For the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, (“GDPR”), the Data Protection Act 2018, the Austrian Data Protection Act and any applicable national implementing laws, regulations and secondary legislation relating to the processing of personal data (together “Data Protection Law”), we are the data processor.
‘Personal data’ is defined in accordance with Data Protection Law.
This document should be read together with the Data Processing Agreement which lays out in further detail the roles and responsibilities of each party. This Data Processing Agreement is signed by more onion and our clients as a part of the Impact Stack contract that all clients must sign to use the Impact Stack platform.
Legal basis for data collection
What data do we collect?
The nature of the data collected and stored by Impact Stack is determined by clients, but may include:
- Personal identification information (Name, email address, postal address phone number, etc.)
- Information on donations made and other forms completed, including any form field values (amount of donation, motivation, messages to politicians etc)
- No sensitive personal data (as defined by GDPR) may be collected through Impact Stack
- We do not collect or store any credit card information. This type of information is passed directly to payment processors the client has a direct relationship with
- We do collect payment information when clients choose to ask for bank account and sort codes to process direct debits
How do we collect your data?
The data is collected through several methods:
- Data files transferred to us by the client
- Data files loaded into Impact Stack or a given to us via a secure file sharing folder by the client
- Data inputted into Impact Stack forms directly by supporters
- Data automatically imported from other tools, such as email marketing tools used by the client
How will we use your data?
Data is collected and stored for the sole purposes of clients. For further details on how this data will be processed by clients, please consult clients’ own Privacy Policies.
Personal Data will be processed to the extent necessary to provide the Impact Stack platform in accordance with both the contractual agreement and the client’s instructions (as Data Controller). We process Personal Data only on behalf of the Controller. Processing operations include, but are not limited to:
- sending emails to campaign targets as designed by clients
- sending data to third party services such as email broadcast tools and CRMs through integrations and webhooks
- processing donations, storing form completion data. This operation relates to all aspects of Personal Data processed
- Analysing the data on behalf of the client
How do we store your data?
Your information may be stored in a number of locations, including:
- In databases and log files on our webservers
- Our secure file transfer service, NextCloud
- On local computers or mobile devices for the purpose of data processing
Our data centres (applicable to 1. and 2.) are based in Germany and we never move personal data outside of the EEA and the UK.
We will never use supporter data held in Impact Stack for marketing purposes.
What are your data protection rights?
Supporters are entitled to the following:
The right to access – You have the right to request that More Onion Ltd or More Onion GmbH provides copies of personal data held about you. We have the right to charge a reasonable fee for the administrative costs of such requests if they are manifestly unfounded or excessive; or if an individual requests further copies of their data following a request.
The right to rectification – You have the right to request that we correct any information that you believe to be inaccurate. You also have the right to ask us to complete information that you believe to be incomplete.
The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions
The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
The right to data portability – You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
Supporters should exercise these rights by directly contacting the client, ie Data Controller, who will in turn instruct us as Data Processor to action this request.
What are cookies?
Cookies are placed on your computer to collect standard internal log information and visitor behaviour information. When you visit a website that runs on Impact Stack, we may collect information from you automatically through cookies or similar technology (such as session storage).
For further information, visit https://www.allaboutcookies.org/
- Understanding, analysing and optimising how you interact with Impact Stack
- To improve your experience using Impact Stack
- To allow our clients to analyse, optimise and to further tailor communications with you
What types of cookies do we use?
The table below explains the cookies we use and why we use each of them.
Impact Stack Webform Tracking
The Impact Stack webform tracking cookie is used for analysis and optimisation purposes. The data from the cookie will be saved with any form submissions you make on our websites.
Drupal 7 „Java Script enabled“
This cookie is used to keep a record of whether the browser has Java Script enabled or not. This cookie is required for the site to function.
Impact Stack Webform prefilling
Impact Stack saves your data in the session storage so you don’t have to fill in the same information multiple times while using the platform. This data is saves when you land on the page where your data is passed through via the URI parameter or once you have submitted a form on the platform. The data is deleted as soon as the session is closed.
How to manage your cookies
You can set your browser to not accept cookies, and the above website will tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Privacy policies of other websites
Protection of your data
All information you provide to Impact Stack for processing is stored on our secure servers. Any credit card information, payment transactions and form submission will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of the Impact Stack platform or services, you are responsible for keeping this password confidential. We ask you not to share any password with anyone.
Unfortunately, the transmission of information via the Internet is not completely secure. Although we will endeavour to protect your personal data, we cannot guarantee the security of your data transmitted to Impact Stack or the services. Any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Where we store your data
All Impact Stack services are hosted on servers in Germany, however the Impact Stack services are global and your information (including personal data) may be stored and processed in the European Union or the United Kingdom where we have operations or where we engage service providers, and we may transfer your information to countries outside of your country of residence, which may have data protection rules that are different from those of your country of residence.
The personal data that we collect from you may therefore be transferred to, and stored at, a destination inside the European Economic Area ("EEA") or the UK. It may also be processed by staff operating inside the EEA or UK who work for us or for one of our suppliers or partners. Such staff or subcontractors may be engaged in, among other things, the fulfilment of your order, the processing of your payment details or the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing inside of the EEA or the UK.
Impact Stack services are accessible via the internet and may potentially be accessed by anyone around the world. Other users may access Impact Stack services from outside the EEA or the UK. This means that where you chose to post your data on Impact Stack based websites or within the services, it could be accessed from anywhere around the world and therefore a transfer of your data outside of the EEA or the UK may be deemed to have occurred. You consent to such transfer of your data for and by way of this purpose.
We retain personal data for as long as necessary for the relevant activity for which it was provided or collected. Specific timelines on data retention and expiry are to be determined by the Data Controller (the Client).
The detailed information on how long we retain data and for what purpose is regulated by the data processing agreement between Impact Stack and the client using the Impact Stack service.
We will retain de-personalised information after your account has been closed.
Please note: After you have closed your account or deleted information from your account, any information you have shared with others will remain visible. We do not control data that other users may have copied from our Websites or the services. Your profile may continue to be displayed in the services of others (e.g. search engine results) until they refresh their cache.
Age of Users
Our services are not intended for and shall not be used by anyone under the age of 16.
How to contact us
You can contact us at firstname.lastname@example.org if you have any questions or would like to exercise one of your data protection rights.
How to contact the appropriate authorities
Should you wish to make a complaint or if you feel that we have not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office.
For individuals located in the EU: To our lead supervisory authority in Austria: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria.
For individuals located in the UK: The Information Commissioner’s Office at, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, England.