Effective Date: August 9, 2018
In an attempt to address privacy concerns, including those mandated and required by GDPR, we have listed the following elements of our website that use, may use, or have used any private identifiable information and data submitted to our servers. We also explain how that data is/was used and what benefit it provided to you as a user of the system; whether that be in streamlining a better and cleaner user experience while visiting and using our site, or facilitating automation and other data-driven functionality as part of our goal of delivering and providing quality services and information to you.
We Don’t Store Passwords
While the Twins Days Festival site does collect personally identifiable information, we never store any password because we do not offer a login area to our website to the public. This may change in the future, but for now we simply don’t require or save passwords. That means we never store any passwords you may have associated with your email addresses nor with your PayPal accounts. We ask that you don’t ever send us your passwords used on other systems because we have no use for them.
Secure & Encrypted Browsing (SSL)
Our website maintains and provides an SSL certificate which means that instead of “http” appearing in the address bar of a browser visitors will see “https” where the extra “s” stands for “secure.” This means that the web traffic both sent and received while visiting and interacting with our site is encrypted making it more difficult for malicious actors to try to acquire data as it is being transmitted. This protects you better than an unsecured website where items are sent in “plain-text” and can be stolen or captured. All pages of our website including both the public pages you see and the backend administrative pages you don’t see take advantage of this technology.
Various forms appearing on the public portion of our website that can be accessed, viewed, and interacted with ask for, and require, personally identifying information. These forms are meant to facilitate a more efficient method of transmitting data to our team than by filling out paper forms. In fact, they’re meant to eventually replace paper forms altogether. Accordingly, we need to ask for details that we previously asked on our paper forms such as, but not limited to, name, age, address, phone, email, marital status, maiden name, and country. We also maintain a record of what type of sets of twins are registering, their gender, and how many multiples make up a set that is registering.
Other forms may ask more specific information related to that particular form and tailored to what its purpose is. For example, the registration form also asks about what photos are wanted, whether you want text lines to appear in the program, and whether you want a packet to be sent to you if you can’t attend the festival. Some forms, such as the golf outing form, may ask the gender division desired, and whether a vegetarian dinner is requested. As a final example, the talent show form requires a description of the act being performed.
Our various forms will collect personal information required to achieve the goal of that form. All data submitted on the form is sent to the Twins Days server and saved within our database as part of our System (discussed below). This database uses an obfuscated password (meaning a jumble of random letters and numbers and characters) and can only be accessed by the Twins Days staff and its developers and programmers who maintain the system. The information provided in these form submissions helps our staff streamline the collection of information for a given festival year, and organize the data in a logical fashion.
Having this data on our website allows us to automate processes and search for information which directly turns into a better user experience for festival attendees. For example, we can look up information for registrants, generate reports, print mailing labels for purchased photos, etc. Other associated data might also be kept about the forms you fill out including date, time, internal notes related to your form submissions, and additional items discussed in the Private Forms section appearing next.
We use an administrative password-protected system responsible for collecting and maintaining all of our form data (“System”). Any data submitted on a Public Form, except for a contact form appearing on the contact page, is sent to the System where it is saved. As discussed immediately above, any data submitted by a visitor then gets stored on our server for further use by our team in facilitating our annual festival.
Once a record is created for a submission on a particular form it then becomes a record accessible to our in-house administrative staff working at Twins Days. They are able to see all information related to that form submission and work with the data by updating, changing, and deleting it. They also have the ability to take certain actions such as emailing you a receipt from within the system if you need one sent to you. Each record has a unique ID assigned to it when created and this ID may relate directly within that table to your names, emails, and other identifiable information. Other data associated with the record is also kept including any admin-only notes (e.g. a staff note that a particular participant needs wheelchair access) that can help us better address your needs.
System users on the Twins Days staff also have the ability to create a record manually for participants of the festival who have not signed up through the website. This allows the staff to record purchases made elsewhere so that that information is centralized within the System and can be used to run comprehensive reports, and also look up and access registration and other form submissions in support calls or emails. Accordingly, information that may be put into the System by Twins Days administrative staff members who have proper access with an email and password includes: registration method, payment method, last 4 digits of a credit card, credit card type, credit card expiration, check number, check memo, check date, cash value. We will never ever store entire credit card numbers or bank account numbers within our system, period.
We may also keep track of whether you are a resident of the city of Twinsburg and whether payment has been made in full. From time-to-time we may add other fields to various forms within the system always meant to help facilitate a better response to our administration of the festival.
Record IDs & Tokens
After a record is created within the System it is assigned a unique raw ID from the database and a unique public ID associated with that year’s festival. Related with this public ID, but separate, is a unique token which is a hashed value (fancy word for random) that works in tandem with your public ID. When a form is submitted and a record created we will email you (and others who are designated as recipients on the form) a plain-text email that serves as a digital receipt that includes details about the record just created. It also will include your public ID near the top (e.g. TWINS-2018-00001) and a link to a page on our site that you can visit to review details. This URL that is provided is unique specifically to your record and includes in the URL the public ID and the token. When the page loads, if and only if the token correctly corresponds with the public ID, will the page be rendered to display the appropriate details associated with that given record. A failure to provide a valid token in the URL or vice versa with the public ID will result in the page not displaying any information. This tokenized URL provides you with easy access to view your information online while also preventing other individuals from referencing your registration surreptitiously and maliciously.
Our online payment processor is PayPal. When you use a form on our website that collects data and then redirects you to a PayPal page we send PayPal some data related to your purchase. This can include, but is not limited to, your name, an invoice number, an email address, an identifying token generated by our system, details about your purchase including the category of the item being purchased and the total cost of the purchase.
Any data you provide to PayPal while on their site, including your PayPal password and any credit card or other financial instrument information, is not provided to Twins Days. Upon a successful transaction with PayPal, their servers will send you back to our site, and also send a notification to our servers, about the successful payment. This information which we receive includes a PayPal transaction number, a verification of success, and a lot of other technical information which we do store. None of this information that is sent to us, however, includes sensitive or private information associated with the payment method or financial instrument used (e.g. we never see credit card numbers nor bank account numbers). We may be told what payment method was relied upon during the transaction (e.g. “instant”, “echeck”, etc.) but are not provided with account numbers or similar information.
Storing the transaction ID helps us better facilitate interactions with you as it relates to refunding amounts to you and/or looking up orders you have placed. This information is also sent via email to the recipients involved with a given purchase to help inform you of the purchase and let you know that we have successfully recorded the payment.
As referenced earlier, the Twins Days Festival site relies on Google Analytics for driving comprehensive analytics reports as it relates to our website traffic, activity, visits, and many other metrics that can be useful to us when determining how to improve and refine our site. Accordingly, some data associated with your visits will be recorded and shared with Google including, but not limited to, cookies, demographic data, potentially including age ranges, geographic location based off of IP addresses, IP addresses, browser types, device types, versions of browsers and devices and operating systems, time of access, pages requested, time spent on specific pages, URLs that may contain public IDs and tokens, receipt values which are public IDs, button clicks to help track conversion rates, etc. We are uncertain if any names or emails will be transmitted to Google in our use of their Google Analytics solution, but visitors should assume and anticipate that it is a possibility.
By using the site you agree to allow your information, including name and email, to be used by Twins Days for email campaigns and targeted newsletters to let you know about future news, updates, and notices related to the Twins Days Festival. In doing so, we may have to supply this information to our mass email service provider to facilitate our operations. Your information will never be shared with anyone else though—we will not sell your information or share it with advertisers. Our goal is to provide targeted dissemination of information you may care about. If such systems are used, you will always have the opportunity to opt-out of future emails and/or unsubscribe from select categories, or all categories, of information sent via email by our staff.
Scheduled & Unscheduled Backups
The Twins Days Festival site will be backed up regularly in various ways and with each method of backup also comes a duplication of your data to the specific entity responsible for that method of backup. Currently we anticipate three (3) backup methods that will result in your data being backed up in separate locations. The first location is with the website hosting provider company (or server) responsible for hosting the content. They automatically back up content and save on their server in case of a catastrophic crash. Website content and database information is included. The second method is software that backs up data to the server and also to a remote location designated and controlled by Twins Days staff and/or their service providers. The third is a manual backup performed from time-to-time by Twins Days service providers where the database is backed up to their systems and saved locally on development systems. In each instance described above the content and/or database is backed up to a secure password-protected area only accessible to the Twins Days staff and their development staff.
Contact Pages & Other Forms
The Twins Days staff may from time-to-time create forms that are publicly available and that take advantage of software that harvests, records, and transmits contact information and details to the staff members outside the scope envisioned by the System. Such information may include personally identifiable details specific to that particular form and software being utilized. This data, whatever the purpose of the form, will be generally used by staff members to execute and achieve goals specific to that form’s existence. This contact information may be transmitted and shared among several staff members to help resolve and/or conclude action required by the initial submission; and where contact details are provided, may result in follow-up contact with the person submitting the form via other methods including email, phone, etc.
Your Data is Never 100% Safe
We live in a world today that is filled with bad actors, oftentimes well-funded and extremely motivated. No matter what safeguards and reasonable precautions we take to harden our systems, encrypt data, and use strong passwords, neither the Twins Days staff, nor any company or entity providing a website to the public, can guarantee 100% safety and protection from data theft or having your identity stolen. The purpose of this document is to explain to you plainly how we use the data you provide, how we store and secure the data you provide, what risks might be involved, and why it makes sense when doing a cost-benefit-analysis to choose ultimately to provide that data. But we ask you do so only if you’re comfortable. It is always your choice.
As it relates to retaining data within the System, and elsewhere in digital format such as exported Excel sheets, we expect to retain it for historical purposes indefinitely. This will help us determine needs and trends relating to our participants and also to help streamline registration even more in the future. From a logistical and administrative standpoint, it helps us respond better to our customers when we need to look up past information for them.
As a sole means of recourse for removing your personally identifiable information from our systems you can contact our Data Protection Officer (below) informing us of your desire to have information removed. Upon receipt of this request our staff will go through our system to obfuscate personally identifying information related to your specific records. We will never delete the actual records so we can continue to execute reports related to revenue and other demographics important to our services. Your name(s), email, address(es) (excluding state and country) will be obfuscated along with any payment details related to your purchase except for registration method and payment type.
In order to process your request for removal of personally identifiable information you are required to provide in your request a bulleted list of the public ID values of the records you want redacted and/or obfuscated. A request without reference to these values will result in no action being taken.
How to Contact Us
For purposes of the EU data protection law, Andrew Miller is the Data Protection Officer for Twins Days Festival. If you have any questions about how we collect, use, or store your data, you may contact him at:
Twins Days Festival Committee
Attn: Data Protection Officer
9825 Ravenna Rd.
Twinsburg, OH 44087
Changes to These Privacy & Data Protection Policies
This policy statement was updated on August 9, 2018. We will periodically review and revise our policies as needed in order to comply with GDPR, laws of the United States, and industry best practices.