Privacy Policy

Effective Date: October 1, 2023

Orr Group (“we”, “us”, or “our”) is a consulting firm specializing in serving nonprofits and is located in Washington, DC, and New York City, NY. Orr Group is dedicated to protecting your data and maintaining your trust. We take various reasonable organizational, administrative, and technical measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction.

Our online Privacy Policy explains how we collect, use, disclose and secure the personal information we gather about you through our website, or when you interact with us online where the law requires that we disclose this information to you (“Privacy Policy”).

You should read this Privacy Policy carefully and ensure that you understand it. By accessing, browsing, or otherwise using our website, you confirm that you have read, understood, and agree with the Privacy Policy. If you do not agree, you should not use our website. If you have any questions or concerns about our personal information policies or practices, you can contact us by the methods described in Section I.

A. Scope

This Privacy Policy

This statement applies regardless of how our website is accessed and will cover any device by which we make our website available, or you choose to access our website.

Third-Party Sites

Our website may contain links to third-party websites. Our Privacy Policy does not apply to third-party websites; when we provide links, we are not responsible for any content of any third-party websites, or any links contained within them. If you click on a link to another website, you should read their privacy policy.

Personal Data

Personal Data is data or information that is identified or identifiable with a natural person (“Personal Data”). It may include your name, your email address, your physical address, your telephone number, usernames, and other information that may be used to identify you.
A list of the types of Personal Data we collect can be found in Section D.1.

Orr Group also collects some data that is not protected under data protection laws, and therefore is not Personal Data under this Privacy Policy. For individuals located in the United States, this may include:

Information collected from publicly available sources (including information lawfully made available from government records and information we have reason to believe you lawfully made available to the general public).
Information you provide to us through our Careers pages, including your name, contact information, job history, and other information contained on your resume or cover letter related to your employment.

Though Orr Group is not subject to the same legal requirements with regard to this data, we strive to maintain the same level of care for all of the data we handle.

Data We Do Not Collect. We do not collect the following information:

Sensitive Data. Sensitive Data may include information about your racial or ethnic origin, religious or philosophical beliefs, health, sex life or sexual orientation, geolocation, citizenship or immigration status, genetic or biometric data, political opinions, or information concerning trade union membership. Orr Group does not collect this information.
Any Data from Known Children. Orr Group does not direct its services or websites at children, and we do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us.

If we ever do collect any of the above-listed information, we will seek your consent where we are legally required to do so.

Changes to Our Privacy Policy

We regularly review our Privacy Policy and update it as necessary to reflect feedback, changes in our operations, and/or our compliance obligations. We encourage you to periodically review this page for updates.

B.
Data Controllers & Data Processors

Throughout this Privacy Policy, we refer to Data Controllers and Data Processors. This section will explain the difference and describe when Orr Group operates as a Data Controller, and when it operates as a Data Processor.

Orr Group as the Data Controller

A Data Controller determines why and how the data is processed (“Data Controller”). Processing is described in further detail below. This Privacy Policy primarily covers instances where Orr Group serves as a Data Controller. Orr Group is a Data Controller with respect to the data that we collect about you through our website.

Orr Group as the Data Processor

A Data Processor performs the processing actions on the data that it is given (“Data Processor”). Where we serve as a Data Processor for our [clients], we are responsible for the operations, which may include the collection, use, storage, disclosure, analysis, deletion or modification of data, performed on the Personal Data that our [clients] provide to us, at the direction of our [clients]. Where we serve as a Data Processor, it is our [clients], not Orr Group, who determine how and why Personal Data submitted to us is used. When we serve as a Data Processor, our processing activities are governed by a contract signed by us and our [client], and our [clients] may be responsible for disclosing to you what information is collected, the legal basis for collection, and your rights, when required by law.

Under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act, where Orr Group processes Personal Data for a [client], we are referred to as a Service Provider.

C. Your Data Rights

Orr Group is committed to the data protection principles of lawfulness, fairness, and transparency. If you, your data, and Orr Group are covered by a specific data protection law or regulation, you may have certain rights with regard to your Personal Data.
We have provided a summary of these rights (“Data Rights”) for your reference:

Request access. You may have the right to obtain confirmation about whether we are processing your Personal Data and, if we are, access to a copy of that information.
Request rectification. If you believe that the Personal Data in our records is inaccurate or incomplete, you may request that we correct any inaccurate or complete any incomplete Personal Data we hold.
Request erasure. In certain circumstances where we no longer have a reason to continue processing your Personal Data, you may ask us to delete or remove your Personal Data from our records. This right is sometimes referred to as “the right to be forgotten.” Please note that when we are required to notify our Data Processors of your request, it may take some time for your data to be fully removed.
Withdraw consent. When we are using your Personal Data based on consent, you may have the right to withdraw that consent at any time.
Restrict processing. In certain circumstances, you may request that we restrict the processing of your data.
Object to processing. You may have the right to object to processing of your data when it is processed based on our legitimate interests or your consent.
Data portability. In certain circumstances, you may request that we transfer your Personal Data to you or to another Data Controller.

Please note that these rights are not absolute and certain exemptions may apply to the requests you submit to us. The rights do not apply to all of the data we collect, store, and use, nor may every individual exercise these rights with regard to their Personal Data.

D. How Orr Group Collects Your Data

What We Collect & How We Collect Your Data

Where we serve as the Data Controller, the categories of Personal Data that we collect include:

Analytics Information. We collect analytics information as you navigate our website.
We use Cookies (described below) which may collect information about your browser, Internet Protocol address, device, and your interactions with our website including unique views. This information is collected automatically through Cookies.
Contact Information. When you submit your personal contact information to us through our Contact Us page, you provide us with Personal Data. This includes your name, email address, phone number, and other contact information. We collect this information when you sign up for our newsletter, when you request information about us, or when you voluntarily complete a form or survey.
Other Information. Occasionally, we may send out surveys and questionnaires about our services, or you may choose to reach out to us directly. When you complete a survey or questionnaire or reach out to us directly, you provide us with whatever information you choose to disclose to us, which may be considered Personal Data, including Sensitive Data, under certain data security laws and regulations. This information is only collected when you voluntarily share it with us.

When we serve as a Data Processor, our [clients] may also provide us with the Personal Data they control.

Data Use

We use your Personal Data for the following general purposes:

To provide, update, maintain and protect our website and business, and to investigate and help protect against security issues and abuse.
To identify usage trends and determine the effectiveness of our promotional campaigns.
To communicate with you. When you sign up for our communications, we use your personal information, including your name and email address, to send our newsletter, and other relevant communications to you. If you reach out to us with a specific request, comment or question, we may use that information to respond to you.
To develop and share advertisements about our services that may be relevant to you.
To evaluate the needs of prospective [clients] for fundraising consulting and other activities within the scope of our services.

Legal Basis

When we serve as a Data Controller, our collection and use of your Personal Data is based on one or more of the following legal bases:

Consent. We collect and use your Personal Data based on your consent when you first visit our website and accept or reject Cookies and when you voluntarily submit your Personal Data to us when you sign up for our newsletter or contact us.
Legitimate Interests. We may also collect and use your Personal Data when doing so is necessary for our legitimate interests relating to our consulting services.
Compliance with a Legal Obligation. We may process data to comply with our legal obligations. For example, we may have a legal obligation to preserve or disclose your Personal Data if there is a valid request from a regulator, law enforcement, or court order.
For the Exercise or Defense of Legal Claims. If you bring a claim against us, or we bring a claim against you, we may use the Personal Data we have for our defense, or in pursuit of our claim.

Where Orr Group serves as the Data Processor for one of our [clients], our [client] is responsible for determining the legal basis for processing your Personal Data.

Cookies

We send cookies to your web browser when you visit our website. Cookies are small pieces of data that websites store on a device and that are used to collect information about you and your visit to our website (“Cookies”). Cookies can improve your browsing experience because they help our website remember your preferences to offer you a more personalized experience. They also help us understand how visitors are using our website. Cookies may be set by us or by our third-party partners. For more information about Cookies, please visit https://allaboutcookies.org/.

Our website may collect the following types of cookies:

Preference Cookies.
These Cookies recognize when you return to our website. This enables us to personalize content for you and remember your preferences. Some of these Cookies may also be used to enable your interactions with us on the website.
Strictly Necessary Cookies. These Cookies are essential for you to browse the website and use its features. They also enable our website to provide enhanced functionality and personalization.
Performance Cookies. These Cookies collect information about how you use our website, like what pages you visit and what links you click on. This information cannot be used to identify you as it is aggregated and anonymized. These Cookies allow us to analyze activities on our website, such as traffic, and help us improve our functioning.
Marketing. These Cookies are set by third-party sites, such as Google or LinkedIn. These cookies identify your browser and internet device and are used to build a profile of your interests and show you relevant advertisements on those sites.
Analytics, Performance and Research. These Cookies allow us to analyze activities on our website, such as traffic, and may help us improve our functioning.

You can disable cookies in your browser settings; however, some of our website features may not function properly as a result.

E. Data Storage & Retention

Your data is stored and processed on servers in the United States, and Orr Group accesses the data from the United States.

Personal Data

We retain your data as long as retention is necessary to comply with our contractual obligations, the type of Personal Data, the purposes of its collection and processing, and applicable law. We will delete your personal information when it is no longer necessary for the purpose for which it was collected, or upon your request, subject to the exceptions discussed in this Privacy Policy, or under applicable law, contract, or regulation.

Cookies

Cookies may be kept for varying lengths of time, depending on the type of Cookie.
Generally, Cookies fall into one of two categories:

Session Cookies. These Cookies only operate from the time you visit our website to the end of your browsing session. Once you close your browser, the Cookies are automatically deleted.
Persistent Cookies. These Cookies stay on your device between browsing sessions. These Cookies usually stay on your browser for one month to two years, depending on the type of Cookie, though certain kinds may stay for longer. These Cookies tend to be Functional or Targeting, Marketing and Advertising Cookies.

You may delete the Cookies that stay on your browser by accessing your browser’s settings, though our website will not remember your preferences if you do.

F. Disclosure of Personal Data

Service Providers

Orr Group may disclose your Personal Data to our contracted service providers so that they can provide us with services, which may include IT and system administration and hosting.

Google Analytics

Users who visit this website and have JavaScript enabled are tracked through Google Analytics. Google Analytics allows us to gain insights into how you engage with our site and improve the functionality of our website. For more information about how Google uses this data, please visit Google Analytics Data Privacy and Security or Google’s Privacy & Terms. If you would like to opt out of tracking by Google Analytics, please visit Google Analytics Opt-Out Page.

MarketingCloudFX

We use MarketingCloudFX software in order to better understand our users’ needs and to optimize our service and experience. The software is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. The software may use Cookies and other technologies to collect data on our users’ behavior and their devices.
This may include personal information, including information about a device’s IP address, device screen size, device type (unique device identifiers), browser information, geographic location, and the preferred language used to display our website. The software stores this information on our behalf in a user profile. For more information about Cookies, please see Section D.4.

Third Party Partners & Targeted Advertising

We may provide your Personal Data to our third-party partners in a way that constitutes “selling” or “sharing” under a relevant data privacy law as necessary for our business purposes, including providing targeted advertising. This disclosure does not mean that we have actually sold or shared your specific Personal Data, or that we intend to sell or share your specific Personal Data in the future for any reason, including targeted advertising.

If you, your data, and Orr Group are covered by a specific data protection law or regulation, you may be entitled to opt out of the sale or sharing of your Personal Data and/or sharing of your data for Targeted Advertising. To do so, please follow the procedure described in Section H.

G. Data Transfers

Our webservers and hosting services are located in the United States. Personal Data you provide while located in the European Union (“EU”), the European Economic Area (“EEA”), the United Kingdom (“UK”), or in another international jurisdiction, may be transferred to the United States. If we transfer information from the EU, EEA, UK, or another country with cross-border transfer obligations, our service providers use Binding Corporate Rules, Standard Contractual Clauses, or other approved transfer mechanisms.

H. Exercising Your Data Rights

This section explains how you may exercise your Data Rights (described in Section C, above), when you are entitled to do so.
The Data Rights and processes described in this section do not apply generally, and nothing in this section is intended to extend the Data Rights to you, or is an admission that Orr Group is required to comply with any specific data protection law or regulation. Additionally, Orr Group is only required to respond to any requests you make when it is serving as the Data Controller—in cases where Orr Group is the Data Processor, you must reach out to the Data Controller to exercise your rights. If you are unsure if you and/or your Personal Data fall under a specific data protection law, please review the scope of the data privacy laws or consult with an attorney.

Exercising Your Rights

If you, your data, and Orr Group are covered by a specific data protection law or regulation, and wish to make a request or objection based on a Data Right, please contact us at the contact information listed in Section I.

We may ask for additional information to verify your identity before we act on a request or objection. We have at least 30 days to respond to your request or objection from the date we receive it and will alert you if we exercise our right to take additional time to process your request. Please note that we may retain a copy of your communications, including your name and contact information, to help us resolve any issues you raise.

Where Orr Group serves as the Data Processor, please reach out to the Data Controller to exercise any rights to which you may be entitled.

Appeal

If you, your data, and Orr Group are covered by a specific data protection law or regulation, and we refuse to take action on your request to exercise your Data Rights, we will provide you with a notification and the reason for our refusal. You may also be entitled to appeal our decision. If you choose to appeal our decision, please email us at the email address in Section I with “APPEAL” and your first and last name written in the subject line.
Complaints

If you have any complaints about the way we handle your personal data, please contact us so we may resolve the issue. If you, your data, and Orr Group are covered by a specific data protection law or regulation, and you are unsatisfied with our response, or you do not believe that we can assist you with your complaint or concern, you may also have the right to lodge a complaint with a government authority:

If you are located in the EEA or EU, you may lodge a complaint with the competent Data Protection Authority (“DPA”) for your country. The contact details for the DPAs are listed on the following website.
If you are located in the UK, you may lodge a complaint with the Information Commissioner’s Office at the following website.
If you are located in the United States and if you are covered by a data protection law, you may have the ability to contact your state’s Attorney General to lodge a complaint if you are concerned about the outcome of your appeal.

I. How to Contact Us

If you have any questions about our Privacy Policy or you would like to exercise one of your Data Rights, please contact us at:

Orr Group, Inc
3000 K Street NW, Suite e280
Washington, DC 20007
info@orrgroup.com

J. Disclaimer

Nothing in this Privacy Policy should be taken as an admission or evidence that any particular data privacy or information security law or regulation applies to Orr Group generally, or in any specific context. This Privacy Policy also does not guarantee complete security of your data, as we cannot reasonably ensure complete security.
Responsible AI at Orr Group

Effective Date of February 2, 2024

To provide the best consulting services, Orr Group is invested in integrating responsible Artificial Intelligence (AI) into how we operate internally and how we support our clients. Orr Group is committed to the continuous evolution of its AI practices to best manage risk, define appropriate and responsible usage, and maintain up-to-date governance to ensure secure and compliant adoption of AI tools. We believe that all AI usage should align with our Values, our policies, and our procedures.

To promote responsible and ethical usage, Orr Group believes in the following principles:

Respect for Human Dignity – AI should not be used to generate or propagate any content that is discriminatory, offensive, defamatory, or harmful to individuals or groups.
Safeguarding Against Bias – Users should be educated on avoiding biases in AI output and should be aware of and mitigate inherent biases in AI algorithms and datasets.
Integrity & Compliance – Output of AI tools should not be manipulated to mislead, deceive, or harm others. Use of AI should adhere to all applicable laws, regulations, and intellectual property rights when using AI Tools, including copyright and trademark laws.
Accountability & Avoidance of Misinformation – AI-generated material should not be “copy-and-pasted”; it should be reviewed to prevent unintentional dissemination of false or misleading information, and all AI-sourced facts, statistics, or data should be fact-checked for accuracy.
Transparency – Use of AI should be transparent and disclosed when used for decision-making or insight.
Explainability – Users of AI and their collaborators should be able to speak to how AI tools were used in their work product, and why the AI’s algorithm produced any given results that were utilized.
Confidentiality & Ownership – Use of AI should respect confidentiality in work and intellectual property rights.
AI tools should be used in a way that protects the privacy of individuals and respects data ownership rights. Sensitive, proprietary, or confidential information should not be disclosed to AI without guaranteed security.
Privacy & Security – Proper handling of data is paramount. AI systems should be checked to ensure that they are secure from unauthorized access and that data privacy is maintained. To maintain trust and integrity in our operation, the use of AI must be secure against misuse and cyber-attacks.