At Bromley & Kentley, we take your privacy seriously and know you do too. This Privacy Policy (“Policy”) is here to help you understand how we collect, use, disclose, and process your personal data. We also describe Your Rights and Choices with respect to how we process your personal data. Please read this Policy carefully.
WHO WE ARE
This is the Policy of Bromley & Kentley LLC (“Bromley & Kentley,” “us,” “our,” or “we”), a Washington State limited liability company (LLC).
APPLICABILITY
This Privacy Policy applies to our “Services”, which include our websites that link to/post this Privacy Policy, including any subdomains or mobile versions (the “Site(s)”) and mobile applications (the “Mobile App(s)”).
AGREEMENT
This Policy is incorporated into the Terms of Use governing your use of any of our Services. Any capitalized terms not defined in this Privacy Policy will have the definitions provided in our Terms of Use.
Following notice to you or your acknowledgment of this Privacy Policy (including any updates), your continued use of any of our Services indicates your consent to the practices described in this Policy.
THIRD PARTIES
Bromley & Kentley is a service provider for camps and other clients (“Clients”). Our Services enable our clients to connect with, support, and provide services to parents, client customers, as well as the Client’s administrators and staff. In each case, we provide a platform for use by Clients, and this Policy reflects the data processed and activities undertaken through our Services. However, the Policy does not apply to the Client’s own uses of your data, including processing they may choose to undertake that is not described in, or different from, this Policy.
This Policy also does not apply to information processed by other third parties, for example, when you visit a third-party website or interact with third-party services, unless and until we receive your information from those parties. Please review any third parties’ privacy policies before disclosing information to them. See our list of third parties below for more information regarding our sources and recipients of personal data.
COLLECTION AND USE OF PERSONAL DATA
DATA WE COLLECT
We collect and process the following types of information, including data that relates to identified or identifiable individuals (“Personal Data”) (note, specific Personal Data elements listed in each category are only examples and may change):
Identity Data: Personal Data about you and your identity, such as your name, ID/driver’s license number, Passport, gender, marital status, date of birth, social security number, photo/avatar, username, and other Personal Data you may provide on applications, registration forms, or as part of an account profile (e.g. biographical information).
Transaction Data: Personal Data we collect in connection with a transaction or purchase, such as the item you purchased, the price, the delivery location, zip code, and other similar information.
Contact Data: Personal Data used to contact an individual, e.g. email address(es), physical address(es), phone number(s), or social media or communications platform usernames/handles, as well as a name or other salutation.
Financial Data: Personal Data relating to financial accounts or services, e.g. a credit card, bank, or other financial account numbers, and other relevant information you provide in connection with a financial transaction.
Device/Network Data: Personal Data relating to your device, browser, or application e.g. IP addresses, MAC addresses, application ID/AdID/IDFA, identifiers from cookies, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies.
Location Data: Personal Data relating to your precise location, such as information collected from your device’s GPS or other precise localization service.
Special Category Data: Personal Data revealing racial, national, or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, health information, or information relating to sex life or sexual orientation.
Face Recognition Data: Personal Data that is generated in connection with an analysis of a photo or other image for purposes of using automated systems to identify an individual in another image, e.g. a facial map or similar analysis of facial geometry. Face Recognition Data may include Special Category data to the extent revealed in the creation or processing of the Face Recognition Data.
Custom Content: Custom Content: Information that a user provides in a free text or other unstructured format, or pursuant to custom fields created by a Client; this may include Personal Data or Special Category Data to the extent provided by the user.
HOW WE COLLECT PERSONAL DATA
We collect Personal Data from various sources based on the context in which the Personal Data will be processed:
You: We collect Personal Data from you directly, for example, when you input information into an online form, sign up for a waiting list, register, or contact us directly.
Your Device: We may collect certain Personal Data automatically from your devices. For example, we collect Device/Network Data automatically using cookies and similar technologies when you use our Services, access our Sites, or when you open our marketing communications.
Service Providers: We receive Personal Data from third parties with whom we have a relationship in connection with a relevant transaction, or who collect information on our behalf.
Data we create or Infer: We (or third parties operating on our behalf) create and infer Personal Data (such as Inference Data) based on our observations or analysis of other Personal Data we process, and we may correlate this data with other data we process about you.
PROCESSING OF PERSONAL DATA
USER ACCOUNT REGISTRATION
Users may register and create an account on our Services. When you register, we process certain Personal Data such as Identity Data and Contact Data. We may also process certain Financial Data if you choose, for example, to purchase products and services through our Service. We use Identity Data and Contact Data as necessary to create, maintain, and provide you with important information about your account. Financial Data provided at registration will be used only as necessary to process transactions at your request or to store payment information for future purchases.
CLIENT AND FAMILY APPLICATION/REGISTRATION
Client’s users may submit inquiries, camper or event applications, medical and other forms, and register with Clients through our Services. When you submit an application or register with a Client, we process certain Personal Data on behalf of the Client, which typically includes Identity Data, Contact Data, and Financial Data, and if requested by the Client, Custom Content and Special Category Data.
We use all Application/Registration data as necessary to provide our Services to the Clients, including in connection with the assessment of applications and prospective applicants, and creation of the Client-camper or Client-applicant relationship. Financial Data provided in connection with any application/registration will be used only as necessary to process transactions you request. Subject to your rights and choices, we may also use Identity Data, Contact Data, and Custom Content on behalf of Clients: (i) in connection with the maintenance of camper or event attendee records, which may include family/guardian relationships, emergency contact information, mailing addresses, etc.; (ii) to provide marketing or other communications between Clients and parents or event organizers and attendees; and (iii) along with Special Category Data, in accordance with your consent provided to the Client (e.g. to provide health services, adjusting meal options, etc.), and where permitted by law, to maintain records relating to the health and treatment of campers or event attendees by the Client.
PURCHASES AND DONATIONS
On behalf of the Client, we process Transaction Data, Identity Data, Financial Data, and certain Contact Data when you complete a purchase from or donate to a Client through our Services. Note, all purchases and donations are processed by a third party on behalf of us or the Client, however, we and/or the Client may obtain any Personal Data processed by that third party.
On behalf of the Client, we use the Transaction Data, Identity Data and Contact Data as necessary to complete and provide you with important information regarding your transaction, or in connection with certain recordkeeping the Client may wish to undertake. Financial Data is used only as necessary to process your transaction, and if you request, we may store your Financial Data for future purchases.
CLIENT COMMENTS, MESSAGING AND CUSTOM CONTENT
On behalf of the Client, we process Identity Data, Contact Data, and if provided, Custom Content when you use our Services to fill out forms relating to Clients, message the Client, or send a message to a camper, or if you otherwise submit any Custom Content (e.g. on a comment board or other free form content submission form).
On behalf of the Client, we use Identity Data and Contact Data as necessary to carry out the processes and transactions you request. Subject to your rights and choices, we may also use Identity Data to improve our Services and, on behalf of the Client, we may make certain Custom Content and Identity Data, including information (such as name) derived from analysis of faces that appear in photos, contained in Client photos and videos available on our Site for viewing by parents, event organizers and Client Administrators.
We do not screen messages, comments or other postings for personal or inappropriate content.
EVENTS, PLANNING AND CLIENT ACTIVITIES
On behalf of the Client, we may process Identity Data and Contact Data, and if requested by the Client, Custom Content and Special Category Data in connection with the management of events, trips, and other activities at the Client, as well as Client administration.
On behalf of the Client, we use this personal data as necessary for the Clients to manage these activities. Subject to your rights and choices, we may also use Identity Data, Contact Data, and Custom Content on behalf of Clients: (i) in connection with the maintenance of event-related administrative camper or event attendee records, e.g. Client and event scheduling and attendance records, building/room/bus/seat assignments or other data relating to transportation use, counselor assignments, event description/destination, etc., and (ii) along with Special Categories Data, in accordance with your consent provided to the Client (e.g. to provide health services, adjusting meal options, etc.).
MOBILE APPS
If you use our Mobile Apps, we process certain Personal Data, which typically includes Identity Data, Contact Data, Device/Network Data, and, with your consent, Location Data. Note, you may also be able to complete purchases, register for an account, or enroll in marketing communications through our Mobile App. If you use our photo recognition feature, we’ll process information as set forth in the “Facial Recognition Services” section below, including Facial Recognition Data.
We process the Identity Data, Contact Data, and Device/Network Data as necessary to create your account and deliver the Service and fulfill your requests. Subject to your rights and choices, we may use the Identity Data, Contact Data, Device/Network Data, and Location Data to improve our services, and we may process this Device/Network Data and Location Data on behalf of the Client in connection with counsel location awareness features or other location services the Client may offer.
FACIAL RECOGNITION SERVICES
As part of our Service, we may allow parents, guardians, campers or event attendees to search for pictures of their camper or themselves in images uploaded by the Client. To do so, parents, guardians, campers or event attendees upload an image of their camper or themselves, which is then compared to the photos that have been uploaded by the Client, and matching images are then sent or shown to that user. As part of this process, we process Identity Data, Face Recognition Data, and Special Category Data (to the extent revealed in the photo).
If you consent to the use of this service, we will process the Identity Data, Face Recognition Data and Special Category Data only as necessary to identify the camper in the photos uploaded by the Client and display those images to the camper, their parent or guardian, or event attendee. You can revoke your consent at any time as set forth in the your rights and choices section below. Note, we may use third party software for the purpose of facial recognition and comparison, and the foregoing information will be disclosed to this third-party processor in connection with this service. Face Recognition Data will be retained only for so long as necessary, usually for 1 year following the upload of the image.
You may not upload images to which you do not have the right to have processed in accordance with the above. When you upload a photo, you represent and warrant that you have all necessary rights to process the images as set forth above.
STAFFING DATA
We may process Identity Data, Financial Data and Contact Data as well as certain Special Category Data on behalf of our Clients in connection with an application to be a Client’s administrator, counselor, volunteer, or otherwise join or support a Client’s team, and where requested by the Client, in connection with criminal, professional, credit or other background checks relating to an applicant.
Staffing data is used as is requested by the Client, as necessary in connection with these activities, or as required by law. Financial Data is collected and may be stored for payroll or reimbursement purposes, or as otherwise necessary in the context of the staffing relationship. Subject to your rights and choices, we process this Personal Data on behalf of the Client, in connection with Clients’ activities in relation to the assessment, creation, maintenance, and termination of the staffing relationship, or in connection with various background checks relating to a prospective staff member.
Bromley & Kentley may maintain relationships with background check providers, and Clients may direct Bromley & Kentley to assist in the request, fulfillment, and storage of background check information. However, Clients are the controllers of such information and are responsible for obtaining applicants’ consent, ensuring the legal rights of applicants, and for their use of background check data.
ADMINISTRATION DATA
On behalf of the Client, we may process Identity Data, Financial Data and Contact Data as well as certain Special Category Data in connection with administrative information collected by Clients, such as invoicing, expense reporting, financials, or other internal processes. This information may include medical information of certain staffers campers or event attendees, or other similar Special Category data, to the extent provided by the staffer, camper, parent or attendee.
On behalf of the Client, we process Identity Data, Financial Data and Contact Data primarily in connection with Clients’ internal business activities in relation to the analysis and internal reporting of Client financials, performance, or other activities. All administrative data will be used as is required by the Client as necessary in connection with these activities, or as required by law. Financial Data is collected and may be stored for payroll or reimbursement purposes, or as otherwise necessary in the context of the staffing relationship. Subject to your rights and choices, we may process the Special Category Data in connection with the individual’s consent, or as otherwise permitted by law.
COOKIES AND SIMILAR TECHNOLOGIES
We, and certain third parties, may process Device/Network Data when you interact with cookies and similar technologies. We may receive this data from third parties to the extent allowed by the applicable partner. Please note that the privacy policies of third parties may apply to these technologies and information collected.
In connection with our legitimate interests in providing and improving the user experience and efficiency of our Services, and understanding information about the devices and demographics of visitors to our Services, we use this information (i) for “essential” or “functional” purposes, such as to enable various features of the Services such as your browser remembering your username or password, maintaining a session, or staying logged in after a session has ended; (ii) for analytics and site performance purposes, such as tracking how the Services are used or perform, how users engage with and navigate through the Services, what sites users visit before visiting our Services, how often they visit our Services, and other similar information; and (iii) for the purpose of displaying advertisements via retargeting to those users who visited our Site or who may be interested in our Service.
Some of these technologies can be used by third parties to identify you across platforms, devices, sites, and services. Clients may also have access to information, such as reports and analytics, generated through these services.
BUSINESS PURPOSES OF PROCESSING
In addition to the processing described above, we generally process Personal Data for several common purposes in connection with our business. For example:
Operate our Services and Fulfill Obligations: We process any Personal Data as is necessary to provide the Services, and as otherwise necessary to fulfill our obligations to you, e.g. to provide you with the information, features, and services you request.
Personalization/Customization: We process Personal Data (excluding Facial Recognition Data or Special Category Data) as necessary in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Services may be customized to you so that it displays your or a Client’s name, to reflect appearance or display preferences, display recent or commonly used features or data, or other similar functionality.
Internal Processes and Service Improvement: We process Personal Data (excluding Facial Recognition Data or Special Category Data) as necessary in connection with our improvement of the design of our Services, understanding how our Services are used or function, for customer service purposes, in connection with the creation and analysis of logs and metadata relating to service use, and for ensuring the security and stability of the Services. Additionally, we may use Personal Data to understand what parts of our Service are most relevant to users, how users interact with various aspects of our Services, how our Services perform or fail to perform, etc., or we may analyze use of the Services to determine if there are specific activities that might indicate an information security risk to the Services or our Users.
MARKETING COMMUNICATIONS
Data: We may process Identity Data and Contact Data in connection with email marketing communications, including (i) on behalf of Clients, when you register for an account, and choose to enroll, or are enrolled by the Client, to receive marketing communications; (ii) on behalf of Clients, when you open or interact with, a Client’s electronic marketing communications; (iii) on our own behalf when you contact us directly, or express an interest in our products and services; and (iv) on our own behalf when you open or interact with our marketing communications.
Uses: We use Identity Data and Contact Data as necessary to provide marketing communications, and consistent with our legitimate business interests, we may send you marketing and promotional communications if you sign up for such communications or purchase services from us. See Your Rights and Choices for information about how you can limit or opt out of this processing.
AGGREGATE ANALYTICS
We process Personal Data (excluding Facial Recognition Data or Special Category Data) as necessary in connection with our creation of aggregate analytics relating to how our Services are used, company and investment trends, to understand how our service performs, and to create other reports regarding the use of our Services, demographics of our Users, and other similar information and metrics. The resulting aggregate data will not contain information from which an individual may be readily identified. This processing is subject to users’ rights and choices.
COMPLIANCE, HEALTH, SAFETY & PUBLIC INTEREST
Note that we may, without your consent or further notice to you, and to the extent required or permitted by law, process any Personal Data subject to this Policy for purposes determined to be in the public interest or otherwise required by law. For example, we may process information as necessary to fulfill our legal obligations, to protect the vital interests of any individuals, or otherwise in the public interest or as required by a public authority. Please see the data sharing section for more information about how we disclose Personal Data in extraordinary circumstances.
OTHER PROCESSING OF PERSONAL DATA
If we process Personal Data in connection with our Services in a way not described in this Policy, this Policy will still apply generally (e.g. with respect to Users’ rights and choices) unless otherwise stated when you provide it.
DATA SHARING
GENERALLY
Information we collect may be shared with a variety of parties, depending upon the purpose for and context in which that information was provided. We generally transfer Personal Data to the following categories of recipients:
Clients: We process data on behalf of Clients and may share your Personal Data with Clients to the extent such information was provided to us for processing on their behalf. For example, any forms, applications, messages, or other material may be processed by us for Clients, and all Personal Data processed on behalf of the Client may be available to the Client and its users. These parties may engage in direct marketing, or other activities that are outside our control.
Service Providers: In connection with our legitimate business interests or other business purposes, we may share your Personal Data with service providers or sub processors who provide certain services or process data on our behalf. For example, we may use cloud-based hosting providers to host our Sites or disclose information as part of our own internal operations, such as security operations, internal research, etc.) We disclose Special Category Data and Face Recognition Data to service providers only with your consent where required by law.
Affiliates: In order to streamline certain business operations, develop products and services that better meet the interests and needs of our customers, and inform our customers about relevant products and services, we may share your Personal Data with any of our current or future affiliated entities, subsidiaries, and parent companies.
Corporate Events: Your Personal Data may be processed in the event that we go through a business transition, such as a merger, acquisition, liquidation, or sale of all or a portion of our assets. For example, Personal Data may be part of the assets transferred, or may be disclosed (subject to confidentiality restrictions) during the due diligence process for a potential transaction.
Legal Disclosures: In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, or in the vital interests of us or any person. Note, these disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.
YOUR RIGHTS AND CHOICES
YOUR RIGHTS
Applicable law may grant you rights in your Personal Data. These rights vary based on your location, state or country of residence, and may be limited by or subject to our or our Client’s rights in your Personal Data. In cases where we process Personal Data on our own behalf, you may exercise rights you have by contacting us. All rights requests we receive directly must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you log in to your account or verify that you have access to your account or the email on file in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.
YOUR CHOICES
You may have the following choices regarding the Personal Data we process, to the extent required under applicable law:
Consent: If you consent to processing, you may withdraw your consent at any time, to the extent required by law.
Direct Marketing: You have the choice to opt-out of or withdraw your consent to processing related to direct marketing communications. You may have a legal right not to receive such messages in certain circumstances, in which case, you will only receive direct marketing communications if you consent. You may exercise your choice via the links in our communications or by contacting us re: direct marketing.
Location Data: You may control or limit Location Data that we collect using our Mobile App by changing your preferences in your device’s location services preferences menu, or through your choices regarding the use of Bluetooth, WiFi, and other network interfaces you may use.
Online Advertising: You may opt out or withdraw your consent to behavioral advertising. You must opt out of third-party services directly via the third party. For example, to opt out of Google’s use of cookies, visit Google’s Ads Settings, here. If you wish to take steps to opt-out of tracking by certain online advertisers, you can visit the Digital Advertising Alliance’s opt-out page at http://www.aboutads.info/choices or the Network Advertising Initiative at www.networkadvertising.org/optout_nonppii.asp.
Other Processing: You may have the right under applicable law to object to our processing of your Personal Data for certain purposes. You may do so by contacting us re: data rights requests. Note that we may not be required to cease processing based solely on an objection.
NOTE REGARDING CLIENTS’ DATA
In many cases, Bromley & Kentley acts a processor of Clients’ Personal Data. We may notify Clients of your data rights requests; however, we may be unable to directly fulfill rights requests regarding Personal Data unless we control or have the necessary rights of access. Bromley & Kentley may not have access to or control over all or some Personal Data controlled by Clients. Please contact the Client directly for data rights requests regarding Client-controlled information, and we will assist the Client as appropriate in the fulfillment of your request. Please note that, to the extent we make interfaces available for you to directly control your data, these will take effect only with respect to the data we control, and you may need to contact the Client regarding your request.
SECURITY
We follow and implement reasonable security measures to safeguard the Personal Data we process. While we may require our service providers to follow certain security practices, we do not have control over and will not be liable for third parties’ security processes. We do not warrant perfect security and we do not provide any guarantee that your Personal Data or any other information you provide us will remain secure.
DATA RETENTION
We retain Personal Data for the periods stated above, or if none, for so long as it remains relevant to its purpose or for so long as is required by law (if longer). As we process Personal Data on behalf of Clients, we may retain information for the periods requested by the Client or delete information at the Client’s request. We will review retention periods periodically, and if appropriate, we may pseudonymize or anonymize data held for longer periods.
MINORS
Our Services are intended for use by Clients, event organizers and attendees and campers’ parents and are neither directed at nor intended for direct use by individuals under the age of 16. Further, we do not knowingly collect Personal Data directly from such individuals. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.
INTERNATIONAL TRANSFERS
We operate and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. does not provide the same legal protections guaranteed to Personal Data in the European Union. Accordingly, your Personal Data may be transferred to the U.S. pursuant to the EU-U.S. Privacy Shield Framework, the Standard Contractual Clauses, or other adequacy mechanisms, or pursuant to exemptions provided under EU law.
YOUR EU/EEA PRIVACY RIGHTS
Users of our Services in the EU/EEA/Switzerland (and certain other countries) may have the following rights:
Access: You may have a right to know what information we collect, use, disclose, or sell, and you may have the right to receive a list of that Personal Data and a list of the third parties (or categories of third parties) with whom we have received or shared Personal Data, to the extent required and permitted by law.
Rectification: You may correct any Personal Data that we hold about you to the extent required and permitted by law.
Delete: To the extent required by applicable law, you may request that we delete your Personal Data from our systems. We may delete your data entirely, or we may anonymize or aggregate your information such that it no longer reasonably identifies you. Contact us as part of your request to determine how your Personal Data will be erased in connection with your request.
Data Export: To the extent required by applicable law, we will send you a copy of your Personal Data in a common portable format of our choice.
Right to Object: Where we process Personal Data on the basis of our legitimate interests, you can object to that processing to extent allowed by law. Note that we must only limit processing where our interests in processing do not override an individual’s interests, rights, and freedoms, or the processing is not for the establishment exercise, or defense of a legal claim.
Right to Restrict: You may have the right to restrict processing of your Personal Data where the accuracy of the Personal Data is contested, the processing is unlawful but you object to deleting the Personal Data, or we no longer require the Personal Data, but it is still required for the establishment, exercise, or defense of a legal claim, or while we assess an objection to processing.
Automated Processing: To the extent we process Personal Data using automated means (if any), or where otherwise required by law, you may opt-out of, or revoke your consent, to this processing or elect to have an individual review any of the results of processing.
Regulator Contact: You may have the right to file a complaint with regulators about our processing of Personal Data. To do so, please contact your local data protection or consumer protection authority.
YOUR PRIVACY RIGHTS
Right to Know: You may have the right to request any of following, for the 12 month period preceding your request: (1) the categories of Personal Data we have collected about you, or that we have sold, or disclosed for a commercial purpose; (2) the categories of sources from which your Personal Data was collected; (3) the business or commercial purpose for which we collected or sold your Personal Data; (4) the categories of third parties to whom we have sold your Personal Data, or disclosed it for a business purpose; and (5) the specific pieces of Personal Data we have collected about you.
Right to Delete: You may have the right to delete certain Personal Data that we hold about you, subject to exceptions under applicable law.
Right to Non-Discrimination: You may have the right to not to receive discriminatory treatment as a result of your exercise of any rights conferred by the CCPA.
Direct Marketing: You may request a list of Personal Data we have disclosed about you to third parties for direct marketing purposes (if any) during the preceding calendar year.
Opt-Out of Sale: If we engage in sales of Personal Data (as defined by applicable law), you may direct us to stop selling or disclosing Personal Data to third parties for commercial purposes. At this time, we do not sell Personal Data.
SUBMISSION OF RIGHTS REQUESTS
You may submit requests by contacting us (see below for summary of required verification information).
VERIFICATION OF RIGHTS REQUESTS
All rights requests must be verified to ensure that the individual making the request is authorized to make that request, to reduce fraud, and to ensure the security of your Personal Data. We may require that you provide the email address we have on file for you (and verify that you can access that email account) as well as an address, phone number, or other information we have on file, in order to verify your identity. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.
SUPPLEMENTAL DATA PROCESSING DISCLOSURES
Categories of Personal Data Disclosed for Business Purposes: We may disclose to Service Providers for “business purposes” the following categories of Personal Data: Identity Data; Transaction Data; Contact Data; Financial Data; Device/Network Data; Location Data; Special Category Data; Face Recognition Data; and Custom Content.