We obviously care tremendously about privacy and data protection principles. We want to be fully transparent with what our service does and how it works. If what follows is not clear, please address any question you might have to firstname.lastname@example.org.
We are committed to the interests of the users of the PersonalData.IO service, without any ambiguity.
We have embedded this commitment into our own governance:
We are a nonprofit organisation registered in Geneva, Switzerland.
We will never sell any of our users' data or even derivative products. The project is currently dependent on the core team's volunteering and donations. To put our service on a more sustainable financial footing in the future, we might eventually offer paying services.
The core proposition of our service is to offer our users the possibility to request their personal data from many companies, in a convenient and scalable way, and under their explicit consent. If you are not a user of our service, we are unlikely to process your personal data unless some very particular exceptions apply (see below).
Taking a wide view of what constitutes personal data, currently we collect personal data about our users in the following ways:
Our policy is currently to retain your personal data for 6 months, as a trial period following the entry into force of the General Data Protection Regulation. Within that initial trial period, we are improving our systems to give you more granular control over our retention policy, for instance per attribute and request. We think there is a clear tension between retaining data for as long as is needed to send the request and retaining the capability to effectively offer additional help after the first response. We want to test this out as we improve our systems. However, we will of course honor any individual's requests on those matters in the interim. You can send your requests to email@example.com. It is likely that our response will be to improve our systems for all, so we absolutely want to encourage you to make use of this option (or just send suggestions).
We do collect some personal data for non-users of our services, in very limited circumstances.
Indeed, in order to be able to connect our users with companies, we need to collect information about contact persons (such as Data Protection Officers) at those companies. This also constitutes personal data. Our legal basis for collecting this data is our legitimate interest to offer our services to our users.
If you are not a contact person at a company likely to process personal data, or have not reached out to us directly, we do not process your personal data.
Given that we are established in Switzerland, our processing of personal data, regardless of residency of the data subjects, is covered by the Swiss Data Protection Act. This means our supervisory authority under that act is the Swiss Federal Data Protection Commissioner.
Additionally, for individuals residing in the European Union, the General Data Protection Regulation envisions that we would be subject to that Regulation as well, and obliges us to inform you of which would be our Supervisory Authority. However, this Regulation does not specify which would be the Supervisory Authority in the case of a data controller established in Switzerland, which we find very unfortunate: simply said, no one knows the answer we are supposed to provide. The best we can do is to suggest that you ask the Data Protection Authority in your country of residence for guidance on that matter. If you need assistance with this step, definitely let us know.
Regardless of whether or not you are a user of our services, and irrespective of your country of residence, we are committed to respecting the European General Data Protection Regulation (in addition of course to the Swiss Data Protection Act).
You have the following rights:
All these rights can be exercised by reaching out to firstname.lastname@example.org.