Summary
Our policy in 5 points:
- We record anonymous information about you when you visit our website.
- When you give us your personal information (name, email etc.) we use it for the purpose you gave it to us (email newsletter, purchase receipts etc.), share it with relevant third parties (like PayPal and Mailerlite), and store it.
- We take data security very seriously and do everything in our power to keep your personal information secure. We limit access to the people in our team who need it, we keep the amount we hold to a minimum, we try not to hold on to it for longer than is necessary, and we protect it with passwords and other security measures.
- You have the right to access and correct the personal data we store about you, to restrict what we do with it, and to ask us to remove it entirely.
- This privacy policy only covers your interactions with us on the web. It doesn’t cover joining as a member of the Alliance or the data we collect as part of our research work.
Introduction
This document covers all the interactions you can have with us on our websites in which we collect personal data. It also covers interacting with us on X (Twitter), LinkedIn, and other social media websites on which we have an official account.
The websites covered by this policy are:
- spaceskills.org (main Space Skills Alliance website)
- craft.spaceskills.org (website for the SpaceCRAFT competencies framework)
- training.spaceskills.org (website for the Space Training Catalogue)
Space Skills Alliance
In this document ‘Space Skills Alliance’, ‘SSA’, ‘we’, and ‘us’ refer to Space Skills Ltd, registered company number 12209851, represented by its directors and employees. We are registered with the Information Commissioner’s Office with certificate number ZA828423.
We are the data owners and controllers. Our Data Protection Officer is Joseph Dudley.
Contacting us
If you would like to see this policy include something else, or have any questions, please email us at info@spaceskills.org. You can also raise data privacy concerns directly with the Information Commissioner’s Office.
Amendments
This document may be updated from time to time by agreement of the Directors. We will notify you by email if we store your personal information and you will be affected by the changes.
Definitions
We use a number of technical terms in this document that you may be unfamiliar with. These are explained below.
Google Drive
Google Drive is a cloud storage service provided by Google. We use it to store the majority of our organisational documents, as well as some of the personal data we collect. Google Drive keeps track of all revisions to documents, which means that it is very difficult to permanently delete information once it has been stored on Google Drive.
Hashing
Hashing some information irreversibly transforms it into something unintelligible but unique. Hashing information is a way of protecting it whilst still making it possible to compare it against other information. You can find a full explanation of hashing in this article.
Lawful bases
A lawful basis is a legal reason why we store and process personal data. There are six available lawful bases as outlined in the General Data Protection Regulation (GDPR). We use three in this document:
Legitimate interest
Legitimate interest means using data in ways you would reasonably expect, and which have a minimal privacy impact. It is the basis for most of our processing. For example, we use email addresses to send emails, and names to make name badges.
Whenever we don’t have a compelling reason to need personal data, we ask for consent and/or make the fields optional.
Consent
Consent means asking for permission to store and process personal data. We usually ask for consent even when it is not legally required, to make it explicitly clear that we will be processing your information.
Legal obligation
Some data we are required to retain by law. This primarily applies to transaction data, which HMRC requires we keep for 6 years following the end of the financial year or longer in some cases.
Web servers and databases
When we refer to our web servers, we are talking about computers owned and operated on our behalf by Heroku, our hosting provider. These servers store the files and database for our websites and provide them to website visitors and our team.
Data we collect
This section covers all the interactions you can have with us in which we collect personal data. For each interaction, we have detailed:
- What data is collected
- Where it is stored, and for how long
- What it is used for
- Whether it is shared with any third parties
If you do not provide information marked in a data collection form as mandatory, we will not be able to provide the services you have requested. Most of our collection forms will not allow you to proceed if you do not provide the required information.
Accessing our websites
We store up to three distinct kinds of records when you access one of our websites. The data is processed to compile statistical reports on website activity. We use these reports to evaluate aggregate visitor usage so that we can optimise the content and identify what is performing well and why.
Server logs
Our web server automatically logs all requests for webpages. This is standard procedure for most websites.
This means that whenever anyone or anything loads one of our webpages or submits data, the action will be logged. Each log entry contains the requester’s IP address (a kind of name computers use to identify each other), some details about the browser they are using, and the name of the page that has been requested (more information can be found here). All such logs are anonymous.
Server logs are stored by our web host on their servers. We can request access to the last 30 days of logs. We rarely use full server logs. From time to time they are analysed by our team to troubleshoot problems, particularly spam attacks.
Internal logs
Additionally, we run our own logging system that operates in a similar way but only logs the visitor’s IP address and the details of the page they are visiting. All such logs are anonymous, and are stored in our database indefinitely.
Plausible Analytics
On all of our websites we use Plausible Analytics for website traffic tracking.
Plausible does not use cookies or any persistent identifiers and does not collect or store any personal or identifiable data. All of the data is aggregated data only and it has no personal information. Typical examples of the information that’s recorded are:
- Which page you are visiting
- Which website you came from, if you followed a link
- What kind of device and browser you are using
- Where in the world you are visiting from (at city level)
You can learn more about Plausible's data collection by reading their data policy.
Emailing us
When you email any @spaceskills.org or @spaceskillsalliance.org address, copies of your email are stored on Google’s Gmail servers indefinitely, and we use your email to respond to your query.
Interacting with us on social media
When you interact with any of our social media accounts (for example on Twitter and LinkedIn) this interaction is recorded on the platform you use and stored indefinitely. We have no control over this, but will only use your information to respond to you on the platform unless you give us permission to contact you some other way.
Subscribing to our newsletters
When you register for one of our email newsletters, we ask you to provide your email address so that we can email you.
Data for our mailing list is stored by MailerLite, our email marketing provider, until you unsubscribe.
We may prune our mailing list from time to time, removing subscribers who do not open our newsletter. You will not be notified of your removal.
Buying from us
This section relates to buying goods and services via our website. It does not cover contracts that we might enter into with you for research and consultancy work.
Event tickets
When you purchase, or attempt to purchase, a ticket for an event, we ask for various personal details, which we store in our database, and additionally in PayPal’s systems. Your financial information is processed directly by PayPal, and we cannot see your card or bank details. If you provide explicit consent, then we will add your email address to our mailing list.
Data | Reason | Duration | Shared? |
---|---|---|---|
Name, billing address | Legally required as part of the transaction record | Max 7 years, then destroyed | Yes, with PayPal |
Email address | Legally required as part of the transaction record | Max 7 years, then hashed | Yes, with PayPal |
Email address | For mailing list | Until unsubscribed | With MailerLite, if consent given |
All other fields | Aggregate analysis | Indefinite | Yes, in anonymous aggregated form |
We are required under the law to keep transaction data for a period of 6 years after the financial year in which the transaction was made.
Attending one of our events
If you attend one of our events we ask for your name and email address, which we store in our database, as well as some other optional information.
If someone else bought your ticket, then they will have provided this information on your behalf.
Data | Reason | Duration | Shared? |
---|---|---|---|
Name | For contact | 1 year, then destroyed | Yes, with venue if required |
Email address | For contact | 1 year, then hashed | No |
All other fields | Aggregate analysis | Indefinite | Yes, in anonymous aggregated form |
Third parties
We share and sell information only in the ways explained below. When sharing identifiable personal information, we only share what is necessary.
Data processors
We share certain identifiable personal data with third parties who do processing on our behalf.
| Party Name | Purpose | Data We Share |
|---|---|---|
| PayPal | To process financial transactions on our behalf. | Name, Email address, Billing address |
| Heroku | To provide data storage for our data and a platform on which we build our websites | All data |
| | To provide cloud-based email services, hosting, storage and processing services to assist and/or enable us to manage personal data, and deliver, analyse and improve our services. | All data |
| MailerLite | To provide bulk mailing services for our email newsletter. | Email address |
Service partners
Some data we have to share with third parties in order to provide the services you are expecting from us. We do not always know in advance what we will have to share or with whom, but we will always minimise the amount of information that is shared.
Media companies
Some of the content on our website might be embedded from somewhere else, for example a video from YouTube or Facebook’s ‘Like’ button.
We do not explicitly share any personal data with these companies in this way, but embedded content may track your interaction with our content. We cannot disable this tracking, but you can do so by altering your browser settings or installing software which blocks third party tracking.
Event partners
We may share information such as your name and organisational affiliation with our event partners (for example the venue hosting an event) where necessary, but we will not share your contact details.
Organisational Partners and the Public
We share and publish anonymised aggregate data in a variety of formats.
The public
We share anonymised aggregate data in reports we publish publicly. We do this as part of our advocacy work to promote student involvement in the space sector.
Government and statutory bodies
If we are legally compelled to hand over information, we will comply. This could include handing information to law enforcement, or providing it as part of audits.
How we protect data
We take data security very seriously and do everything in our power to keep your personal information secure.
- We audit our data to ensure we are keeping only information we need
- We carefully limit what can be accessed publicly, and protect the rest with passwords
- We use protocols such as HTTPS, Single Sign-On, and Multi-Factor Authentication to minimise the chances of someone intercepting data or one of our passwords
- We monitor our servers and databases for suspicious activity
Data breaches
We have a comprehensive action plan and checklist for data breach incidents. If we identify that personal data has been exposed, we will make this news public and notify any affected individuals. We will also act to identify the cause of the breach and take steps to prevent it from happening again.
Your rights
Your rights relating to your data are written into law under the Data Protection Act, and the General Data Protection Regulation. These are:
- The right to be informed – You have a right to be informed about how we collect, process, and store your personal data. This information is provided in this document.
- The right of access – You have a right to access the personal data we store about you.
- The right to rectification – You have a right to have inaccurate details corrected.
- The right to erasure – You have a right to have personal data erased.
- The right to restrict processing – You have a right to restrict the way in which we process your personal data.
- The right to data portability – You have the right to obtain the personal data we store about you in a structured machine readable format.
- The right to object – You have the right to object to the way in which we process your personal data.
- Rights in relation to automated decision making and profiling – This right does not apply as we do not engage in automated decision making or profiling.
To exercise any of the rights listed above, please email us including your name and outlining the ways in which you have interacted with us. You must also provide proof of identity, which can include sending the email from an address we have on record.