Data Protection Notice

What we believe

We believe most legal disclosures are not written for people; they are written for lawyers by lawyers. We believe we can change that, helping people learn how to make better disclosure more widespread. We believe that the data we collect and process should be stewarded, by us as an organisation and by the community.

Data privacy is core to what we believe and what we do. How the data collected and used via this platform is managed and governed will evolve, to be collectively owned and governed through a cooperative structure, like our whole business.

Why we collect and process personal data

We collect and process personal data to be able to provide the services offered via the Greater Than Learning platform. 

Purpose of Processing

We collect and process personal data for the following purposes:

Legal Basis for Processing

This is the basis in law under which we collect and process personal data:

When and what we collect and process

There are different situations when we collect and process data about you. Below we describe these situations, what data we collect and who else is involved. 

When you browse the website

We have done our best to collect no personal data when you just browse as a visitor, aligning to the principle of data minimisation. We use a privacy-preserving web analytics provider, Plausible. There are no cookies or tracking pixels, so no personal data is collected or used.

To learn more view Plausible’s Data Policy

When you create an account

When you decide to register an account and become a Greater Than Learning community member we will be collecting and processing data. 

What data we collect and process

When you pay for membership or a course

We provide learning experiences that you can pay for with a Credit or Debit Card. This can be for one-off courses or a subscription membership to ongoing micro-learning content.

What data we collect and process

When you engage in learning activities and community collaboration

We provide micro-learning content and encourage people to share ideas and their progress as part of the courses they do. This means that the data generated in those interactions is being processed by us. 

Data we collect and process

When you add content to your member profile or timeline

We have features that enable you to create a social profile, build a reputation, and connect with other community members and make better, together. This means that when you add content (data) to your profile we collect and process it.

Data we collect and process

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

When you consent to be notified of a new course

When you want to be notified of an upcoming course we ask for your email so we can notify you when this course launches. 

Data we collect and process

When you consent to be notified of an upcoming course we’re launching, we collect your email address. When that course is launched, we send you an email to let you know it is available. This automated email is sent through our WordPress plugins and handled by Amazon Simple Email Sending.

The data we collect and process is detailed below:

When you receive an email notification or update

There are a few different reasons you will receive an email from us. These include:
 
  • Letting you know a community member has interacted with you
  • Receipts for when you buy a course
  • Emails to enhance the learning experience, and;
  • Updates on platform progress or scheduled downtime

Data we collect and process

Emails are set up through our WordPress plugins, then sent via Amazon Simple Email Sending. The data we collect and process is detailed below:

When you register and attend a community video call or live workshop

We run video calls for community members to support learning outcomes and direct community involvement. These can be for specific courses we provide or for community sense-making, governance and decision making. 

Data we collect and process

When you join a video call you are asked to enter a name. We don’t retain this. But in situations where you provide input on decisions we make as a community, the details of this are recorded. This may be in the form of notes and associated with the profile name you use in the community. In some cases we record community calls to Zoom cloud and make them available for you and other community members to view later.

The data we collect and process is detailed below:

Registering for these events is done via Zoom. This means you will need to provide some information. To register you’ll need to provide:

Tools to enhance the community experience

To enhance the learning and community experience we use a few different tools listed below.

SURVEYS & FORMS
We use surveys for understanding community preferences and perspectives. The current tool we use for this is Typeform. Surveys might not request any personal data at all. In some cases we’ll ask for an email address. The data you choose to submit in a survey or form is processed by Typeform. You can learn more in Typeform’s Terms & Conditions.

VISUAL COLLABORATION
We regularly use a visual collaboration tool called Mural. We also use Mural to share templates you can use to improve your learning or ethical decision making process in your professional life. These may be embedded in pages on our site and in micro-learning experiences for you to use in enhancing your skill set. You can find more details on Mural’s data collection and processing activities in the company’s Privacy Policy.

COMMUNITY CHAT
We use a community chat network called Matrix. It’s like Slack but open source and decentralised. When you choose to join our community chat you’ll be registered on servers managed by that network. The general chat channel is unencrypted. All other channels are encrypted and the keys are stored on your device, or a backup service is provided by Matrix.
You can learn more about data privacy on the Matrix Privacy Notice.

COMMUNITY WORKSTREAMS
We are open with the plans we have and also encourage community members to get actively involved in the evolution of the platform. To do this we have a Trello board that covers what we are working on and have planned. If you choose to join you are acknowledging that registering for this service is your choice. Registration data and content you add is processed by Trello as a company. You can learn about Trello’s data privacy here. If you want to contribute in other ways, reach out via our community chat or email us.

How and where we store data

We securely store your data with our hosting provider WP Engine. They are based in the US but the server infrastructure is provided by Google Cloud. We’ve chosen Europe as a region for this cloud infrastructure but because Google has servers in different locations throughout Europe it means that all the different pieces of data can be in different specific locations. We also have a Content Delivery Network provided by Cloudflare. This means that the network of servers will temporarily (this is called caching) store some of your data in locations closest to you (Geographical Proximity). They will change where the data is stored based on the IP address of the computer you are accessing our website from. So as you can tell it is kinda complicated. 

Data retention

We retain the data we process about your account and learning experience only whilst you are an active member. If you choose to cancel your membership, we will enable you to export the data we have about you. We will then delete this data.

Data collected and processed for statistical purposes through Matomo analytics is retained for 6 months. You can also make a request for us to remove the data we have collected by making a subject access request. You can learn more about that here.

Approach to data security

We have a range of practices we use to keep your data secure. 

Core service providers we use that store your data

Website Hosting

Our dedicated WordPress hosting infrastructure

This service provider’s main business is located in Austin, Texas, United States and the server region for the Google Cloud Platform we use is Europe.

Here’s more information available from WP Engine.

 

Email Provider

Email notifications we receive go through ProtonMail

When you fill out a subject access request form or register interest in an upcoming course we get an email notification. The encrypted contents of that email go through ProtonMail’s servers.

Here’s more information on ProtonMail’s privacy policy.

Video Conferencing

When you choose to join community video calls or workshops

When you choose to join a workshop or community call Zoom does collect and retain some personal data. This can be the name you enter to use when you join a call or data associated with an account you have with them. It can also be things like your IP address to connect you to the call.

Here’s more information about Zoom’s approach to privacy and data protection.

Payment Processing

When you pay using a Credit or Debit card

When you purchase a membership or a course via the Learning Marketplace, Stripe processes the payment. We do not store any Credit/Debit Card details anywhere.

Here’s more information on Stripe’s privacy policy.

Your rights as a 'data subject'

You have fundamental rights we aim to uphold. We aspire to go above and beyond this. Under the General Data Protection Regulation all European Citizens have these rights. But, regardless of where in the world you call home, we’ve got your back (even if the regulators don’t).

Put simply, you have the right to clear and concise information about how we process your personal data. We’ve done a lot of work to design your right to be informed into the community experience and this Data Protection Notice.

This right is brought to life through a Subject Access Request. What this means is that you can request we give you a copy of the personal data and supplementary information we hold about you. You can do this in the very next section.

If we process or store data about you, you can ask to see it. If any data we hold about you is inaccurate or incomplete, you can request that we update or add to the data we have. 

This is sometimes referred to as the ‘right to be forgotten’. This isn’t an absolute right. But the basic gist is that, if we are not legitimately processing your personal data, you can request we delete the data we store about you. It’s worth noting this has a flow-on effect, where we also have to notify any of our service providers that may be storing data about you. If you make this request, we will execute an operational process to delete the data from our systems. We will also submit a request to any relevant service providers to ensure they do the same.

In certain circumstances, you can request that we restrict processing your personal data. This is only likely to take place if you have a problem with the way or context in which we’re processing your personal data. This is related to the right to erasure and the right to object.

This gives you the ability to request a usable (machine readable) and readable copy of the personal and supplementary data we process about you. We’ve actually been testing this internally and it’s safe to say that what you get back is pretty extensive. 

As with other GDPR data subject rights, this is a bit of an ‘it depends’ situation. However, this basically means you can ask us to stop processing your personal data.

We do not conduct automated profiling or automated decision-making. 

There’s a lot of very detailed information available about your Data Subject Rights. An Ecosia or Startpage search for “what are my data subject rights under GDPR” will give you everything you likely want and need to know.

Subject Access Requests

If you are an EU citizen you can submit a request to exercise any of your rights. If you’re not, we’ll still respect the request.

Frequently Asked Questions

We’ve been putting in lots of initial effort to protect your data. You can learn more about this work by viewing our key decision log or our public roadmap.

Part of this commitment to openness is accepting, documenting and communicating our trade-offs. Our platform is built on WordPress. We use third party plugins. These third parties state that they protect your data, but we can’t verify this to the extent we’d like to. Good luck finding service providers operating in the age of surveillance capitalism that even know how they process personal data. If they do, being honest about it is another issue entirely.

We’ve designed a series of security practices too. These are embedded into the platform and our internal workflows. We recognise these practices will continually evolve. We hope we can go on that journey together with community members. In fact, we want to progressively evolve the platform to limit the data we process considerably. Key aspects of this will be documented in our public roadmap, which you can contribute to 👍

If you come across any service providers that are decentralised, free and open source, private, interoperable, privacy by design, easy to integrate with and have sustainable and ethical business models, please let us know.

Great question…🧐

This is kinda complicated. It’s part of the problem with the way the modern world wide web works. It’s something we hope we can help address. But let’s try to get to a solid enough answer for now.

Our hosting provider is based in the US. Our server infrastructure is provided by Google Cloud. So we’ve chosen Europe as a region for this cloud infrastructure. Because Google has servers in different locations throughout Europe, it means that all the different pieces of data can be in different specific locations. As above, it’s a bit complicated. 

We also have a Content Delivery Network (CDN) provided by Cloudflare. This means that the network of servers will temporarily (this is called caching) store some of your data in the locations closest to you (Geographical Proximity). They will change where the data is stored based on where you are. They do this based on the IP address of the computer you are accessing our website from. 

We do aim to provide more specific information on this as we grow and hassle our service providers more (which, we hope you’ll be happy to know, we’ve been doing a decent job of already!). A real-time map would be cool, but it’s pretty hard for us to build on a shoestring budget. Maybe one day… We hope that helps answer your question 🙂

In simple terms, analytics help us understand how well our website is helping people achieve the stuff they’re using it for. Specifically we mean:

  • Website performance issues, such as whether pages are loading fast enough
  • The pages visitors are accessing and when
  • How people might be responding to certain content. For instance, if lots of people are pausing on one page or dropping off on another, we might infer something is wrong. We can then try to fix it by asking questions and conducting qualitative research, and
  • Basically everything we need to do to try and deliver a truly valuable, meaningful and engaging community member experience

It might be worth touching on this quickly. In ‘User Research’ there are four quadrants we pay attention to. Based on the questions we’re asking and answers we seek, we employ different research methods. If we’re trying to understand what, we do quantitative behavioural research. If we want to better understand why, we do qualitative attitudinal research. Nielsen Norman Group have a great article on this titled, “A Landscape of User Research Methods”. A quick Ecosia, Brave or DuckDuckGo search will help you find it 💥

You can submit a subject access request form here. We’re doing everything we can to make this process as simple and effective as possible.

Executing risk-based workflows helps to decrease the likelihood of breaches. However, if we believe a data breach may have occurred, we execute an operational process aligned to the recommendations made by the Office of the Australian Information Commissioner as part of the Notifiable Data Breaches Scheme.

Basically we:

  1. Assess the incident
  2. Mitigate the impact
  3. Communicate with relevant stakeholders, and
  4. Ensure any preventable weaknesses are improved as quickly as possible

Putting it simply, if we make a mistake we will own it and do whatever we can to ensure we don’t make it again.

We all make trade offs. You can see ours.

As part of our approach to operationalising ethics, we make decisions, document those decisions and attempt to verify that those decisions are the most socially preferable in the eyes of our community members and key stakeholders.

Use of Data Protection icons

We’ve used the “DaPIS (Data Protection Icon Set)” created by CIRSFID, Università di Bologna and Accademia di Belle Arti di Bologna. You can learn more about it here.

DaPIS is released under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).

Initial Privacy Impact Assessment

We selected an external vendor, Ground Up Consulting, to conduct a concept PIA before we launched Greater Than Learning. 

You can view the recommendations and video going through the report here.