Last updated on 15/2/2022.
If you would like to contact us about the processing of your personal data or relating to any security concerns, please contact firstname.lastname@example.org
Proca is built to protect the privacy and security of supporters and users. Proca widgets do not set cookies nor collect personal information before explicit consent. Proca’s core has been audited by independent organisations and certified by the German Federal Office for Information Security (BSI), because it is used to power European Citizens’ Initiatives It is easy for organisations using Proca to encrypt the data they collect, collected supporter data is only accessible by the organisations who run that campaign.
We value movement generosity, no vendor lock-in and transparency of our code, and our platform is Free Software. We welcome anyone studying the code and improving it further.
Data we Collect
Data we collect falls into three different categories.
- Dashboard Users, ie, people who are using the Proca platform and Proca widgets.
- Public Users, who take part in actions using Proca widgets.
- Visitors to our website, forum, etc.
This data is collected, kept and processed by us with regards to dashboard users of the platform. This data is processed within our system (including any third-party services, microservices, etc) and not shared publicly or with any third parties.
The data we collect includes:
- Email address
- Organisation membership
- Associated campaigns which the user or their organisation is involved in
- Interactions on the dashboard (eg buttons clicked, settings changed, widget generation, etc)
- IP Address, browser data and other metrics are tracked for security and monitoring reasons and stored as standard server logs and not associated with other personal data
A ‘public user’ is anyone who interacts with a Proca widget. This may also be called a “supporter” as they have “supported” the campaign or are a “supporter” of an organisation.
Data collected through our platform (via widgets) would typically include: name; email address; the digital campaign action taken; and may also include: nationality; a comment submission or other custom field; phone number; date of birth; government ID (when required for a particular campaign). The particular fields of a form and data provided will vary as chosen by the organisation running the campaign and controlling the widget, and may also vary based on country. This list is not exhaustive but this information will always be submitted by a user.
Collected data goes to Proca servers and it is stored by us. We are processing this data on behalf of the organisation who collected it and do not otherwise use this information. The basis for this collection is (a) consent of the person submitting it and (b) legitimate interest of the campaign organisation controlling the widget. This data may be stored encrypted at rest if the campaign organisation have enabled encryption, which we encourage. This encrypts almost all of the collected data, but in some campaign configurations there may be personal data which is kept unencrypted on a need-to-function basis to allow emails to be sent to supporters (eg thank you or double opt-in emails) or a campaign action to be undertaken (eg a mail-to-target).
Metrics and Analytics
In addition to personal data collected by the form, some standard metrics and analytics will also be collected, such as IP address, device and browser information. We use IP address to do lookup for providing the user with a country-tailored service but do not otherwise store it or link it to collected personal data. IP addresses will be collected by hosting services to provide the hosting, which is standard metrics and security operations.
We track and store data about campaign pages being shared to social media, but not account details. When a user shares a link to a campaign on social media, we track that they have done this and if anyone else interacts or takes action with that link. This allows campaigners to track how their campaign is spreading on social media.
If a person makes a payment (usually a donation) using a widget, then the payment provider (Stripe, Paypal, etc) will provide us with:
- Donation amount
- Donation currency
- Your user id in the payment provider systems
- Last 4 digits of payment card, if used
- Date of expiry of payment card, if used:
Some campaigns may include the sharing of data with the public or a third party (usually the “target” of the campaign eg. state institution, representative, etc). In such campaigns, a privacy or data statement visible alongside the widget should make clear what will happen with personal information.
A digital action which includes comments published online is one example. This may be published on the campaigner’s website or submitted to another institution as a comment to publish.
In a mail-to-target campaign, some personal data (typically name, email address, physical address) will be sent to the “target” email address, in addition with the email content.
For a European Citizens Initiative, the collected ECI data will be stored securely on our server and passed onto relevant EU and Member State institutions in the submission of the collected signatures. As per the ECI Regulations, the ECI Support data is collected separately and have separate widget steps to signing up to a campaign organisation who are controlling the widget (or any other related digital action as part of the campaign). In collecting data for the ECI we follow strictly the regulation
Business, Forum, Website
As is normal for any business, we will store information about business contacts such as customers, partners, service providers, etc, based on the legitimate interest in doing so. We will also store personal data relating to people who apply to (or indeed do!) work or volunteer with us, based on the consent of the applicant and the legitimate interest in doing so.
Forum users will give a name or alias, an email address (which can be seen by other users or hidden from other users but visible to our staff team), a picture they submit (optional), as well as any posts, messages, etc. We also collect browser/user agent metrics including IP address. Most of the categories are non-public and only accessible to the people involved in a particular campaign or forum category, but if you have any concerns about access and sensitivity please let us know so we can ensure information is appropriately controlled.
There is no data tracking or cookies for any visitors to our website. We use Plausible Analytics to monitor aggregate data for our website which does not track any personal data (more information here).