Commit

chore(PrivacyPolicy): Update & GDPR compliance
Betree committed Feb 26, 2025
1 parent 9fa19da commit 79386d9
Showing 1 changed file with 95 additions and 20 deletions.
115 changes: 95 additions & 20 deletions components/static-pages/privacypolicy.md
@@ -1,11 +1,15 @@
# Open Collective Privacy Policy

**Last Updated: 7 January 2019**
**Last Updated: 2025-02-26**

<p class="lead">This Privacy Policy explains how information about you is collected, used, and disclosed by Open Collective, Inc. ("Open Collective" or “we”). This Privacy Policy applies to information we collect when you use our websites and online services (collectively, the Services) or when you otherwise interact with us.</p>
<p class="lead">This Privacy Policy explains how information about you is collected, used, and disclosed by OFi Technologies LLC ("OFi Technologies", "we", "us", or "our"), a company 100% owned and controlled by Open Finance Consortium, a C3 non-profit. The opencollective.com website is operated by OFi Technologies LLC. This Privacy Policy applies to information we collect when you use our websites and online services (collectively, the "Services") or when you otherwise interact with us.</p>

We may change this Privacy Policy from time to time. If we make changes, we will notify you by revising the date at the top of the policy and, in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification). We encourage you to review the Privacy Policy whenever you access the Services or otherwise interact with us to stay informed about our information practices and the ways you can help protect your privacy.

## Data Controller

OFi Technologies LLC is the data controller of your personal information. We are responsible for, and determine how your personal data is processed. If you have any questions about this Privacy Policy or how we handle your personal data, please contact our Data Protection Officer at [email protected].

## Collection of Information

### Information You Provide to Us
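
Review bot: The new lead paragraph defines the entity only as "OFi Technologies" / "we", but the rest of the policy still says "Open Collective" as a party (for example "protect the rights and property of Open Collective and others" and "Open Collective takes reasonable measures"), so that term is now undefined. Either add "Open Collective" to the defined terms in the lead, for instance as the name of the platform operated by OFi Technologies LLC, or replace the remaining occurrences. Also in the lead, "a C3 non-profit" is informal shorthand; spell out the legal status so that readers outside the US can tell what it refers to. In the Data Controller paragraph, "We are responsible for, and determine how your personal data is processed" reads more cleanly as "We are responsible for, and determine, how your personal data is processed."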
@@ -23,37 +27,89 @@ When you access or use our Services, we automatically collect information about

We may also obtain information from other sources. For example, if you connect your account with an account you have with a third-party service (such as GitHub), we will have access to certain information from that service, such as your profile information, in accordance with the authorization procedures determined by that service. Additionally, we may collect information about you from third-party sources that help us to learn more about you, like for example your profile picture or social media handles.

### Use of Information
## Legal Basis for Processing

We process your personal information on the following legal bases:

- **Performance of Contract**: Processing your information is necessary to provide the Services to you, such as creating an account, processing contributions, or handling expense reimbursements.
- **Legitimate Interest**: We process your information for our legitimate business interests, such as improving our Services, understanding how our Services are used, preventing fraud, and marketing our Services.
- **Consent**: In some cases, we process your information based on your consent, such as for certain types of marketing communications.
- **Legal Obligation**: We may process your information to comply with our legal obligations, such as maintaining financial records for tax purposes.

## Use of Information

We may use information about you for various purposes, including to:

- Provide, maintain and improve our Services, and develop new products and services;
- Provide and deliver the products and services you request,
- Provide and deliver the products and services you request;
- Send you notices, updates, and support and administrative messages;
- Communicate with you about products, services, offers, promotions, rewards, and events offered by Open Collective and others, and provide news and information we think will be of interest to you;
- Monitor and analyze trends, usage and activities in connection with our Services;
- Detect, investigate and prevent fraudulent transactions and other illegal activities and protect the rights and property of Open Collective and others;
- Personalize and improve the Services and provide, content or features that match user profiles or interests;
- Personalize and improve the Services and provide content or features that match user profiles or interests;
- Facilitate contests, sweepstakes and promotions and process and deliver entries and rewards;
- Link or combine with information we collect about you; and
- Carry out any other purpose described to you at the time the information was collected.

### Sharing of Information
## Sharing of Information

We may share information about you as follows or as otherwise described in this Privacy Policy:

- With hosts and organizers of a collective, if you are a contributor, or request reimbursement for expenses made in support, of that collective
- We will share your name and image with GitHub if you participate in a collective that is also working on a software project through GitHub.
- With hosts and organizers of a collective, if you are a contributor, or request reimbursement for expenses made in support, of that collective. The collective may use your information for the same purposes and under the same conditions as those outlined in this document. However, it remains solely and exclusively responsible for complying with its legal and declarative obligations in processing your personal data that it carries out by itself, with its own means, and for its own needs. We are only responsible for our use of your personal data, excluding any other uses made by the collective.
- We will share your name and image with GitHub if you participate in a collective that is also working on a software project through GitHub;
- With vendors, consultants and other service providers who need access to such information to carry out work on our behalf. If you submit a request to us, we will provide you with a list of the third-party service providers with which we have shared information about you for the 12 months prior to your request;
- In response to a request for information if we believe disclosure is in accordance with, or required by, any applicable law, regulation or legal process;
- If we believe your actions are inconsistent with our user agreements or policies, or to protect the rights, property and safety of Open Collective or others;
- In connection with, or during negotiations of, any merger, sale of Open Collective assets, financing or acquisition of all or a portion of our business by another Open Collective;
- With your consent or at your direction.
- In connection with, or during negotiations of, any merger, sale of Open Collective assets, financing or acquisition of all or a portion of our business by another company;
- With your consent or at your direction;
- We may also share aggregated or de-identified information, which cannot reasonably be used to identify you.

## Objections, Right To Be Forgotten, and Data Removal
## Third-Party Service Providers

We work with third-party service providers to perform various operations related to our Services. These providers may have access to your personal information only to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes. Our main third-party service providers include:

- **Stripe, PayPal, Wise**: Payment processors that handle financial transactions. When you make a payment through our platform, your payment information is collected and processed directly by these providers according to their privacy policies.

- **Sentry**: An error monitoring service that helps us identify and fix bugs in our applications. It may collect technical data related to errors encountered while using our Services.

- **Metabase**: An analytics platform we use to analyze data.

- **Heroku**: A cloud platform service where we host our applications. Your data may be stored on Heroku's servers as part of our service operations.

- **Cloudflare**: A content delivery network and security service that helps us deliver our Services efficiently and securely. Cloudflare may process your IP address and other technical information when you access our Services.

Each of these providers maintains their own privacy policies that govern how they use, store, and process the data they receive. We encourage you to review these policies for more information about their practices.

## Data Retention

We retain your personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you are unhappy with your information being processed, shared or stored in line with the content of this policy please email <a href="mailto:[email protected]">[email protected]</a> and we will work to remove public references to your activity on the site. Note that in order to maintain our accounting, tax and legal obligations we may be required to retain some private information about you once this process is complete.
Specifically:

- Account information is retained for as long as your account remains active, plus a retention period after account closure for legal and accounting purposes
- Financial transaction data is kept for at least 7 years to comply with tax and accounting requirements
- Communication records may be retained for 2 years after your last interaction with us

In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

## Your Rights Under GDPR and Other Privacy Laws

Depending on your location, you may have certain rights regarding your personal information. These may include:

- **Right to Access**: You have the right to request a copy of the personal information we hold about you.
- **Right to Rectification**: You have the right to request that we correct any inaccurate or incomplete personal information we hold about you.
- **Right to Erasure (Right to be Forgotten)**: You have the right to request that we delete your personal information in certain circumstances.
- **Right to Restriction of Processing**: You have the right to request that we restrict the processing of your personal information in certain circumstances.
- **Right to Data Portability**: You have the right to request that we transfer the personal information we hold about you to another organization, or directly to you, in certain circumstances.
- **Right to Object**: You have the right to object to the processing of your personal information in certain circumstances.
- **Rights Related to Automated Decision Making and Profiling**: You have rights related to how we use automated decision-making and profiling.
- **Right to Lodge a Complaint**: You have the right to lodge a complaint with a supervisory authority. If you are in the European Economic Area (EEA), you can find your national data protection authority on the European Data Protection Board website (https://edpb.europa.eu).

If you are unhappy with your information being processed, shared or stored in line with the content of this policy please email <a href="mailto:[email protected]">[email protected]</a> and we will work to address your concerns. Note that in order to maintain our accounting, tax and legal obligations we may be required to retain some private information about you even after processing a deletion request.

To exercise any of these rights, please contact us as described in the "Contact Us" section below. Please note that we may request specific information from you to help us confirm your identity and process your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to legal restrictions.

## Social Sharing Features
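
Review bot: In the Data Retention list, "plus a retention period after account closure for legal and accounting purposes" does not say how long that period is, while the next two bullets give 7 years and 2 years; state the duration or the criteria used to set it so that the three bullets are equally specific. In the Legal Basis list, marketing appears under both Legitimate Interest ("marketing our Services") and Consent ("certain types of marketing communications") without saying which marketing falls under which basis, and that matters for how a user opts out or withdraws consent. The Metabase entry ("An analytics platform we use to analyze data") should say what kind of data it receives, as the Sentry and Cloudflare entries do. Style: the first Sharing bullet now ends in several full sentences while the others end in semicolons, and "sale of Open Collective assets" keeps the old entity name next to the corrected "by another company".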

@@ -65,17 +121,22 @@ We engage other companies to provide analytics services via the Services. These

## Security

Open Collective takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction.
Open Collective takes reasonable measures to help protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction. These measures include encryption of personal data where appropriate, and regular review of our information collection, storage and processing practices.

## International Data Transfers

## Transfer of Information to the U.S. and Other Countries
Open Collective is based in the United States and the information we collect is governed by U.S. law. When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States or other countries which have not been determined by the European Commission to have laws that provide an adequate level of data protection, we use legal mechanisms designed to help ensure your rights and protections, including:

Open Collective is based in the United States and the information we collect is governed by U.S. law. By accessing or using the Services or otherwise providing information to us, you consent to the processing, transfer and storage of information in and to the U.S. and other countries, where you may not have the same rights and protections as you do under local law.
- Standard Contractual Clauses approved by the European Commission
- Obtaining your explicit consent for certain types of processing

By accessing or using the Services or otherwise providing information to us, you understand that your information will be processed as described in this Privacy Policy.

## Your Choices

### Account Information

You may update the profile information you provide by logging into your online account.
You may update the profile information you provide by logging into your online account. You may also request that we delete your account by contacting us at [email protected].

### Cookies
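
Review bot: In the International Data Transfers list, "Obtaining your explicit consent for certain types of processing" is listed as a transfer mechanism, but consent to processing is a legal basis for processing, not a safeguard for moving data out of the EEA; if the intent is to rely on explicit consent for specific transfers, say "for certain transfers" and keep it distinct from the Consent bullet under Legal Basis. The paragraph also still opens with "Open Collective is based in the United States" although the lead now names OFi Technologies LLC as the operator. In Security, "encryption of personal data where appropriate" would be more useful with one clause on scope, such as whether it covers data in transit, at rest, or both.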

@@ -85,12 +146,26 @@ Most web browsers are set to accept cookies by default. If you prefer, you can u

You may opt out of receiving promotional or notification emails from Open Collective by following the instructions in those emails. If you opt out, we may still send you non-promotional emails, such as those about your account or our ongoing business relations.

## GDPR
### Do Not Track

Some browsers offer a "Do Not Track" ("DNT") signal where you can indicate your preference regarding tracking and cross-site tracking. Although we do not currently employ technology that recognizes DNT signals, we will only process your personal data in accordance with this Privacy Policy.

## Automated Decision Making

We do not use automated decision-making processes that would produce legal effects concerning you or significantly affect you. If in the future we employ such processes, we will provide you with information about the logic involved, as well as the significance and potential consequences of such processing.

### Compliance
## Children's Privacy

Open Collective is GDPR compliant. We are not in the business of selling data to any 3rd party. Our business model is to take a commission on the money raised by Collectives (like most other crowdfunding platforms). Companies that sponsors Collectives don't get access to private information. Only the admins of the Collective (core contributors) and of the organization that is legally hosting the Collectives (fiscal sponsor) get access to your email address. We don't store credit card information on our servers (we only store a token if you have decided to save it to your profile). We don’t store any passwords. Since our entire code base is open source, anyone can easily audit it.
Our Services are not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If you are under 16, please do not provide any personal information to us. If you believe that a child under the age of 16 has provided us with personal information, please contact us at [email protected].

## Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post the new Privacy Policy on this page and change the date at the top. We encourage you to review the Privacy Policy whenever you access the Services to stay informed about our privacy practices and the ways you can help protect your privacy. If we make material changes to how we treat our users' personal information, we will notify you through an email.

## Contact Us

If you have any questions about this Privacy Policy, please contact us at: <a href="mailto:[email protected]">[email protected]</a>
If you have any questions about this Privacy Policy, or to exercise your rights regarding your personal data, please contact us at:

- Email: <a href="mailto:[email protected]">[email protected]</a>
- Mail: OFi Technologies LLC, 440 N Barranca Ave #3489, Covina, CA 91723, US
- Data Protection Officer: Benjamin Piouffle, <a href="mailto:[email protected]">[email protected]</a>
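
Review bot: The new "Changes to This Privacy Policy" section repeats the change-notice paragraph that is still at the top of the file, and the two do not match: the intro says "in some cases, we may provide you with additional notice (such as adding a statement to our homepage or sending you a notification)", while this section promises an email for material changes. Keep one of them, or make the intro point to this section. The removed Compliance paragraph was also the only place that stated concrete practices (no sale of data to third parties, only Collective admins and the fiscal sponsor see a contributor's email address, card data stored only as a token, no passwords stored); if those statements still hold, move them into Security or Sharing of Information rather than dropping them. In Contact Us, consider listing the Data Protection Officer by role and mailbox only, so that the policy does not need a new commit when the person changes.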
