SEEDSAT DATA PRIVACY POLICY

In effect from June 01, 2020 for all users

This data privacy policy applies to the KoBoToolbox hosted instance made available by DAI (collect.seedsat.org). For other instances used by DAI and powered by the open-source code for KoBoToolbox, please contact the host. KoBoToolbox software is licensed for use under the GNU license available here. DAI uses KoBoToolbox, a forked version of the open-source software under this GNU License.

The policy below is intended to supplement, not replace, DAI’s corporate privacy policy. Please use this link to view DAI’s general privacy policy.


What Types of Data Does DAI/SeedSAT Control and Process?

This data privacy policy distinguishes between data that is controlled by DAI/SeedSAT and data that is processed by DAI/SeedSAT via SeedSAT Collect.

SeedSAT Collect is:

  • A data controller of very limited data about site visitors and account holders (i.e. DAI/SeedSAT determines the purposes, conditions and means of the processing of personal data). DAI/SeedSAT may at times collect webpage analytics from unregistered and registered users of its webpage using Google Analytics – pages visited, clicks, browser used, language choice, country of origin and so on. For registered users, DAI/SeedSAT has access to e-mail addresses, organizational affiliation, sector, country, and gender as part of the registration process and stores users’ preference in their profile (e.g. language).
  • A data processor of data collected by account holders (i.e. processes data on behalf of a data controller). Once a registered user creates a project, DAI/SeedSAT stores the information related to the survey (e.g. form) and data collected by the account holder (i.e. submissions). This includes data submitted by participants completing forms designed by registered users and can include personal information.

HOW AND WHY DO WE USE YOUR DATA?

DAI/Partner takes very seriously the privacy, confidentiality and security of personal information and any data collected or stored by DAI/SeedSAT.

Data that we control:
Personal information from registered users is used to provide survey and data collection services to registered users and communicate with registered users about our services. Registered users can view, edit, and delete their personal information stored in their profile, unregister from communication emails, or delete their account. Personal information is never sold to parties external to DAI/SeedSAT. Data collected as part of project activities may be shared with the donor/client and will be reasonably sanitized, anonymized, or aggregated to protect the personal information and identity of respondents.

Data that we process:
DAI/SeedSAT processes data on behalf of registered users who have created a project and collected data within SeedSAT Collect. DAI/SeedSAT fully owns their application data but DAI/SeedSAT does not share or sell that information unless under specific contractual obligation to do so by their primary donor/client. Metadata about projects may be used in aggregated ways to analyze usage with the permission of the account holder. This metadata does not include personal information.

Registered users are the data controllers of the data they collect using SeedSAT Collect (the DAI-hosted version of KoBoToolbox) and are responsible for the safe management of personal information, including compliance with the General Data Protection Regulation (GDPR). The SeedSAT software allows registered users to share application data publicly or only with selected users. Information shared publicly is visible to anyone and can be indexed by search engines. If you collect personal or otherwise sensitive data, DO NOT share this data publicly. DAI/SeedSAT is not responsible for how registered users handle survey participants’ personal information. We may assist individual respondents in contacting users and organizations with regards to GDPR requests.


RETENTION OF PERSONAL INFORMATION

It is our intent to not keep personal information for longer than reasonably required. The retention duration depends on the nature of the personal data and the purposes for which it was received. DAI/SeedSAT’s business entities maintain a data retention policy informed by:

  • Legal or regulatory requirements of the location of the data processing;
  • The completion of a contract or employment engagement with you or work you supported with our clients;
  • If your personal data is held for reasons other than legal requirement or contractual engagement (i.e. newsletter, recruitment database), we will maintain that data until you request its removal or correction.

YOUR RIGHTS REGARDING YOUR PERSONAL DATA

The EU’s GDPR details an individual’s rights regarding their personal data. DAI respects and supports these rights and applies them to personal data held generally. These rights include:

  • Right to Access – Subject to certain conditions, you are entitled to have access to your personal data. You may contact DAI/SeedSAT to request a copy of your personal data held by us.
  • Right to Data Portability – Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.
  • Right to Correction – You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date.
  • Right to Object to or Restrict Processing – Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.
  • Right of Erasure – Subject to certain conditions, you are entitled to have your personal data erased (e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful).
  • Right to Withdraw Consent – As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time. If you withdraw your consent, this will only take effect for future processing and is subject to certain conditions based on DAI/SeedSAT’s legal obligations.

To act on any of the above rights, DAI/SeedSAT may need to request additional information regarding the specifics of the request as well as confirm your identity. We will respond to these requests in accordance with regulatory requirements once we confirm the validity of the request. Requests regarding these rights can be submitted to DAI/SeedSAT by following the instructions in the “Contact for Requests and Complaints” section below.


HOW DO WE PROTECT YOUR DATA?

DAI/Partner is committed to protecting the data you entrust to us. We employ industry standard best practices (both technical and administrative) to protect against unauthorized access of your data. Data is stored in AWS S3 and encrypted at rest. We cannot guarantee, however, its absolute security. To protect from loss of data, we do frequent system and incremental backups. To further protect your data, we encourage you never to share your login information and to change your passwords regularly. If you have any questions regarding our security and backup procedures, please contact us.


CHANGES TO THE PRIVACY POLICY

We may need to modify this privacy statement from time to time, especially in response to changing norms and legislation. If we make material changes to this policy, we will notify you here or by means of a notice on our homepage so that you are aware of any changes with relation to what information we collect, how we use it, and under what circumstances, if any, we disclose it.


CONTACT FOR REQUESTS AND COMPLAINTS

If you are uncertain about our data privacy policy or have requests with regards to general compliance, including GDPR rights, please contact us. We respond to requests within 30 days.