DataKind privacy policy

Effective Date: 11-03-2023

Most recent update: 08-13-2024

This Privacy Policy sets out how DataKind uses and protects any information that you give DataKind when you use this website and, subsequently, when you interact with DataKind through emails or events. In using our website, digital tools, working or volunteering with us, we might collect personal identifiable information about you. DataKind is committed to protecting your data and your privacy. We only collect the data we need to offer the best possible service to our volunteers and partner organizations (“users” from here on), and always use it in accordance with this Privacy Policy.

 

The information you provide will be held in accordance with the applicable law and may be used by DataKind and its agents to supply DataKind services. For the purpose of the General Data Protection Regulation (GDPR) where applicable, the data controllers are DataKind and DataKind UK.

 

Introduction

DataKind is a nonprofit registered as a 501(c)3 organization in the United States. DataKind UK is a charity registered in England ∓ Wales (No. 1154213), and a company limited by guarantee registered in England ∓ Wales (No. 08462148). This Privacy Policy applies to all the above entities.

This Privacy Policy is applicable to DataKind (“we,” “our,” or “us”) as related to our services, which collectively include:

  • the use of datakind.org
  • the use of any DataKind application websites (datakind.org, playbook.datakind.org, hiequity.org) 
  • social media messages, email newsletter, and marketing campaigns and 
  • the use of our products and services. 

This Privacy Policy sets out the essential details relating to your personal data relationships with DataKind as:

  • A website visitor
  • An end user of the application (“end user”)
  • A prospective client
  • An event participant 
  • A job applicant and
  • Partners

What we collect

DataKind may collect information about you at different stages and through various means. We try to collect as little data as necessary to provide our services. Some of it is optional, but allows us to continuously improve ourselves. We will only collect such data with your explicit consent. We will only collect and process your personal data where we have a lawful reason for its collection. Specifically, we collect information in the following ways:

 

  • When you sign up on the website or one of our product websites, we may ask for information such as name, occupation, email address, etc.
  • If you subscribe to any of the digital platforms we use (mailing lists, team collaboration tools, etc.), we will collect information about your interaction with the services.
  • If you apply to volunteer to work with us, we may interview you and keep track of your professional profile, skills etc.
  • In the course of your volunteering work with us, the output of your work may contain elements that describe you, e.g. pictures of you or notes that may refer to meetings and events you attended.
  • If you participate in a community event or webinar, we collect data you enter upon your registration, attendance status, and poll responses.
  • If you apply for a job at DataKind, we collect your resume, cover letter, and additional personal information. All information is securely kept in our Applicant Tracking System, Greenhouse. 

 

We will hold your personal information on our systems for as long as is necessary to provide you with our services. Since knowledge of our past interaction with volunteers and partner organizations is essential to continuously improve our services, we may keep data you provide to us indefinitely. 

 

What we do with the information we gather

We collect information about our volunteers, partners, users, and other community members to ensure we can provide the best services to you and the organizations we support. In particular:

 

  • We may keep internal records of our users and activities.
  • We may use the information to improve our products and services. For example, from time to time, we may perform some statistical analysis on the data we have collected or on the feedback you have provided us.
  • We may contact you by email using the email address which you have provided.
  • We may periodically send promotional emails about events or other information which we think you may find interesting (for subscribers only).
  • We may sometimes use the address you provided to send you emails about events happening that may be of interest.
  • We may use photos taken during our meetings and events for marketing purposes.
  • We may combine information collected from multiple sources under a unique profile.
  • We use anonymous aggregated data to describe our work with volunteers.
  • We will inform you of any other purpose other than those set out in this Privacy Policy.
  • We may use information to protect the security or integrity of a DataKind website, application, or services.

 

If DataKind needs to use personal information for an unrelated or new/secondary purpose, DataKind will notify the appropriate individual and obtain their consent for the new purpose or rely on another prescribed exception under the applicable privacy legislation for the use or disclosure. Where consent is used as the basis for the secondary use or disclosure, individuals have the right to withdraw their consent at any time. Where the secondary use or disclosure includes sensitive information (i.e., personal health information), DataKind will take reasonable steps to ensure that the information is de-identified before it is disclosed or used. 

Where the data is stored

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff and volunteers operating outside the EEA. Such personnel may be engaged in statistical analysis of your data and the provision of support services. By submitting your personal data, you agree to this transfer, storing, or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

 

The information that we have collected about you will be stored on DataKind-owned or third party servers and, on occasions, on the local machines of staff and volunteers. As a remote-first organization, we process data in a variety of locations across the United States, United Kingdom, Kenya, Canada, and other locations. We rely on legally-provided mechanisms to lawfully transfer data across borders, such as contracts incorporating data protection and sharing obligations. We provide the capability for the return, transfer and/or disposal of personal data in a secure manner. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. 

 

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. We have implemented best-practice standards and controls in compliance with internationally recognized security frameworks. We use encryption technologies to protect data at rest and in transit. 

 

Security

We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we use suitable physical, electronic, and managerial procedures to prevent unauthorized access, disclosure, alteration, or destruction of the information we hold. Where applicable, we periodically review our information collection, storage and processing practices.

 

Information that we share

We do not share personal information about our users with companies, organizations, and individuals outside of DataKind, unless one of the following holds:

 

We have the user’s explicit consent.

For sensitive personal information, we have the user’s explicit, opt-in, consent.

We are required by law to do so.

 

We do not sell your information to any third party. 

Cookies and Third party tools

Our website uses cookies to help us provide a better service to our users. Cookies are small data files which are stored on the user’s computer or mobile device when visiting a website. They can be managed through the user’s internet browser.

The information collected with cookies includes:

  • access times
  • the pages you view
  • the links you click on 
  • the search terms you enter 
  • actions you take in connection with any of the visited pages
  • your device information such as IP address, location, browser type and language
  • the Uniform Resource Locator (URL) of the website that referred you to our website and 
  • the URL you browse away from our pages if you click on an external link

 

During your interaction with DataKind, we may ask, mandatorily or optionally, that you use a third party tool. We do our best to ensure that they are compliant with any applicable law. However, such tools are not covered by this Privacy Policy, and we do not have any control over them. Therefore, we are not responsible for the protection and privacy of any information which you provide whilst using such third party tools.

 

Our website may contain links to other websites of interest. However, any personal information you provide while visiting those websites is not governed by this Privacy Policy.

 

Controlling your personal information

Our policy is written using the European Union’s General Data Protection Regulation (GDPR) as a reference for all DataKind activities, including for individuals outside of the EU for which the law may not be applicable. You have the right to review, amend, and delete the data we have about you. For this, you can contact us at the following email address: privacy@datakind.org. Learn about the GDPR in English and other languages at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG.

 

Supervisory Data Authorities

If DataKind suspects or has proof of any data breach happening, by us or any of our processors, DataKind will notify the relevant supervisory data authority and follow any applicable procedures as required by the law. We attempt to notify our community about legal demands for their personal data when appropriate in our judgment unless prohibited by law or court order or when the request is an emergency. Our systems and data management practices are designed to minimize any such occurrence. If you suspect any data breach by DataKind, or in case of any dispute regarding your personal information, you have the right to contact the relevant supervisory data authority, or you can let us know by contacting the following email address: privacy@datakind.org.

Selecting your communication preferences

You may choose to receive or not receive marketing communications from us. Please click the “Unsubscribe” link in the email we sent you to stop receiving marketing communications. 

 

Even if you opt-out of receiving marketing communications, we may still communicate with you regarding security and privacy issues, servicing your account, fulfilling your requests, or administering any promotion or any program in which you may have elected to participate. 

Changes

Our Privacy Policy may change from time to time. We will post any Privacy Policy changes on this page and, if the changes are significant, we will provide a more prominent notice, such as an email notification of Privacy Policy changes.

 

Contact us

If you have any questions, comments, or requests regarding this Privacy Policy, you are welcome to contact us at privacy@datakind.org.

 

Appendix 

A.1 For Individuals Based in the  European Economic Area (EEA), United Kingdom (UK) and Switzerland

If you are based in one of these jurisdictions, DataKind is the controller of your personal data collected in the following instances:

  • When you visit our website datakind.org
  • When we process your personal data for sales and marketing purposes

DataKind is a processor of all personal data processed on the application, on behalf of our clients. We only process the personal data under their direction. Please contact your employer or the organization that granted you access to the application for details on their privacy practices.

We only process personal data if we have a lawful basis for doing so. The lawful bases applicable to our processing as controller are:

  • Consent: We will ask for your express and informed consent every time we collect your personal data on this legal basis.
  • Contractual basis: We process the personal data as necessary to fulfill our contractual terms with you or our clients.
  • Legitimate interest: We process the names, contact details, job titles, companies of our existing and prospective clients for our marketing purposes, including market research and sales leads generation. 

You have the following rights under the GDPR:

  • Be informed about the collection and use of your personal data
  • Access your personal data
  • Correct errors in your personal data
  • Erase your personal data
  • Object to the processing of your personal data.
    • This right is also available to individuals whose personal data is processed by us for direct marketing purposes. If you object to the processing of your personal data for direct marketing purposes, we shall stop processing within 30 days of receipt of your request. 
  • Export your personal data
  • Restrict our processing of your personal data for specific reasons, including any of the purposes supported by the legitimate interest legal bases (see the section above). 
  • Not to be subject to a decision based solely on automated decision making

We process personal data in the United States and share it with our service providers in the United States and other jurisdictions. We use standard contractual clauses, approved by the European Commission or competent UK authority (as applicable), as the data transfer mechanism for transferring personal data from the EEA or UK to other countries subject to data transfer requirements. See the table of our service providers here. (link to the table above)

You may contact us at privacy@datakind.org. You may also lodge a complaint with your local supervisory authority:

  • EU Data Protection Authorities (DPAs). See their contact details here National Data Protection Authorities.
  • Information Commissioner’s Office (ICO)
  • Swiss Federal Data Protection and Information Commissioner (FDPIC). 

A.2 For Individuals Based in The United States 

Under the California Privacy Rights Act (‘CPRA’) – which amended and expanded on CCPA, Connecticut Data Privacy Act (‘CTDPA’),  Virginia Commonwealth Data Protection Act (‘CDPA’), Utah Consumer Privacy Act (‘UCPA’), and the Colorado Privacy Act (‘CPA’), consumers may be able to exercise the following rights in relation to the personal information about them that we have collected (subject to certain limitations at law):

  • The right to access/know any or all of the information relating to your personal information that we have collected, processed or disclosed in the preceding 12 months (upon verification of your identity). For details on the categories of personal information we have collected and/or shared, refer to section “What we collect”in the notice. DataKind will provide a copy of the consumer’s personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.
  • The right to request the deletion of personal information we have collected from you.
  • The right to opt-out of personal information sales to third parties now or in the future. However, we do not sell your personal information.
  • The right to opt-in to personal information sales to third parties for consumers under the age of 16. However, we do not sell personal information of minor consumers.
  • The right to opt-out of sharing of personal information to third parties now or in the future. To view the information we have shared in the preceding 12 months, refer to section “Information that we share” in the notice.
  • The right to request rectification/correction of inaccurate personal information, considering the nature and purposes of the processing of the information. (Not Applicable under UCPA)
  • The right to limit use and disclosure of sensitive personal information to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer. (Applicable under CCPA, as amended by CPRA)
  • The right to opt-out of the processing of sensitive personal information (I.e., data that reveals ethnic or racial origin, mental or physical health diagnosis, religious beliefs, sexual orientation, or citizenship or immigration status. (Applicable under UCPA)
  • The right to opt-out of targeted advertising. (Applicable under CPA, CTDPA, UCPA, VCDPA)
  • The right to opt-out of profiling in connection with automated decisions. (Applicable under CPA, CTDPA, UCPA)

Please note that if exercising these rights limits our ability to process personal information (such as a deletion request), we may no longer be able to provide you with our products and services or engage with you in the same manner. Additionally, DataKind has established processes (including reviewing business processes, systems and resources on a periodic basis) to ensure consumers who exercise any of the above rights under US state privacy laws are not discriminated against.

A.2.1 How to Exercise Your Consumer Rights

To exercise any of your rights mentioned above, please submit a request by contacting us at privacy@datakind.org. We will need to verify your identity before processing your request. 

In order to verify your identity, we will generally require sufficient information from you so that we can match it to the information we maintain about you in our systems. Sometimes we may need additional personal information from you to be able to identify you. We will notify you. 

We may decline a request where we cannot verify your identity or locate your information in our systems or as permitted by law. In this case, we may request that you provide additional information reasonably necessary to authenticate you and your request.

You may choose to designate an authorized agent to make a request under the CCPA on your behalf. No information will be disclosed until the authorized agent’s authority has been reviewed and verified. Once an authorized agent has submitted a request, we may require additional information (i.e., written authorization from you) to confirm the authorized agent’s authority.

If you are an employee/former employee of a DataKind client that uses our application and services, please direct your requests and/or questions directly to your employer or former employer.

If you are a third party (auditor, business associate, etc.), who was given access to the DataKind application by a DataKind client, please direct your requests and/or questions directly to the DataKind client that gave you access.

If DataKind does not take action on your Consumer Rights Request within the 45 days, or in the event of an extension, within the maximum 90-day response period, we will inform you in writing of the reasons for not taking action, as well as provide an explanation of any rights you have to appeal the decision. For opt-out or limit use and disclosure requests submitted under the CCPA, DataKind will respond as soon as feasibly possible, with up to a maximum of 15 days. 

For consumers residing in Virginia, within 60 days of receipt of an appeal, and for consumers residing in Colorado, within 45 days of receipt of an appeal, DataKind will inform the consumer, in writing, of any action taken/not taken in response to the appeal, including an explanation of the reasons for the decisions. If the appeal is denied, DataKind will provide consumers with an online mechanism, if available, or another method which allows the consumer to contact the Attorney General to submit a complaint.

Minors Under Age 16

Our application and services are intended for business use, and we do not expect them to be of any interest to minors. We do not intentionally collect any personal information of consumers below the age of 13. If you believe that a child under 13 may have provided us their Personal Information, please contact us at privacy@datakind.org. Following contact, DataKind will request the age of the data subject that is minor and get the consent of the holder of the parental responsibility for the minor, where DataKind needs to process that personal information. 

A.3  For Individuals Based in Australia 

This section is applicable to individuals whose personal information is collected, stored, used or disclosed by an APP Entity under the Australian Privacy Principles (“APPs”) contained in the Privacy Act of 1988. 

A.3.1 Providing Anonymous and Pseudonymous Options 

You have the option of anonymity or using a pseudonym when dealing with DataKind. However, this option may not be made available to you in certain cases, including if it’s impractical for DataKind to allow this option or when DataKind is required or authorized to deal with an identified individual by or under the law.  

A.3.2 Collection, Use and Disclosure of Personal Information 

DataKind collects personal information only by lawful and fair means. Additionally, DataKind collects personal information directly from you or your authorized representative, unless we have your consent for collection from another source (i.e., third parties), it is required or authorized by law, or it is unreasonable to collect the information only from you. DataKind may collect ‘sensitive information’ about you where you have consented to the collection and it is reasonably necessary for one of our functions or activities or if it is required or authorized by law.

DataKind only uses and discloses your information for the purpose for which it was collected (the primary purpose) unless one or more of the following apply: 

  • You have consented 
  • You would reasonably expect the secondary purpose 
  • It is required or authorized by or under law 
  • DataKind believes that it is reasonably necessary for an enforcement body’s activities 

We disclose your personal information with our service providers in <update name of locations> and other jurisdictions. We do not disclose your personal information to any overseas recipients unless one of the following applies:

  • You have consented to the disclosure 
  • The recipient is subject to a law or binding scheme substantially similar to the APPs, and you can enforce that law/binding scheme 
  • It is required or authorized by law 
  • It is required or authorized by an international agreement relating to information sharing 
  • It is reasonably necessary for an enforcement body’s or similar entity’s activities 

See the table of our service providers here. (link to the table above)

A.3.3 Your Rights Under the APPs 

You have the following rights related to the collection, use and disclosure of your personal data:

  • Be informed about the collection and use of your personal data
  • Access your personal information
  • Correction of your personal information to ensure accuracy and completeness  
  • Request to not receive direct marketing communications from us or to not disclose your personal information to others for direct marketing purposes 

If you wish to access your personal information or correct that information, please contact us at privacy@datakind.org You may opt-out (unsubscribe) from receiving marketing communications by using the links provided in our emails. If you are unable to find the opt-out instructions, please contact us at privacy@datakind.org for assistance. 

If you are concerned about DataKind’s handling of your personal information, you may lodge a complaint in writing to privacy@datakind.org and we will provide a written response to your complaint within a reasonable time (30 days).

If you are not satisfied with our response, you may also complain directly to the Office of the Australian Information Commissioner (OAIC) by:

  • Email: enquiries@oaic.gov.au (be aware that email isn’t encrypted, if you’re concerned about this, use the online form on OAIC’s website which is secure)
  • Mail: GPO Box 5218, Sydney NSW 2001 (send it by registered mail if you’re concerned about sending it by standard post)
  • Fax: 02 9284 9666
Scroll to Top