Privacy Policy

Collecting Personal Information
This Privacy Policy describes how shop.rom.on.ca ("ROM Boutique", the “Site” or “we”) collects, uses, and discloses your Personal Information when you visit or make a purchase from the Site.

When you visit the Site, we collect certain information about your device, your interaction with the Site, and information necessary to process your purchases. We may also collect additional information if you contact us for customer support. In this Privacy Policy, we refer to any information that can uniquely identify an individual (including the information below) as “Personal Information”.

Privacy Policy
ROM (“we” or “us”) is committed to safeguarding the personal information entrusted to us by our visitors, customers, donors, sponsors, members and volunteers (collectively, “Supporters”).  As such, we comply with the requirements of the Freedom of Information and Protection of Privacy Act (Ontario) and the Personal Information Protection and Electronic Documents Act (Canada) and we uphold the principles of the Donor Bill of Rights developed by the Association of Fundraising Professionals.  ROM employs reasonable administrative and technical measures to ensure the security of all the personal information we collect.  Our credit card processing system is Payment Card Industry compliant.

What Our Privacy Policy Covers
We value the trust of our Supporters and recognize that maintaining this trust requires that we be transparent and accountable in how we treat the information that is provided to us by our Supporters. This privacy policy describes how the ROM collects, uses and shares the personal information of its Supporters. When we use the term “personal information” we are referring to information that is about an identifiable individual; however, “personal information” does not include business contact information or certain publicly available information. This policy applies to the ROM and to any other person providing services on our behalf. A copy of this policy will be provided upon request.

What We Collect
Personal information is collected when a Supporter supplies it to us voluntarily; for example, by purchasing product online, purchasing tickets to an exhibition, registering for a program, making a donation, engaging with us on social media, entering a contest or subscribing to our e-newsletter.

The following are examples of the personal information that we collect in respect of our Supporters:

  • contact information (including salutation, name, professional title, home and business address, phone number and email address)
  • the type of ROM membership purchased and the contact information for the primary and secondary cardholder for the membership
  • the product purchased as well as shipping and billing address
  • the number and type of tickets purchased, including whether tickets were purchased for any of our special exhibitions
  • payment information (such as credit card number, expiry date and 3-digit CVV)
  • visiting history and program participation
  • images of visitors to the ROM, which are taken by our security cameras
  • value of any donation, sponsorship, grant and volunteer dues
  • volunteer status (active or inactive)
  • age, gender, marital or family status

To better understand our visitors and to improve the visitor experience on our website, ROM’s website collects data using services including Google Analytics; no personal information is collected through these tools that would allow ROM to identify individuals. For more information about Google Analytics, please visit: www.google.com/policies/privacy/partners/. We also collect information about email open rates and click-through rates to determine whether ROM’s electronic communications are effective.

When you visit our site, we may store some data on your computer in the form of a “cookie”. A “cookie” is a small piece of text that a website places in the cookie file of your browser that allows our site to recognize your personal computer the next time you visit. Cookies by themselves do not tell us your email address or otherwise identify you personally. Cookies cannot be used to run programs or deliver viruses to your computer. Your Web browser can be set to accept or reject cookies. Please note that disabling or deactivating cookies may result in a reduced availability of the functionality of our site or parts of our site may no longer function correctly.

ROM may use third parties to collect data from our website anonymously for marketing purposes (for example, advertisements). Users of our website will not be personally identified through this data and ROM does not see any data or contact information on an individual level. These third parties may include, but are not limited to, Facebook and/or Twitter. You may tailor your privacy settings to limit the collection of personal information.

How We Use Your Personal Information
We use personal information to:

  • communicate with our Supporters about our exhibitions, programs, events, offers, fundraising projects and other special initiatives
  • communicate with visitors about their experience at the ROM
  • contact Supporters to determine their interest in becoming members of the ROM and process memberships and membership renewals
  • contact Supporters in connection with fundraising efforts for the ROM and process donations, sponsorships, or grants
  • contact Supporters to determine their interest in purchasing tickets to a fundraising event and complete any ticket purchases and related registrations
  • contact Supporters in connection with opportunities to become a volunteer with the ROM and enroll any interested individuals as volunteers
  • maintain a robust database of current and past members of the ROM
  • deliver requested information about our programs and events

A Supporter may opt out of receiving communications from us by contacting our Privacy Officer, whose contact information may be found under the heading “Contact Us”.

How We Share Your Personal Information
As partners with a shared mission, ROM shares certain personal information about its Supporters (salutation, name, address, professional title, address, phone number, email address) with the Royal Ontario Museum Foundation (the “Foundation”) so that the Foundation may contact Supporters about whether they are interested in becoming members of or donors to the ROM or the Foundation. The ROM and the Foundation have entered into a data sharing and data protection agreement which commits the Foundation to keep Supporters’ personal information confidential and to comply with ROM’s privacy policy and all applicable privacy laws.

In some circumstances, ROM uses third-party vendors for services that would not be practical or cost-effective for us to perform ourselves. Some of the services that ROM retains a third-party vendor to perform include but are not limited to:

  • credit card processing
  • database analysis
  • tele-fundraising programs
  • updating our database

 Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.  When you purchase something from our store, as part of the buying and selling process, we collect the personal information you give us such as your name, address and email address.  When you browse our store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.  If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). Your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.  All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa and MasterCard etc. PCI-DSS requirements help ensure the secure handling of credit card information by our store and its service providers. You can read more about how Shopify uses your Personal Information here: https://www.shopify.com/legal/privacy. 

In all cases, the third-party vendor is contractually bound to comply with ROM’s privacy policy and all applicable privacy laws and to maintain the confidentiality of all personal information that ROM provides to it. The contracts with third-party vendors also require them to take reasonable precautions to protect the personal information under their control and to destroy such personal information upon completion of their services to ROM. Personal information sent between ROM and third-party vendors is transferred using secured password-protected file transfer protocols.

Where a member has granted his or her consent to do so, we may share his or her contact information with other not for profit entities within Canada. In those circumstances, ROM shares a member’s contact information with a third-party mailing house. The third-party vendor communicates with the ROM member on behalf of the other not-for-profit entity. The other not-for-profit entity only receives the contact information if the ROM member responds to the communication and engages directly with it. In all cases, the third-party mailing house is contractually bound to comply with ROM’s privacy policy and all applicable privacy laws and to maintain the confidentiality of all personal information that ROM provides to it.

We collect detailed medical information with respect to participants in our camps and children’s programs. We use this information solely to provide each camper with a high-quality experience, address any integration needs and manage any potential health issues. Except (i) as required by law, or (ii) in a medical emergency where disclosure is limited to medical personnel and law enforcement, we do not share this personal information with any third parties.

To provide a safe environment for visitors to the ROM, as well as for the artifacts and objects that we are entrusted to house, ROM has installed security cameras throughout the museum. We use footage from these cameras for security and loss prevention purposes and in connection with incident investigations. In addition, we may share this footage with law enforcement in connection with a criminal investigation.

ROM does not sell or rent its list of Supporters to any organization.

When a Supporter provides personal information to the ROM, he or she is consenting to ROM’s collection, use, and disclosure of his or her personal information in accordance with this privacy policy. A Supporter may refuse or withdraw his or her consent to the collection, use, or disclosure of his or her personal information at any time by contacting our Privacy Officer, whose contact information may be found under the heading “Contact Us”. We will act on such requests promptly.

Retention of Personal Information
ROM retains personal information only for as long as necessary to fulfill the purpose(s) for which it was collected and to comply with applicable laws. When personal information is no longer (i) necessary or relevant for the identified purposes, (ii) required to be retained by applicable laws, or (iii) required to enable ROM to maintain a robust database of current and past members of the ROM, ROM will take steps to have such personal information deleted, destroyed, erased, aggregated, or made anonymous. ROM uses reasonable business practices to ensure that we have appropriate practices relating to information security and policies with respect to records retention and destruction with respect to all personal information under our control.

Accuracy and Access
ROM takes reasonable steps to ensure that personal information that it maintains about Supporters is accurate, complete, and up to date. If a Supporter becomes aware that any personal information under our control about him or her is not correct, please contact our Privacy Officer, whose contact information may be found under the heading “Contact Us”.

Supporters are entitled to a copy of the personal information that ROM has under our control about them; if you would like a copy of such information, please contact us. We will take reasonable steps to verify your identity before granting access or making corrections. In addition, your right to access or correct your personal information is subject to certain legal restrictions.

Children Under the Age of 13
Children should use ROM’s website only with the approval of a parent or guardian. A child under the age of 13 should not provide ROM with any personal information unless his or her parent or guardian has consented to such disclosure. ROM does not knowingly collect any personal information from children under the age of 13. If a parent or guardian learns that his or her child under the age of 13 has provided ROM with personal information without his or her consent, the parent or guardian should immediately contact our Privacy Officer, whose contact information may be found under the heading “Contact Us”, and we will remove this personal information from our database.

For Customers outside Canada:
If you are a European resident, you have the right to access personal information we hold about you and to ask that your personal information be corrected, updated, or deleted. If you would like to exercise this right, please contact us through the contact information below. 

Additionally, if you are a European resident, note that we process your information in order to fulfill contracts we might have with you (for example, if you make an order through the Site), or otherwise to pursue our legitimate business interests listed above. Please also note that your information will be transferred outside of Europe, including to Canada and the United States. For more information on how data transfers comply with the GDPR, see Shopify’s GDPR Whitepaper: https://help.shopify.com/en/manual/your-account/privacy/GDPR.

If you are a resident of California, you have the right to access the Personal Information we hold about you (also known as the ‘Right to Know’), to port it to a new service, and to ask that your Personal Information be corrected, updated, or erased. If you wish to exercise these rights, please contact us through the contact information below. 

If you would like to designate an authorized agent to submit these requests on your behalf, please contact us at the address below.

Contact Us
The Privacy Officer of the ROM works closely with the Freedom of Information & Protection of Privacy Coordinator of the Foundation in order to comply with the principles and policies of Imagine Canada, the Personal Information Protection and Electronic Documents Act (Canada), and the Freedom of Information and Protection of Privacy Act (Ontario).

If you have any questions about our privacy or security practices, if you would like to request access to or correction of your personal information, or if you would like to opt out of receiving communications from us in the future, please contact our privacy officer by mail, telephone, or email:

The Royal Ontario Museum
Attention: Susan Fruchter, Privacy Officer
100 Queen’s Park
Toronto, ON M6S 2C6


Changes to this Policy
We may revise our privacy policy from time to time. You should review our privacy policy periodically so that you keep up-to-date on our most current practices. We will note the effective date at the end of each version of our privacy policy.

Effective as of June 2, 2021