Privacy Policy

Privacy Statement

Revised January 16, 2020 (Added CCPA Compliance section)

Introduction

When you entrust your personal information to a web site, you expect the operators of that site to demonstrate that they have earned your trust. Maintaining your privacy and the security of your personal information is our highest priority.
 
This Privacy Policy explains how Gembrook Systems, LLC ("Gembrook") d/b/a ClubExpress ("ClubExpress"), an Illinois Limited Liability Company, collects, stores, uses, and discloses information about you. Our customer is Carderock Springs Swimming Club, Inc., which has signed up and paid for the ClubExpress service.
 
We offer our services to membership-based organizations (clubs and associations) to help them run their operations, including their website, events, finances, and communications. These operations include the collection, storage, and processing of data on current and expired members of each organization, as well as non-members who add themselves to the organization's database by completing an Add-Me form, registering for an event, making a donation, volunteering, or other means, including being added manually by an administrator of the organization (for example, if you're a member of the Press or a local government or public safety official.)
 
Carderock Springs Swimming Club, Inc. and ClubExpress are committed to meeting and exceeding all relevant international, federal, and state laws and industry guidelines regarding your personal information and how it is protected.
 
Please note that privacy laws differ widely between countries and, within countries, between states and smaller jurisdictions. Because a club or association using ClubExpress may be located anywhere in the world and may have members or non-members from anywhere, and because their website may be accessed from anywhere in the world, ClubExpress will follow the strictest possible rules. This Privacy Policy has been updated in accordance with the requirements of the European Union's General Data Protection Regulations ("GDPR").
 
In the context of the GDPR, Carderock Springs Swimming Club, Inc. shall be considered to be the Data Controller and Gembrook shall be considered to be the Data Processor.
 
Gembrook is based in the United States and our servers are hosted in the US. No matter where you are located, you consent to the transferring to, and processing of, your information in the US.
 
This Privacy Policy applies only to this website and the functionality and services provided by ClubExpress. This website may contain links to other websites not controlled by Carderock Springs Swimming Club, Inc. or by Gembrook, and the policies and procedures described herein do not apply to these other websites.
 
Note also that privacy laws and regulations are continually evolving and this Privacy Policy may be modified at any time to account for new and stricter provisions. Your continued membership in Carderock Springs Swimming Club, Inc. and/or your continued use of this website, whether as a member or non-member, confirms your agreement to abide by the provisions of the current Privacy Policy. As described below, you also have the right and ability at any time to resign from the organization and to have your personal information removed from its databases.
 

What We Collect and How We Use It

This site stores personal information about you, including your name, contact information (addresses, phone numbers, email address, work information, etc.), demographic data (date of birth, gender, etc.), and, for members only, a user name and password to allow you to log in and access member-only content. Depending on which functions have been enabled by Carderock Springs Swimming Club, Inc., it may also collect, store, and display other information, including but not limited to:
  • Your original membership sign-up and subsequent renewals
  • Your event registrations
  • Your donations
  • Your online payments and payment history
  • Biographic and other information specifically to share with other members
  • Business information specifically to share with the public
  • Links to your social networking accounts for the purposes of sharing club or association information with others in your networks
  • Information posted in online discussion forums and surveys
  • Volunteering and committee assignments
  • Downloading of documents and photos from the website
  • Uploading of documents and photos to the website
  • Completing custom forms for specific club or association purposes
  • Posting classified ads or available jobs
  • Maintaining your certifications and continuing education training
  • Purchasing products through an E-commerce storefront
  • Registering for interest groups
  • Whether you have opened emails sent to you from the platform
This information is provided by you as you interact with the website and its various screens and dialogs. Some information is required by your club or association in order to maintain accurate and complete records, for legal protections, or to allow the organization to provide its services to you. Other information is optional or dependent on your participation in specific activities or programs.
 
Carderock Springs Swimming Club, Inc. uses this information to run the club or association, to provide services for members, to maintain accurate and complete financial records, to fulfill its legal obligations in accordance with laws pertaining to non-profits, to promote the club or association in the general community, to strengthen and grow the organization, to communicate with you about news and activities, and to advocate for issues that are important to members.
 
Within this website, only authorized administrators appointed by Carderock Springs Swimming Club, Inc. have access to personal information on members. ClubExpress cannot control who these administrators are or what they do with this information. However, our agreement with Carderock Springs Swimming Club, Inc. strongly discourages organizations from selling or trading personal data to third parties, but if they do so, you always have the ability to opt-out from such lists.
 
ClubExpress may collect and access personal information when you contact our Customer Support team by email or phone to get help with using the features of this website. ClubExpress does not otherwise collect personal information for its own purposes. All personal information is collected on behalf of the clubs or associations that have signed up to use the ClubExpress platform.
 
This website also collects information when you log in and as you navigate around the site, using standard Internet technologies (such as IP addresses, log files, access dates and times, language and other formats, session cookies, pixel tags, other tracking technologies, and reading your computer or mobile device type, operating system, browser version, etc.) We use this information for the following purposes:
  • To provide and maintain our service
  • To help us improve our products and services
  • To manage the performance of our platform
  • To perform accounting and billing activities
  • For the following security and data protection purposes:
    • To detect, investigate and prevent fraudulent use of the platform
    • To detect, investigate and prevent abuse and other illegal activities
    • To detect, investigate and block security breaches
    • To protect the rights, intellectual and physical property of Gembrook
    • To protect the rights and intellectual property of others
    • To provide you with a safe online environment
  • To manage and resolve legal claims
  • To protect and enforce our legal rights
Your club or association may enable a ClubExpress module that provides discussion forums. Please remember that any information disclosed in these forums may become public. You should exercise caution regarding personal information when you write messages in a public discussion forum.
 
Your club or association may enable a ClubExpress module that allows a third party, from an external website, to verify your membership in Carderock Springs Swimming Club, Inc. using a special interface and by providing credentials that you have supplied to that party. Your use of their website and the provision of these credentials is governed by their Privacy Policy. In providing them with your credentials for this website, you have consented to allow them to use this data to verify your membership status.

Using the ClubExpress Mobile App

Your club may also enable a ClubExpress mobile app that provides special functions for members using mobile devices such as a smartphones and tablets, running on both iOS and Android. When you download the mobile app for your club and device, we may request permission to use various features on your mobile device:
  • Calendar - We request access to your calendar so that we can add/edit events on your device. Calendar events are only added when you touch the "add event" icon. We never automatically add or edit events on your device without user interaction.
  • Location - We request permission to access your device location for the "Meets" functionality within the ClubExpress mobile app. Your device location is stored on our servers when you touch the "Update my position" button. Your device location is displayed to other users for the specified time limit. After that time limit expires, your location is no longer displayed to other users. Your device location is automatically hidden and not requested unless you explicitly touch "show me on this device" or "update my position. We do not retain this data or share it with your club or association or any third parties.
  • Microphone - We never store or retain any information from your microphone or record any audio from the microphone. Our app will request permission to use your microphone as a general "media" permission request.
  • Phone - We request access to your phone so that if users tap or touch a phone number the keypad/dialer will become preloaded with the phone number you touched. We never store or retain any contact logs or phone numbers you may have touched. This general permission allows us to access information about your device such as screen orientation or unique identifiers. We do not retain this data or share it with your club or association or any third parties.
  • Contact Logs - We never request or keep any information from your device’s contact logs.
  • Notifications - We request permissions to send notifications so that you are notified when a new message is posted to a Chat channel.
  • Storage - We request permission to access device storage so that we can save files to your device or display them temporarily. Files are only downloaded or displayed when you explicitly touch a file name or "download" button. Files are never automatically sent to the device without your knowledge. Your device will automatically cache some files in storage for better performance.
  • Carrier/Network information - We never share or keep any information regarding your carrier or network information.
  • Camera - Your device camera can be accessed when adding a photo to a Chat message. Our app will request permission to use your devices’ camera in the event that you choose this option.
  • Cookies - We use "session" cookies to keep you logged in while you use the ClubExpress mobile app to keep session information about who you are while you are logged in. Session cookies disappear when you log out or close the app. We do not keep any session information or financial information in Persistent cookies.

What is our Legal Basis for Collecting and Processing this Information

As noted above, Carderock Springs Swimming Club, Inc. is the controller of this data. It collects and stores your personal information in order to manage your membership in the club or association and/or your participation in the organization's activities. Any of the following activities provide clear indication of your intent to establish a relationship with this club or association, thereby allowing them to collect and store your personal information:
  • When you pay a membership fee to join or renew
  • When you register for an event
  • When you make a donation
  • When you purchase product from the organization's storefront
  • When you request to be added to the organization's mailing list
  • When you log in to the website as a paid-up member to participate in the organization's activities
As noted below, you also have the right to cancel this relationship with the club or association at any time, and to have your data removed from their website and data repositories, subject to the organization's rights to maintain accurate and complete records of its operations.
 
As noted above, ClubExpress is the Data Processor for this data. Carderock Springs Swimming Club, Inc. has signed a legal agreement with us to use the ClubExpress platform, which provides methods for maintaining and processing this data. We manage the security and integrity of this data and access to it.

Sharing of Information

Information about you will only be shared based on the provisions of this Privacy Policy.
 
The ClubExpress platform is designed to allow clubs and associations to run their operations online, including promoting themselves to the public. An organization running on ClubExpress may choose to make certain user information (generally limited to your name but, in some cases, also showing contact information) visible on the public side of its website, available to anyone who visits the site. This information may include, but is not limited to:
  • Your membership in a committee, interest group, or chapter
  • Your registration for an event
  • Your registration for a volunteering activity
  • Photos that you have uploaded to the website
  • Your participation in a Member or Business Directory
Members who log in to their organization's website may have access to more information about other members. Depending on how the website and various functions are configured, you may have the ability to control what information is shown.
 
We recommend that you survey the organization's website to see what information is visible to the public or to other members, to ensure that you are comfortable with this level of sharing. You always have the option to not participate in the activities that involve sharing.
 
Clubs and associations have the ability to define "Administrators" from within the organization who have access to all data on the website, as well as "Coordinators" who have some but not all administrative rights. These members assume the responsibility on behalf of the organization, to protect the privacy and integrity of this data.
 
Your club or association may share member and non-member data with vendors who assist in the operation of the organization. For example, a vendor may help to manage a large event and will need to know who has registered and paid to attend the event or specific activities within the event.
 
ClubExpress may share information with service providers and vendors that help us run the platform, including hosting the computers on which the platform runs, merchant processing companies to handle credit card payments, address verification and geocoding services, Google Analytics for traffic and usage intelligence, and consultants that help us secure, maintain, and enhance the platform in different ways. This information sharing will be strictly limited only to what is necessary for the vendor to perform its service(s) and said vendors and service providers are subject to strict contractual and confidentiality obligations barring them from using it for any other purposes.
 
ClubExpress may also share your information as part of a financial transaction such as a sale of the company, merger, consolidation, liquidation, or reorganization. In any such event, the acquirer will be subject to our obligations under this Privacy Policy.
 
Within ClubExpress itself, only authorized employees who are trained in our privacy policies and procedures and in the proper handling of confidential customer information, have access to your data.
 
We may retain and disclose information about you to third parties if we believe such disclosure is required by applicable international, federal, or state law or regulation, or by the order of a competent legal authority (such as a court order), or as part of an audit. We may also disclose information if we believe that your actions are inconsistent with our Terms of Service or internal policies, or if necessary to defend against a real or perceived threat or fraud against Gembrook and its employees or contractors, or a club or association running on the ClubExpress platform, or to prevent abuse of the platform.

What ClubExpress Will Not Do

Neither ClubExpress nor club officers have direct access to your password or credit card information. This data is encrypted by the system using state of the art technologies and cannot directly be accessed. If you forget your password, Carderock Springs Swimming Club, Inc. or ClubExpress can reset it at your request. You will then be required to change it when you next log in.
 
You have the option to not store your credit card information in our system. If you select this option, you will need to re-enter it for each transaction. Once your card has been authorized using an encrypted transfer, we only retain the first 4 and last 4 digits in accordance with Payment Card Industry (PCI) regulations and for reporting purposes.
 
ClubExpress will not independently contact you regarding new features or products or other service offerings unless you are listed as an official club contact, responsible for your club's relationship with us. We do not send unsolicited email (aka spam) to email addresses in your club's database.
 
ClubExpress will not sell or otherwise share your name or any contact information with any third parties, including partners, advertisers or service providers, except as necessary to fulfill your explicit requests. For example, when you renew your membership and pay online using a credit card, we must share data with the credit card processing company to approve the transaction. But we will never sell or share this data for marketing or revenue purposes.
 
ClubExpress may generate and provide aggregate statistics about our club customers and their members, online traffic patterns and related information to customers and partners, but this information will not contain data which is individually identifiable or which can be linked back to a specific person, family, or business organization member.
 
Behind the scenes, you should know that other organizations are also using the same software and computers to manage their operations. Information collected through your membership in one organization is never visible to members or administrators of other organizations. Unfortunately, if you are a member of more than one organization running on the ClubExpress platform, you have to maintain your information separately for each organization. But we think that the added security from keeping them completely separate is worth the small extra effort.

Other Things We Do To Protect You

ClubExpress's servers are hosted by an independent hosting company in their secure data center behind a firewall. Only authorized personnel have physical access to these computers. We take care to promptly install all service packs and security updates, and the data is backed up nightly. We continually test our platform to ensure that security is maintained. Confidential data is transmitted using SSL/TLS encryption; our SSL Certificates are issued by Comodo, one of the most respected names in Internet security.
 
We utilize various other technical and operational measures to protect your data stored and maintained in the ClubExpress platform on behalf of the Carderock Springs Swimming Club, Inc.. However, no method of electronic storage or data transfer is completely secure or error-free. In particular, email sent to or from this website may not be secure, and you should take particular care in deciding what information you communicate via email to other club or association members or officers, or to ClubExpress. We strongly encourage you to use a strong username and password, to keep this information well protected and not share it with anyone, and to log out of your user account and close your web browser when finished accessing Carderock Springs Swimming Club, Inc.'s website on a shared or unsecured device or network.

Data Retention Policy

Carderock Springs Swimming Club, Inc. has a compelling business reason to maintain accurate and complete records of its operations, including everything associated with memberships, events, fundraising, and member usage of the organization's website. There may not be a time-limit to this policy.
 
ClubExpress will retain this information while you are an active or expired member of the Carderock Springs Swimming Club, Inc. or have participated in their activities as a non-member, for the following reasons:
  • To allow you to use the ClubExpress platform
  • To allow you to review and update your information stored in the platform
  • To allow you to opt-out of receiving communications from the organization or to request that your information be deleted (see below.)
  • To ensure that we respect your communication preferences
  • To maintain accurate membership and other records
  • To maintain accurate financial and accounting records
  • To better understand how the platform is used so that we can provide you with a secure, reliable, and high-performing experience
  • To detect and prevent abuse of the platform, or illegal activities or breaches of this Privacy Policy, our Terms of Use, or the Subscription Agreement
  • To comply with applicable government legal and financial requirements
Note that data may persist for an additional time in other formats exported from this website for backup and data analysis purposes. Once data has been exported, it moves outside Gembrook's control and becomes the responsibility of Carderock Springs Swimming Club, Inc.. Requests for correction, deletion or a limitation on processing (see below) will be forwarded to your club or association so that exported data can also be updated.

Your Rights and Options

If you are a member of Carderock Springs Swimming Club, Inc., you have the right to log in to the website to view and update your contact information, transaction and payment histories, event registration and volunteering history, credit card information if stored in the system, and other data that is part of your membership record. You also have the right to change your privacy settings at any time, including opting out of receiving general announcements and excluding yourself from lists provided to third parties for marketing or fundraising purposes.
 
If you are a non-member of Carderock Springs Swimming Club, Inc., you have the right to view any of your personal data stored in the platform, and to update any inaccuracies. You also have the right to change your privacy settings at any time, including opting out of receiving general announcements and excluding yourself from lists provided to third parties for any purpose. Requests should be submitted by email to the organization's designated Data Privacy Officer (DPO) or general contact address, which can be found on the Contact Us page.
 
Both members and non-members have the right to request that their information be deleted from the organization's digital records. For members, this implies that you are resigning your membership. For members, this request can be submitted through your Profile screen. For both members and non-members, this request can also be submitted from the email Opt-Out screen, or via email to the organization's designated DPO.
 
Both members and non-members also have the right to object to the processing of their information, to request a restriction on its processing, or to withdraw their consent for future processing. Because such processing is an integral part of the organization's operations, such requests will be treated as delete requests. Note also that such actions typically cannot have a retroactive effect.
 
Such requests will not affect the lawfulness of any processing conducted before the request was received, nor will it affect subsequent processing based on a reliance on lawful grounds other than consent, such as the compelling business reasons of the organization.
 
When such a request is received, it will be logged in the system and Carderock Springs Swimming Club, Inc. will be notified. They have 30 days to accept or decline the request. If they decline it, they must provide you with a reason. If they accept it, or if they take no action within 30 days, your information will be flagged for deletion within 7 days. Information that does not have a compelling business reason to be retained (such as your full contact information, biography, answers to additional member data questions, uploaded photos, etc.) will be deleted. Information that does have a compelling business reason to be retained (such as transaction and payment records, event registrations, E-commerce storefront orders, and donations) will be anonymized.
 
You also have the right to complain to your local Data Protection Authority ("DPA") about the collection and processing of your data. For more information, please contact your local DPA directly.

Privacy Shield

ClubExpress complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. ClubExpress has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
 
In compliance with the Privacy Shield Principles, ClubExpress commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact ClubExpress using the contact information below.
 
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted. ClubExpress also complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
 
ClubExpress has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning data transferred from the EU and Switzerland.
 
The Federal Trade Commission (FTC), an independent agency of the United States government, has jurisdiction over ClubExpress’s compliance with Privacy Shield.

Compliance with CA Consumer Privacy Act (CCPA)

The CCPA provides consumers (CA residents) with specific rights regarding their Personal Information. This section describes these rights and explains how to exercise them.
 
Within the context of the CCPA, ClubExpress is a “Service Provider”. We store and process personal information on behalf of Carderock Springs Swimming Club, Inc.. ClubExpress does not sell, barter, trade, or share your personal information with third parties (except to fulfill the business operations of Carderock Springs Swimming Club, Inc., such as to process a credit card), and has no ownership rights over your personal information.
 
ClubExpress and Carderock Springs Swimming Club, Inc. may collect the following types of Personal Information:
  • Your name, nickname, postal address, phone numbers, email address, website, spouse and family information, work information, and emergency contact information.
  • Information that is specific to your membership in Carderock Springs Swimming Club, Inc. such as professional qualifications, education, interests, and affiliations.
  • Geolocation data.
  • Participation in club or association activities, such as (but not limited to) event registrations and attendance, volunteering, files downloaded, pages viewed, discussion forum and chat participation, emails received, text messages received, continuing education and certifications, collectible items owned, resources used, storefront items purchased, and surveys taken.
  • Activity on the Carderock Springs Swimming Club, Inc. website.
ClubExpress and Carderock Springs Swimming Club, Inc. may engage certain trusted third parties to perform functions and provide services to us, including hosting, database storage and management, credit card processing, and direct marketing. We may share your Personal Information with these third parties but only to the extent necessary to perform these contracted functions and provide these services. We require these third parties to maintain the privacy and security of the Personal Information they process on our behalf.
 
You have the right to see what Personal Information Carderock Springs Swimming Club, Inc. has collected about you and how this information is used. If you are a member, you can log into the website to view and update your personal Profile. Non-members who have added themselves to the database (for example, by registering for an event) can go to the Contact Us page on the website and submit a request to see this information. We may require you to verify your identity before providing this information. But once this is done, it will be provided within 45 days.
 
You have the right to see the following information:
  • What categories of personal information we collected about you;
  • The sources of this personal information;
  • The business purpose for collecting this personal information;
  • If we have shared this personal information with any third parties.
You have the right to request that personal information collected about you be deleted. For more information, see the “Your Rights and Options” section above.
 
You have the right of Non-Discrimination. For exercising your CCPA rights described above, we will not deny you goods or services, charge different prices for goods or services, or provide you with a different level of goods services.

Other Provisions

This website is not intended for unsupervised access by children under the age of 13. We will not knowingly collect information from site visitors of this age group. We encourage parents to talk to their children about their use of the Internet and the information they disclose online.
 
If at any time you have questions, comments, or concerns about this Privacy Policy, the information practices of this website, or your rights please contact our Data Protection Officer at:
Gembrook Systems, LLC
1051 Perimeter Drive, Suite 350
Schaumburg, IL 60173
Phone: 1-866-HLP-CLUB (457-2582)
Email: privacy@clubexpress.com