Privacy

Web Privacy Policy

Summary

Our policy in 5 points:

  1. We record anonymous information about you when you visit our website. We do this primarily through Google Analytics and server logs. Third party content like YouTube videos and Facebook ‘Like’ buttons probably track you, but we can’t do anything about that.
  2. When you give us your personal information (name, email etc.) we use it for the purpose you gave it to us (email newsletter, purchase receipts etc.), share it with relevant third parties (like PayPal and Mailchimp), and store it.
  3. We take data security very seriously and do everything in our power to keep your personal information secure. We limit access to the people in our team who need it, we keep the amount we hold to a minimum, we try not to hold on to it for longer than is necessary, and we protect it with passwords and other security measures.
  4. You have the right to access and correct the personal data we store about you, to restrict what we do with it, and to ask us to remove it entirely.
  5. This privacy policy only covers your interactions with us on the web. It doesn’t cover joining as a member of the Alliance or the data we collect as part of our research work.

Introduction

This document covers all the interactions you can have with us on our website in which we collect personal data. It does not cover interacting with us on Facebook, Twitter, Google+, Flickr, Instagram, or any other social media website we have an official account on.

The Space Skills Alliance

In this document ‘SSA’, ‘the Alliance’, ‘we’, and ‘us’ refers to the Space Skills Alliance, registered company number pending, represented by its Directors and employees.

Contacting Us

If you would like to see this policy include something else, or have any questions, please email us at [email protected]. You can also raise data privacy concerns directly with the Information Commissioner’s Office.

Amendments

This document may be updated from time to time by agreement of the Directors. We will notify you by email if we store your personal information and you will be affected by the changes.

Definitions

We use a number of technical terms in this document that you may be unfamiliar with. These are explained below.

Google Drive

Google Drive is a cloud storage service provided by Google. We use it to store the majority of our organisational documents, as well as some of the personal data we collect. Google Drive keeps track of all revisions to documents, which means that it is very difficult to permanently delete information once it has been stored on Google Drive.

Hashing

Hashing some information irreversibly transforms it into something unintelligible but unique. Hashing information is a way of protecting it whilst still making it possible to compare it against other information. You can find a full explanation of hashing in this article.

Lawful Bases

A lawful basis is a legal reason why we store and processes personal data. There are six available lawful bases as outlined in the General Data Protection Regulation (GDPR).

Legitimate Interest

Legitimate interest means using data in ways you would reasonably expect, and which have a minimal privacy impact. It is the basis for most of our processing. For example, we use email addresses to send emails, and names to make name badges.

Whenever we don’t have a compelling reason to need personal data, we ask for consent and/or make the fields optional.

Consent

Consent means asking for permission to store and process personal data. We usually ask for consent even when it is not legally required, to make it explicitly clear that we will be processing your information.

Legal Obligation

Some data we are required to retain by law. This primarily applies to transaction data, which HMRC requires we keep for 6 years following the end of the financial year or longer in some cases.

Websites

Our websites are various webpages found at the spaceskills.org and spaceskillsalliance.org domains.

Web Servers and Databases

When we refer to our web servers, we are talking about computers owned and operated on our behalf by Tsohost, our hosting provider. These servers store the files and database for our websites and provide them to website visitors and our team.

Data We Collect

This section covers all the interactions you can have with us in which we collect personal data. For each interaction, we have detailed:

  • What data is collected
  • Where is it stored, and for how long
  • What is it used for
  • Whether it is shared with any third parties

If you do not provide information marked in a data collection form as mandatory, we will not be able to provide the services you have requested. Most of our collection forms will not allow you to proceed if you do not provide the required information.

Accessing our Websites

We store up to three distinct kinds of records when you access one of our websites. The data is processed to compile statistical reports on website activity. We use these reports to evaluate aggregate visitor usage so that we can optimise the content and identify what is performing well and why.

Server Logs

Our web server automatically logs all requests for webpages. This is standard procedure for most websites.

This means that whenever anyone or anything loads one of our webpages or submits data, the action will be logged. Each log entry contains the requester’s IP address, some details about the browser they are using, and the name of the page that has been requested (more information can be found here). All such logs are anonymous.

Server logs are stored by our web host on their servers. We can request access to the last 30 days of logs. We rarely use full server logs. From time to time they are analysed by our team to troubleshoot problems, particularly spam attacks.

Internal Logs

Additionally we run our own logging system that operates in a similar way but only logs the visitor’s IP address and the details of the page they are visiting. All such logs are anonymous, and are stored in our database indefinitely.

Google Analytics

On top of this we run Google Analytics, which uses “cookies” (small text files placed on your computer) to collect standard internet log information and visitor behaviour information in an anonymous form. Typical examples of the information that’s recorded are:

  • Which links you clicked
  • Whether you’ve ever visited our website before
  • How long you spent on a page

Google Analytics data is stored on Google’s servers. Data associated with cookies, user identifiers or advertising identifiers is retained for 26 months after last user access. Anonymous aggregated data is stored forever. You can disable this tracking by altering your browser settings or installing software which blocks third party tracking.

Emailing Us

When you email any @spaceskills.org or @spaceskillsalliance.org address, copies of your email are stored on Google’s Gmail servers.

Subscribing to our Newsletters

When you register for one of our email newsletters, we ask you to provide your email address so that we can email you.

Data for our mailing list is stored by Mailchimp, our email marketing provider, until you unsubscribe.

We may prune our mailing list from time to time, removing subscribers who do not open our newsletter. You will not be notified of your removal.

Buying from Us

Event Tickets

When you purchase, or attempt to purchase, a ticket for an event, we ask for various personal details, which we store in our database, and additionally in PayPal’s systems. Your financial information is processed directly by PayPal, and we cannot see your card or bank details. If you provide explicit consent, then we will add your email address to our mailing list.

Data Reason Duration Shared?
Name, billing address Legally required as part of the transaction record Max 7 years, then destroyed Yes, with PayPal
Email address Legally required as part of the transaction record Max 7 years, then hashed Yes, with PayPal
Email address For mailing list Until unsubscribed With Mailchimp, if consent given
All other fields Aggregate analysis Indefinite Yes, in anonymous aggregated form

We are required under the law to keep transaction data for a period of 6 years after the financial year in which the transaction was made.

We hash your email address rather than destroying it so that we can see trends in how many events people attend, without compromising your anonymity.

Attending one of our Events

If you attend one of our events we ask for your name and email address, which we store in our database, as well as some other optional information.

If someone else bought your ticket, then they will have provided this information on your behalf.

Data Reason Duration Shared?
Name For contact 1 year, then destroyed Yes, with venue if required.
Email address For contact 1 year, then hashed. No
All other fields Aggregate analysis Indefinite Yes, in anonymous aggregated form

We hash your email address rather than destroying it so that we can see trends in how many events people attend, without compromising your anonymity.

Third Parties

We share and sell information only in the ways explained below. When sharing identifiable personal information, we only share what is necessary.

Data Processors

We share certain identifiable personal data with third parties who do processing on our behalf.

Party Name Purpose Data We Share
PayPal To process financial transactions on our behalf. Name,
Email address,
Billing address
Tsohost To provide data storage for our data and a platform on which we build our websites All data
Google To provide cloud-based email services, hosting, storage and processing services to assist and/or enable us to manage personal data, and deliver, analyse and improve our services. All data
Mailchimp To provide bulk mailing services for our email newsletter. Email address

Service Partners

Some data we have to share with third parties in order to provide the services you are expecting from us. We do not always know in advance what we will have to share or with whom, but we will always minimise the amount of information that is shared.

Media Companies

Some of the content on our website is embedded from somewhere else. For example a video from YouTube, or Facebook’s ‘Like’ button.

We do not explicitly share any personal data with these companies in this way, but embedded content may track your interaction with our content. We cannot disable this tracking, but you can do so by altering your browser settings or installing software which blocks third party tracking.

Event Partners

We may share information such as your name and organisational affiliation with our event partners (for example the venue hosting an event) where necessary, but we will not share your contact details.

Organisational Partners and the Public

We share and publish anonymised aggregate data in a variety of formats.

The Public

We share anonymised aggregate data in reports we publish publicly. We do this as part of our advocacy work to promote student involvement in the space sector.

Government and Statutory Bodies

If we are legally compelled to hand over information we will comply. This could include to law enforcement, or as part of audits.

How we Protect Data

We take data security very seriously and do everything in our power to keep your personal information secure.

  • We audit our data to ensure we are keeping only information we need
  • We carefully limit what can be accessed publicly, and protect the rest with passwords
  • We use protocols such as HTTPS, Single Sign On, and Two Factor Authentication to minimise the chances of someone intercepting data or one of our passwords
  • We set monitor our servers and databases for suspicious activity

Data Breaches

We have a comprehensive action plan and checklist for data breach incidents. If we identify that personal data has been exposed, we will make this news public and notify any affected individuals. We will also act to identify the cause of the breach and take steps to prevent it from happening again.

Your Rights

Your rights relating to your data are written into law under the Data Protection Act, and the General Data Protection Regulation. These are:

  1. The right to be informed – You have a right to be informed about how we collect, process, and store your personal data. This information is provided in this document.
  2. The right of access – You have a right to access the personal data we store about you.
  3. The right to rectification – You have a right to have inaccurate details corrected.
  4. The right to erasure – You have a right to have personal data erased.
  5. The right to restrict processing – You have a right to restrict the way in which we process your personal data.
  6. The right to data portability – You have the right to obtain the personal data we store about you in a structured machine readable format.
  7. The right to object – You have the right to object to the way in which we process your personal data.
  8. Rights in relation to automated decision making and profiling – This right does not apply as we do not engage in automated decision making or profiling.

To exercise any of the rights listed above, please email us including your name and outlining the ways in which you have interacted with us. You must also provide proof of identity, which can include sending the email from an address we have on record.