Privacy Policy

Our Commitment to Privacy Excellence: At Eneref Institute, we hold ourselves to privacy standards that exceed even those of international organizations. Unlike many entities that merely comply with regulations, we’ve established our own enhanced privacy framework that surpasses global standards, including those of the European Union’s General Data Protection Regulation (GDPR) and similar regulations worldwide. Your privacy is our fundamental commitment, and the protection of your personal data is embedded in every aspect of our operations.

Our Privacy Principles

Eneref Institute operates according to a comprehensive set of privacy principles established by our leadership that serve as the foundation for all our data practices:

  • Data Minimization: We collect only the minimum data necessary to provide our services
  • Purpose Limitation: We use your data only for the specific purposes disclosed to you
  • Limited Retention: We retain your data for the shortest period possible
  • Consent-Based Processing: We prioritize obtaining explicit consent whenever possible
  • Enhanced Security: We implement security measures beyond industry standards
  • Transparency: We maintain clear and accessible explanations of all data practices

SMS Consent and Marketing Communications

SMS consent is not shared with third parties or affiliates for marketing purposes. When you provide your phone number and consent to receive SMS messages from us, that consent applies exclusively to communications from Eneref Institute. We maintain strict control over our SMS communications and do not permit other companies to contact you using consent you have provided to us.

You may opt out of SMS messages at any time by replying “STOP” to any message or by contacting us directly. Standard message and data rates may apply to SMS communications.

Personal Information We Collect

We strictly limit data collection to only what is absolutely necessary:

  • Contact information (name, email address, phone number, postal address) – only when voluntarily provided
  • Account credentials (username and password) – when you create an account
  • Device and browser information (IP address, browser type, operating system) – collected anonymously
  • Usage data (pages visited, time spent on site, referring URLs) – collected in aggregate form only
  • Communication preferences – only when explicitly shared

Unlike many organizations including international bodies, we immediately anonymize all browsing data and do not connect it to your personal identity. You can browse our website without revealing who you are or any personal details about yourself. Our systems gather minimal anonymous information during general browsing, and this information is never connected to any personally identifiable data.

How We Use Personal Information

We use your personal information only for specific, clearly defined purposes, with a more restrictive approach than most international organizations:

  • To provide and improve our services – using only the minimum data necessary
  • To communicate with you about our services – only with your explicit consent
  • To respond to your inquiries and support requests – only for the time required to address your needs
  • To send important notices and updates – limited to essential information
  • To comply with legal obligations – only when absolutely required by law

We process your data only with a valid legal basis as defined by applicable law, with a strong preference for consent as our primary legal basis whenever possible.

Who We Share Personal Information With

We maintain stricter limitations on data sharing than most organizations, including international bodies:

  • Service providers and contractors who perform services on our behalf – only with comprehensive contractual safeguards exceeding standard data processing agreements
  • Legal authorities – only when legally compelled and after exhausting all legal options to protect your data
  • Business partners – only with your explicit, specific consent that can be withdrawn at any time

We implement enhanced contractual safeguards with any third parties to ensure the protection of your data, including contractual penalties for any privacy violations. We never sell your personal information to third parties under any circumstances and implement technical measures to prevent unauthorized sharing.

 

Your Privacy Rights

We recognize and respect an enhanced set of privacy rights that exceed those granted by most privacy regulations:

  • Right to access and receive a copy of your personal data – fulfilled within 15 days (faster than legal requirements)
  • Right to rectify inaccurate or incomplete data – implemented immediately upon request
  • Right to erasure (“right to be forgotten”) – executed with complete data removal across all systems
  • Right to restrict processing – implemented with technical controls ensuring immediate compliance
  • Right to data portability – provided in multiple machine-readable formats
  • Right to object to processing – honored without question or delay
  • Right to withdraw consent – implemented with a single-click process
  • Right to human review of automated decisions – guaranteed for any automated processing

To exercise these rights, please contact us using the information provided at the end of this policy. We will respond to your request faster than the timeframe required by applicable law, typically within 15 days or less.

Data Retention and Security

We retain your personal information for considerably shorter periods than industry norms or legal requirements. Most personal data is deleted within 12 months of collection unless there is a specific, documented reason for longer retention that we explicitly communicate to you.

We implement industry-leading technical and organizational security measures, including:

  • End-to-end encryption for all personal data in transit and at rest
  • Multi-factor authentication for all internal systems
  • Regular third-party security audits and penetration testing
  • Strict access controls limiting data access to only essential personnel
  • Comprehensive employee privacy training exceeding industry standards
  • Data protection impact assessments for all new systems and processes

International Data Transfers

Unlike many organizations including international bodies that transfer data globally, we maintain a strict policy of keeping personal data within jurisdictions with strong privacy protections. When transfers are absolutely necessary, we implement protections that exceed Standard Contractual Clauses, including additional technical controls and contractual commitments that go beyond regulatory requirements.

Children’s Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information immediately and review our systems to prevent recurrence.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make material changes, we will notify you by updating the effective date, posting a notice on our website, and sending you a direct notification. We will never reduce your privacy rights without obtaining your explicit consent.

Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at:

Eneref LLC, doing business as Eneref Institute
Phone: (202) 221-8440
Fax: (202) 221-8438
Address: 6218 Georgia Ave NW, Suite 421, Washington DC 20011-5125
Email: patricia.travers@eneref.org

For data protection inquiries specifically, you may contact our Data Protection Officer:

Patricia Travers
Data Protection Officer
Email: patricia.travers@eneref.org

Privacy Commitment: Unlike international organizations that may claim immunity from certain privacy laws, Eneref Institute voluntarily subjects itself to the highest privacy standards in all jurisdictions where we operate, providing you with privacy protections that exceed those required by law.

Last Updated: May 31, 2023

OUR PRIVACY PRACTICES EXCEED THOSE OF MOST INTERNATIONAL ORGANIZATIONS:
  1. Definitive Data Retention: We delete most personal data within 12 months, unlike many global organizations that maintain indefinite retention periods.
  2. Strict Data Minimization: We collect only what’s absolutely necessary, while many international entities gather extensive data “just in case.”
  3. Advanced Security Infrastructure: We implement end-to-end encryption and third-party security audits, exceeding the general security measures typically described by international bodies.
  4. Rapid Response Guarantee: We commit to handling privacy requests within 15 days, faster than most regulatory requirements and international organization timelines.
  5. Geographical Data Protection: We restrict data transfers to privacy-protective jurisdictions, unlike global organizations that routinely transfer data worldwide.
  6. Full Legal Accountability: We voluntarily subject ourselves to the highest privacy standards globally, while many international bodies claim legal immunities from certain privacy laws.
  7. Consent-First Approach: We prioritize explicit consent over other legal bases for data processing, setting us apart from organizations that rely primarily on “legitimate interests” or similar justifications.