This Privacy Statement applies to all information collected through your communications with the Myasthenia Gravis Foundation of America (MGFA), whether electronic, written or oral; information collected through mobile applications (“Apps”) or MGFA websites (“Sites”); as well as any other information about you that we may collect offline or receive from third-parties (collectively, social media tools, Apps, Sites, and offline or third-party information are referred to as the “Services”). By accessing our content and resources or providing your information to us, you accept and agree to the practices described in this Privacy Statement.
Here is how we handle information about your visit to our website or mobile app:
Information Collected and Stored Automatically
If you do nothing during your visit but browse through the website or mobile app, do searches, read pages, or download information, we will automatically gather and store certain information about your visit. This information does not identify you personally. No information about users/visitors will be sold, shared, or utilized in any commercial way. We automatically collect and store only the following information about your visit:
- The Internet domain (for example, "company.com" if you use a private Internet access account, or "yourschool.edu" if you connect from a university's domain) and IP address (an IP address is a number that is automatically assigned to your computer whenever you are surfing the Web) from which you access our website;
- the type of browser and operating system used to access our site;
- the date and time you access our site;
- the searches you make;
- the pages or screens you visit; and
- if you linked to this site from another web site, the address of that web site.
We use this information to help us make our site and mobile app more useful to visitors -- to learn about the number of visitors to our site, what part of the site they are interested in, how long they use the site, and the types of technology our visitors use. If you engage in more meaningful or intensive activities on the website such as, for example, downloading information or actively responding to events or “calls to action,” then the MGFA may collect information that identifies you as an individual or information which is linked or linkable to you as an individual or household, which will collectively be referred to throughout this Privacy Statement as “Personal Information.” Personal Information may include but is not limited to contact information, demographic information, health and financial information, as well as call recordings and transcripts.
Sometimes we write a small file on the user's computer called a "session cookie." Session cookies automatically expire when users leave a Web site; session cookies retain information only during the session or for the purpose of completing a particular online transaction, without any capacity to track users over time and across different web sites. Please note that cookies could potentially be replicated by sophisticated technology groups, but there is some risk in all online applications or websites. However, our donation pages are completely secure and protected by an external processing gateway. Other than a session cookie, and the six items described above, we do not obtain any information from the user or the user's computer. We do not use "persistent cookies" and fully comply with the HHS IRM Policy for Usage of Persistent Cookies, HHS-IRM-2000-0009; this policy prohibits the use of persistent cookies and permits the use of session cookies.
How We May Use Your Personal Information
If You Send Us Personal Information
If you send us e-mail, or send a message via our "Feedback," or enter personal information on any form (such as registration, donation, or volunteer forms) found on our website, online community, or mobile app, your identity and the contents of your message will be stored in a secure external database system in perpetuity, and are covered by the Privacy Act. Be assured that:
- The information will not be shared with or sold to anyone not on the staff of the Myasthenia Gravis Foundation of America unless permission to do so is granted by the constituent.
- Your e-mail address will not be provided to any third party unless permission to do so is granted by the constituent.
- MGFA does not share, sell, trade, or rent your personal information with/to others.
We use this information to:
- Consider your suggestions.
- Possibly respond directly to you for clarification.
- Process your request for materials if you make one.
- Try and answer your questions if you ask them.
- Send you information regarding MGFA.
- Solicit donations.
- Engage in legitimate marketing activity and promotions.
- Solicit opinions and perceptions through surveys or polls.
Data Collection, Utilization and Processing for Constituents Outside the United States
What is the General Data Protection Regulation?
The laws in some countries require us to tell you about the lawful grounds we rely on to collect, use, disclose, and otherwise process your Personal Information. To the extent those laws apply, our lawful basis for processing your Personal Information is in support of our legitimate interests, where those interests are not overridden by your fundamental rights and freedoms. The GDPR is a comprehensive data privacy regulation enacted by the European Union (EU) to govern how companies obtain and process personal information in the EU. As a new and improved version of the 1995 Data Protection Directive, the GDPR strives to keep up with the growing demands for internet privacy in the world today. To do this, the law extends its reach to include organizations outside the region, so long as they offer products/services to, or collect personal information from EU citizens.
Basically, the GDPR:
- Harmonizes data protection laws across all 28 EU member states into one centralized source,
- Reinforces individual privacy rights regarding the protection of personal data, and
- Imposes fines and other punishments on violators.
The GDPR's Definitions
To comprehend and appropriately comply with the GDPR, you need to understand how the law defines its terms. Let's briefly go over the essentials.
Personal data is any information that can directly or indirectly distinguish a person. Although the law doesn't provide an exhaustive list of what should be considered personal data, here are the more obvious ones:
- Identification numbers
- IP/email addresses
- Web cookies
- Images or videos
- Bank details
Anonymized data may also fall under this definition if a person can be easily identified from it.
Sensitive Personal Data
Under the GDPR, sensitive personal data is a unique class of personal information that comes with stricter regulations due to its intrusive nature. It includes but is not restricted to the following:
- Biometric data
- Genetic data
- Sexual orientation
- Political opinions
- Philosophical/Religious beliefs
- Racial/Ethnic data
Processing is a delicate term under the GDPR. It refers to any activity or operation (whether electronic or manual) carried out on personal data. Cited examples include:
- Collecting data
- Recording data
- Storing or organizing data
- Modifying data
- Using data
- Disclosing data
- Restricting data
- Erasing data
With that said, just assume everything you do with a person's data can be labeled as processing.
We collect and process data under the lawful basis of consent, and our processing activities are considered legal only after getting clear, affirmative consent from our data subjects outside of the United States. This lawful basis promotes the GDPR mission to give more control to data subjects. Consent is now more deeply regulated under the GDPR. According to the law, consent must be clear, specific, unambiguous, and characterized by an approving action. We strive to obtain explicit consent from data subjects. Additionally, consent is easy to withdraw and given only by users over the age of 13 or else approved by a parent.
Individual Rights Under the GDPR
As an organization subject to the regulation, we observe and help exercise the individual user rights under the GDPR. They include:
- Right to be informed – We notify users about how we obtain and process their data in a brief, intelligible, and easily accessible form.
- Right of access – We allow users to obtain information about how we use, store, or disclose their data.
- Right of rectification – We let users correct inaccurate information about them displayed in our records.
- Right to erasure – We promptly delete users' data at their request.
- Right to restrict processing – We stop processing users' data at their request.
- Right to data portability – We allow users to transfer a copy of their data to another company.
- Right to object – In certain instances, users can object to the processing of their personal data.
- Rights related to automated decisions – We protect users from automated decisions by granting a review when requested.
If you are within the European Union, you have the following rights:
- You have the right to request from the MGFA access to your Personal Information, and the rectification of inaccurate Personal Information concerning you.
- You have the right to request that the MGFA not subject your Personal Information to automated processing.
- You have the right to obtain from the MGFA the erasure or the restriction of processing of your Personal Information in certain circumstances, including when the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, except when the MGFA is required by law to maintain or otherwise process your Personal Information, for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another person.
You may exercise these rights by contacting the MGFA using the contact information provided below.
If you are within the European Union, you also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of an alleged infringement of the applicable data protection law. However, we encourage you to contact us first at firstname.lastname@example.org and we will try to resolve your concerns.
If you would like to submit a data access, correction, restriction, or deletion request, you can do so by contacting us at email@example.com and we will process such request with respect to any Personal Information that we are able to link to you individually based on the information that you can provide to us. These rights and options that you have with respect to Personal Information are subject to limitations and exceptions under applicable law.
Our Commitment To Children's Privacy
Protecting the privacy of the very young is especially important. For that reason, we adhere to the 1998 Children's Online Privacy Protection Act (COPPA). (For more information visit the Federal Trade Commission's COPPA site at http://www.ftc.gov/privacy/coppafaqs.shtm.) The MGFA web-pages are not directed at children, but we recognize children may, at times, utilize the service of the web-pages in sending personal information to the MGFA National Office. Whenever we receive such information or inquiries from those we actually know are under 13, we obtain parental consent before any personally identifiable information is collected, used or disclosed. MGFA does not knowingly contact or solicit donations from individuals under 18 years of age. However, that may be occasionally unavoidable if an outside source gave us information but we did not collect or append age information to its lists.
Online registration and information such as credit card numbers will be secured using a commercially accepted method of encryption. However, while we employ reasonable security measures to protect your personal information, please be aware that no method of electronic transmission is completely infallible, and we cannot guarantee its absolute safety. If you become aware of any breach of Site security, please contact us immediately.
We may disclose personally identifiable information to the proper authorities if we become subject to a subpoena or court order, or if we are otherwise legally required to disclose such information. We also may use and disclose information about you to establish or exercise our legal rights, to enforce the Terms and Conditions of Use, to assert and defend against legal claims, or if we believe such disclosure is necessary to investigate, prevent, or take other action regarding actual or suspected illegal or fraudulent activities or potential threats to the physical safety or well-being of any person. If all or part of MGFA is merged or otherwise transferred to another entity, we may transfer the personally identifiable information you provided to us to such entity as part of that transaction.
MGFA Donor, Visitor, or Mobile App User Confidentiality Policy
The Myasthenia Gravis Foundation of America (MGFA) recognizes that in order to efficiently operate, the organization requires the maintenance and management of extensive donor and prospect records. These records may contain sensitive information that has been shared with or developed by MGFA staff or volunteers on a confidential basis. (“Records,” as used herein, is construed to mean all files, including electronic data, containing information on donors or prospective donors to MGFA.) Donors and prospects may be attracted to MGFA on the basis of its ability to assure temporary or permanent anonymity. Protecting donor and visitor confidentiality is an essential part of providing good service and support to donors. MGFA maintains the highest level of confidentiality with respect to donor and user information. Additionally, care is taken to preserve confidentiality of discussions that take place and information that is shared in the course of conducting MGFA business.
This policy codifies the position of MGFA on confidentiality.
1. Confidentiality of Records: The Chief Executive Officer shall have ultimate responsibility for maintaining the confidentiality of donor and prospect records, as well as fund information. Records will normally be available to staff and only select volunteers as needed to fulfill their duties. At the discretion of the Chief Executive Officer, staff may make all or part of any record available to MGFA’s Board of Directors and other related parties to assist them in executing their specific responsibilities. MGFA auditors, legal counsel and other contractors are authorized to review donor/prospect and fund records as required for the purposes for which they are engaged. All persons accessing donor/prospect or fund records in the conduct of MGFA business shall maintain the confidentiality of said records. This applies to agency endowment funds as well as to other types of funds. Staff may share information with donors, fund beneficiaries, and grantees pertaining to their own gifts, funds, grants, etc. Except in those instances, any copies of confidential information shall not be held outside MGFA’s offices for extended periods, and are to be destroyed as soon as possible.
2. Publication of Donor Names: MGFA gives donors the ability to opt out of printing their names in the MGFA annual report and in other appropriate listings. MGFA will not publish the specific amount of any donor's gift without the permission of the donor. Unless otherwise specified in the document, donors making gifts to MGFA by bequest or other testamentary device are deemed to have granted such permission.
3. Memorial/Tribute Gifts: The names of donors of memorial or tribute gifts may be released to the honoree, next of kin, or appropriate member of the immediate family, unless otherwise specified by the donor. Gift amounts are not to be released without the express consent of the donor.
4. Anonymous Gifts: The Chief Executive Officer is authorized to accept anonymous gifts to MGFA, and to handle them appropriately. The name of the donor and size of the gift will be withheld from the Board of Directors at the discretion of the Chief Executive Officer and the donor’s discretion. All Board members will respect the anonymity of any such gift.
5. Giving Categories: If giving categories have been stipulated for a specific fund drive, challenge grant, or project, or as part of MGFA’s ongoing recognition program, then the donors, unless they otherwise specify, are deemed to have given permission for MGFA to publish their names associated with the particular giving category. Similarly, MGFA may publish giving categories associated with donor names in its annual report, unless a donor specifies otherwise.
6. No Disclosures to Third Parties: Except as otherwise set forth herein, MGFA shall not release to third parties or allow third parties to copy, inspect or otherwise use MGFA records or other information pertaining to the identification of a donor or donor's gifts. No disclosures to third parties of such information, including addresses and demographic information, shall be made without the donor's consent, except where required by law.
7. Confidentiality of Society Business: Discussions that take place in the context of MGFA’s operations require discretion, including discussions pertaining to grant-making, personnel issues, development activities, operational fundraising, investment management, etc. The positions or statements of individual board members, advisors, or staff should not be discussed outside of official MGFA meetings and processes. Likewise, the content of MGFA’s business, including documents or MGFA analyses of documents, should not be discussed or shared outside official meetings and processes.
8. Public Disclosure: MGFA will comply with both the letter and spirit of all public disclosure requirements, including the open availability of its Form 990 Tax Return. This Confidentiality Policy shall not be construed in any manner to prevent MGFA from disclosing information to taxing authorities or other governmental agencies or courts having regulatory control or jurisdiction over MGFA. However, all staff, volunteers, and contractors must hold strictly confidential all information of a private nature, including, but not limited to, all items explicitly discussed in this policy.
Social Media Interfaces. If you elect to engage with our social media tools like Facebook, Google+, LinkedIn, Twitter, or others, Personal Information from your social media account may be shared with us, which may include personal information that is part of your profile or your friends’ profiles; in addition, if you log in to our website using your social media account, use a “like” button or use other social media features while visiting our website, those social media companies may collect information about you. Your interactions with social media companies and the use of their features are governed by their privacy policies.
In addition to the other uses described in this section, we may also use your information as you expressly authorize us to do so.
Do Not Track Disclosure. Some web browsers have a “Do Not Track” feature that lets a user have the browser notify websites that the user does not want to have his or her online activities tracked. MGFA’s website currently does not respond to such browser-initiated signals. Regarding any potential external tracking, please consult external website policies regarding their tracking practices and their responses to Do Not Track signals.
In the Event of a Data Breach - Notify of Data Breaches
Under the GDPR, a personal data breach is defined as: "A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed." In the event a data breach occurs, MGFA informs the proper supervising authority (the MGFA CEO and Executive Board of Director members) within seventy-two hours of discovering it.
We will also inform the concerned data subjects if the breach may threaten their rights and freedoms. MGFA will distribute an email notice (and potentially a mail notice) to all impacted contacts. Our notice will contain the following information:
- The nature of the breach.
- The name and contact details of the DPO or similar information.
- The possible ramifications.
- The recommended steps to take in order to manage the breach.
The MGFA will also work with proper law enforcement agencies and information technology agencies or entities to rectify or research the breach and will secure or delete data or records as needed or requested by contacts or legal entities.
Upon request, we will provide you with the information we maintain about you so that you may request corrections. This information will be sent via postal mail, which we believe is the most secure method of communication. Please contact us by email at firstname.lastname@example.org or in writing at:
Security and Privacy Requests
290 Turnpike Road
Westborough, MA 01581
To protect your privacy and security, we will take reasonable steps to verify your identity before providing information or making corrections.
We are committed to protecting the security of your personal information and to honoring your choices for its intended use. To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we strive to maintain physical, electronic, and administrative safeguards.
Our site provides users the opportunity to opt-out of receiving communications from MGFA at the point where we request information about the visitor. The MGFA allows the following options for removing your information from our databases. Anyone opting out will not receive future communications from us.
- Send an email to email@example.com
- On all email communications, constituents or contacts have the ability to “unsubscribe” from communications at the bottom footer of every email.
- Send mail to the following postal address to request to be taken off communications lists:
Myasthenia Gravis Foundation of America
290 Turnpike Road
Westborough, MA 01581
Links to Other Sites
Questions About Our Privacy and Confidentiality Policy?
Myasthenia Gravis Foundation of America
290 Turnpike Road
Westborough, MA 01581