EFF's Site Privacy Guide for join.eff.org

EFF's events portal site (https://join.eff.org) is built on Microsoft Power Pages, part of the Microsoft Power Platform. Unlike some of the other third-party services we use, the data you submit through this site goes into a Microsoft Dynamics database that EFF operates directly. In the writeup below, "we" stands for EFF.

 Microsoft provides the platform; EFF holds and uses the data. That split matters for how to think about your privacy on this site, and there are a few aspects of the platform we don't fully control. We want to be transparent about what those are.

Note that actual donations and membership payments are processed through a separate donation system at https://supporters.eff.org/donate/ ; join.eff.org hosts our events registrations, contact forms, and subscription forms that write to our contact database.

Summary

 When you visit join.eff.org, Microsoft's platform assigns your browser a 90-day identifier that distinguishes you from other visitors. No personal information is stored in your browser. When you submit a form, the information you enter (name, email, and whatever else the form asks for) goes into EFF's contact database. If the form is a payment form, Stripe also loads on that page to handle the card fields, and Stripe applies its own fraud-detection fingerprinting. To manage your privacy on this site: clear cookies from join.eff.org if you want to reset your 90-day identifier, contact EFF if you want your data deleted, and consider installing Privacy Badger for protection across the web. Details below.

Managing your session

 When you visit join.eff.org, Microsoft's Power Pages platform sets a cookie called Dynamics365PortalAnalytics in your browser, valid for 90 days. According to Microsoft's documentation, this cookie is used to distinguish one visitor from another for service-reliability purposes, and doesn't contain personal information or a user identity — it's a pseudonymous ID assigned to your browser.

 Microsoft does not allow us to disable this cookie. Even visitors who decline cookies through a banner on this site would still receive it, because Power Pages treats it as essential to platform operation. We have raised this with Microsoft and would prefer the option to turn it off. In the meantime, if you want to reset the identifier, you can clear cookies for join.eff.org in your browser settings — a new 90-day identifier will be assigned on your next visit.

 The other cookies this site sets are short-lived session cookies that expire when you close your browser, and they handle routine things like your language preference, time zone, and the anti-forgery token that protects form submissions. None of them contain personal information, and they do not persist between browser sessions.

Managing your data

Any information you submit through a form on join.eff.org is stored in EFF's contact database and is handled under EFF's privacy policy. We — not Microsoft — decide what happens with it, and Microsoft operates the platform as our data processor.

If you would like your data deleted, please email membership@eff.org with the name and email address you used when submitting a form, and we will remove your record from our contact database.

If you submitted a form that signed you up for EFF's email lists and wish to unsubscribe, you can do so through the unsubscribe link at the bottom of any EFF email or at https://join.eff.org/Subscription/

Managing tracking on this site

We have configured join.eff.org without site-wide tracking. On pages where you are simply browsing, the only external services involved are Microsoft's own platform services (the Azure and Power Platform infrastructure that operate the site) — no third-party analytics, advertising, or session-recording tools are loaded.

On forms that collect payment, two additional services load:

Stripe, our payment processor, loads its JavaScript on pages with card fields to tokenize your card information so that it never touches our servers. Stripe's JavaScript also performs its own fraud-detection analysis when the page loads, including device fingerprinting, and sets a cookie scoped to join.eff.org that identifies your browser to Stripe for up to one year. The data Stripe collects on these pages is subject to Stripe's privacy policy, not EFF's.

 hCaptcha, a "prove you're a human" service, loads on forms to prevent automated spam. We selected hCaptcha specifically because it does not share data with Google (unlike the more common Google reCAPTCHA). hCaptcha is still a third party and is subject to its own privacy policy.

These two services only load on form pages that need them, not site-wide.

Because individual site policies don't always translate into full protection in practice, the most reliable way to protect yourself is to block trackers directly in your browser. We recommend installing Privacy Badger, EFF's free open-source browser extension, which automatically blocks third-party trackers across the web. Note that Privacy Badger will not block Stripe's fraud-detection scripts on our payment forms — those are required for the payment to function — but it will protect you on the many other sites where unexpected trackers are present.