Legal

Simply Secure is a registered 501(c)3 nonprofit organization based in the United States of America. Our Employee Identification Number (EIN) is available upon request to contact@simplysecure.org. Our official address is:

Simply Secure
609 Elm Ave
Swarthmore, PA 19081

Email: contact@simplysecure.org
Website: simplysecure.org

Our team in Berlin can be reached at:

Simply Secure
WE’RE ALL IN Coworking
Torstraße 177
10115 Berlin

Simply Secure adheres to the highest ethical standards in all of our operations and is dedicated to protecting the privacy of everyone who interacts with us. We don’t sell, barter, give away, rent, or permit anyone outside of Simply Secure, our Board of Directors, and project-scoped contractors to use or access information about our partners, collaborators, research participants, or website visitors.

We use third party services to publish work, keep in touch with people, and understand how we can do both of these things better. Here you can find out what these services are and how we handle all sorts of data, from user research to job applications.

If there is additional information you would like to see in this document about our practices, or if you have other comments or questions, please reach out to data@simplysecure.org.

This document was last updated on August 10, 2018.

Our site & services

We use the following services to run our websites and understand how people are using them.

Google Analytics

For the time being, the Simply Secure website uses Google Analytics, which collects information about how people are using our sites to allow us to improve their experience. Data is stored indefinitely, so we can see how use of our website changes over time.

You can opt out of our analytics by turning on Do Not Track in your browser. Find out how to do this for Google Chrome, Firefox, Safari, InternetExplorer and Microsoft Edge.

Newsletter

When we send out newsletters, we use phpList, which stores subscribers email addresses. We do not use the platform features for tracking links or opens. We only send our newsletter to people who expressly sign up for it.

GitHub

We use GitHub Pages to host our website. Find out more about how Github uses data in their privacy statement.

Vimeo

We host videos using Vimeo for its robust and scalable infrastructure. Find out more about how they use data in their privacy statement.

Google Drive & Email

We currently use G Suite for Nonprofits for our email, calendaring, and document storage. Individual members of the team use PGP and are happy to correspond via encrypted email, or honor requests to have files shared with us be not stored in Google Drive. We respect diverse threat models and work to accommodate our partners’ needs and concerns.

Slack

We host a Slack organization for internal communication and community organizing. Slack stores your account information and usage data, and our administrators have access to all public channels. Please refer to Slack’s privacy policy before you sign on.

Underexposed events

We use Pretix and Meetup to handle signups and ticketing for our Underexposed events. They allow us to promote each event to other people interested in similar gatherings.

When someone signs up to an event through Pretix, we’ll only use that information to get in touch about that specific event. After the event, we delete any information about attendees from Pretix.

To exercise your data rights on Pretix, go to their privacy policy for more information; also see Meetup’s privacy policy.

Submissions

Our submission platform is run on AirTable. When you submit a session to Underexposed, or apply to the Underexposed Design Residency program, your data will be stored on AirTable. AirTable does not collect or process the information you submit. More in their privacy policy.

At the event

We ask attendees for consent to being filmed or photographed by members of the Simply Secure team on Pretix. If you want to change your decision or you’ve been filmed or photographed against your consent at a Simply Secure event, please email data@simplysecure.org.

If a speaker consents, we film their talk so we can publish it after the event. We transcribe films to ensure that what the speaker says is accessible to everyone. This transcript will be published verbatim, unless a speaker wants to review and edit it. We won’t publish footage of Q&As if we haven’t received consent from all participants.

Our social media accounts

We use social media accounts to share our work. We occasionally use the analytics tools provided by these platforms to understand how we can use these services better. Our social media accounts are:

If you’d like content about you removed from any of our social media profiles, please contact data@simplysecure.org.

Research participants

Research is an important part of our work: it helps us understand people’s needs and build better products and services.

All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed we ask them to sign the form to confirm this. We scan signed consent forms and shred paper copies, then store consent forms on Google Drive and keep these for 3 years.

At the moment, we do not conduct any research with people under the age of 18.

You can view an example of our participant Bill of Rights on GitHub.

Using information from research

Research material is separated from any identifiable information, such as consent forms, while we are working with it.

Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on Google Drive and are only accessed by Simply Secure team members involved in the research. At the end of the project, all notes and digital files are destroyed or deleted.

Sometimes we may publish quotes from research sessions. We only do this if we have specific consent from the participant and any personally identifiable information has been removed. We will only publish audio, photos and video from a research session if a participant has given consent and has signed a model release form.

Survey

We use LimeSurvey for gathering and processing information from survey participants. See their privacy policy for more information.

Participants are able to withdraw their information from a project at any time. To do this, contact data@simplysecure.org.

Working at Simply Secure

Only team members involved in the recruitment process have access to applications, CVs and emails we receive. We don’t collect any special category data or ask for any background checks as part of the application process.

When people join Simply Secure, we request information about them needed for tax purposes. We hold information about their role and their professional development at Simply Secure. Access to this information is controlled.

Things we don’t do

Simply Secure doesn’t participate in the following data processing activities:

  • Buying or selling marketing lists
  • Entering into data sharing agreements with other organisations
  • Telephone marketing
  • Postal marketing
  • CCTV surveillance

We don’t use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at Simply Secure. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins Simply Secure, we explain best practices for keeping their devices secure, maintaining the security of their online accounts, and working outside our offices.

Data breaches

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their guidance.

Data transfer outside the EEA

We have reviewed the privacy policies of third party services we use. They provide adequate protections when information is shared outside of the European Economic Area.

Exemptions

There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. This includes requirements and orders in the United States, where we are based. A full list of EU exemptions are listed on the ICO website. This also applies to data held about you by third party services we use.

Reviewing how we use data

Every quarter, we review our documentation of the data we handle and third party services we use. This helps us continuously improve our processes and hold ourselves to account. We will update this document as necessary.

Your rights and getting in touch

The General Data Protection Regulation gives EU citizens the following rights:

To exercise any of these rights, please contact us at data@simplysecure.org. You can find information specific to the services we use or our activities in the relevant sections of this document. If you are located in the EU and aren’t satisfied by our response, you can contact the EU Information Commissioner’s Office.

Acknowledgements

In drafting this policy we used a number of different resources and inspirations. We want to offer particular thanks to Projects By If for their clear example.