🔑 Core Contributor Privacy Policy

This Privacy Notice is effective as of February 2022.

This Privacy Notice refers to our commitment to treat all Personal Data (as defined below) of the relevant individuals, including contractors, and Provider’s Workers providing services to the Beneficiary (“Data Subjects”), with the utmost care and confidentiality.

With this Privacy Notice, we ensure that we gather, store, protect and handle Personal Data fairly, transparently and with respect towards individual rights, even after the termination of the contractual relationship with the Beneficiary, where applicable.

We process Personal Data lawfully, fairly, securely and in a transparent manner. We only collect and process Personal Data that is adequate, relevant and limited to what is necessary for specified, explicit and legitimate purposes and we do not further process such Personal Data in a manner that is incompatible with those purposes. We keep Personal Data accurate and up to date and keep it in a form which permits identification of Data Subjects for no longer than is necessary.

This Privacy Notice is issued by the Beneficiary, to explain how we process Personal Data before, during and after any contractual relationship with us and in connection with affiliation with us. We process Personal Data, in accordance with the applicable data protection laws, including the EU General Data Protection Regulation 2016/679 (the “GDPR”) where applicable. The Beneficiary is the entity that is considered the controller with respect to Personal Data processed by us.

In this Privacy Notice where we refer to "we" or "us", we mean the Beneficiary.

What data do we collect?

The Beneficiary will process certain Personal Data related to Data Subjects. "Personal Data" means any information relating to an individual and processed by us, including any information through which an individual can be identified or identifiable, directly or indirectly, which may include:

• Contact and general information, such as name, surname, postal and/or email address, phone number, date of birth, gender, marital status, and photo (if such is provided to us).
• A resume and any other information required to apply for the role with the Beneficiary.
• Professional information, such as education credentials and professional experience and qualifications, professional networks, training employment history, board memberships and employment status.
• Other information, if applicable, such as government issued identification number, social security number, identification document, passport, or national insurance details where required by law, tax status, bank account details, wallet address, travel and expenses, performance management, emergency contact details, compensation, holidays and benefits related information.
• In case of contractors, details of the deliverables and/or services provided to compensate appropriately.
• Assessments of a performance during the trial period and on an ongoing basis (based on peer feedback and evidence of performance provided, as relevant) and where relevant, details of periods of leave taken, and notes of relevant discussions as applicable. We endeavour to maintain accurate information.

How do we collect Personal Data?

Sometimes individuals directly provide us with most of their Personal Data we process. We collect and process Personal Data when someone registers online or applies for a position through any online site where the Beneficiary posts a new role and when they enter into a contractual relationship with us. Sometimes we will obtain Personal Data from alternative sources, including but not limited to: other affiliates and service providers (such as recruitment agents and background checking services to the extent permitted by applicable law) and government bodies where required by law (such as tax authorities). If the requested information is not provided, we may be unable to conduct certain business operations or comply with the applicable legislation. We may also receive Personal Data indirectly from sources such as Greenhouse, or others.

Exceptionally, we might process sensitive information and only for limited and strictly defined purposes, such as equal opportunities monitoring and diversity monitoring and initiatives may involve us using race or ethnicity data such as information contained in the passport or other citizenship document.

How will we use Personal Data?

We will process Personal Data for the following purposes:

• For entering into and the performance of a contract with an individual and to manage our contractual relationship, including business communication, maintaining relevant records, payment of compensation, evaluations, and legally required procedures.
• For the purposes of the legitimate interests pursued by us and in our role as the controller of Personal Data.
• To comply with applicable laws and regulations.

Where relevant, we will only process Personal Data with an express prior consent of the Data Subjects.

We store most of Personal Data in our internal systems. We keep some data in a secure Google Drive folder. Between affiliates of the Beneficiary we only grant access to Personal Data on a need-to-know basis, necessary for the purposes for which such access is granted. In some cases, the Beneficiary uses third parties located in various countries to collect, use, analyse, and otherwise process Personal Data on its behalf. We tightly control access to the data to only members of the organisation that have a valid reason to access the information (generally - Legal, People Ops and Finance).

We maintain records of processing of Personal Data in accordance with the applicable laws, including obligations established by the GDPR.

How do we share Personal Data?

We may share Personal Data with our group entities and third-parties in accordance with the applicable laws. When we share Personal Data with a data processor, we will put the appropriate legal framework in place in order to cover data transfer and processing.

Outsourcing

We may outsource all or part of Personal Data processing to outsourcee. When executing an outsourcing agreement, the eligibility of the counterparty as an outsourcee is sufficiently investigated. Safety management measures, confidentiality, conditions for the outsourcee to outsource to another party, and other matters regarding the appropriate processing of the data are prescribed in the outsourcing agreement, and our outsourcees are appropriately supervised by implementing periodic monitoring, etc. of the outsourcing conditions.

Corporate affiliates and corporate reorganisations

We may share Personal Data with all our corporate affiliates. In the event of a merger, corporate reorganisation, acquisition, joint venture, assignment, transfer, sale or disposition of all or any portion of our business (including in connection with any bankruptcy or similar proceedings), we may transfer any and all Personal Data to the relevant third party.

Legal compliance and security

It may be necessary, by law, legal process, litigation, and/or requests from public and relevant governmental authorities that we disclose Personal Data. We may also disclose Personal Data if we determine that, for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.

We may also disclose Personal Data if we determine in good faith that disclosure is reasonably necessary to protect our rights and pursue available remedies, enforce our internal regulations, investigate fraud, or protect our operations or users.

Transferring data

Disclosures or sharing of Personal Data as described above may involve transferring Personal Data out of the EEA. For each of these transfers we make sure that we provide an adequate level of protection to the data transferred.

Sharing

We may share the minimum necessary amounts of Personal Data with the following third-party partners as required and applicable for statutory filings, benefits, and reporting, these include:

1. Greenhouse
2. Juro Online Limited
3. Google LLC
4. Bamboo HR LLC
5. Spiff Workflow
6. Odoo

There might be other third-party providers we will use in the future. If necessary, we will request the relevant Data Subjects’ permission before releasing Personal Data to any other third-party.

How do we secure Personal Data?

The Beneficiary takes the protection of Personal Data seriously and we intend to protect Personal Data and to maintain its accuracy. We process Personal Data in a manner that ensures such data undergoes appropriate security (including protection against unauthorised or unlawful processing and against accidental loss, destruction damage, unauthorised access, use and disclosure etc.) using appropriate technical or organisational measures to achieve this. We also require that our suppliers and providers protect such information from unauthorised access, use and disclosure.

How long will we store Personal Data?

We will not retain Personal Data longer than necessary to fulfil the purposes for which it is processed, including the security of our processing, complying with legal and regulatory obligations (e.g. audit, accounting and statutory retention terms), handling disputes, and for the establishment, exercise or defence of legal claims in the countries where we do business.

Therefore, we will hold Personal Data for a maximum of six years if an individual is a contractor and for a maximum of 18 months, if an individual is a candidate, to comply with applicable laws.

What are applicable data protection rights?

We would like to make sure that we inform Data Subjects of all data protection rights, such as:

The right to access - The right to obtain from us confirmation as to whether or not Personal Data concerning the individual is being processed and request access to and copies of such Personal Data.

The right to rectification - The right to obtain from us without undue delay the rectification of inaccurate Personal Data concerning the individual. The right to request us to complete Personal Data that is incomplete.

The right to erasure - The right to request that we erase Personal Data without undue delay, under certain conditions.

The right to restrict processing - The right to request that we restrict the processing of Personal Data, under certain conditions.

The right to object to processing - The right to object to processing of Personal Data by us, under certain conditions.

The right to data portability - The right to receive Personal Data we process, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller, under certain conditions.

The right not to be subject to profiling and automated decision making - The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affecting them.

The additional rights pursuant to local laws applicable to the processing of Personal Data.

For more information on how to exercise any of these rights, please contact us at email [email protected]. After receiving a request, we have one month to respond.

How to lodge a complaint?

In the event anyone considers our processing of their Personal Data not to be compliant with the applicable data protection laws, a complaint can be lodged directly with the Beneficiary by contacting us via [email protected] or with the competent data protection authority. The name and contact details of the Data Protection Authorities in the European Union can be found at:

http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

In case of breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, we have the mechanisms and policies in place in order to identify it and assess the details of the breach promptly. Depending on the outcome of our assessment, we will make the necessary notifications to the supervisory authorities and communications to the affected Data Subjects.

Changes to Privacy Notice

We may occasionally make changes to this Privacy Notice, as well as any other specific privacy statement. When making changes to this Privacy Notice we will add a new date at the top of this Privacy Notice. Any changes to this Privacy Notice will become effective upon posting of the revised Privacy Notice in the relevant section of our website. If we make changes which we believe are significant, we will inform the relevant Data Subjects and seek the Data Subjects’ consent where applicable.

How to contact us?

In case of any questions related to this Privacy Notice, don't hesitate to contact us via email at [email protected]