Data Protection Notice


What is the agreement bypass bias (ABB for short)?

Learn more about ABB

How our business works

We’re using the Platform Design Toolkit to map out the ways in which we want our business to evolve. This is super useful as it helps us clearly define roles and value exchanges within the platform ecosystem we intend to design.

Our business model is pretty simple. You can pay to become a community member. There are three levels of community membership. Once you’re a member, you also gain access to the Learning Marketplace. Here you can pay for one off micro-learning experiences. These can be designed by us, a member that is also a content creator, or they could be co-branded and co-designed with our partners. When this is the case, we share revenue from the one off payment with the course creator.

You pay for your membership and courses with your credit or debit card. 

That’s it for now. 

We hope this goes without saying, but we will never sell your data. Your individual agency and right to privacy are not just important to us, they are critical to everything we believe.

Why we collect and process personal data

We collect and process personal data to be able to provide the services offered via the Greater Than Learning platform. 

Purpose of Processing

We collect and process personal data for the following purposes:

Legal Basis for Processing

This is the basis in law under which we collect and process personal data:

What types of personal data we collect and process

Depending on the situation and the relationship you have with us we collect and process the following types of data.

Analytics Data

We use Matomo website analytics because of the values and ethical alignment when it comes to personal data rights. We collect and process this data when you explicitly consent to it.

Data we collect and process:

  • IP address (masked)
  • Date and time of visit
  • Title of the page being viewed
  • URL of the page being viewed
  • URL of the page viewed prior to the current page
  • Screen resolution being used
  • Time in local user's timezone
  • Files that were clicked and downloaded
  • Links to any outside domain that were clicked
    to get to our site (referral link)
  • Page load time
  • Approximate location of visitor
  • Main Language of the browser being used
    (Accept-Language header)
  • User Agent of the browser being used 
    (User-Agent header)

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

Registration Data

This is the data we collect when you sign up for an account. It is stored within our WordPress instance. Your password is hashed and salted by default and is never stored in plain text.

Data we collect

  • Nickname (this is your profile name in the community)
  • Email address
  • Password (hashed and salted)
  • Date and time of registration

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

Purchase Data

When you pay for a course or community boost membership we collect and process data. We use Stripe as a payment processor and some of the data is shared with them. 

Purchase Submission Data

  • First name
  • Last name
  • Card number
  • Expiry date
  • CVV code
  • Product(s) name
  • Purchase amount
  • Payment method
  • Date and time of purchase

We do not store your Credit Card details, but they are securely sent to Stripe for payment processing.

Purchase Form Submission Data

  • First name
  • Last name
  • Name of product(s) purchased
  • Customer company name (optional)
  • Billing address (optional)
  • Product quantity
  • Order number
  • Product SKU

 

Course Interest Data

We have the option for you to register your interest in upcoming courses and learning experiences. 

Data we collect:

  • Email address
  • Course interested in
  • Content you share in the additional form field (optional)
  • Date and time of form submission

Learner Data

When you engage in any of the micro-learning experiences we collect and process data. 

Data we collect

  • Course(s) enrolled in
  • Course(s) completed
  • Lessons completed
  • Quizzes taken, the date and time and the score achieved
  • Lessons completed (name of lesson and date of completion)
  • Activities any points (and point type) are awarded for
  • Activities any points (and point type) are deducted for
  • Total points balance and the type of points
  • Achievements (and types) received and when
  • Course certificates received and when

This is only stored within our WordPress environment hosted via WP Engine.

Social Learning Data

As part of the social learning experience and being a community member of Greater Than Learning you add content (data) to the platform.

Social Learning Data we collect and process:

  • Topics posted in the forum and when
  • Content of topic post in the forum
  • Comment/reply in the forum and when
  • Content of comment/reply in the forum
  • Any images and video shared in forum and when
  • Likes given to topic(s) in forums and when
  • Favourites given to topics in the forums and when

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

Member Profile Data

As Greater Than Learning is a social learning platform it has features that are similar to a social network. This means we collect and process data you add to your member profile.

Data we collect and process:

  • Profile images you add
  • Content (text, images and video) you add to your profile bio
  • Content you share in the additional form field (optional)
  • Content (text, images and video) you share on your profile timeline
  • Date and time when you add this content
  • Community member nicknames you tag in your timeline posts

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

Subject Access Request Data

We enable people to exercise their GDPR rights, even when they are not EU citizens. To do this you'll have to submit a form and this means we will collect and process data.

Data we collect and process when you submit a Subject Access Request form:

  • Email address
  • Right(s) you want to exercise
  • Text content you add to the submission message
  • Lessons completed
  • Date and time of the submission

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

When we collect and process data

There are different situations when we collect and process data about you. Below we describe these situations, what data we collect and who else is involved. 

Before you sign up

When you are browsing our website we do collect and process some data if you consent to it. 

Data we collect and process

We use third party services as part of the Greater Than Learning platform. In some cases they process data on our behalf to support certain business functions. Because we use WordPress we have chosen supporting plugins that process the minimal amount of your data possible. When you browse our website and consent to cookies via Metomic we collect and process website analytics data via our Matomo WordPress plugin. 

The data we collect and process is detailed below:

Services we use

Managing Cookie Consent

We use Metomic for managing cookie consent so we can give you choice and control about how we collect and process your data.

This is the data that is processed:

Here’s more information on Metomic’s privacy policy.

Website Analytics

We use Matomo for website analytics so we can understand how people use our website and continue to improve the services we offer.

Note: the data we collect is not sent to Matomo but is stored in our WordPress plugin directory and hosted by WP Engine.

If you want to learn more about Matomo’s approach to privacy you can find more information in their privacy policy.

During the sign up process

When you decide to register an account and become a Greater Than Learning community member we will be collecting and processing data. 

What data we collect and process

Services we use

Website Hosting

We use WP Engine for our website hosting infrastructure so we can deliver a fast and high quality experience for our website visitors and community members.

Our site runs on the open source content management system WordPress. When you register, the data is stored on Google Cloud Infrastructure in the EU via our hosting provider WP Engine.

When you register an account this data is processed by WP Engine.

Here’s more information on WP Engine’s privacy policy.

Email Service

We use Proton Mail for our business emails so we can receive order notifications and respond to you if there are any problems.

When you sign up we receive an email notification. This helps us to check when you registered an account and use this to respond to any issues if they arise during your signup process.

While it always remains encrypted, the data below is processed through ProtonMail’s servers.

Here’s more information on ProtonMail’s privacy policy.

When you pay for membership or a course in the learning marketplace

We provide learning experiences that you can pay for with a Credit or Debit Card. This can be for one-off courses or a subscription membership to ongoing micro-learning content.

What data we collect and process

Services we use

Payment Processing

We use Stripe for Credit Card payment processing so we can provide ease of payment for our subscriptions and one-off courses to you.

The data that is processed by Stripe includes:

Here’s more information on Stripe’s privacy policy.

Email Service

We use Proton Mail for our business emails so we can receive order notifications and respond to you if there are any problems.

The data that is processed by ProtonMail includes:

Here’s more information on ProtonMail’s privacy policy.

Website Hosting

We use WP Engine for our website hosting infrastructure so we can deliver a fast and high quality experience for our website visitors and community members engaging in learning.

When you pay for a membership or a course in the Learning Marketplace this is all processed via our servers that are managed by WP Engine. Note that the credit card details are not stored.

Here’s more information on WP Engine’s privacy policy.

When you engage in learning activities and community collaboration

We provide micro-learning content and encourage people to share ideas and their progress as part of the courses they do. This means that the data generated in those interactions is being processed by us. 

Data we collect and process

When you add content to your member profile or timeline

We have features that enable you to create a social profile, build a reputation, and connect with other community members and make better, together. This means that when you add content (data) to your profile we collect and process it.

Data we collect and process

This is only stored within our WordPress environment hosted via WP Engine. It is not shared with any other parties.

Services we use

Website Hosting

We use WP Engine for our website hosting infrastructure so we can deliver a fast and high quality experience for our website visitors and community members engaging in learning.

When you do any of the micro-learning courses and social activities you generate data. When you add data to your profile and timeline it goes through our platform. This is all processed via our servers that are managed by WP Engine using Google Cloud infrastructure.

Here’s more information on WP Engine’s privacy policy.

When you CONSENT to be notified of a new course

When you want to be notified of an upcoming course we ask for your email so we can notify you when this course launches. 

Data we collect and process

When you consent to be notified of an upcoming course we’re launching we collect your email address. When that course is launched we send you an email to let you know it is available. This automated email is done through our WordPress plugins and handled by Amazon Simple Email Sending.

The data we collect and process is detailed below:

Services we use

Website Hosting

We use WP Engine for our website hosting infrastructure so we can deliver a fast and high quality experience for our website visitors and community members.

Our site runs on the open source content management system WordPress. When you request to be notified of an upcoming course the data is stored on Google Cloud Infrastructure in the EU via our hosting provider WP Engine.

Your email and data related to your interaction with email content is stored in our WordPress environment and processed by WP Engine.

Here’s more information on WP Engine’s privacy policy.

Email SENDING Service

We use Amazon Web Services' Simple Email Service to send all automated emails via our platform to ensure high performance and reliable delivery.

When you choose to be notified when a course goes live, an email is automatically sent to you. The sending of these emails is done via Amazon Web Services. This means the contents of these emails are sent as encrypted data through their servers.

Here’s more information on Amazon’s Simple Email Service and the company privacy policy.

Tools that enhance the learning experience

To enhance the overall learning experience of some courses we ask people to sign up for a Mural account. We do this to support visual communication and collaboration as part of the learning experiences we provide via the Greater Than Learning platform. While we don’t collect data for this, Mural do.

Visual Collaboration Toolkit

They’re collecting and processing way more data than what we detail here. But we aim to help them improve their disclosures by encouraging their team to join and learn with the Greater Than Learning community. Maybe we can help them evolve their architecture too. After all, we can learn and make better, together. 

Following are some basic details related to signing up for a Mural account.

So there are two specific scenarios that can take place.

Scenario one where you sign up for a standard trial with Mural and provide the following data:

Then scenario two is where you can sign up for the Mural Consultant Network and provide the following data:

We also use Mural to share templates you can use to customise your own toolkit. These may be embedded in pages on our site and in micro-learning experiences for you to use in enhancing your skillset.

You can find more details on Mural’s data collection and processing activities in their Privacy Policy.

How and where we store data

We securely store your data with our hosting provider WP Engine. They are based in the US but the server infrastructure is provided by Google Cloud. We’ve chosen Europe as a region for this cloud infrastructure but because Google has servers in different locations throughout Europe it means that all the different pieces of data can be in different specific locations. We also have a Content Delivery Network provided by Cloudflare. This means that the network of servers will temporarily (this is called caching) store some of your data in locations closest to you (Geographical Proximity). They will change where the data is stored based on the IP address of the computer you are accessing our website from. So as you can tell it is kinda complicated. 

Data retention

We retain the data we process about your account and learning experience only whilst you are an active member. If you choose to cancel your membership, we will enable you to export the data we have about you. We will then delete this data.

Data collected and processed for statistical purposes through Matomo analytics is retained for 6 months. You can also make a request for us to remove the data we have collected by making a subject access request. You can learn more about that here.

Approach to data security

We have a range of practices we use to keep your data secure. 

Core service providers we use that store your data

Website Hosting

Our dedicated WordPress hosting infrastructure

This service provider’s main business is located in Austin, Texas, United States and the server region for the Google Cloud Platform we use is Europe.

Here’s more information available from WP Engine.

 

Business Emails

Email notifications we receive go through ProtonMail

When you fill out a subject access request form or register interest in an upcoming course we get an email notification. The encrypted contents of that email go through ProtonMail’s servers.

Here’s more information on ProtonMail’s privacy policy.

Payment Processing

When you pay using a Credit or Debit card

When you purchase a membership or a course via the Learning Marketplace, Stripe processes the payment. We do not store any Credit/Debit Card details anywhere.

Here’s more information on Stripe’s privacy policy.

Your rights as a 'data subject'

You have fundamental rights we aim to uphold. We aspire to go above and beyond this. Under the General Data Protection Regulation all European Citizens have these rights. But, regardless of where in the world you call home, we’ve got your back (even if the regulators don’t).

Put simply, you have the right to clear and concise information about how we process your personal data. We’ve done a lot of work to design your right to be informed into the community experience and this Data Protection Notice.

This right is brought to life through a Subject Access Request. What this means is that you can request we give you a copy of the personal data and supplementary information we hold about you. You can do this in the very next section.

If we process or store data about you, you can ask to see it. If any data we hold about you is inaccurate or incomplete, you can request that we update or add to the data we have. 

This is sometimes referred to as the ‘right to be forgotten’. This isn’t an absolute right. But the basic gist is that, if we are not legitimately processing your personal data, you can request we delete the data we store about you. It’s worth noting this has a flow on effect, where we also have to notify any of our service providers that may be storing data about you. If you make this request, we will execute an operational process to delete the data from our systems. We will also submit a request to any relevant service providers to ensure they do the same.

In certain circumstances, you can request that we restrict processing your personal data. This is only likely to take place if you have a problem with the way or context in which we’re processing your personal data. This is related to the right to erasure and the right to object.

This gives you the ability to request a usable (machine readable) and readable copy of the personal and supplementary data we process about you. We’ve actually been testing this internally and it’s safe to say that what you get back is pretty extensive. 

As with other GDPR data subject rights, this is a bit of an ‘it depends’ situation. However, this basically means you can ask us to stop processing your personal data.

We do not conduct automated profiling or automated decision-making. 

There’s a lot of very detailed information available about your Data Subject Rights. An Ecosia, Brave or Duck Duck Go search for “what are my data subject rights under GDPR” will give you everything you likely want and need to know.

Subject Access Requests

If you are an EU citizen you can submit a request to exercise any of your rights. If you’re not, we’ll still respect the request.

Frequently Asked Questions

We’ve been putting in lots of initial effort to protect your data. You can learn more about this work by viewing our key decision log or our public roadmap.

Part of this commitment to openness is accepting, documenting and communicating our trade offs. Our platform is built on WordPress. We use third party plugins. These third parties state that they protect your data, but we can’t verify this to the extent we’d like to. Good luck finding service providers operating in the age of surveillance capitalism that even know how they process personal data. If they do, being honest about it is another issue entirely.

We’ve designed a series of security practices too. These are embedded into the platform and our internal workflows. We recognise these practices will continually evolve. We hope we can go on that journey together with community members. In fact, we want to progressively evolve the platform to limit the data we process considerably. Key aspects of this will be documented in our public roadmap, which you can contribute to 👍

If you come across any service providers that are decentralised, free and open source, private, interoperable, privacy by design, easy to integrate with and have sustainable and ethical business models, please let us know.

Great question…🧐

This is kinda complicated. It’s part of the problem with the way the modern world wide web works. It’s something we hope we can help address. But let’s try get to a solid enough answer for now.

Our hosting provider is based in the US. Our server infrastructure is provided by Google Cloud. So we’ve chosen Europe as a region for this cloud infrastructure. Because Google has servers in different locations throughout Europe, it means that all the different pieces of data can be in different specific locations. As above, it’s a bit complicated. 

We also have a Content Delivery Network (CDN) provided by Cloudflare. This means that the network of servers will temporarily (this is called caching) store some of your data in the locations closest to you (Geographical Proximity). They will change where the data is stored based on where you are. They do this based on the IP address of the computer you are accessing our website from. 

We do aim to provide more specific information on this as we grow and hassle our service providers more (which, we hope you’ll be happy to know, we’ve been doing a decent job of already!). A real-time map would be cool, but it’s pretty hard for us to build on a shoestring budget. Maybe one day… We hope that helps answer your question 🙂

In simple terms, analytics help us understand how well our website is helping people achieve the stuff they’re using it for. Specifically we mean:

  • Website performance issues, such as whether pages are loading fast enough
  • The pages visitors are accessing and when
  • How people might be responding to certain content. For instance, if lots of people are pausing on one page or dropping off on another, we might infer something is wrong. We can then try fix it by asking questions and conducting qualitative research, and
  • Basically everything we need to do to try and deliver a truly valuable, meaningful and engaging community member experience

It might be worth touching on this quickly. In ‘User Research’ there are four quadrants we pay attention to. Based on the questions we’re asking and answers we seek, we employ different research methods. If we’re trying to understand what, we do quantitative behavioural research. If we want to better understand why, we do qualitative attitudinal research. Nielsen Norman Group have a great article on this titled, “A Landscape of User Research Methods”. A quick Ecosia, Brave or Duck Duck Go search will help you find it 💥

You can submit a subject access request form here. We’re doing everything we can to make this process as simple and effective as possible.

Executing risk-based workflows helps to decrease the likelihood of breaches. However, if we believe a data breach may have occurred, we execute an operational process aligned to the recommendations made by the Office of the Australian Information Commissioner as part of the Notifiable Data Breaches Scheme.

Basically we:

  1. Assess the incident
  2. Mitigate the impact
  3. Communicate with relevant stakeholders, and
  4. Ensure any preventable weaknesses are improved as quickly as possible

Putting it simply, if we make a mistake we will own it and do whatever we can to ensure we don’t make it again.

We all make trade offs. You can see ours.

As part of our approach to operationalising ethics, we make decisions, document those decisions and attempt to verify that those decisions are the most socially preferable in the eyes of our community members and key stakeholders.

Use of Data Protection icons

We’ve used the “DaPIS (Data Protection Icon Set)” created by CIRSFID, Università di Bologna and Accademia di Belle Arti di Bologna. You can learn more about it here.

DaPIS is released under a Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0).

Initial Privacy Impact Assessment

We selected an external vendor, Ground Up Consulting, to conduct a concept PIA before we launched Greater Than Learning. 

You can view the recommendations and entire report here.