Privacy Policy

Last updated on 15/2/2022.

Introduction

This privacy policy relates to services provided and activity relating to Fix the Status Quo’s business activity, which is primarily the Proca platform. Fix the Status Quo is a limited liability company registered in Harju maakond, Tallinn, Kristiine linnaosa, A. H. Tammsaare tee 47, 11316, Tallinn, Estonia, under the registration number 14614272.

If you would like to contact us about the processing of your personal data or relating to any security concerns, please contact support+privacy@fixthestatusquo.com

Proca is built to protect the privacy and security of supporters and users. Proca widgets do not set cookies or collect personal information before explicit consent. Proca’s core has been audited by independent organisations and certified by the German Federal Office for Information Security (BSI), because it is used to power European Citizens’ Initiatives. It is easy for organisations using Proca to encrypt the data they collect, and collected supporter data is only accessible by the organisations who run that campaign.

We value movement generosity, no vendor lock-in and transparency of our code, and our platform is Free Software. We welcome anyone studying the code and improving it further.

Data we Collect

Data we collect falls into three different categories.

  • Dashboard Users, ie, people who are using the Proca platform and Proca widgets.
  • Public Users, who take part in actions using Proca widgets.
  • Visitors to our website, forum, etc.

The primary basis for data we collect is consent, based on users voluntarily submitting data to us and with knowledge of this privacy policy. Some data may also be collected based on legitimate interest, for the function of the application or security purposes, or if an organisation we work with provides us with data they have collected for us to process. We have made our best efforts to list all the data we collect in this privacy policy.

Dashboard Users

This data is collected, kept and processed by us with regard to dashboard users of the platform. This data is processed within our system (including any third-party services, microservices, etc) and not shared publicly or with any third parties.

Most of this data is provided voluntarily by users when they register or otherwise submit information when interacting with the dashboard (or some other part of the system). The basis for collecting it is (a) consent (by users submitting the data and agreeing to the privacy policy) and (b) legitimate interest (for running and providing the service).

The data we collect includes:

  • Name
  • Email address
  • Organisation membership
  • Associated campaigns which the user or their organisation is involved in
  • Picture
  • Interactions on the dashboard (eg buttons clicked, settings changed, widget generation, etc)
  • IP Address, browser data and other metrics are tracked for security and monitoring reasons and stored as standard server logs and not associated with other personal data

Public Users

A ‘public user’ is anyone who interacts with a Proca widget. A public user may also be called a “supporter” as they have “supported” the campaign or are a “supporter” of an organisation.

Campaign Data

When a person interacts with a Proca widget, personal data will be collected when they submit it through the form. Most of this data is based on the fields of the form. Ultimately, this data is being collected by the organisation controlling the widget and it is their data to use in line with their privacy policy, and we are their subprocessor being used for their data collection.

Data collected through our platform (via widgets) would typically include: name; email address; the digital campaign action taken; and may also include: nationality; a comment submission or other custom field; phone number; date of birth; government ID (when required for a particular campaign). The particular fields of a form and data provided will vary as chosen by the organisation running the campaign and controlling the widget, and may also vary based on country. This list is not exhaustive but this information will always be submitted by a user.

Collected data goes to Proca servers and it is stored by us. We are processing this data on behalf of the organisation who collected it and do not otherwise use this information. The basis for this collection is (a) consent of the person submitting it and (b) legitimate interest of the campaign organisation controlling the widget. This data may be stored encrypted at rest if the campaign organisation have enabled encryption, which we encourage. This encrypts almost all of the collected data, but in some campaign configurations there may be personal data which is kept unencrypted on a need-to-function basis to allow emails to be sent to supporters (eg thank you or double opt-in emails) or a campaign action to be undertaken (eg a mail-to-target).  

The campaign organisation controlling a widget receives the data and should use it in line with their privacy policy (which should be linked to in the widget). The data is always encrypted during transfer either from supporter’s device to the server, or between servers, with HTTPS/SSL/TLS encryption. For communication from the organisation (mailings, etc) there will be a choice to opt-in or opt-out. Collected supporter data will be removed from our system one year after the campaign finishes or becomes inactive.

Metrics and Analytics

In addition to personal data collected by the form, some standard metrics and analytics will also be collected, such as IP address, device and browser information. We use the IP address to look up the user's country in order to provide a country-tailored service, but do not otherwise store it or link it to collected personal data. IP addresses will be collected by hosting services to provide the hosting, as part of standard metrics and security operations.

We track and store data about campaign pages being shared to social media, but not account details. When a user shares a link to a campaign on social media, we track that they have done this and if anyone else interacts or takes action with that link. This allows campaigners to track how their campaign is spreading on social media. 

We use hosted servers to run our primary services and we use microservice hosting (eg CloudFlare Workers) to run microservices. More information about microservices and third party services used can be found in Annex 1 of this Privacy Policy.

Payment Processing

If a person makes a payment (usually a donation) using a widget, then the payment provider (Stripe, PayPal, etc) will provide us with:

  • Donation amount
  • Donation currency
  • Your user id in the payment provider systems
  • Last 4 digits of payment card, if used
  • Date of expiry of payment card, if used

Specific Campaigns

Some campaigns may include the sharing of data with the public or a third party (usually the “target” of the campaign eg. state institution, representative, etc). In such campaigns, a privacy or data statement visible alongside the widget should make clear what will happen with personal information.

A digital action which includes comments published online is one example. This may be published on the campaigner’s website or submitted to another institution as a comment to publish. 

In a mail-to-target campaign, some personal data (typically name, email address, physical address) will be sent to the “target” email address, in addition to the email content.

For a European Citizens’ Initiative, the collected ECI data will be stored securely on our server and passed on to relevant EU and Member State institutions in the submission of the collected signatures. As per the ECI Regulations, the ECI Support data is collected separately and has separate widget steps from signing up to a campaign organisation who are controlling the widget (or any other related digital action as part of the campaign). In collecting data for the ECI we follow strictly the regulation

Business, Forum, Website

As is normal for any business, we will store information about business contacts such as customers, partners, service providers, etc, based on the legitimate interest in doing so. We will also store personal data relating to people who apply to (or indeed do!) work or volunteer with us, based on the consent of the applicant and the legitimate interest in doing so.

Forum users will give a name or alias, an email address (which can be seen by other users or hidden from other users but visible to our staff team), a picture they submit (optional), as well as any posts, messages, etc. We also collect browser/user agent metrics including IP address. Most of the categories are non-public and only accessible to the people involved in a particular campaign or forum category, but if you have any concerns about access and sensitivity please let us know so we can ensure information is appropriately controlled.

There is no data tracking or cookies for any visitors to our website. We use Plausible Analytics to monitor aggregate data for our website which does not track any personal data (more information here).