Verra GDPR Privacy Policy

IMPORTANT NOTE: This privacy policy (Verra GDPR Privacy Policy) applies to people in the European Economic Area and the United Kingdom only. The Verra Privacy Policy applies to those persons not in the EEA or the UK.

Except as stated above, this Verra GDPR Privacy Policy applies to all personal data processed by Verra, a not-for-profit, tax-exempt organization incorporated in the District of Columbia, USA whose registered office is at 1 Thomas Circle, Suite 1050, Washington DC, 20005, USA, including without limitation, by way of the Verra website located at https://www.verra.org.

Verra recognizes the importance of people’s privacy, and that people have a right to control how their personal data is collected and used. We know that providing personal data is an act of trust and we take that seriously.

Verra primarily collects the following personal information:

• Personal details required to open an account on the Verra Registry. This includes name, telephone number, email, position title of the authorized representative, account manager and billing contact identified by an account holder for their account.
• Contact details for communications with stakeholders, strategic partners and other parties relevant to Verra’s activities. This includes name, telephone number, email, position title of the representatives of these parties that will communicate with Verra.
• If the account holder, stakeholder, strategic partner or other party is an individual, additional details about that person may be collected such as bank account and physical address and, if applicable, details needed to conduct verification checks such as date of birth or government issued identifier.
• Details about activity on the Registry such as transaction details which could identify a person.
• Personal data contained in communications with Verra including via the Website, during face-to-face meetings, email correspondence or telephone conversations. This may also include personal data contained in reports, surveys, questionnaires and forms provided to Verra in order to participate in the Verra Registry or apply to do things such as use our logos.
• Information collected automatically from a Website visit such as IP address.

In some cases Verra may collect personal data from someone other than the individual concerned (e.g., from the person opening the account holder’s account). If you provide to Verra personal data about another person, Verra is relying on you having addressed all relevant consents, notifications and other requirements to enable Verra to process the personal data for Verra’s purpose of collection.

Verra collects this personal data for the following reasons: (1) the collection is necessary for us to provide our services; (2) it is in our legitimate interest to collect this data for the purposes of providing the services; (3); the collection is necessary for us to comply with our legal obligations or applicable law; or (4) we have consent, where applicable or required under law.

If Verra is not provided with all requested personal data, Verra may be unable to register an account holder, provide the requested Verra Program services and resources or respond fully to a request.

Verra uses personal information for the following purposes:

• Operate the Verra Registry and provide Verra Program services and resources and related initiatives and activities.
• Issuing, conducting, compiling, managing and analyzing reports, questionnaires and surveys and producing reports and/or ratings based on responses.
• Responding to stakeholder queries or requests for information.
• Administering and maintaining the Website.
• Improving Verra services and resources.
• For other purposes with your consent or where permitted or required by law.

Verra uses this personal data for the following reasons: (1) the use is necessary for us to provide our services; (2) it is in our legitimate interest to use this data for the purposes of providing our services; (3); the use is necessary for us to comply with our legal obligations or applicable law; or (4) we have consent, where applicable or required under law.

Verra discloses personal information as follows:

• For participants in the California Air Resources Board (CARB) approved Verra Offset Project Registry (the Offset Registry), we may disclose personal data to government agencies as appropriate in connection with the operation of the Offset Registry in accordance with the applicable CARB rules.
• In order to deliver services and provide access to resources (including via the Website), and to improve those services and access, we may sometimes disclose personal data to third parties such as affiliates, partners,service providers, independent contractors, consultants, off-site security storage or IT providers, website hosts and other partners of Verra.
• We may also share and disclose de-identified, and aggregated information for the purposes of research and promotional activities. For example, we may disclose aggregated data from website visitor reports, event registrations, completed reports, questionnaires and surveys, and make such data available on the Website or through other mediums.
• Verra may disclose personal data in connection with a sale or transaction involving all or a portion of the business to representatives of a prospective purchaser, and where required by applicable law.
• Verra may also disclose personal data with your consent or where permitted or required by law.

Verra discloses this personal data for the following reasons: (1) the disclosure is necessary for us to provide our services; (2) it is in our legitimate interest to disclose this data for the purposes of providing our services; (3); the disclosure is necessary for us to comply with our legal obligations or applicable law; or (4) we have consent, where applicable or required under law.

Cookies are pieces of information that a website transfers to your computer’s hard drive. Most web browsers are set to accept cookies. Verra uses cookies to make your use of the Website, resources and services more convenient. Cookies are used for example to estimate the overall number of users of the Website and determine traffic patterns through the Website.

If you do not wish to receive any cookies, you may set your browser to refuse cookies, but this may affect your ability to take full advantage of the services and resources on the Website.

Verra will endeavor to take all reasonable steps to keep secure any user information, and to keep this information accurate and up to date. Information is stored on secure servers in the United States that are protected in controlled facilities. We require our employees and data processors to respect the confidentiality of any personal data held by Verra.

Please note also that Verra may use facilities outside the United States to process or back up its information. As a result, we may transfer your personal data to facilities outside the United States for storage. However, this does not change any of our commitments to safeguard your privacy.

Verra will only retain personal data for as long as necessary to provide our services. We may retain personal data after the termination of the contractual relationship if the personal data are necessary to comply with other applicable laws or if we need the personal
data to establish, exercise or defend a legal claim, on a need to know basis only.

When we no longer require the personal data, we will make sure it is either deleted or anonymised.

As provided by applicable data protection law, the following rights may apply for personal data collected, used and disclosed by Verra:

• Access: Individuals have the right to be told about how their personal data is processed, and have access to such personal data.
• Correction: Where the personal data of individuals is incorrect, individuals may request that we rectify the personal data we hold. Please take care to ensure details provided to us are kept up to date. Where we provide facilities to update or change those details, please use those facilities.
• Portability: In some cases, individuals can request that their personal data we hold is provided to them in a structured, machine-readable format, and can require us to transfer the personal data to another data controller.
• Right to be forgotten: Individuals may have the right to require us to erase personal data concerning them.
• Right to restrict processing: In some cases, individuals may require us to restrict the processing of their personal data.
• Right to object: In some cases, individuals have the right to object to the processing of their personal data.
• Withdrawal of consent: Individuals may withdraw their consent (in cases where we rely on consent) at any time. If consent is withdrawn it may have consequences such as we may no longer be able to provide certain services or communications.

To exercise these rights, please contact us using the details in the Contact Us section below. Please include sufficient details so we can understand the nature of your requests. We may need to request personal data in order to verify identity. In some cases we may respond that a request will not be actioned where permitted or required under law.

Verra provides, through the Website, access to third-party websites where content is not controlled by Verra. These linked websites are not under the control of Verra, and we are not responsible for the content or the conduct of the organizations accessed via links to such third party websites through the Website. Before disclosing your personal data on any website, we suggest you examine the terms and conditions and privacy policy of that website.

Verra may, from time to time, amend this Verra GDPR Privacy Policy. Any such amendments will be posted on the Website and will take effect at least fourteen (14) days after such posting. Please therefore keep checking this Verra GDPR Privacy Policy to ensure you are aware of the terms of the current version.

If you have a concern or complaint about our processing of your personal data including about our compliance with applicable data protection laws, please contact us using the details in the Contact Us section below. We will consider and promptly respond to the issues raised. Please include sufficient details so we can understand the nature of your concern. We may need to request personal data in order to verify your identity. You also have the right to lodge a complaint with the competent data protection supervisory authority.

We can be contacted in connection with privacy matters including as contemplated by this Verra GDPR Privacy Policy as follows:

Post:

Attention: Data Protection Officer
Verra
1 Thomas Circle, Suite 1050
Washington DC, 20005, USA
Email: Privacy@verra.org

Date of Verra GDPR Privacy Policy: 19 January 2021