software, based in United States
All listed comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
The activities within which each of these Data Processors participates have been recorded within the applicable Imagination Factory Privacy Impact Assessments (also known as Data Protection Impact Assessments under GDPR) and these are available upon request from the Imagination Factory’s Data Protection Officer (see Section 9).
6. Website Cookies
If you do not want these cookies to be served on your device, you are able to disable them by changing the settings on your browsers or third-party software can allow you to block cookies while you use this Website site. If you want to know how to do this, please look at the menu on your browser, or visit www.allaboutcookies.org for more information about cookies and how you can turn them off. Or, you can use third-party “anonymizer” services to mask information in your cookies, or even general data such as your IP address. In such cases you would not be able to take advantage of most of the personalization Services offered by IFI. Please note that if you do decide to disable cookies you may not be able to access this Website, some of the features of this Website or this Website may not function properly. By continuing to use this Website you consent to the relevant cookies being set on your device.
7. External Links
This website may include relevant hyperlinks to external websites not controlled by Imagination Factory. Whilst all reasonable care has been exercised in selecting and providing any such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and we cannot be responsible for any damages or consequences caused by your use of them.
9. Contacting Imagination Factory
The Data Protection Officer
the Imagination Factory, Inc.
15 Ionia Ave. SW, Suite 220
Grand Rapids, MI 49503