Last updated: Wednesday, December 17th, 2025
1. What this covers
This notice explains what happens when you visit our websites or apps (together, “Sites”), including cookies and similar technologies. For donors/supporters, see the Donors & Supporters Notice.
2. Data we collect automatically
- Technical data: IP address, device and browser type/version, operating system, basic device settings, time zone, language, referrer URL.
- Usage data: pages viewed, links clicked, session duration, error/debug logs.
- Approximate location: derived from IP for security/logging (city/region level).
- Consent records: your cookie choices, timestamps, and (where applicable) consent identifiers from our consent management platform (CMP).
3. Cookies and similar technologies
We use cookies, SDKs and pixels to run the Sites and understand performance.
- Strictly necessary cookies operate without consent (e.g., load balancing, security, consent logging).
- All other cookies (e.g., analytics, performance, marketing) are set only with your consent. You can change or withdraw consent anytime using Manage Cookies (link in footer). See our Cookie Notice for details.
Important: IP addresses and online identifiers can be personal data in the EU/UK. We do not describe analytics data as “anonymous.”
4. Analytics
We load analytics only after you consent via the CMP. We apply data minimization settings (e.g., truncated IP, limited retention, disabled advertising features). International transfers and safeguards are described on our International Transfers page and in Vendors & Transfers.
5. Social media, embeds and third-party content
Our Sites may include embedded content (e.g., video players), share buttons or pixels. These third parties may set their own cookies if you consent. Please review their privacy information as well.
6. Do Not Track
We honor your choices expressed via our CMP. Browser “Do Not Track” signals are not yet standardized, so we do not act on them alone.
7. Security
We use appropriate technical and organizational measures, including HTTPS, access controls, encryption in transit, and logging/monitoring.
8. International transfers, retention and rights
When we transfer EU/UK personal data outside your region, we use recognized safeguards:
- Adequacy & Frameworks. We rely on adequacy decisions where available. For U.S. recipients that are certified.
- Standard Contractual Clauses / IDTA. For other transfers, we use the EU Standard Contractual Clauses (2021) and, for the UK, the International Data Transfer Agreement (IDTA) or UK Addendum, plus transfer impact assessments and technical measures.
- Minimization & security. We minimize what we transfer, use encryption, restrict access, and keep detailed logs.



