Data Processing and Privacy Statement

Data Protection and Privacy Statement
Latest update: 16.08.2024
Aarhus, Denmark

Data protection is among our highest priorities at Involved. When we invite users to participate in an Involved session, we promise them anonymity. This is a promise we take seriously. We are committed to ensuring this anonymity and that everyone can participate in an Involved session without personal data being tracked, used, or shared in any way. We do this for two reasons:

  1. We want participants to know that they can share their open, honest feedback without any fear of being identified.
  2. We want our customers to know that they can safely invite their employees, citizens, customers, or users to an Involved session without fear of compromising their own data protection regulations.

This is the reason we have made the choice not to store or treat personal data from participants. We do not ask participants to log in or identify themselves before a session. We do not even log IP addresses of our participants. Additionally, there is no third-party analytics or tracking service linked to our participant platform.

If you have any questions or concerns about data collection or user anonymity, you can call our CEO, Sara Høyer Kragelund, at +45 5157 8240, or contact our CTO, Geert Vandensteen, at Geert@involved.live for technical questions, comments, or concerns.

In the document below, we have detailed our data collection practices for your Legal or IT department to review. This includes:

  1. Data collection and usage on the digital Involved platform
  2. Description of AWS services used
  3. Data security
  4. Analytics

Once again, don’t hesitate to contact us if you have questions, concerns, or need more information. Anonymity and data protection are among our highest priorities, and if there is anything we can do to improve, we want to know!

Kind regards,
Sara Høyer Kragelund & Geert Vandensteen
CEO & CTO and Co-founders of Involved
www.getinvolved.io

1. Data Collection and Usage on the Digital "Involved" Platform

Involved does not log any IP addresses. Involved does not store or treat personal data collected in a digital session. Instead, users receive a unique code to enter the session prepared for them. In the session, participants can anonymously give their input to the questions prepared. This input is stored, but it is not linkable to a physical person.

Involved's online sessions are browser-based. To participate in an Involved session, participants are provided with a unique link or code to the relevant online dialogue prepared for them. Participants are not asked to identify themselves in any way, as the dialogues are anonymous.

When a user joins an Involved session, the connection goes through the AWS API Gateway. A user connects anonymously and receives a random identifier in a token. The API Gateway neither tells the backend of the Involved platform where the participant is connecting from, nor logs it. This means the Involved platform backend only knows the randomly assigned ID of the participant and can tell how many people are connected to a specific session, but not where they are connecting from, or any other factors which would serve as identifiers.

Participants may enter an Involved session directly from our website www.getinvolved.io. To ensure we do not compromise our promise of anonymity, we use a self-hosted analytics platform (Matomo) for tracking on our website. This platform shows who is visiting www.getinvolved.io, but is configured to drop the last 8 bits of the IP address, so a visitor will be shown as 255.255.255.xxx. In addition, the analytics platform does not know which session a specific user connects to.

To facilitate an online session, Involved utilises various AWS services exclusively hosted in the eu-central-1 region (Frankfurt). These services are described in Section 2.

1.1 Session Data

i. Involved does not log any IP addresses. Involved does not store or treat personal data collected in a digital session. Instead, users receive a unique code to enter the session prepared for them. In the session, participants can anonymously give their input to the questions prepared. This input is stored, but it is not linkable to a physical person.

1.2 Server Log Data

i. Involved stores server log data to identify bugs and enhance the functionality of our software.

ii. No personal data is logged in the logging system. Personal data or IP addresses will not be written to the log files.

2. AWS Services and Hosting

To facilitate a session, Involved utilises various AWS services. These services can have logging configured so that they write relevant data to the AWS log aggregator (AWS CloudWatch). Involved's services are configured in such a way that no personal data (including IP addresses) is logged in AWS. AWS does not perform separate logging of our data or requests. In its Data Processing Addendum, AWS guarantees not to access, use, or disclose our data unless it is necessary to provide the service, or in case of a court order (in which case we are notified first).

The services used for customer data are hosted exclusively in the eu-central-1 region. As the networking is also hosted in the eu-central-1 region, no traffic is sent to any data centers outside the EU to host a session. All services used in an Involved session, as well as the location of the service, are described below:

  • RDS (Relational Database Service): Our database is hosted on Amazon RDS within the eu-central-1 region. RDS ensures the secure and scalable storage of customer data.
  • VPC (Virtual Private Cloud): Our networking infrastructure is hosted on Amazon VPC within the eu-central-1 region. This allows for private and isolated networking for enhanced security.
  • CloudWatch: We employ Amazon CloudWatch for monitoring and logging purposes within the eu-central-1 region. CloudWatch helps in maintaining the availability and performance of our services.
  • ELB (Elastic Load Balancer): Involved uses Amazon ELB within the eu-central-1 region for load balancing incoming traffic. ELB ensures high availability and scalability of our services.
  • Lambda: Involved employs AWS Lambda within the eu-central-1 region to execute serverless functions. Lambda allows for efficient and scalable processing of data without managing infrastructure.
  • EC2 (Elastic Compute Cloud): Involved uses Amazon EC2 instances within the eu-central-1 region for hosting virtual machines. EC2 provides flexible and secure compute resources for our applications.
  • S3 (File Storage): Involved uses S3 File Store globally. However, this service is not utilised for processing customer data. Customer data does not pass through S3, and it is solely used for distributing the application.
  • EKS (AWS Managed Kubernetes): Involved utilises AWS Managed Kubernetes Service (EKS) in the eu-central-1 region to effortlessly manage and scale containerized applications. EKS simplifies Kubernetes deployment and operations, enabling us to focus on application development while ensuring reliability and scalability.

3. Data Security

Involved implements appropriate technical and organizational measures to safeguard all data that enters our platform. This includes opinions that Involved participants write anonymously. (As these opinions cannot be linked to a specific individual, they do not constitute 'personal data' as per the definition of the European Commission.) These measures are designed to prevent unauthorized access, loss, alteration, or disclosure of data.

4. Analytics

Participants of an Involved session can access their sessions without visiting our website. This happens via a link directly to their Involved session where we have not implemented any tracking or analytics services.

For our general website www.getinvolved.io, we use the on-premise solution of Matomo Analytics hosted on our AWS servers in Frankfurt, Germany. The data is owned by Involved, and no third party has access to the data, which is stored in Europe. Learn more about Matomo here: https://matomo.org/privacy/

5. Communication Data

Involved collects contact information, such as email addresses, names, and last names, through personal business contacts, business relations of Involved consultants, and people reaching out to Involved's contact email addresses. This information is used for communication purposes and maintaining business relationships. Individuals can request to be forgotten and stop receiving emails by contacting the email address: sara@involved.live.

6. Project-related Contact Information

Involved can, if requested by the client, collect contact information provided by clients (data controllers) for the successful completion of projects. The use of this data is specified in the contract with the client. Contact information can be used for project-related activities, such as sending invitations to online dialogues, surveys, or other agreed-upon activities between the client and Involved. Involved acts strictly as a data processor in these cases, and the client remains in control of the data.

iv. Information provided by clients will be deleted after the completion of the project.

7. Human Resources - Job Applications

Involved collects resumes of individuals who contact Involved for potential job opportunities. Resumes are kept confidential and discussed internally within Involved.

iii. Resumes will be kept until the end of employment or will be deleted if a person is turned down for a vacancy. Open job applications may be kept for a longer period.

8. Data Retention and Deletion

Involved retains personal data only for as long as necessary for the purposes outlined in this document or as required by law. Once data is no longer needed, it will be securely deleted or anonymized to ensure continued privacy protection.

9. Data Subject Rights

Data subjects have the right to access, rectify, erase, restrict, and object to the processing of their personal data. To exercise these rights or inquire about any privacy concerns, data subjects can contact Involved at sara@involved.live.

10. Compliance with Applicable Laws

Involved complies with applicable data protection laws and regulations, including the General Data Protection Regulation (GDPR), in the collection, processing, and storage of personal data.

11. Changes to the Data Processing and Privacy Document

Involved reserves the right to modify or update this document as necessary. Any changes will be communicated to relevant stakeholders and will be effective upon posting the updated version on the Involved website or other appropriate platforms.

For further information or clarification on data processing and privacy practices, please contact:

Involved CEO,
Sara Høyer Kragelund
Risdalsvej 13
8260 Viby J
Denmark
Email: sara@involved.live