As of January 2024
Please note that the Harold Grinspoon Foundation is based in the United States. The Harold Grinspoon Foundation is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and complies with all relevant international, federal, and state laws regarding the collection, storage, usage, and transfer of personal data and information.
The Harold Grinspoon Foundation commits and adheres to the Principles defined in the EU-U.S. Privacy Shield as set forth by the U.S. Department of Commerce (DOC) regarding the collection, use, and retention of personal data and information.
This privacy notice is provided in a layered format, so you can click through to the specific areas set out below. Alternatively, you can download a pdf version of the policy here.
1. HOW YOUR PERSONAL DATA IS COLLECTED
2. THE PERSONAL DATA WE COLLECT ABOUT YOU
3. HOW WE USE YOUR PERSONAL DATA
4. DISCLOSURES OF YOUR PERSONAL DATA
5. INTERNATIONAL TRANSFERS
6. DATA SECURITY
7. DATA RETENTION
8. YOUR RIGHTS UNDER THE UK GENERAL DATA PROTECTION REGULATION (GDPR)
10. CONTACT US
How your personal data is collected
- Direct interactions. You may give us personal data when you:
  - enroll in the PJ Library program;
  - create an account on our website;
  - subscribe to our service or publications;
  - request marketing to be sent to you; or
  - give us some feedback.
- Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
The personal data we collect about you
When enrolling, renewing or donating on our site, we may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, last name, and username or similar identifier, as well as the name and birthday of the child being enrolled in the program.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial and Donation Data includes bank account and payment card details.
- Profile Data includes your username and password, purchases or orders made by you, preferences, feedback and survey responses.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We do not collect Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
If a parent is signing up for the PJ Library service, we may collect information about children. In such a case, we will request that the child’s parent or legal guardian consents to such processing.
How we use your personal data
Following is a table with the applicable legal bases we rely on to use your personal data.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
Type of data
Lawful basis for processing including basis of legitimate interest
For the purposes of your enrolment and the administration of the site
Performance of a contract with you
To carry out services under our contracts with you
(c) Marketing and Communications
Performance of a contract with you
To improve customer service
(d) Marketing and Communications
(a) Performance of a contract with you
(b) Necessary to our legitimate interests (to keep our records updated and to study how customers use our products/services)
To administer and maintain our activities and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a) Necessary for our legitimate interests (for running our charity, provision of administration and IT services, network security, and to prevent fraud)
To contact you (including sending information and updates relating to any order, questions or requests) or for the provision of customer services
(e) Marketing and Communications
Necessary for our legitimate interests (to study how users use our products/services, and to develop them)
To use data analytics to improve our website, products/services, marketing, user relationships and experiences
Necessary for our legitimate interests (to define types of users for our products and services, to keep our website updated and relevant and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
Necessary for our legitimate interests (to develop our products/services)
Promotional marketing communication regarding products, services and offers that may be relevant for you
(e) Profile Data
Third-party marketing from organizations outside the Harold Grinspoon Foundation group
(b) Marketing and Communications
What does each legal basis mean?
- Consent: You have given clear consent for us to process your personal data for a specific purpose. You can choose to withdraw your consent using specific features provided to enable you to withdraw consent, like an email unsubscribe link.
- Contract: Processing your data is necessary for performing services under a contract, or because we have asked you to take specific steps before entering into that contract.
- Legitimate interests: Processing your data is necessary for our legitimate interests or the legitimate interests of a third party, provided those interests are not outweighed by your rights and interests. In each case, these legitimate interests are only valid if they are not outweighed by your rights and interests.
You can ask us or third parties to stop sending you marketing messages at any time by contacting us.
Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of enrolling in the PJ Library program.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosures of your personal data
We may disclose personal data to fulfill our contractual obligations to you and to direct contractors and authorized service providers that perform certain services on our behalf. Our contractors and service providers are prohibited from using your personal data for their own purposes and may only use data we share with them for specified purposes and in accordance with our instructions.
These contractors and service providers include:
- Service providers acting as processors:
  1. Prism The Gift Fund, a registered charity based in the UK (number 1099682). PJ Library UK is a restricted fund under the auspices of Prism the Gift Fund.
  2. Central Mailing Services (CMS), a company incorporated in England and Wales with company number 03720150, which provides logistical assistance for the PJ Library mailing services in the UK.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the UK and/or the US who provide banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
International transfers
The personal data we collect is processed at our offices in the United States. By submitting your personal data, you agree to this transfer, storing or processing by us. Where your information is transferred outside the UK, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards* and that it is treated securely and in accordance with this Privacy Notice.
We may transfer your personal information outside the UK for reasons including, but not limited to, the following:
- To store it.
- To enable us to provide services to you and fulfil our contract with you. This includes order fulfilment, processing of payment details, and the provision of services.
- Where we are legally required to do so.
- In order to facilitate the operation of our business, where it is in our legitimate interests, and we have concluded these are not overridden by your rights.
*Safeguards could include but are not limited to data minimization of transfer; anonymization to reduce identifiability; data encryption to render data transferred unintelligible; and risk assessments against all data transfers, regardless of the adequacy mechanism.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. However, no system of safeguards can guarantee the security of your personal information.
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When the retention of your personal data is no longer required for these purposes, we will either delete or anonymize it.
Your rights under the UK General Data Protection Regulation (GDPR)
Under data protection law, you have rights and you are not required to pay a fee for exercising your rights. If you make a request, we have 30 calendar days to respond to you, and may be able to extend the time limit to complete your request by a further two months. Please note that we must verify your identity before we are able to process any of the requests described in this Section, and may, at our discretion, deny your request if we are unable to do so.
- Right of Access: You have the right to obtain confirmation whether your personal data is being processed, and, where that is the case, obtain a copy of your personal data.
- Right to Rectification (Correction): You have the right to correct inaccurate personal data and the right to have incomplete personal data completed.
- Right to Erasure (Right to be Forgotten): You have the right to request we erase your personal data.
- Right to Restriction of Processing: You have the right to restrict the processing of your personal data.
- Right to Data Portability: You have the right to request the transfer of your personal data directly to you or to another organization in a structured, commonly used, and machine-readable format.
- Right to Object: You have the right to object to the processing of your personal data.
You have the right to lodge a complaint regarding our use of your data: If your request or concern is not satisfactorily resolved, you may approach your local data protection authority:
EU - https://ec.europa.eu/info/law/law-topic/data-protection_en
UK – If you are a resident of the UK, you can approach the ICO:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Under specific circumstances these rights may be limited. For example, if fulfilling your request would reveal personal data about another individual, or if you ask us to delete personal data which we are required by law to keep or which we need to defend claims against us. If there is an exception to fulfilling your request, we will communicate clearly and fully with you about the reason.
To exercise any of these rights, please contact us by using the contact details under the “Contact Us” section below.
Changes to this privacy notice
We will post any adjustments to the Privacy Notice on this page, and the revised version will be effective when it is posted. Please check the “Last Updated” legend at the top of this page to see when this Privacy Notice was last revised. If we materially change the ways in which we use or share information previously collected from you, we will notify you by email or other communication.
Contact us
Full name of legal entity: The Harold Grinspoon Foundation, a 501c3 non-profit organization.
Name or title of data privacy contact person: Alex Zablotsky
Email address: alex[at]hgf.org
Postal address: 67 Hunt Street, Suite 100, Agawam, MA 10001
Full name of legal entity: PJ Library
Name or title of data privacy contact person: Lauren Hamburger
Email address: privacy[at]pjlibrary.org.uk
Postal address: 44A Albert Rd, London NW4 2SJ, UK