The Counterbalance Arts Collective (CBAC) is deeply committed to upholding the trust of our community, which encompasses our artists, students, families, volunteers, donors, and website visitors. We recognize that your privacy is paramount, especially in an increasingly digital world where information security is a foundational aspect of public trust. This Comprehensive Privacy Policy outlines, in extensive detail, the types of personal data we collect, the specific methods we use to collect it, the legal justifications and purposes for its use, the measures we take to secure it, and your rights concerning this information. Our policy is guided by principles of transparency, necessity, and proportionality—we only collect data that is strictly necessary to fulfill our mission, provide high-quality programming, maintain operational integrity, and comply with legal obligations. As an artist-led nonprofit organization, we view data stewardship as an ethical responsibility, ensuring that the same integrity and intentionality we apply to our artistic and educational programs are applied to the handling of your sensitive personal information. This document serves as our binding pledge to manage your data responsibly, securely, and in strict adherence to applicable privacy regulations. We aim for this policy to be accessible and easily understandable, acting as a clear counterweight to the often-opaque nature of digital data management, thereby fostering a stronger, more trusting relationship with every individual who engages with the Collective. We encourage you to read this policy in its entirety to understand how your information contributes to the success and sustainability of our mission.

2. Scope and Application of this Policy

Defining the Boundaries of Our Data Protection Efforts

This Privacy Policy applies universally to all forms of personal data collected, processed, and stored by the Counterbalance Arts Collective through any medium, which includes, but is not limited to: our primary organizational website (www.cbac.lat and all subdomains); dedicated portals used for enrollment, donation, or volunteer applications; information collected via physical forms submitted at our 176 Highland Drive location; data gathered during public events, exhibitions, and community workshops; and personal details exchanged through email, telephone, or other direct digital communications with our staff, collective artists, and representatives. It covers all individuals who interact with CBAC, including registered students and their parents/guardians, collective members, employees, financial donors, partners, and casual website visitors. The policies and practices detailed herein are designed to comply with a framework of international data protection standards, including principles found in the European Union’s General Data Protection Regulation (GDPR) and various US state laws, ensuring a consistent and high level of protection for our diverse global and local community. It is important to note that while we provide links to third-party sites, such as ticketing agents or educational resources, this policy does not extend to the data practices of those external entities, and we encourage you to review their policies independently. This policy is a comprehensive document intended to cover all aspects of our organization’s data handling lifecycle, from the point of initial collection through secure deletion and archival.

3. The Personal Data We Collect and Methods of Collection

Detailed Inventory of Information Gathered and How It Is Acquired

The personal data collected by CBAC is segmented into several categories based on the nature of your interaction with the Collective, and we employ several transparent methods for its acquisition. A. Identity and Contact Data: This includes foundational information necessary for communication and identification, such as your full name, physical mailing address (176 HIGHLAND DRIVE, SEATTLE, WA 98109), email address (e.g., info@cbac.lat), dedicated telephone numbers (555) 123-4567, and, for students, their date of birth and gender. This data is typically collected through mandatory fields on enrollment forms, donation processing forms, or sign-up sheets for our e-newsletter and events. B. Program and Transactional Data: This encompasses information related to your use of our services, including program enrollment history, class attendance records, payment history, tuition fees paid, and purchase details related to art sales or merchandise. This data is collected during the secure online checkout process or through paper forms processed by our administrative team. C. Technical and Usage Data: When you visit our website, our servers automatically record certain information, including your Internet Protocol (IP) address, browser type and version, time zone setting, operating system, and data about your browsing patterns and interactions with our site pages (e.g., time spent on specific pages, search terms used). This is collected automatically via cookies, server logs, and analytics software. D. Health and Safety Data (Sensitive): For youth program participants and employees, we collect necessary health information, including emergency contact details, documented allergies (e.g., food, material-based), required medications, and specific physical accommodations needed to ensure a safe and supportive studio environment. This sensitive data is collected directly from parents/guardians or employees through secure, dedicated forms only when absolutely necessary for safety and immediate care, and its access is strictly limited within the organization. E. Photographic and Media Data: We may capture photographs or video recordings during classes, exhibitions, and public events for use in promotional materials, grant applications, and website content (such as testimonials). This is always done with advance notice and, for minors, requires explicit written consent from a parent or guardian, ensuring full transparency regarding our media usage practices and respecting the right of individuals to opt out of participation in any media capture.

4. Legal Basis and Specific Purposes for Data Processing

The ‘Why’ Behind Our Data Collection and Compliance Obligations

We process personal data only when we have a clearly defined legal basis to do so, ensuring that every collection activity is proportionate to its intended purpose and serves the mission of the Counterbalance Arts Collective while adhering to legal requirements. Our core purposes and legal bases for processing include: A. Fulfillment of Contract: The primary purpose of collecting Identity, Contact, and Program Data is to perform the contract entered into with you, which includes managing your enrollment in a class, processing your tuition payment, providing administrative support related to your participation, and delivering the promised educational or artistic service. B. Legitimate Interests: We process Technical and Usage Data to pursue our legitimate interest in improving our operations, ensuring network security, and understanding website traffic patterns to better tailor our online content and marketing efforts to our community’s needs. We also rely on legitimate interest for non-sensitive internal communications and for certain necessary administrative functions. C. Legal Compliance: We process financial and tax-related Transactional Data to comply with mandatory legal obligations, such as maintaining accurate financial records for tax purposes, conducting required employee background checks, and meeting specific grant reporting requirements mandated by funding bodies. D. Vital Interests and Public Interest: Health and Safety Data is processed under the legal basis of protecting the vital interests of the data subject (especially minors) or others, enabling us to provide emergency care or make essential safety accommodations within the studio environment, ensuring the well-being of everyone at 176 Highland Drive. E. Consent: We rely on explicit, informed consent for activities that are not core to program delivery but enhance the community experience, such as sending marketing or fundraising newsletters, or for using Photographic and Media Data in public-facing materials. You have the right to withdraw this consent at any time without impacting your participation in our core programs, and we provide clear mechanisms for opting out of these non-essential communications.

5. Data Sharing, Disclosure, and Third-Party Processors

Who We Share Information With and Why: Maintaining Confidentiality

The Counterbalance Arts Collective is committed to limiting the sharing of your personal data; we do not, under any circumstances, sell, rent, or trade your personal information to external marketers or unauthorized third parties. However, in order to operate efficiently and fulfill our core services, we must engage with trusted third-party service providers and, in limited instances, comply with legal requirements for disclosure. A. Payment Processors: We share necessary Transactional Data with secure, industry-standard payment processing services (e.g., Stripe, PayPal) to process tuition fees and donations. These entities are obligated by contract to protect your data and are compliant with Payment Card Industry Data Security Standards (PCI DSS). B. IT and Cloud Service Providers: We utilize third-party cloud-based services (e.g., secure data storage, email hosting, customer relationship management software) to store, manage, and process data securely. These providers act as data processors under our instruction and are required to implement robust technical and organizational security measures that match or exceed our own standards. C. Educational and Program Partners: In the context of collaborative projects with local schools or community partners (as outlined in our Community & Engagement section), we may share limited, necessary Identity and Program Data (e.g., class rosters, attendance data) strictly to facilitate the joint program delivery and comply with partnership agreements. We always minimize the data shared and execute formal data sharing agreements. D. Legal and Regulatory Disclosure: We will disclose personal data when required by law, such as in response to a valid court order, a legally binding subpoena, or to comply with necessary governmental or regulatory reporting obligations (e.g., tax authorities, law enforcement agencies), or to protect the rights, property, or safety of CBAC, our staff, or the public. We will always attempt to notify the affected individuals before sharing data in response to legal processes unless legally prohibited from doing so. E. Donors and Public Recognition: For those who opt for public recognition as donors, we may share their name and donation level in annual reports or on our website, but only with their explicit consent or stated preference during the donation process.

6. International Data Transfers

Protecting Data Across Geographical Boundaries

As a Seattle-based organization that utilizes globally-operating cloud infrastructure and serves a community that includes international members and visiting artists, the processing of your personal data may involve the transfer and storage of data outside of the United States. Whenever we transfer your personal data outside of its country of origin, we take rigorous steps to ensure that your data receives a similar and adequate level of protection as mandated by local laws, even when the data is crossing borders. This is achieved primarily through the implementation of legal and technical safeguards with our third-party processors. Specifically, for any transfers involving the personal data of individuals residing in the European Economic Area (EEA), we ensure that these transfers rely on recognized legal mechanisms, such as contractual clauses approved by competent authorities (Standard Contractual Clauses or SCCs), or by utilizing providers who are certified under recognized legal frameworks designed to secure international data flows. We maintain comprehensive documentation of all international data transfer agreements and conduct due diligence on all cross-border data processors to confirm they meet our internal security and compliance standards, ensuring that data stored on servers outside the US is just as secure as data managed directly at 176 Highland Drive. Our commitment to accessibility does not compromise our commitment to global data protection standards, ensuring that our outreach is inclusive but our security is universal.

7. Data Security and Technical Safeguards

Implementing Robust Protections for Digital and Physical Information

The Counterbalance Arts Collective maintains a comprehensive and layered security architecture designed to protect personal data from unauthorized access, accidental loss, disclosure, alteration, or destruction, treating data integrity with the same seriousness as artistic integrity. Our technical safeguards include A. Encryption: All sensitive personal data, especially Transactional and Health Data, is encrypted both in transit (using TLS/SSL protocols) and at rest (using AES-256 encryption or equivalent) within our databases and cloud storage environments. B. Access Control: Access to digital and physical records containing personal data is strictly limited to employees, collective artists, and volunteers who require the information to perform their specific job functions (a principle known as ‘least privilege’). This access is managed through robust authentication protocols, multi-factor authentication (MFA) for key systems, and regular review of access rights. C. Network and System Security: Our internal networks are protected by enterprise-grade firewalls and intrusion detection systems, and we implement regular vulnerability scanning and penetration testing to proactively identify and mitigate security weaknesses. D. Physical Security: At our 176 Highland Drive facility, physical records (such as signed enrollment forms or health waivers) are stored in locked, secure cabinets within access-controlled administrative offices. E. Employee Training: All CBAC staff and collective members receive mandatory annual training on data protection best practices, privacy policies, and security incident response procedures, fostering a culture of security awareness across the organization. While no digital system can guarantee absolute security, we continuously review and update our security practices in line with industry standards to provide the maximum possible protection for the valuable personal data entrusted to us.

8. Data Retention and Destruction Policy

Determining How Long We Keep Your Data and Ensuring Secure Disposal

We adhere to a strict data retention policy, ensuring that personal data is only kept for as long as is necessary to fulfill the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements that may apply to our nonprofit operations. A. Program Data and Enrollment Records: Data related to student enrollment, attendance, and program history is typically retained for a minimum period of seven years after the last date of interaction, necessary for historical archival, alumni outreach, and the provision of necessary academic references or documentation required by former students. B. Financial and Transactional Data: This data is generally retained for a period of seven to ten years to comply with mandatory US federal and state tax laws and auditing requirements. C. Health and Safety Data: Sensitive health data for minors is destroyed (securely deleted or shredded) shortly after the student’s final date of program participation, as the immediate safety necessity for retention expires. D. Media and Consent Records: Records pertaining to photographic and media consent are retained indefinitely to ensure that we maintain clear legal documentation for all public-facing archival images and videos. E. Data Destruction: Once the retention period expires, we utilize secure, verifiable methods for data destruction, which includes cryptographic erasure for digital data stored in cloud environments and cross-shredding for all physical documentation, ensuring that data cannot be reconstructed or retrieved after deletion, thereby providing a secure counterbalance to the risk of long-term data exposure.

9. Your Rights as a Data Subject

Empowering You with Control Over Your Personal Information

Under applicable data protection laws, you possess a range of rights concerning your personal data that the Counterbalance Arts Collective fully respects and is committed to enabling. These rights include: A. The Right to Access: You have the right to request confirmation of whether we are processing your personal data and, if so, to obtain a copy of that data, along with specific details regarding the purposes of processing and the categories of data involved. B. The Right to Rectification: You can request that we correct any inaccurate or incomplete personal data we hold about you (e.g., updating an email address or correcting a spelling error in your name). C. The Right to Erasure (The Right to be Forgotten): You have the right to request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected, or if you withdraw consent, provided there are no overriding legal obligations requiring us to retain it (e.g., tax records). D. The Right to Restrict Processing: You can request that we temporarily suspend the processing of your personal data if you contest its accuracy or if the processing is deemed unlawful, allowing for a review period. E. The Right to Object: You have the right to object to the processing of your personal data where we are relying on a legitimate interest as the legal basis, particularly in relation to direct marketing activities. F. The Right to Data Portability: Where technically feasible, you have the right to request that your personal data be transferred to you or a third party in a structured, commonly used, machine-readable format. G. Withdrawal of Consent: You have the right to withdraw consent for processing activities based on consent at any time, which we will honor promptly. To exercise any of these rights, please submit a formal written request to our designated Privacy Officer via the email address listed in the policy’s Contact Details section. We will acknowledge receipt of your request and provide a substantive response within a legally mandated timeframe, typically 30 days, ensuring that your control over your data is immediate and effective.

10. Policy Updates and Contact Details

Transparency in Revision and How to Reach Our Privacy Officer

The Counterbalance Arts Collective reserves the right to modify or update this Privacy Policy periodically to reflect changes in our operational practices, educational offerings, or regulatory requirements. Any material changes to the policy will be communicated clearly and prominently on our website, and where appropriate, we will notify registered users via email. The most current version of this document will always be available on our website, and we encourage frequent review to stay informed about our data handling practices. This commitment to transparency ensures that our policies evolve ethically alongside the digital and creative landscape.

Privacy Officer Contact Details: For all questions, concerns, or requests related to this Privacy Policy, including exercising your rights as a data subject, please contact our designated Privacy Officer in writing:

Attention: CBAC Privacy Officer Email: privacy@cbac.lat Mailing Address: Counterbalance Arts Collective, 176 HIGHLAND DRIVE, SEATTLE, WA 98109

We take every privacy inquiry seriously and are dedicated to resolving any concerns you may have in a fair, thorough, and timely manner, continuing our commitment to integrity and trust within the artistic community we serve.