Privacy Policy

The Chan Zuckerberg Initiative Foundation, a 501(c)(3) nonprofit private foundation (“CZIF,” “we,” “us,” or “our”), supports patient-led organizations driving forward research in rare disease. This Privacy Policy describes the types of information we collect and process when anyone accesses or uses the Services, as defined below (collectively “Users” or “you”), and how we use, disclose, and protect that information.

1. Applicability of this Privacy Policy

This Privacy Policy applies to visitors to https://synergies.rareasone.org/ (the “Website”), the “Other Services” (defined below), and any other products and projects of CZIF that state that this Privacy Policy applies to our collection of personal data (the “Services”). This Privacy Policy does not apply to products, programs, or activities of CZIF that do not incorporate this Privacy Policy by reference.

By accessing and using the Services, you are accepting the terms of this Privacy Policy, which may be updated and amended from time to time. By accepting this Privacy Policy, you agree that CZIF is the “controller” of your personal data provided to, collected by, or processed in connection with the Services. If you don’t agree with this Privacy Policy, do not access or use the Services.

2. What information do we collect?

We collect information from you when you visit the Website or use the Services.

From you

We collect certain information from you when you provide it to us directly. Specifically:

• User Support. If you email any @chanzuckerberg.com email address, including those published on our Website, with a support request or comment, you may provide us with personal identifiers such as your real name, email address, contact information, and/or a description of the issue so that we can properly respond to the request or comment.
• Surveys and Feedback. If you decide to respond to a survey or send us feedback, we may collect personal identifiers and information about your interests or preferences.
• Events and Training. If you register for an event or training, we may collect personal identifiers from you.
• Search. When you perform search queries on the Website, we will collect search terms that you input.

From your browser or device

When you use online services, certain information routinely gets created and logged automatically; the same is true when you visit our Website. When you access the Website, we collect:

• Log data. When you visit our Website (whether on your computer or on a mobile device), we gather certain internet or other electronic network activity information automatically and store it in log files. This information includes your IP addresses, your Internet Service Provider, referring/exit pages, date/time stamps, clickstream data, login/logout times, and duration of time spent on our Website.
• Device data. In addition to log data, we collect information about the device you’re using to access the Website; this includes the type of device, browser type, operating system, settings, unique device identifiers, and crash data.
• Cookie Information. We also use cookies (small text files sent by your computer or device each time you visit our Website that are unique to your device or your browser) and similar technologies. These cookies share internet or other electronic network activity information and general geolocation data with certain third parties. For example, we use analytics services that place cookies which collect information that allows us to understand how often you use the Website, where you are accessing the Website from, and events that happen on the Website. See this FAQ for more information about cookies and the choices you have to control them.

Sensitive personal information

Unless we state otherwise in a policy for certain products, programs, or activities of CZIF, we do not collect sensitive personal information about you, and thus we do not use or disclose your sensitive personal information.

3. What do we use your information for?

We use the data we collect about you for the following business purposes:

• To provide, maintain, and improve the Services, including understanding the content that our visitors find valuable, troubleshooting errors, advancing information security, and understanding website traffic patterns.
• To inform Users how to contact you if you provided your contact information along with your organization.
• To provide information you’ve requested.
• To directly communicate with you about your use of the Services or to respond to an email or submission from you.
• To inform our program, to measure the impact our program is making, and for research development.

4. Retention and deletion

We will keep your information only for as long as we believe that we need it for the purpose we have collected it (as described above) or to meet legal obligations, resolve disputes, maintain security, prevent fraud and abuse, enforce our agreements with you, or fulfill your request to unsubscribe from further messages from us. When your information is no longer needed, we will destroy, de-identify, or aggregate it.

5. Disclosing your data

Except in the instances listed below, we will not disclose your personal information to others unless you consent to it:

Service providers and vendors

CZI works with vendors, service providers, and other partners that help us provide the Website by providing services on our behalf. These services are, for example, sending emails, performing statistical analysis, database management services, database hosting, providing customer support software, survey providers, video communications services, and security. In the course of providing these services, our service providers may have access to your information, including personal information.

Legal and safety reasons

We may disclose information if we believe in good faith that it’s necessary (a) in connection with any legal investigation; (b) to comply with relevant laws or to respond to subpoenas or warrants served on us; (c) to protect or defend our rights or property or users of our Services or others; and/or (d) to investigate or assist in preventing any violation of the law.

CZIF entities

We may share your data with our affiliates, such as the Chan Zuckerberg Initiative, LLC (“CZI LLC”), who is our primary technology partner, focusing on the Service’s infrastructure, security, and compliance. In this role, CZI LLC is a data controller for all data referenced in this Privacy Policy. Affiliates does not include Meta for purposes of this policy; CZIF and Meta are independent entities.

Reorganization, sale or merger

We may disclose your information in connection with a merger, reorganization, or sale of all or a portion of our organization or assets related to CZI. In the event of a merger, reorganization or sale of assets, the buyer or other successor entity will continue to be bound by the terms of this Privacy Policy.

6. What privacy rights do you have?

Rights. You have the following rights with respect to the personal data we have about you:

• Delete data. You can ask us to erase or delete all or some of your personal data subject to our legal obligations and lawful exceptions.
• Change or correct personal data. You can also ask us to change, update, or fix inaccurate data in certain cases, subject to our legal obligations and lawful exceptions.
• Object to, limit, or restrict use of personal data. You can ask us to stop using all or some of your personal data (e.g., if we have no legal right to keep using it) or to limit our use of it (e.g., if your personal data is inaccurate or unlawfully held).
• Right to access and/or take your personal data. You can ask us for a copy of your personal data in machine-readable form.
• Right to notice. You have a right to receive notice of our personal information collection, use, retention, and disclosure practices at or before collection of personal information.
• The right not to be discriminated against. CZIF will not discriminate against you in any manner for exercising any of the above rights with respect to your personal data.

If you would like to exercise your right to any of the above, email us at privacy@chanzuckerberg.com. In the email, please provide us with your name, the country (and state if within the United States) in which you live, which of the above rights you would like to exercise, and sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information. If you would like an authorized agent to make a request for you, have that agent email privacy@chanzuckerberg.com with the above information along with additional information sufficient for us to verify that the authorized agent is acting on your behalf. Please also let us know if you have questions or concerns related to exercising any rights you have under applicable law to control your personal data.

If you would like to appeal a CZIF decision with respect to a request to exercise any of these rights, please email us at privacy@chanzuckerberg.com and explain the basis for your appeal.

If you wish to raise a concern about our use of your information (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority.

7. Data transfer

CZIF is based in the United States; when you engage with the Services, you are sending personal information into the United States which may have different data protection rules than those of your country. We process data both inside and outside of the United States.

8. Our legal bases

We will collect, use and disclose your personal information only where we have a legal right to do so. This Section explains our legal bases for processing personal information, including under GDPR.

8.1. Consent. We rely on consent to engage in certain data collection activities, such as when you sign up for our newsletter or you consent to displaying your contact information on the Website.

8.2. Legitimate interests. We rely on legitimate interests to process the data we collect when you browse our Website or you use the Services. We process this data based on our legitimate interest so that we can secure the Website, understand how our Website is being used, and improve the Services, and your legitimate interest in accessing our Website.

Where we rely on consent, you have the right to revoke your consent and where we rely on legitimate interests, you have the right to object by emailing us at privacy@chanzuckerberg.com. If you have any questions about the lawful bases on which we collect and use your personal information, please contact us via email.

9. Additional information for California residents

The California Consumer Privacy Act (“CCPA”) requires certain businesses to give California residents a number of rights regarding their personal information. We are offering these rights to you, including the right to have your personal information deleted (subject to certain exceptions), the right to change or correct your personal information, the right to limit the use or disclosure of your sensitive personal information (if applicable), the right to access your personal information, the right to opt-out of the “selling” or “sharing” of personal information (if applicable), and the right not to be discriminated against for exercising these rights.

These rights, and how to exercise them, are described in more detail in the Section titled “Choices and Rights” of this Privacy Policy. In addition to these rights, we give you a right to request the following information about your personal information that we have collected in the past 12 months:

The Right to know. This right allows you to request the following information about the personal information that we’ve collected about you in the past 12 months:

• Information about data collection
  • The categories of personal information that have been collected about you.
  • The categories of sources from which we have collected personal information.
  • The business purpose for which we have collected personal information.
• Information about data disclosure
  • The categories of personal information, if any, that have been sold, shared, or disclosed for a business purpose to third parties.
  • The categories of third parties to whom personal information was sold, shared, or disclosed for a business purpose.
  • Identification of the specific business purpose for disclosing the consumer’s personal information.

We have described in fuller detail in this Privacy Policy the personal information that we collect, how we use, and disclose it, but provide the following additional disclosure:

Information about data collection

• Information we collect. We have collected the following categories of personal information from consumers within the past 12 months: (1) identifiers; (2) professional or employment-related information; (3) internet or other electronic network activity; (4) geolocation data; and (5) information provided through survey responses or feedback or training sessions. We have not sold this information nor have we shared this information for behavioral advertising purposes.
• Sources of information. We obtain these categories of personal information from the sources described in the Section 2 above.
• Purposes of collection. We collect personal information for one or more of the following business purposes as described in the Section 3 above.

Information about data disclosure

• Information we disclose. We have disclosed the following categories of personal information within the past 12 months: (1) identifiers; (2) professional or employment-related information; (3) internet or other electronic network activity; (4) geolocation data; and (5) information provided through survey responses or feedback sessions. We have not sold this information nor have we shared this information for behavioral advertising purposes.
• Third parties to whom we disclose. The categories of third parties to whom we have disclosed this personal information are described in the Section 5 above.
• Purposes of disclosure. We disclose the personal information we collect about you for one or more of the following business purposes described in the Section 3 above.

10. Additional information for residents of Virginia, Colorado, Connecticut, and Utah

Virginia, Colorado, Connecticut, and Utah also have adopted privacy laws that give consumers certain rights, including the right to confirm whether controllers are processing the consumer’s personal data, the right to access that data, the right to obtain a copy of that data, the right to correct inaccuracies in that data, and the right to delete that data. As discussed above in Section 6, we provide these rights to all consumers, regardless of where they reside.

Additionally, these four states have adopted rights to opt-out of: (1) targeted advertising; (2) the sale of personal data; and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. We do not sell your data, use it for targeted advertising, or to profile you in furtherance of decisions that produce legal or similarly significant effects.

11. Other important information

Security of your information

Security of personal information is important to us. We implement security safeguards designed to protect your personal information, including reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, and destruction. Despite these efforts, we cannot guarantee that your data may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or administrative safeguards. Please notify us immediately at security@chanzuckerberg.com if you become aware of any security issues relating to our Services.

Third party links

We may include links to other organization’s websites on the Website. These third party websites have their own privacy policies and terms and conditions which are outside of our control and responsibility.

Children

The Services are not designed or intended for children under 16. We do not have knowledge that we have sold or shared the personal information of users under 16 years of age. If we become aware that we have the information of such children collected through the Services, we will promptly delete it.

Changes to our Privacy Policy

We may modify this Privacy Policy from time to time, and you can see when the last update was by looking at the “Last Updated” date at the top of this Policy. If we make material changes to it, we’ll provide you notice through this Privacy Policy. Your continued use of the Services after we publish a notice about changes to this Privacy Policy means that you acknowledge and agree to the updated Privacy Policy.

Contact information

If you have questions or complaints regarding this Privacy Policy, please contact us at privacy@chanzuckerberg.com.

To comply with article 27 of the GDPR and the UK-GDPR, we have appointed a representative who can accept communications on behalf of CZIF and CZI LLC in relation to personal data processing activities falling within the scope of the GDPR or the UK-GDPR. If you wish to contact them, their details are as follows:

European GDPR Representative:
Bird & Bird GDPR Representative Ireland
Deloitte House
Earlsfort Terrace
Dublin 2, Ireland D02 AY28
EUrepresentative.ChanZuckerberg@twobirds.com

UK Data Protection Representative:
Bird & Bird GDPR Representative Services UK
12 New Fetter Lane
London EC4A 1JP
United Kingdom
UKrepresentative.ChanZuckerberg@twobirds.com