LAST REVISED: January 12, 2023
2. INFORMATION YOU PROVIDE TO US
(a) General. We collect Personal Data you voluntarily provide us. You may give us your Personal Data in the following ways: (i) create an account, (ii) sign up for newsletters, (iii) send us an e-mail, and/or (iv) use our Services. For example, we may collect your name, the names of children you register to use the Library, email address, account password, telephone number, postal address including city, state and zip code, and any other information you choose to provide. Our primary goals in using data we collect are to provide and improve our Services, to provide quality Customer service, to respond to you, and to enable users to effectively navigate our Site. We may collect Personal Data and Non-Personal Data about you and process the same as set forth herein.
(b) Personal Data. “Personal Data” means data that allows someone to identify or contact you, including, for example, your name, address, telephone number, e-mail address, as well as any other non-public information about you that is associated with or linked to any of the foregoing data.
3. NON-PERSONAL DATA
(a) “Non-Personal Data” means data that is not associate with or linked to your Personal Data; Non-Personal Data does not, by itself, permit the identification of individual persons.
(b) Personal Data. “Personal Data” is generally used either to respond to requests that you make, or to aid us in serving you better, however more specifically, we may use your Personal Data in the following ways:
- To provide you and registered children Services and information you request from us;
- To improve the quality of experience when you interact with Services;
- To send you a welcome e-mail and verify ownership of the e-mail address provided when you create an account and/or when you register a child;
- To send you administrative e-mail notifications, such as information about Services, security or support and maintenance advisories;
- To analyze your requests and usage patterns so we may enhance and improve Services;
- For benchmarking and research related purposes associated with the use and performance of Services; and
4. PURPOSES FOR WHICH WE USE PERSONAL DATA
We may collect, use, store, and transfer the following data in connection with providing
you the Services you request:
- Name, address and phone number of the Authorized Adults;
- Registered Child’s name and delivery address;
- Authorized Adult’s Email Address(es);
- Registered Child’s Date of Birth;
- Registered Child’s Gender;
- Credit card and/or debit card information (for processing transactions);
- Cookies (as specified herein)
5. CHANGE OF PURPOSE
We only use Personal Data for the purposes for which we collect it, unless we reasonably determine we need to use it for additional reasons compatible with the original purpose. Please note we may process your personal data without your knowledge or consent where such is required or permitted by law.
6. DISCLOSURE OF PERSONAL DATA
a. Dolly Parton’s Imagination Library Affiliates. When you create an account and register a child we will share the provided Personal Data with the Dolly Parton Imagination Library Partner (“Partner”) who is best able to provide Services you.
c. Other Disclosures. Regardless of any choices you make regarding your Personal Data, we may disclose Personal Data if we believe in good faith that such disclosure is necessary: (i) in connection with any legal investigation; (ii) to comply with relevant laws or to respond to subpoenas or warrants served on us, our Partners, or third-party service providers; (iii) to protect or defend our rights, property, and/or other users of Services; (iv) to investigate or assist in preventing any violation or potential violation of the law or breach of this Agreement, and/or (v) in connection with any merger, financing, acquisition or dissolution transaction, or proceeding involving sale, transfer, divestiture, or disclosure of all or a portion of the Foundation or its assets.
7. NON-PERSONAL DATA
The following are types of Non-Personal Data we may collect throughout Services, including through our Site:
b. Log Data. When you visit our Site, we automatically collect technical and statistical data about your visit, such as your browser type, internet service provider (ISP),referring/exit pages, operating system, date/time stamp, and/or clickstream data, the pages you visit and any search terms you use (“Log Data”). We will use and share Log Data for any purpose including industry analysis, demographic profiling, and other purposes.
c. Pixel Tags. We may use “Pixel Tags” (also referred to as clear gifs, web beacons, or web bugs). Pixel Tags are tiny graphic images with a unique identifier, similar in function to cookies that are used to track online movements of users. In contrast to Cookies, which are stored on a user’s computer hard drive, Pixel Tags are embedded invisibly in web pages. Pixel Tags also allow us to send e-mail messages in a readable format, and they tell us whether e-mails have been opened to ensure that we are sending only messages that are of interest to our users. We may use this information to reduce or eliminate messages sent to users. We do not tie the information gathered by Pixel Tags to Personal Data.
d. IP Address. We also collect your public IP address when you visit our Site. We may use your public IP address in order to determine whether certain requests are fraudulent or frivolous and we may automatically cross-reference your public IP address with your domain name (usually the domain name of your ISP or employer). Because you may be visiting our Site from your personal residence, your IP address and any associated domain name are treated as “Personal Network Information” instead of Personal Data. “Log Data” does not include Personal Network Information. Although such Personal Network Information may be used to administer and maintain Services, it is not shared with any third parties, except as described above in the sections titled “Third-Party Service Providers,” and “Other Disclosures.” Please note: depending on your jurisdiction your IP address may be considered personal data. In all such cases, it will be accordingly treated as such.
d. IP Address. We may use Non-Personal Data for any reason, including to: (i) administer our Site for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; (ii) improve our Site to ensure content is presented in the manner most effective for you and for your device; (iii) allow you to participate in interactive features of our Site, when you choose to do so; (iv) as part of our efforts to keep our Site safe and secure.
8. AGGREGATED DATA
After removing any personally identifying information from within the set of Personal Data, Personal Network Information, and Log Data we collect from you, we may combine that information with information we collect from other users and customers (collectively the “Aggregated Data”) in order to improve the quality and value of our Services and to analyze and understand how our Site is used. We may share Aggregated Data with third parties for industry analysis, demographic profiling, and other purposes.
When you access or use Services, we automatically collect information about you, including:
a. Access Your Information. You can access any of the Personal Data that we collect online and maintain it either online or by requesting access from us at the e-mail or regular mail address specified in the Contacting Us section below. We use this procedure to better safeguard your information. You can correct factual errors in your Personal Data by sending us a request detailing the error and the factually correct information.
b. Request Your Information Be Deleted. You can ask us to erase or delete all or some of your Personal Data. You may place a request via the e-mail or regular mail address specified in the Contacting Us section below. We will take reasonable steps to verify your identity before proceeding with deletion. Provided we are able to verify your identity, we will delete all Personal Data about you that we are not legally required to maintain within 30 days of receiving your request. Please realize if you initialize this request while you have outstanding requests or transactions processing, those requests or transactions may be canceled.
c. Opt Out. Depending on your jurisdiction you may partially or wholly opt-out of having your personal data processed by the Foundation, by requesting such via the contact information in the Contacting Us section below. Please include “opt-out” in the subject line of each opt-out notification along with a short description specifying how you would like to limit or restrict the processing of your Personal Data. Please note that restricting the processing of your personal data will likely impact your ability to access and use Services. You may also opt out of providing us certain information in the following ways:
- Google Analytics. You may opt out of Google Analytics by following this link.
- Google AdWords. Google AdWords remarketing service is provided by Google. You can opt out of Google Analytics for Display Advertising and customize the Google Display Network ads by visiting the Google Ads Settings page.
Our privacy practices are consistent with the Federal Children’s Online Privacy Protection Act (“COPPA”). We do not intentionally collect Personal Data from visitors to our website who are under the age of 13, or from individuals who are not of the age of majority. If a child under the age of majority submits Personal Data to us and we learn that the Personal Data is the information of a minor child, we will attempt to delete the information as soon as possible. If you believe that we might have received any Personal Data from a minor, please contact us at the e-mail or physical address in the Contacting Us section below.
By registering a child for Services, you agree that we may collect, store, use, and process that child’s Personal Data for the purposes described herein. If we learn that a user is a minor, we will take reasonable measures to obtain consent by contacting the Authorized Adult, if possible, and shall, if consent cannot be or is not obtained, take reasonable measures to delete such information from our databases and not use such information for any purpose (except where necessary to protect the safety of the child or others as required by law). We will only ask for Personal Data that is reasonably necessary for the use of Services and will store such Personal Data for only as long as reasonably necessary to fulfill these purposes.
An Authorized Adult may later view the child’s Personal Data and correct or remove the information, in whole or in part; instruct us to discontinue all use of the child’s Personal Data and/or not to communicate further with the child; or revoke or modify the consent, by contacting us at the e-mail or physical address in the Contacting Us section below and including the child’s name and email address and the parent or guardian’s name and email address. Please visit http://www.ftc.gov/privacy/privacyinitiatives/childrens.html for information from the Federal Trade Commission or from the ICO https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/children/ about protecting children’s privacy online.
11. EU-U.S. PRIVACY SHIELD FRAMEWORK AND SWISS-U.S. PRIVACY SHIELD FRAMEWORK
In compliance with the Privacy Shield Principles, The Foundation commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact The Foundation at:
The Dollywood Foundation
Attn: Data Protection Officer
111 E Main St, 2nd Floor
Sevierville, TN 37862, USA
Email: [email protected]
The Foundation has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland.
In the event we are unable to resolve your dispute; we will cooperate with a panel established by the E.U. Data Protection Authority to assist with resolving your claim(s) and/or issue(s). In certain instances, described at the following website https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
12. SECURE DATA TRANSFER (From the European Union to the United States)
Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework and The Dollywood Foundation maintains self-certification.
To further comply with this ruling, the Dollywood Foundation of the UK and The Dollywood Foundation (USA) have implemented additional agreements in the form of Standard Contractual Clauses as the mechanism of secure data transfer. Following the UK’s departure from the European Union, the EU Standard Contractual Clauses continue to be valid until such time as new UK Standard Contractual Clauses are published.
13. CALIFORNIA USERS PRIVACY RIGHTS
a. California Shine the Light Act Pursuant to Section 1798.83 of the California Civil Code, residents of California have the right to request from a business with whom the California resident has an established business relationship, certain information with respect to the types of personal information the business shares with third parties for direct marketing purposes by such third party and the identities of the third parties with whom the business has shared such information during the immediately preceding calendar year.
To request a copy of the information disclosure provided by us pursuant to Section 1798.83 of the California Civil Code, your request must include contact us at the e-mail or regular mail address specified in the Contacting Us section below with “California Privacy Request” in the first line.
Please note that under this law, we are not required to respond to your request more than once a calendar year, nor are we required to respond to any request that is not sent to the designated e-mail or mailing address.
b. California Do Not Track Disclosure. Do Not Track is a privacy preference that some users may set in their web browsers. When a user turns on a browser’s Do Not Track signal, the browser sends a message to websites requesting them not to track the user. At this time, we do not recognize or respond to Do Not Track browser settings or signals and we will still receive information. As a result, we may still collect information about you and your internet activity, even if you use a Do Not Track signal.
It is possible some or all of our third-party advertising partners or members of their affiliate network may participate in consumer opt-out programs. To learn more about internet-based advertising and consumer opt-out programs go to http://aboutads.info/choices/ or http://www.networkadvertising.org/choices.
14. USERS OUTSIDE THE UNITED STATES
may be less stringent than the laws in your country. By providing Personal Data, you consent to such international transfer.
b. Canadian Privacy Rights. If you are a citizen of Canada and have questions about the accuracy of information we have collected about you, you can have access to that information in order to verify and update it, unless we are permitted or required under applicable laws to refuse your access to such information. You may contact us at the e-mail or regular mail address specified in the Contacting Us section below to request access to Personal Data we have about you, or to obtain further information about our privacy policies or practices.
c. U.K. Privacy Rights. U.K. users have the right to ask us to amend or limit the processing of their Personal Data, (as defined by U.K. law) and in particular not to process their Personal Data for marketing purposes. We will inform you (before collecting your personal data) if we intend to use your Personal Data for such purposes or if we intend to disclose your Personal Data to any third party for such purposes. You can exercise your rights to prevent such processing by checking certain boxes on the forms we use to collect your Personal Data. You can also exercise the right at any time by contacting us at the e-mail or regular mail address specified in the Contacting Us section below.
The U.K. Data Protection Act 2018 (“the DPA 2018”) gives users from the U.K. the right to access information held about you. Your right of access can be exercised in accordance with the DPA 2018. To find out more about your rights under the DPA 2018 and GDPR, follow the link to the ICO website – https://ico.org.uk/your-data-matters/
15. CALIFORNIA USERS AND RESIDENTS
Pursuant to California Civil Code Section 1789.3, any questions about pricing, complaints, or inquiries must be addressed to our agent for notice and sent via certified mail to: [email protected] Lastly, California users are also entitled to the following specific consumer rights notice: The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 North Market Blvd., Sacramento, CA 95834, or by telephone at (916) 445-1254 or (800) 952-5210.
16. EUROPEAN RESIDENTS
a. Contact Us for Assistance. If you reside in the E.U. and have questions or concerns regarding the use or disclosure of Personal Data. You should first, contact us at the e-mail or regular mail address specified in the Contacting Us section below. We will promptly investigate and attempt to resolve all complaints regarding our use of Personal Data.
b. Additional Rights. If you live in the European Economic Area (“EEA”), or a similar international area, you may have additional privacy rights available to you under applicable laws. We will process your requests in accordance with applicable data protection laws. If you would like to exercise any of the below rights, please contact us at the e-mail or regular mail address specified in the Contacting Us section below so that we may consider your request in accordance with applicable law:
- Request Access to Your Personal Data. You may have the right to view or receive a copy of the Personal Data we maintain about you.
- Request Correction of Your Personal Data. You may have the right to correct any incomplete or inaccurate Personal Data we hold about you.
- Request Erasure of Your Personal Data. You may have the right to the erasure of Personal Data that we hold about you. Note, however, we may not always be able to comply with your request of erasure for specific legal reasons of which you will be notified, if applicable, at the time of your request.
- Object to Processing of Your Personal Data. You may have the right to request that we stop processing your Personal Data, if you believe that it impacts your fundamental rights and freedoms, or to stop sending you marketing communications.
- Right to Withdraw Consent. You may have the right not to provide or withdraw your consent at any time. Withdrawal will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you.
- Request Restriction of Processing Your Personal Data. You may ask us to suspend the processing of your Personal Data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request Transfer of Your Personal Data. You may request the transfer of your Personal Data to you or to a third party. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
17. INTERNATIONAL TRANSFERS AND DATA PROCESSING AGREEMENT
a. International Data Transfer. Information, including information collected in the EEA may be transferred, stored and processed by us and our service providers in the United States and other countries whose data protection laws may be different than the laws of your country. We will protect your Personal Data in accordance with this Policy wherever it is processed and take appropriate steps to protect the information in accordance with applicable laws.
b. Data Processing Agreement. We use and protect Personal Data you provide us in accordance with applicable laws.
18. ADDITIONAL INFORMATION ABOUT YOUR RIGHTS
a. General. You may modify the information you have provided to us at any time through your account. You can also opt-out of receiving marketing communications, deactivate, or delete your account at any time.
b. No Fee Usually Required. You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, we may charge a $10 USD (or equivalent currency) fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
c. What We May Need From You. When exercising your rights or otherwise assisting you, we may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
d. Time Limit to Respond. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
19. INFORMATION SECURITY
We are concerned with safeguarding your information. We employ (and require our Service Providers to maintain) generally accepted standards of organizational, administrative, physical, procedural, and technological measures designed to protect your information from improper loss or misuse, and unauthorized access, disclosure, alteration, and destruction during processing. If you have any questions about the security of your Personal Data, you can contact us at the e-mail or regular mail address specified in the Contacting Us section below.
However, please note that no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, although the Foundation complies with its legal obligations in respect of the security of your Personal Data we cannot guarantee its absolute security. We take reasonable and industry standard measures to help protect your information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction.
20. DATA RETENTION POLICY
a. General. The Dollywood Foundation, Inc. is committed to keeping personally identifiable information from Dolly Parton’s Imagination Library participants for a limited time by adhering to a model that retains information only as long as necessary to allow for research and program reporting.
Program Affiliate Access:
The full registration record will be maintained in the Book Order System from date of registration up to the month of child’s 5th birthday. Upon month of child’s 5th birthday, program Affiliates are able to access an amended record, with the child’s name and account email removed, for 12 months. Upon the month of child’s 6th birthday, the registration record is no longer available to program Affiliates in the Book Order System.
The Dollywood Foundation, Inc. Access:
The full registration record is maintained in the Book Order System for program administration, research and program reporting from date of registration up to the month of child’s 11th birthday. Upon month of child’s 11th birthday, The Dollywood Foundation, Inc. will anonymize the registration record, permanently deleting all personally identifiable information (PII), and retain the anonymized record in the Book Order System for program reporting until the Dollywood Foundation ceases operation.
b. Aggregated Data. After removing any personally identifying information from within the set of Personal Data, we may combine that information with information we collect from other users and customers (collectively the “Aggregated Data”) in order to better understand and analyze Services. We may share Aggregated Data with third parties for industry analysis, demographic profiling, and other purposes.
23. CONTACT US
The Dollywood Foundation
Attn: Data Protection Officer
111 E Main St, 2nd Floor
Sevierville, TN 37862, USA
Email: [email protected]