Security and Privacy Policy

Manifesta’s mission is to provide people everywhere with the digital tools they need to create the change they want to see, without sacrificing the need to protect your privacy and security online. Our Privacy Policy explains how we obtain information from you and what we do with it. (This Policy takes effect on May 24, 2018.)

1. Information we collect

What we collect How we collect it
Your name. We require you to provide a chosen name when you create a Manifesta account, or sign a petition.
Your email address. We require you to provide an email address when you create a Manifesta account, or sign a petition.
Your password. We require you to enter a password when you create a Manifesta account, or sign a petition.
Your IP address. Your “IP Address” is a designator that is automatically assigned to the computer that you are using by your Internet Service Provider (ISP). An IP Address may be identified and logged automatically in our server log files whenever you use our platform and services, along with the time of your visit and the specific page(s) that you visited.
Your postal address. You may choose to provide your postal address when you create a Manifesta account. Providing this information is not required to use the service.
Your telephone number. You may choose to provide your telephone number when you create a Manifesta account. Providing this information is not required to use the service.
Your country. We use the ControlShift Labs service to suggest your country from your IP address, in order to show you local petitions that may be of interest. You can change this information if it is displayed incorrectly.
Your profile picture. You may choose to upload a profile picture when you create an account, or at any time. Providing this information is not required to use the service.
Your specific activities on or connected to the Manifesta platform. These might include petitions you have started or signed, shared or promoted, or whether you decide to become a Manifesta member. When you are signed in or identified as a particular Manifesta user, your activities on or connected to the Manifesta platform are automatically associated with your account.
Any other information you voluntarily submit. You may be offered the choice to provide other information to us. For example, we may collect information when you respond to user surveys or provide information if we assist you by telephone. Providing this information is not required to use the service.
Your unique mobile device ID number if you access our services via a mobile application. When you download and use any mobile applications we develop, we’ll collect your unique device ID and all your account and activity information will be tied to that unique device ID. In addition, we may track and collect app usage data, such as the date and time the app on your device accesses our servers and what information and files have been downloaded to the app. This information may be associated with your account.
The name of the browser you use to access Manifesta. Certain information is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type (Windows PC or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version, and the name and version of the Manifesta platform you are using. Collecting this information helps us build and deliver the best possible version of Manifesta to you.
Your social media account ID, and information shared with us via your social media account. We may obtain certain information through your social media accounts connected to your Manifesta account, if you choose to link them. Linking a social media account is not required to access the service. For example, if you log in to Manifesta via Facebook, we ask for your permission to access certain information about your Facebook account, activities and friends. Social media sites make information available to all apps through their API, such as friend lists. The information we receive depends on what information you or the social media site decide to give us.
Information inferred about the issues you care about based on your activities on the platform. As part of our efforts to connect people to causes that interest them, petitions you sign might be tagged by our users or by us as particular cause areas. For example, a petition may be tagged as “reproductive rights” or “women’s rights”. If you sign one petition tagged in a particular cause area, we may infer that you would be interested in other petitions tagged in the same way. We may also send you petitions that are relevant to your general geographic area.
The currency of any contributions made through Manifesta. We infer your currency based on your country.
The transaction amount you contributed or received through a refund or otherwise. Your payment information including your credit card or bank number, expiration date, billing address and transaction amount is collected on our payment page by a third-party payment processor and will be subject to the third party’s privacy policy. We have no control over, and are not responsible for, the third party’s collection, use and disclosure of your personal information. We receive information on payment amount only; no other payment information is stored or saved within our systems.

Some of the information above reveals your specific identity, or is directly tied to your specific identity, such as your name and email address. Some of this information does not reveal your specific identity, or does not directly relate to you, such as your browser and device information. If we ever combine non-personally identifiable information with personally identifiable information, the combined information will be treated by us as personally identifying information and protected accordingly.

Our services are not directed to people under the age of sixteen (16), and we do not knowingly collect personal information from them.

2. How we use your information

Here are the ways we might use your information to run our platform, provide our services and serve you better content.

We and our service providers may use your information for our legitimate business interests in providing a petition platform that enables people to connect with issues of interest. Our legitimate business interests are explained below, alongside examples of how your information may be used for these purposes.

Purpose Examples
Providing the functionality of our platform. We engage in these activities to manage our contractual relationship with you.
  • To send administrative information to you, for example, information regarding our services and changes to our terms, conditions, and policies.
  • To ensure that our site and apps function properly and are optimized for your computer or device and to store your preferences and settings.
To fulfill your specific requests through the platform. We engage in these activities to manage our contractual relationship with you.
  • To allow you to create petitions, sign petitions, join “efforts” or “campaigns” (groups of similar petitions) and to follow their progress. To allow you to participate in other activities on Manifesta platforms, sites and apps, as well as to complete and fulfill your transactions with us.
  • To allow you to send email messages that you choose to send to your email contacts through our platform, such as to share a petition. By using this feature, you guarantee that you have the right to use and provide us the names and email addresses you submit.
  • To facilitate the social sharing functionality that you choose to use, such as sharing content and petitions through the Manifesta platform and other social media platforms like Facebook and Twitter.
Accomplishing our business purposes. We engage in these activities to manage our contractual relationship with you, to comply with a legal obligation, because we have a legitimate interest, and/or with your consent.
  • For data analysis, for example, to improve the efficiency of our services.
  • For audits, to verify that our internal processes function as intended and are compliant with legal, regulatory, or contractual requirements.
  • For fraud and security monitoring purposes, for example, to detect and prevent cyber-attacks or attempts to commit identity theft.
  • For developing new products, features and services.
  • For enhancing, improving or modifying our platform.
  • For identifying usage trends, for example, understanding which parts of our platform are of most interest to users.
  • For determining the effectiveness of campaigns.
  • For operating and expanding our business activities, for example, understanding which parts of our platform are of most interest to our users so we can focus our energies on meeting our users’ interests.
  • For legal compliance. In rare circumstances, we may have to use and disclose information we have about our users in order to exercise or protect legal rights or defend against legal claims under applicable law.
Analysis of personal information for business reporting and providing personalized services. We provide personalized services either with your consent or because we have a legitimate interest.
  • To personalize your experience by presenting petitions, campaigns and offers tailored to you based on information we have collected from you.
  • We may anonymize, de-identify and/or aggregate information and use such information to better understand and serve our users or for optimization of our marketing and targeting efforts. For example, we may compile statistics like the percentage of our users in a state or country who care about animal rights, or the age range of those users, or to analyze the performance of particular emails.
To share marketing communications that we believe may be of interest to you. We engage in this activity with your consent, or to manage our contractual relationship with you.
  • Communications related to petitions you’ve signed, other petitions that may be of interest, or petitions relevant to your location.
  • Editorial communications about specific issues or about Manifesta.
  • Communications about contributions to causes or about crowdfunding for a specific petition.
  • Communications about becoming a member or subscriber of Manifesta.
  • If you choose to provide your telephone number or postal address, which are not required, we may contact you by phone, SMS, or postal mail about the Manifesta membership program or other ways you can support campaigns.
  • Invitations to Manifesta events.
  • To allow you to participate in events and similar promotions and to administer these activities. Some of these activities have additional rules, which could contain additional information about how we use and disclose information about you, so we suggest that you read these rules carefully.
  • Most marketing communications will be sent via email and sometimes via social media.
  • We might remind you about particular petitions or the Manifesta membership program, if you have not completed starting or signing or joining.

3. Who may receive your information

Here we outline who may receive your information when it is shared either by you via the platform, or by us.

a. The Manifesta community

  • All information you post on our platform (such as petitions you create, reasons for signing a petition, or your posts on the Manifesta Community message boards) will be visible to other users. If you choose to send messages or connect with others through our platform about petitions you have signed or shared, you disclose your personal information to the recipient of your message. Our platform provides an open forum for communication by users all around the world. We do not monitor, verify, or perform any background check on campaign starters, petition signers, or other users of Manifesta.

  • Similar to traditional paper petitions, we consider an online petition to be a public expression of support for an issue. Therefore, your name, general geographic location (i.e. city, state, country), and a link to your Manifesta user profile may be displayed on the landing page for any petition you sign, and on related areas of our platform. This information will be viewable to any visitor, including the media, search engines, and other organizations that provide archival internet activities. If you do not wish to have your support for a petition to be public, we recommend you do not sign the petition. If you do not wish to have your name displayed on a petition landing page, you may select the option not to display your name and comment publicly on the petition page.

  • Your first name, last name, city and/or postcode, and the day that you signed will be shared with the person who initiated a petition you have signed, even if you select the option not to display your name and comment publicly. This is extremely important for petition starters to demonstrate the legitimacy of their signatures to the decision-makers they are working to influence. If you do not wish to have this information shared with the person who initiated the petition, please do not sign the petition.

  • The petition starter may choose to share your name and general geographic location with the intended decision maker who is the recipient of their petition. For example, the intended decision maker may be your congressman/woman when the petition concerns an issue relevant to him or her. If you do not wish to have this information shared with the petition recipient, you should not sign the petition.

  • If you sign a petition started by an NGO or other organization, you will be presented with the option of sharing your email address with that NGO or organization to receive direct email updates from them (not via the platform) should you choose to provide your consent for such sharing. Such organizations are not Manifesta’s commercial partners and are in no way affiliated with Manifesta. Enabling our users to interact directly with organizations, if those users consent to this connection, is part of our goal of helping people to stay informed on the causes that matter to them. We may revoke an organization’s access to this option in response to reports of abuse.

b. Your connected social media platforms

  • You may share your activities on Manifesta with friends on other social media sites, for example, sharing a petition you signed on Facebook. To do so, you must connect your Manifesta account with your social media account. In such case, you authorize us to share information with your social media account provider, and you understand that the use of the information we share will be governed by the social media site’s privacy policy. If you do not want your information shared with other social media users or with your social media account provider, please do not connect your social media account with your Manifesta account and do not use the social sharing features on the platform.

  • You may voluntarily share information on message boards, chats, profile pages, blogs, and other services to which you are able to post information and materials (including the Manifesta pages on Facebook and other social media platforms). Please note that any information you post or disclose through these services will become public information, and may be available to other Manifesta users, social media platform users and to the general public. We urge you to be very careful when deciding to disclose any information about yourself via the social sharing features of our platform.

c. Our business entities and service providers

We may share your information with third parties for the following purposes:

  • We may share your information with our affiliates to provide our services in different countries and for the purposes described in this Privacy Policy.

  • Manifesta and its consultants that operate in certain countries. Local consultants may contact you if you are within their country, as part of Manifesta's mission to build social movements that create transformational change.

  • Our suppliers, subcontractors and business partners (“service providers”): We may share information about you with our service providers who process information to provide services to us or on our behalf. We have contracts with our service providers that prohibit them from sharing the information about you that they collect or receive with anyone else or from using such information for other purposes.

d. Legal & administrative obligations

We may use and disclose your personal information as necessary or appropriate, especially when we have a legal obligation or legitimate interest to do so:

  • Fraud prevention: We may use and disclose the information we collect from and about our users as we believe necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, privacy, rights, or property of us, our users, or others.

  • Law enforcement purposes: If requested or required by government authorities such as law enforcement authorities, courts, regulators, or otherwise to comply with the law (which may include laws outside your country of residence), we may have to disclose information we have about our users. We also may use and disclose information collected about you in order to exercise or protect legal rights or defend against legal claims.

  • Sale or merger of our company: We have no plans to sell our business. In this unlikely event, we may use, disclose, or transfer your personal information to a third party if we or any of our company affiliates are involved in a corporate restructuring (e.g., a sale, merger, or other transfer of assets, including in connection with any bankruptcy or similar proceedings).

4. Accessing or deleting your information

If you would like to request to review, correct, update, suppress, or delete personal information that has been previously provided to us by you, you may log in to your account, and update your profile information. You can also contact us via our contact form here and ask us to specify what personal information we have about you and to delete certain personal information about you from our records, or request to receive an electronic copy of your personal information for purposes of transmitting it to another company (to the extent this right to data portability is provided to you by applicable law). Please let us know what information you would like us to remove from our databases or otherwise let us know what limitations you would like to put on our use of your personal information. For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will respond to your requests consistent with applicable law, and we will try to comply with your request as soon as reasonably practicable. Please note that we may need to retain certain information for record keeping purposes and/or to complete any transactions that you began prior to your request. There may also be residual information that will remain within our databases and other records, but such residual information will no longer be tied to your identity. For example, if you created a petition, we will have records that other Manifesta users signed your petition. If you subsequently ask us to delete your information from our platform and databases, information related to those other users’ signatures cannot be removed and will remain in our records.

5. Data retention & security

We take a lot of measures to protect your personal information. If you suspect someone else is using your account, let us know through our Contact page.

Security and privacy are a priority for MANIFESTA and also our partner – ControlShift. It’s a process that is continually being improved on and a commitment that runs through everything – from how member data is stored to the tools provided to customers. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please contact us immediately.

We will retain your Personal Information for as long as needed or permitted in light of the purposes for which it was obtained. The criteria used to determine our retention periods include the length of time we have an ongoing relationship with you and provide our services to you, our legal obligations or whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Principles

Designed for Security
We use industry best practices for encryption, physical security, multi-factor authentication and segmentation of data. Security is a core part of our software design process, and one of the criteria we use during code review.

Automated
We automate everything. When security configuration is automated we can guarantee its correctness and repeatability. When infrastructure is automated, fewer people need access to sensitive data.

Available
All infrastructure is built to be highly available and resilient. Our architecture is designed to eliminate single points of failure with ample excess capacity so your campaigns keep running no matter what.

Transparent
We promptly notify customers of outages and security events through our status pages and proactively via email.

Details

Physical Security
ChangeSprout, Inc. stores customer data using Amazon Web Services, in their US-East region in northern Virginia, USA. This facility limits and audits physical access, and provides fire suppression, climate control and uninterruptible power supplies.

Backups
Databases are always replicated in a N+1 configuration to provide immediate failover in case of instance hardware failure. A full snapshot of all data is taken nightly, encrypted and shipped to Amazon Glacier and retained for 6 months. A complete offline and offsite backup is stored on an encrypted external disk rotated monthly into a bank safe deposit box.

Encryption
We use TLS/SSL encryption to protect data in transit across the internet, ensuring that our users have a secure connection from their browsers to our service. Remote access for systems administration is provided over encrypted VPN and encrypted SSH connections. Where possible data is encrypted at rest, and backups are always encrypted before they are stored.

Access & Authorization
ChangeSprout staff use multi-factor authentication, in addition to passwords, in order to access administrative interfaces of the ControlShift platform. Multi-factor authentication is also available to organization staff, though it is dependent upon the organization to ensure its use. Access to systems is limited to ChangeSprout staff who require access.

Member Data
While member data is collected using the platform, ChangeSprout Inc. does not own the data, nor do we process it except as directed by the Customer or as required for the operation of the platform. We treat member data as confidential information and take precautions to prevent the unauthorized disclosure, misuse, or loss of data. In addition to the other measures outlined above, we allow users to access and update their personal information to ensure its accuracy.

Onward Transfer
ControlShift only transfers member data to third parties when requested by the Customer or when required for the reliable operation of the platform. We limit the number of third parties we use to process member data and ensure that all third parties adhere to adequate data protection policies.

The third parties we currently send platform data to are: Amazon Web Services, Mailgun, Akismet, and Sendgrid. At the customer’s explicit request we may also send information to the customer’s chosen CRM and / or Segment, a service that provides data analytics. CRM and Segment integrations are optional and it is the responsibility of the customer to ensure that these services adhere to their country’s data protection regulations.

Unsubscribes
Emails sent from the ControlShift platform automatically include links to unsubscribe from communications. By default, this allows users to unsubscribe from communications about a specific campaign. However, for certain CRMs, the ControlShift platform also supports global unsubscribes – allowing the user to unsubscribe from all of the organization’s communications at once. Admin tools also allow Customer Staff to unsubscribe users manually.

6. Cross-border transfers

Manifesta is a global organization, so your information may be transferred across borders when you use the Platform. We have put in place measures to comply with laws regulating cross-border transfers.

Manifesta is a global organization. Your personal information may be stored and processed in any country where we have facilities or in which we engage service providers, and by using the platform you consent to the transfer of your personal information to countries outside of your country of residence, including the United States, which may have different data protection rules from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your personal information.

Some of the non-European Economic Area (“EEA”) countries are recognized by the European Commission as providing an adequate level of data protection according to EEA standards, and the full list of these countries is available here.  For transfers from the EEA to countries not considered adequate by the European Commission, we have put in place adequate measures, such as standard contractual clauses adopted by the European Commission to protect your personal information. You may obtain a copy of these measures by contacting us.

7. Third-Party Services

We’re not responsible for the privacy practices of third parties linked to from our Platform.

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any site or service to which our services link.  Our inclusion of a link on our services does not imply our endorsement of the linked site or service.

8. Policy updates & contacting us

This policy may change over time. We’ve included here our contact information, but the best way to get in touch with us is through our contact page.

We may change this Privacy Policy. The “Effective Date” legend at the top of this Privacy Policy indicates when it was last revised.  Any changes will become effective when we post the revised Privacy Policy on our platform.

We welcome questions, concerns, and feedback about this policy. If you have any suggestions for us, feel free to let us know through our contact page.

In addition, you may contact us at dpo@manifesta.net.

Because email or postal communications are not always secure, please do not include credit card or other sensitive information in your emails or letters to us.

You may lodge a complaint with a supervisory authority competent for your country or region. Please click here for contact information for such authorities.

Thanks for supporting Manifesta.net.