Human Rights Watch Privacy Statement

This website together with any non-English language versions (the Human Rights Watch websites) are provided by Human Rights Watch, Inc. (“Human Rights Watch” or “HRW”) and hosted in the United States. Human Rights Watch is a non-profit, non-governmental organization that investigates and exposes abuses around the world and advocates for the protection of human rights and human dignity around the globe. We are committed to protecting your right to privacy.

What is this Privacy Statement? This Privacy Statement sets out our information processing practices in relation to you and your personal data. These principles apply when we collect personal data from you through any channel. It explains Human Rights Watch’s information processing practices and applies to any personal information you provide to Human Rights Watch and any personal information we collect from other sources. This Privacy Statement is a description of our practices and of your rights regarding your personal information, but it is not a contract and it does not create any new rights or obligations beyond what the law already provides. This Privacy Statement does not apply to your use of a third-party site linked to on this website. Please refer to the privacy statement of that third-party site to understand how they handle your personal information.

Who is responsible for your information? Throughout this Statement, “Human Rights Watch” or “HRW” refers to Human Rights Watch, Inc., and its various parts around the world, including its affiliated charities, branch offices and other registered entities (also referred to as “we”, “us”, or “our”). The Human Rights Watch entity responsible for your personal information (and the controller for the purposes of data protection laws) will be the member of Human Rights Watch that originally collects information from or about you. This may also be explained in separate privacy notices made available when your personal information is first collected by that Human Rights Watch entity.

When and how do we collect your information? Human Rights Watch collects personal information in the following ways: • Website and Application Use: We collect information about how visitors use our websites and applications. This may include the log data from your visit to our website; analytics data about your usage patterns and the performance of our website; and technical information about your browsers and device configuration. • Donations: If you donate to HRW, we collect the data required to process your donation with our payment processor(s). • Volunteer Participation and Employment: If you seek employment with HRW or volunteer for HRW, we will collect information related to your role. For instance, we will collect employment history information if you submit a resume to HRW. You may provide this information directly (through an online recruitment portal, careers site or via correspondence), or it may be provided via an agency. • Events: When you register for and attend a Human Rights Watch event, we will collect personal information in order to keep you informed about the event, track attendance, and provide appropriate accommodations. • Engagement with Campaigns: We keep a record of your engagement with our campaigns. If you engage with our campaigns, e.g., sign an online petition, we will keep a record of these interactions. • Inquiries: When you submit an inquiry, query, or complaint, we will collect the Personal Information you provide in order to assist you and follow up with you in the future. • Subscriptions: When you subscribe to one of our online services, such as newsletters, we collect the data needed to send you news and information related to your interests. • Other Sources: We use third-party advertising networks, analytics providers, hosting providers and search information providers from whom we may also receive general aggregated, anonymous information about you. HRW may also receive your personal information through referrals from others who believe you would like to support our cause. We may also combine data about you with data that is available from other sources including publicly available sources.

What information do we collect? Information you provide to us When you contact us, we may collect: your name, contact information including physical address, email address, telephone number, and any other information that you voluntarily provide to us. When a visitor provides personal information to us, we use it for the purposes for which it was provided to us as stated at the point of collection or as obvious from the context of collection. Information we collect over Human Rights Watch websites, mobile applications and social media For purposes of this Statement, “website” includes our mobile applications. We may collect some or all of the following types of information when you register for events, make inquiries, access various content and features or directly visit our websites. This includes, but is not limited to: • Contact information, such as name, e-mail address, postal address, phone number and mobile number; • User name, password, password reminder questions and password answers; • Communication preferences, such as which newsletters you would like to receive; • Search queries; • Contact information about others when you refer a friend to a particular site or service (note: this information is used solely to facilitate requested communications); and • Information posted in community discussions and other interactive online features. In some instances, we automatically collect certain types of information when you visit our websites and through e-mails that we may exchange. Automated technologies may include the use of web server logs to collect IP addresses, “cookies” and web beacons. Further information about our use of cookies can be found below in the Cookies and other Tracking Technologies section. Social Media: You can engage with us through social media websites or through features such as plug-ins or applications on Human Rights Watch websites that integrate with social media sites. You may also choose to link your account with us to third party social media sites. When you link your account or engage with us on or through third-party social media sites, plug-ins, or applications, you may allow us to have

ongoing access to certain information from your social media account (e.g., name, e-mail address, photo, gender, birthday, the posts or the ‘likes’ you make). If you post information when you interact with our websites through social media sites, plug-ins or other applications, depending on your privacy settings, this information may become public on the Internet. You can control what information you share through privacy settings available on some social media sites. For more information about how you can customize your privacy settings and how third party social media sites handle your personally identifiable information, please refer to their privacy help guides, privacy notices and terms of use. Mobile Devices: If you access our websites on your mobile telephone or mobile device, we may also collect your unique device identifier and mobile device IP address, as well as information about your device’s operating system, mobile carrier and your location information. We may also ask you to consent to providing your mobile phone number (for example, so that we can send you push notifications). How do we use your personal information? Providing you with personalized service; Operating this website and understanding its use for statistical purposes (number of site visits, average time visitors spend at the site, etc.) and security purposes; Managing and processing inquiries, registrations, donations and other interactions with you; Forwarding or sending petitions you have signed to advocacy targets; Providing you with information about services we offer such as newsletters, breaking news, reports, etc. and informing you of other relevant Human Rights Watch activities; We will not send you such information if you object to receiving it from us or, if applicable, local laws do not permit us to send such information to you. Please see the section on Your Choices Regarding Your Information below if you do not wish to receive such information; Other marketing purposes where you have consented (if required by applicable law); Sharing your contact information with our affiliates and third-party organizations which we feel could be of interest to you, provided you agree to such sharing and such sharing is legal under

applicable local law. Please see the section on Your Choices Regarding Your Information below if you do not wish to have your information shared in this way; Sharing the information that you provided us with third-party service providers who help us to provide our services and operate. Whenever possible or required by law, such sharing of information will be subject to an agreement with each such service provider, requiring such service provider to comply with data protection requirements. We use service providers, which may change from time to time, to undertake some of the following activities: • process donations; • operate our websites and other IT systems; • administer our e-mail lists; • offer publications or other products for sale on our site, for which in some cases you may automatically be directed away from our website to our third-party service providers; and • complying with applicable laws and regulations. Conducting data analytics Other uses: • Provide you with information and services; • Conduct data analysis so we can understand better how to inform the public; • Perform monitoring and training; • Develop new services; and • Conduct data processing where needed to fulfil a contract, such as when you purchase tickets to one of our events. If we wish to use your personal information for a purpose which is not compatible with the purpose for which it was collected for, we will request your consent. In all cases, we balance our legal use of your personal information with your interests, rights, and freedoms in accordance with applicable laws and regulations to make sure that your personal information is not subject to unnecessary risk.

Legal basis All processing (i.e., use) of your personal information is justified by a “lawful basis” for processing. In the majority of cases, processing will be justified on the basis that: • the processing is in our legitimate interests, subject to your interests and fundamental rights. • the processing is necessary for the performance of a contract to which you are a party, or to take steps (at your request) to enter into a contract; • the processing is necessary for us to comply with a relevant legal obligation (e.g., where we are required to make disclosures to courts or regulators); • the processing is necessary for the performance of a task carried out in the public interest (e.g., the tracking of human rights violations); In limited circumstances, we will use your consent as the basis for processing your personal information, for example, where we are required by law to obtain your prior consent in order to send you marketing communications. Before collecting and/or using any special categories of data, or criminal record data, we will establish a lawful exemption which will allow us to use that information. This exemption will typically be: • your explicit consent; • the establishment, exercise or defense by us or third parties of legal claims; or • a context specific exemption provided for under local laws of EU Member States and other countries implementing the GDPR or another relevant law. Do we collect information from children? Our website is not intended for children under 13 years of age. We do not knowingly collect personal information from an individual under age 13. If you are under the age of 13, please do not submit any personal information through the website. If you have reason to believe that we may have accidentally received personal information from an individual under age 13, please contact us immediately at privacy@hrw.org.

How long do we retain your personal information? How long we retain your personal information depends on the purpose for which it was obtained and its nature. We will keep your personal information for the period necessary to fulfill the purposes described in this Statement unless a longer retention period is permitted or required by law. In specific circumstances we may store your personal information for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal information or dealings. Do we disclose your personal information? Within Human Rights Watch We may share your personal information with other Human Rights Watch entities, divisions, and branch offices to serve you, including for the activities listed in this statement. We do not rent, sell or otherwise disclose personal information about our online visitors with unaffiliated third parties for their own marketing use. We do not share your personal information with third parties except in the following circumstances discussed below. Authorized Service Providers 1. Analytics We use third-party analytics tools to better understand who is using the website and how people are using it so we can continuously improve it. These tools may use cookies and other technologies to collect information about your use of the website and your preferences and activities. These tools collect information sent by your device or the website and other information that assists us in improving the website. This information may be used to analyze and track data, determine the popularity of certain content, and better understand your online activity, among other things. We use Chartbeat to provide real-time analytics to web sites and blogs. The interface tracks visitors, load times, and referring sites on a minute-by-minute basis. We use this information to improve the website and as otherwise described

in this privacy policy. Please see https://chartbeat.com/privacy for information about how Chartbeat uses this information. Chartbeat uses javascript to send tracking pings from users’ browsers to Chartbeat servers and allows HRW to monitor traffic and engagement in real time. Chartbeat may track your activity over time and across websites. We use Google Analytics to better understand who is using the website and how people are using it. Google Analytics uses cookies to collect and store information such as website pages visited, places where users click, time spent on each website page, Internet Protocol address, type of operating system used, location-based data, device ID, search history, gender, age, and phone number. We use this information to improve the website and as otherwise described in this Privacy Policy. Please see http://www.google.com/policies/privacy/partners/ for information about how Google Analytics uses this information, and visit https://tools.google.com/dlpage/gaoptout for information about the Google Analytics Opt-out Browser Add-on. Google may track your activity over time and across websites. We use Deep.BI to better understand who is using the service and how they are using it. Deep.BI uses javascript code to collect and store information such the pages of our website that you visit, the time and date of your visit, the time spent on those pages, and unique device identifiers as well as cookies to identify you and remember your preferences and various settings. We use this information to improve the Service and otherwise as described in this Privacy Policy. Please see http://www.deep.bi/privacy/ for information about how Deep.BI uses this information and for information about how to opt-out of Deep.BI. We use New Relic to better understand the performance of our website on users’ computer systems. New Relic gathers data regarding how many visitors are interacting with each page, how long before the first click occurs, if there are any scripts that are causing performance issues, the time assets are taking to load, and if there are any other scripting errors associated with the site. We use this information to improve the website and as otherwise described in this Privacy Policy. Please see https://newrelic.com/termsandconditions/privacy for information about how New Relic uses this information and for information about how to opt-out of New Relic targeted advertising. 2. Cookies and Other Tracking Technologies We, along with third-parties, use cookies, local storage objects, Web beacons and other technologies. These technologies are used for tracking, analytics and personalization and optimization of the website.

Cookies are small files that are transferred to and stored on your computer through your Web browser (if you allow it) that enable the website’s or service provider’s system to recognize your browser and capture and remember certain information. You can instruct your browser to stop accepting cookies. But if you do not accept cookies, you may not be able to use all portions of all functionality of the website. • Persistent cookies remain on the visitor’s computer after the browser has been closed. • Session cookies exist only during a visitor’s online session and disappear from the visitor’s computer when they close the browser software. Flash cookies (also known as local shared objects) are data files that can be created on your computer by the websites you visit and are a way for websites to store information for later use. Flash cookies are stored in different parts of your computer from ordinary browser cookies. You can disable the storage of flash cookies. For additional information about managing and disabling flash cookies, please visit http://helpx.adobe.com/flash-player/kb/disable-local-shared-objects- flash.html. Web beacons are small strings of code that provide a method for delivering a graphic image on a Web page or in an email message for the purpose of transferring data. You can disable the ability of Web beacons to capture information by blocking cookies. We use cookies and other tracking technologies on the website to help us understand and save your preferences and interests so we can personalize your future visits and compile aggregate data about website traffic and website interaction so that we can offer better website experiences and tools in the future. Some of our business partners, such as our analytics providers, advertising networks, social sharing provider, and social media connections, also use cookies and other tracking technologies on our website, some of which may track users acrosswebsitesandovertime. Giventhenatureofthird-partyservices,theyare constantly evolving and if you have any questions concerning the use or policies of those third parties, we encourage you to consult their Privacy Policies and Terms of Use directly. 3. Third Party Service Providers and Business Partners We may disclose your information to service providers we have retained (as processors) to perform services on our behalf (either in relation to services performed for our clients, or information which Human Rights Watch uses for its

own purposes, such as marketing). These service providers are restricted from using or disclosing the information except as necessary to perform services on our behalf or to comply with legal requirements. These activities could include any of the processing activities that we carry out as described in the above section, ‘How we use your personal information.’ Examples include: • IT service providers who manage our IT and back office systems and telecommunications networks; • marketing automation providers; • contact center providers. For a detailed list of Third-Party Service Providers and Business Partners that we may use to process personal data, please see our Third-Party Service Provider list. Legal Requirements and Business Transfers We may disclose personal information (i) if we are required to do so by law, legal process, statute, rule, regulation, or professional standard, or to respond to a subpoena, search warrant, or other legal request; (ii) in response to law enforcement authority or other government official requests; (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss; (iv) in connection with an investigation of suspected or actual illegal activity; or (v) in the event that Human Rights Watch is dissolved or otherwise reorganized. Disclosure may also be required for audits or to investigate a complaint or security threat. Do we transfer your personal information across national borders? We are a global organization and may transfer certain personal information across geographical borders to Human Rights Watch entities, authorized service providers or business partners in other countries working on our behalf in accordance with applicable law. Our affiliates and third parties may be based locally or they may be in other countries, some of which have not been determined by the European Commission to have an adequate level of data protection. When we do, we use a variety of legal mechanisms to help ensure your rights and protections travel with your data:

• we ensure transfers within Human Rights Watch are covered by agreements based on the EU Commission’s standard contractual clauses, which contractually oblige each member to ensure that personal information receives an adequate and consistent level of protection wherever it resides within Human Rights Watch; • where we transfer your personal information outside Human Rights Watch or to third parties who help provide our services, we obtain contractual commitments from them to protect your personal information. Some of these assurances are well recognized certification schemes like the EU - US Privacy Shield for the protection of personal information transferred from within the EU to the United States, or the standard contractual clauses; or • where we receive requests for information from law enforcement or regulators, we carefully validate these requests before any personal information is disclosed. Examples of countries we transfer personal information to include, but are not limited to, the United States, the United Kingdom and India. If you would like further information about whether your information will be disclosed to overseas recipients, please contact us as noted below. You also have a right to contact us for more information about the safeguards we have put in place (including a copy of relevant contractual commitments, which may be redacted for reasons of commercial confidentiality) to ensure the adequate protection of your personal information when this is transferred as mentioned above. Do we have security measures in place to protect your information? The security of your personal information is important to us and Human Rights Watch has implemented reasonable physical, technical and administrative security standards to protect personal information from loss, misuse, alteration or destruction. We protect your personal information against unauthorized access, use or disclosure, using security technologies and procedures, such as encryption and limited access. Only authorized individuals access your personal information, and they receive training about the importance of protecting personal information. While we take reasonable measures to protect the information you submit via the website against loss, theft, and unauthorized use, disclosure, or modification, we cannot guarantee its absolute security. No internet, email, or mobile application transmission is ever fully secure or error free. Email or other messages sent through the website may not be secure. You should use caution

whenever submitting information through email or the website and take special care in deciding which information you provide us. Our service providers and agents are contractually bound to maintain the confidentiality of personal information and may not use the information for any unauthorized purpose. We cannot guarantee that transmissions of your personal information will be fully secure and that third parties will never be able to defeat our security measures or the security measures of our partners. WE ASSUME NO LIABILITY FOR DISCLOSURE OF YOUR INFORMATION DUE TO TRANSMISSION ERRORS, THIRD PARTY ACCESS, OR CAUSES BEYOND OUR CONTROL. Your Choices Regarding Your Information We offer certain choices about how we communicate with you and what personal information we obtain about you and share with others. When you provide us with personal details, if we intend to use those details for marketing purposes, we will provide you with the option of whether you wish to receive promotional e- mail, SMS messages, telephone calls and postal mail from us. At any time, you may opt out from receiving interest-based advertising or marketing from us by contacting us. You may also choose not to receive marketing communications from us by clicking on the unsubscribe link or other instructions in our marketing e-mails or contacting us as noted below. You may update, correct, or change your information by contacting us at privacy@hrw.org or by following the instructions below in this Privacy Statement. How can you update your communication preferences? We take reasonable steps to provide you with communication about your information. You can update your communication preferences in the following ways. Newsletters If you request electronic communications, such as an e-newsletter, you will be able to unsubscribe at any time by following the instructions included in the communication.

Mobile Devices If you previously chose to receive push notifications on your mobile device from us but no longer wish to receive them, you can manage your preferences either through your device or the application settings. If you no longer wish to have any information collected by the mobile application, you may uninstall the application by using the uninstall process available on your mobile device. E-mail Contact us by e-mail or postal address as noted below. Please include your current contact information, the information you are interested in accessing and your requested changes. If we do not provide you with access, we will provide you with the reason for refusal and inform you of any exceptions relied upon. You may have certain other rights in relation to your personal information, depending on your place of nationality, residence, and the processing activity involved. These are described below. You can exercise your rights by contacting us. Subject to legal and other permissible considerations, we will make every reasonable effort to honor your request promptly or inform you if we require further information in order to fulfill your request. If you make a request, we may ask you for additional information to confirm your identity and for security purposes, before disclosing the personal information requested by you. We reserve the right to charge a fee where permitted by law, for instance if your request is manifestly unfounded or excessive. We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are legally entitled to deal with the request in a different way. EU Data Subject Rights If you are an EU Data Subject, you have the following rights of this EU Data Subject Rights section. To exercise these rights, please email us at privacy@hrw.orgwith a description of your request. Right to Access

You have right to access personal information that Human Rights Watch holds about you. Right to Rectification You have a right to request us to correct your personal information where it is inaccurate or out of date. Right to be Forgotten (Right to Erasure) You have the right, under certain circumstances, to have your personal information erased. Your information can only be erased if your data is no longer necessary for the purpose for which it was collected, and we have no other legal ground for processing the data. Right to Object to Processing You have the right to object to the processing of your personal information at any time, on legitimate grounds, except if otherwise permitted by applicable law, or to lodge a complaint with a supervisory authority. If you raise an objection, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms. Right to Restrict Processing You have the right to restrict the processing of your personal information, but only where: • its accuracy is contested, to allow us to verify its accuracy; or • the processing is unlawful, but you do not want it erased; or • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or • you have objected to processing of your data, and verification of overriding grounds is pending. Right to Data Portability You have the right to data portability, which requires us to provide personal information to you or another controller in a commonly used, machine readable format, but only where the processing of that information is based on (i) your consent; or (ii) the performance of a contract to which you are a party. Right to Decline Automated Decision Making

You have the right to not be subject to decisions based solely on automated decision making, which produce legal or significant effects for you, except where these are (i) necessary for a contract to which you are a party; (ii) authorized by law; (iii) based on your explicit consent. Even where such decisions are permitted, you can contest the decision and require Human Rights Watch to exercise human intervention. We currently do not use automated decision making (including automated decision making using profiling) when processing your personal information. If we ever use an automated decision making solution, you have a right to request that a decision based off your personal information cannot be solely decided via an automated process. International Transfers As noted above, you can ask to obtain a copy of, or reference to, the safeguards under which your personal information is transferred outside of the European Union. Your California Privacy Rights Section 1798.83 of the California Civil Code permits California residents to request from a business, with whom the California resident has an established business relationship, certain information about the types of personal information the business has shared with third parties for those third parties’ direct marketing purposes and the names and addresses of the third parties with whom the business has shared such information during the immediately preceding calendar year. You may make one request each year by emailing us at privacy@hrw.org or by writing us at Human Rights Watch 11500 W. Olympic Blvd., Suite 608 Los Angeles, CA 90064 USA. Information Collected From Other Websites and Mobile Applications and Do Not Track Policy Your browser or device may offer you a “Do Not Track” option, which allows you to signal to operators of websites, web applications, mobile applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities over time and/or across different websites or applications. Our website does not support Do Not Track requests at this time, which means that we or our analytics providers or other third parties with which we are working may collect information about your online activity both during and after your use of the website.

Contact Us If you have any questions, would like further information about our privacy and information handling practices, would like to discuss opt-outs or withdrawing consent, or would like to make a complaint about a breach of the Act or this Statement, please contact us at this address: privacy@hrw.org. Alternatively, you have the right to contact your local Data Protection Authority. If you have any questions relating to this Statement, you can contact us using the following means: By email at privacy@hrw.org or by mail sent to 350 Fifth Avenue, 34th Floor, New York, New York 10118 United States, Attention: Operations Changes to this Statement We may update this Statement from time to time. When we do, we will post the current version on this site, and we will revise the version date located at the bottom of this page. We encourage you to periodically review this Statement so that you will be aware of our privacy practices.

** This Statement was last updated on May 25, 2018. **