DATE LAST MODIFIED. May 23, 2023
2. WHO WE ARE
The Site is operated by the Oprah Winfrey Charitable Foundation, PO Box 29610, Los Angeles, CA 90029 and (“OWCF”, “us”, “our”, or “we”). We may be reached by email at OWCF_Inquiries@harpo.com.
3. SCOPE & ACKNOWLEDGEMENT
Your use of our Site indicates your acknowledgment of the practices described in this Policy.
4. COLLECTION AND USE OF PERSONAL DATA
Personal Data We Collect
In order to provide our Site, we may collect and process information that relates to identified or identifiable individuals (“Personal Data”). We collect and process the following categories of Personal Data (note, specific Personal Data elements are examples and may change):
Identity Data – Personal Data about you and your identity, such as your name or IP address.
Contact Data – Identity Data used to contact an individual, e.g. email address, physical address, or phone number.
Device/Network Data – Personal Data relating to your device, browser, or application e.g. device identifiers, identifiers from cookies, session history, and Site navigation metadata, and other data generated through applications and browsers, including via cookies and similar technologies.
General Location Data – Non-precise location data, e.g. location information derived from IP addresses.
Inference Data – Personal Data we create or use as part of a profile reflecting your preferences, characteristics, aptitudes, market segments, likes, favorites or your interests.
User Content – Personal Data included in content provided by users of the Site in any free-form or unstructured format, such as in a “contact us” box, free text field, in a file or document, or messages to us.
How We Collect Personal Data
We collect Personal Data from various sources based on the context in which the Personal Data will be processed:
Data we collect from you – We collect Personal Data from you directly, for example, when you input information into an online form, or contact us directly.
Data collected automatically – We may collect certain Personal Data automatically. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use our Site, access our Site, or when you open our marketing communications.
Data we receive from service providers – We receive Personal Data from service providers performing services on our behalf.
5. DATA PROCESSING CONTEXTS / NOTICE AT COLLECTION
When you use our Site, we automatically collect and process Identity Data and Device/Network Data. We use this data as necessary to initiate or fulfill your requests for certain features or functions through our Site, such as delivering pages, logging activities for security purposes, etc. We may also process this Personal Data for our Business Purposes (described below).
Informational or Promotional Emails
We may process Identity Data, Device/Network Data, and Contact Data in connection with email communications relating to our Site, or if we send you promotional communications. You may receive such email communications if you contact us, choose to receive them, or interact with us in a way that allows us to send you those communications. We may also automatically collect Device/Network Data when you open or interact with those communications so that we can better understand engagement with our communications. We may also process this Personal Data for our Business Purposes (described below).
When you contact us through the Site using a contact us box or via email, we process Personal Data such as Identity Data, Device/Network Data, and any Personal Data contained within any User Content. We use Identity Data, Contact Data, and User Content as necessary to communicate with you about the subject matter of your request and related matters. We may also process this Personal Data for our Business Purposes (described below).
Cookies and Similar Tracking Technologies
- the IP address of the device you use to connect to the internet (which may include information about your geographic location)
- for “essential” purposes necessary for our Sites to operate (such as maintaining user sessions, content delivery, and the like);
- for “functional” purposes, such as to enable certain features of our Sites (for example, to allow a customer to maintain an online shopping cart); and
- for “analytics” purposes and to improve our Sites, such as to analyze the traffic to and on our Sites (for example, we can count how many people have looked at a specific page, or see how visitors move around the Site when they use it, to distinguish unique visits/visitors to our Sites, and what website they visited prior to visiting our Site, and use this information to understand user behaviors and improve the design and functionality of the Site).
We may also process this Personal Data for our Business Purposes. See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.
6. PURPOSES OF PROCESSING
In addition to the processing described above, we generally process Personal Data for several common purposes in connection with our business. For example, we process your Personal Data. Please see below for more information regarding the purposes for which we process your Personal Data.
Operate our Site and Fulfill Obligations – We process any Personal Data as is necessary to provide the Site, and as otherwise necessary to fulfill our obligations to you, e.g. to provide you with the information, features, and Site you request.
Internal Processes and Service Improvement – We may use any Personal Data we process through our Site as necessary in connection with our improvement of the design of our Site, understanding how the Site is used or functions, for customer service purposes, in connection with the creation and analysis of logs and metadata relating to Site use, and for ensuring the security and stability of the Site. Additionally, we may use Personal Data to understand what parts of our Site are most relevant to users, how users interact with various aspects of our Site, how our Site perform or fail to perform, etc., or we may analyze use of the Site to determine if there are specific activities that might indicate an information security risk to the Site or our users.
Aggregate Analytics – We process Personal Data as necessary in connection with our creation of aggregate analytics relating to how our Site is used, the pages and content users view, and to create other reports regarding the use and performance of our Site, and other similar information and metrics. The resulting aggregate data will not contain information from which an individual may be readily identified.
Compliance, Safety & Public Interest – Note that we may, without your consent or further notice to you, and to the extent required or permitted by law, process any Personal Data subject to this Policy for purposes determined to be in the public interest or otherwise required by law. For example, we may process information as necessary to fulfill our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest or as required by a public authority. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.
Corporate Events – Your Personal Data may be processed as part of routine corporate operations, as part of corporate reorganizations, or any business transition, such as a merger, acquisition, liquidation, or sale of assets.
Other Processing of Personal Data – If we process Personal Data in connection with our Site in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to your rights and choices) unless otherwise stated when you provide it.
We and certain third parties process Personal Data to further our commercial or economic interests (“Commercial Purposes”) depending on the context of collection and your rights and choices.
7. DATA SHARING
Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer data to the categories of recipients or in connection with specific business purposes, described below.
Service Providers – In connection with our general business operations, product/Site improvements, to enable certain features, and in connection with our other lawful business interests, we may share Personal Data with service providers or subprocessors who provide certain services to us, or process data on our behalf. For example, we may use third party hosting providers to host our sites or content, and we may disclose information as part of our own internal operations, such as security operations, internal research, etc.
Corporate Events – Your Personal Data may be disclosed to a third party in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
Affiliates – In order to streamline certain business operations and develop products and Site that better meet the interests and needs of our customers, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.
8. YOUR RIGHTS & CHOICES
Applicable law may grant you rights in your Personal Data. These rights vary based on your location, state/country of residence, and may be limited by or subject to our own rights in your Personal Data. You may submit requests to exercise rights you may have by contacting us at OWCF_Inquiries@harpo.com.
All rights requests we receive directly must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. For example, we may require that you verify that you have access to the email on file in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.
Note: We are able to fulfill rights requests regarding Personal Data that we control or process. We may not have access to or control over Personal Data controlled by third parties. Please contact the third party directly to exercise your rights in third party-controlled information.
You may have the following choices regarding the Personal Data we process, to the extent required under applicable law:
Consent – If you consent to our processing of Personal Data, you may withdraw your consent at any time. You may be required to close your account in order to withdraw consent where your consent is necessary to perform essential aspects of our Site.
Email Marketing – You have the choice to opt-out of or withdraw your consent to email marketing communications. You may exercise your choice via the links in our communications.
We implement and maintain reasonable security measures to safeguard the Personal Data you provide us. However, we sometimes share Personal Data with third parties as noted above, and though we may take certain measures to help ensure the security of your Personal Data, we do not control third parties’ security processes. We do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.
10. DATA RETENTION
We retain information for so long as it, in our discretion, remains relevant to its purpose, and in any event, for so long as is required by law. We will review retention periods periodically, and may sometimes pseudonymize or anonymize data held for longer periods, if appropriate.
Our Site is neither directed at nor intended for use by minors under the age of majority in the relevant jurisdiction. Further, we do not knowingly collect Personal Data from such individuals. If we learn that we have inadvertently done so, we will promptly delete it.
12. INTERNATIONAL TRANSFERS
We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be processed in the U.S. The U.S. may not provide the same legal protections guaranteed to Personal Data in foreign countries. Contact us for more information regarding transfers of data to the U.S.
13. CHANGES TO OUR POLICY
We may change this Policy from time to time. Please visit this page regularly so that you are aware of our latest updates. Your use of the Site following notice of any changes indicates acceptance of any changes.
15. REGIONAL SUPPLEMENT
US State & California Privacy Rights & Choices
Under the California Consumer Privacy Act (“CCPA”) and other state privacy laws, residents of certain US states may have the following rights, subject to regional requirements, exceptions, and limitations.
Confirm – Right to confirm whether we process your Personal Data. Access/Know – Right to request any of following: (1) the categories of Personal Data we have collected, sold/shared, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the purposes for which we collected or sold/shared your Personal Data; (4) the categories of third parties to whom we have sold/shared your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.
Portability – Right to request that we provide certain Personal Data in a common, portable format.
Deletion- Right to delete certain Personal Data that we hold about you.
Correction – Right to correct certain Personal Data that we hold about you.
Non-Discrimination – California residents have the right to not to receive discriminatory treatment as a result of your exercise of rights conferred by the CCPA.
List of Direct Marketers – California residents may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes during the preceding calendar year.
Remove Minors’ User Content – Residents of California under the age of 18 can delete or remove posts using the same deletion or removal procedures described above, or otherwise made available through the Services. If you have questions about how to remove your posts or if you would like additional assistance with deletion, contact us using the information below. We will work to delete your information, but we cannot guarantee comprehensive removal of that content or information posted through the Services.
Submission of Requests
You may submit requests as follows (please review our verification requirements section). If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at OWCF_Inquiries@harpo.com. We will respond to any request to appeal within the period required by law.
Categories of Personal Data Disclosed for Business Purposes
For purposes of the CCPA, we have disclosed to Service Providers for “business purposes” in the preceding 12 months the following categories of Personal Data, to the following categories of recipients:
Category of Personal Data
- Contact Data
- Device/Network Data
- Identity Data
- Inference Data
- General Location Data
- User Content
Category of Recipients
- Service Providers; Affiliates; Corporate Events; Lawful Recipients
The controller of Personal Data relating to residents of the UK/EEA/Switzerland/South Africa is: Oprah Winfrey Charitable Foundation, PO Box 29610, Los Angeles, CA 90029
Rights & Choices
Residents of the EEA, UK, Switzerland, and South Africa have the following rights. Please our review verification requirements. Applicable law may provide exceptions and limitations to all rights.
Access – You may have a right to access the Personal Data we process.
Rectification – You may correct any Personal Data that you believe is inaccurate.
Deletion – You may request that we delete your Personal Data. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you.
Data Export – You may request that we send you a copy of your Personal Data in a common portable format of our choice.
Restriction – You may request that we restrict the processing of personal data to what is necessary for a lawful basis.
Objection – You may have the right under applicable law to object to any processing of Personal Data based on our legitimate interests. We may not cease or limit processing based solely on that objection, and we may continue processing where our interests in processing are appropriately balanced against individuals’ privacy interests. In addition to the general objection right, you may have the right to object to processing:
- for profiling purposes (if any);
- for direct marketing purposes (if any); and
- involving automated decision-making with legal or similarly significant effects (if any).
Regulator Contact – You have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.
Submission of Requests
Access, Rectification, Data Export, Deletion, Restriction, or Correction
Lawful Basis for Processing
Performance of a contract
Description of Basis & Relevant Purposes
The processing of your Personal Data is strictly necessary in the context in which it was provided, e.g. to fulfill your subscription or perform an agreement you have with us, to provide products and services to you, to open and maintain your user accounts, or to process requests.
Relevant Contexts / Purposes / Disclosures
- Contexts where Personal Data is processed for purposes listed below
- Cookies and other tracking technologies (strictly necessary)
- Operation of Site
- Public Disclosure
- Service Providers
This processing is based on our legitimate interests. For example, we rely on our legitimate interest to administer, analyze and improve our Services, to operate our business including through the use of service providers and subcontractors, to send you notifications about our Services or your subscriptions, for archiving, recordkeeping, statistical and analytical purposes, and to use your Personal Data for administrative, fraud detection, audit, training, security, or legal purposes. See the Business Purposes of Processing section above for more information regarding the nature of processing performed on the basis of our legitimate interests.
- Contexts where Personal Data is processed for specified legitimate interests or purposes listed below
- Internal Processing and Service Improvement
- Security and Incident Detection
- Aggregated Analytics
- Corporate Events
- Marketing Communications
- Service Providers
- Data Aggregators
This processing is based on your consent. You are free to withdraw any consent you may have provided, at any time, subject to your rights/choices, and any right to continue processing on alternative or additional legal bases. Withdrawal of consent does not affect the lawfulness of processing undertaken prior to withdrawal.
Contexts where Personal Data is processed for purposes listed below:
- Cookies and other tracking technologies (except strictly necessary)
- Marketing communications
Compliance with legal obligations
This processing is based on our need to comply with legal obligations. We may use your Personal Data to comply with legal obligations to which we are subject, including to comply with legal process. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for compliance purposes.
- Compliance, Safety, Public Interest
- Lawful Recipients
Performance of a task carried out in the public interest
This processing is based on our need to protect recognized public interests. We may use your Personal Data to perform a task in the public interest or that is in the vital interests of an individual. See the Business Purposes of Processing section above for more information regarding the nature of processing performed for such purposes.
- Compliance, Safety, Public Interest
- Lawful Recipients
We process data in the United States, and other countries where our subprocessors are located. In cases where we transfer Personal Data to jurisdiction that have not been determined to provide “adequate” protections by your home jurisdiction, we will put in place appropriate safeguards to ensure that your Personal Data are properly protected and processed only in accordance with applicable law. Those safeguards may include the use of EU standard contractual clauses, reliance on the recipient’s Binding Corporate Rules program, or requiring the recipient to certify to a recognized adequacy framework. You can obtain more information about transfer measures we use for specific transfers by contacting us using the information above.