Overview

Your privacy is important to us, and we want you to have control over how your personal information is used. We only collect and process your personal data for specific purposes, and we make sure that we only work with other organisations that share our values. We will not use your personal data in a way that contradicts the reasons why you gave it to us, as explained below.

We do not sell, rent or lease personal data.

We will not let any government agencies or private sector organisations access any information that you share with us. We will strongly resist any attempts to do so.

This document explains how we collect and process data from our organisation and website in different sections:

• Organisational privacy policy
  • What personal data do we collect and process?
  • Why do we collect and process personal data?
  • Protecting Personal Data: Ensuring Security
  • Who do we share personal data with?
  • How long do we retain personal data?
• Communications
• Donor and subscriber information
• Website privacy policy
• Cookies policy
  • Third party cookies
• Social media
• Applicants’ information
• Research and investigations
• Your data subject rights
• How to contact us
• Changes to the policy
• Revisions

The data controller for data collected and processed in accordance with the Policy is Arvo Software. Arvo Software is a registered company (CRO No. 452358) with Companies Registration Office. Our address is ARVO SOFTWARE LTD, 6-9 TRINITY STREET, DUBLIN 2, D02 EY47, IRELAND

Organisational privacy policy

What personal data do we collect and process?

Arvo Software only collects and processes the minimum amount of personal data that we need to achieve our mission, which you can read about on our About us page.

The types of personal data that we collect and process vary depending on your relationship with Arvo Software. We may collect and process personal data from the following people:

• Employees
• Trustees
• Fellows
• Volunteers
• Contractors and Consultants
• Candidates (for any of the above roles) (See Candidates’ Information)
• Employees of Arvo Software Partners
• Donors and subscribers
  • Individuals who subscribed to our mailing list (see Donor and subscriber information)
  • Potential, current and former donors (see Donor and subscriber information)
• Website users (see Website and Cookies Policies)
• Individuals who contact Arvo Software directly (see Communications and Social media)
• Research subjects (see Research and investigations)

The types of personal data we may process, for the purposes described below, include:

• Name
• Email address
• Home address
• Phone number
• Biographical information
• Nationality
• Immigration status (candidates only)
• Employment and employer details (candidates only)
• Financial information
• Communications Preferences (primarily through our Mailing List)
• IP addresses
• Pages accessed on any of Arvo Software’s websites
• History of actions taken on our campaigns and fundraising website
• Cookie session data (as described further in our Cookies policy)

Generally, we do not collect or keep a record of sensitive personal data and only do so in very limited circumstances, primarily when an individual has chosen to provide us with this data.

We process some sensitive personal data for Human Resource purposes, for example, about Arvo Software’s employees as far as necessary to fulfil our duties as an employer. On occasion, we may also process sensitive personal data of others engaging with Arvo Software, for example where an individual provides us with information relating to accessibility needs for the purpose of arranging a meeting or where an individual contacts Arvo Software and their communication includes sensitive personal data. We do not use this data for any other purpose other than that for which it is provided.

We may on occasion process sensitive personal data in relation to our research and investigations, for example when conducting research into potential or current subjects and participants of our research and investigation projects in the context of Arvo Software’s mission. This data may be provided to us by the individuals themselves, from publicly available sources, or from third parties.

We also collect and process data in connection with our website. Privacy is an internationally recognized human right. However, we appreciate that in certain circumstances, the data you submit on this website may reveal data that could be considered sensitive personal data (reflective of your political or philosophical views) e.g. indicating that you are interested in privacy in a specific country, have sent a letter to a specific company to complain about its privacy practices,or have signed a petition to support one of our campaigns.

While using our websites, there is no legal obligation or imperative necessity for you to provide us with personal information for processing, as outlined in our Policy. However, our Action Platform may require a minimal amount of information, such as your email address, to enable you to take actions. You have the option to sign up on the platform without disclosing any personal details apart from your email address. Nevertheless, you have the choice to provide us with extra information if you wish. Detailed information about how your personal data is utilized for the features on the Action Platform will be provided to you when you input the data.

Why do we collect and process personal data?

We collect and process personal data for the following purposes:

• For website administration;
• To address any communications, queries, or requests for information or services received from you;
• For the processing of financial donations;
• For purposes related to recruitment, employee management, and human resources;
• For the purpose of conducting audits;
• For the procurement of services;
• For the management of relationships with Arvo Software Partners;
• For conducting research, investigations, and campaigns aligned with our mission and charitable goals, as detailed on our About Us page;
• To gain insights into the engagement of our supporters and donors with us and our campaigns;
• To fulfill our legal or regulatory obligations; and
• For the establishment, exercise, or defense of legal claims.

Arvo Software will process personal data exclusively when a legal basis exists for such processing. The specific legal basis used will be contingent upon the circumstances surrounding the collection and use of your personal data. In nearly all instances, the relevant legal grounds for processing personal data are as follows:

• Subject to your Consent for using your data in a particular manner (e.g., for communication purposes through our mailing list). You may revoke your consent at any time by adjusting your preferences or reaching out to us, as indicated in the How to contact us section of this Policy. Such revocation will not affect the lawfulness of any processing that occurred prior to consent withdrawal.
• Required prior to entering into a Contract or for contract performance (e.g., for recruitment, human resources management, and oversight of individuals working on behalf of Arvo Software);
• Mandatory to adhere to Legal Obligations (e.g., compliance with relevant regulatory mandates and employment laws); and
• Necessary for our Legitimate Interests (e.g., administration of our websites, management of donations, conducting research and investigations aligned with our mission, and volunteer management). We will only rely on this legal basis after identifying the specific purpose (the legitimate interest), assessing the necessity of processing for that purpose, and conducting a balancing test to ensure that this interest does not supersede the rights, interests, and freedoms of the individual.

Protecting Personal Data: Ensuring Security

Additional safeguards are in place to secure personal data. For instance, rigorous measures are taken to encrypt data during transmission and storage. Access to this data is strictly limited to a select few and is bound by confidentiality commitments.

We will take all reasonable steps to ensure the secure treatment of your data in line with this policy. Unfortunately, internet data transmission is not entirely secure. While we strive to safeguard your personal data to the best of our ability, we cannot guarantee its security during transmission to our websites. Any transmission is undertaken at your own risk. Once we receive your information, we employ strict procedures and security features to deter unauthorized access. Whenever feasible, we employ encryption for both transit and storage. Access controls within the organization dictate who can access the information.

Our systems are hosted in the cloud. Consequently, we depend on these third parties to safeguard the data you provide through it. When you make payments, third-party payment processors collect and process your data, interacting with your bank or credit card issuer. You have the option to modify or delete this data at any time. If you request changes to your preferences or data deletion, we maintain a record of the action, such as “mary@example.com” unsubscribed from our notifications and removed her country of residence” in an analogous manner.

We never transfer your data outside of European Economic Area or the United Kingdom without your explicit consent or unless specific safeguards apply under individual circumstances, of which we will inform you if they pertain to your data.

Who do we share your personal data with?

At Arvo Software, we oversee, manage, and use a range of services and infrastructure that may involve the processing of your personal data.

We exert direct control over as many processes as possible. In conjunction with the aforementioned objectives, your personal data may be transferred to our authorized third-party service providers and partners. We meticulously choose and assess authorized third parties when feasible, reviewing their privacy and security policies. These authorized third parties may engage in various activities, such as processing payments, providing technology support, conducting outreach campaigns, or participating in research projects aligned with our mission. Limited members of Arvo Software staff or staff working for these third parties may also access and process your personal data as part of their job responsibilities or contractual obligations.

Some of these personnel and authorized third parties (e.g., payment processors) may transfer data outside European Union or the UK. We take appropriate measures to ensure that data remains within jurisdictions offering adequate protections for personal data and that recipients of personal data from us are obligated to maintain confidentiality, when relevant or appropriate. When this is not feasible, we rely on data minimization and, to the extent possible, choose trusted companies with privacy policies and auditable processes that we have reviewed, striving to ensure that adequate safeguards are in place for protecting transferred data, such as Standard Contractual Clauses. For further information on safeguards for a specific operation’s data transfer, please get in touch with us. Additionally, we may be obliged to disclose or otherwise process your personal data in the context of regulatory audits we may undergo from time to time.

These services may encompass:

• Internet resources we oversee and control but are hosted by third parties (e.g., our website www.arvosoftware.com), services we use to collaborate with our board and partners, our analytics service, our external cloud, and our search server. These are hosted by providers who maintain log data and with whom we have data processing agreements designating them as processors on our behalf. Currently, servers are hosted by Microsoft and Amazon Web Services.
• Internet resources not under our control but for which we have accounts managed by third parties (e.g., email, social media, third-party content providers such as search engines, podcasts, video platforms, surveys, payment processors, calendaring, and conferencing services). These third parties have privacy policies in place governing the use of users’ data (e.g. email by Microsoft, survey by SmartSurvey, calendaring by Microsoft and Calendly, conferencing services by Microsoft, Zoom).
• Infrastructure providers we employ where data may be processed, including cloud backup services (with data encrypted at rest), DNS and CDN services, certificate authorities, and service uptime monitors. These providers have privacy policies in place governing data use (e.g., backup by Microsoft, DNS by Letshost.ie and CDN by AWS).
• Services where the personal data of our staff, partners, and trustees may be processed, including our internally hosted services, externally hosted services we oversee and control with a third-party host, cloud-hosted services, services where we are administrative users but lack control (e.g., email and calendaring), and services where we are simply users (e.g., email). These are governed as described above based on agreements and/or policies. Our servers are currently hosted by Microsoft, or Amazon Web Services

How long do we retain personal data?

We ensure that personal data is retained only for as long as necessary in accordance with the above purposes and applicable laws. We retain personal data for the following indicative periods:

• Payment Data: 3 years following the end of the fiscal year in which the payment was made
• Communications from Members of the Public with Arvo Software: 3 months from the last correspondence

Communications

We collect and process data when you communicate with us through various means.

• Communications from the public via our website’s Contact us page are received by email and reviewed by our staff, sent onwards when necessary to other staff members, and deleted as quickly as possible.
• Communications from media and journalists via our website or by direct email to press@arvosoftware.com are all received by email and reviewed by a staff member and then sometimes shared with other staff members.
• Emails received from our supporters are reviewed by our staff, sent onwards when necessary to other staff members, and deleted as quickly as possible.
• Communications with our stakeholders and adversaries, through our staff email addresses or our public-facing email addresses, are treated confidentially. We may publish these communications if we consider it to be in the public interest and in line with data protection law, removing personal information when irrelevant to the purpose of publishing.

We do not disclose the names of senders or contents of their communications to others outside of Arvo Software, i.e., third parties, without your permission or unless strictly necessary.

We administer a mailing service for notifications by email based on your interest in topics that you have explicitly indicated to us. Outgoing messages are processed by our mail service and internet providers.

Information we receive by post is collected and reviewed by a Arvo Software staff member and sent onwards when necessary to other staff members. These items are retained or destroyed according to our retention policy. We use our best efforts to prevent the disclosure of the names of senders to third parties, consistent with our legal obligations, and we endeavor to keep files secure. If the content of messages is shared with third parties, we de-identify the messages as much as possible.

Telephone calls received on our number are serviced by our phone and internet provider. The traffic data for these calls may be retained in accordance with various laws on the retention of communications data.

Donor and subscriber information

We collect and process data that you disclose to us through our website because you signed up for our mailing list. This includes the email address that you provide to us and any biographic data (name, country of residence) or data about your areas of interest that you have volunteered when signing up to receive news from us. This can be sensitive as it could indicate your beliefs or opinions. Having your name helps us address you, but it is entirely optional. Knowing your country helps us know if we have a substantial number of supporters in a particular country. This would, for example, help us better understand if we should be creating content in other languages.

We collect and process data about your engagement with our fundraising campaigns. This can be sensitive as it could indicate your political beliefs or opinions. The nature of the campaigning action you take may require us to retain data on your participation and share it with others, with your consent. So if you signed a petition, we may need to keep a record of the fact that you signed so that we can share this with the petition target. We may also use this data to contact you about the progress of a campaign and will seek your consent to contact you about other related campaigns. How your data will be treated in a specific campaign will be explained to you when you sign up.

Our financial accounts are held with AIB Bank. Any payments made to Arvo Software in the form of a cheque or bank transfer will be processed by AIB Bank in accordance with its privacy policy and under national law. We retain information about all payments in accordance with financial auditing requirements.

Website privacy policy

We design and administer our web services to limit the amount of data collected. We endeavor to protect users and their data when we process the data.

We limit collection by minimizing the number of ways we track you. We honor “Do Not Track” requests. We do not use third parties to track you. We may link from our website to other internet services that use cookies and other forms of tracking. This is particularly the case with multimedia services and with the links that we post on our Linked In, Twitter and Facebook accounts.

It is helpful to Arvo Software to know how our websites are used. To undertake an analysis of how our site is used, we use Google analytics to see statistics in relation to our website use for the following purposes:

• To know how many visitors per day visit our site
• To know how much traffic we are sending outbound
• To know which items on our site are being downloaded (e.g., PDFs, long-form, reports, short items) and how many times
• To identify items not found, i.e., 404s, so that we can fix them
• To identify the types of browsers so we can design our site accordingly
• To identify the time of day when our site is most used in case we want to do maintenance and repairs (that result in our site being down temporarily)

These statistics are only available to Arvo Software. We keep the aggregate data indefinitely and use this aggregate data to report internally, to our board, and to our funders. For instance, we will report to our board that an investigation report was downloaded N number of times. We do not seek to identify individuals nor specific devices. Also, we obfuscate the IP addresses for this processing.

Our hosting provider, AWS, may collect and use the logs and other information for their own business purposes, such as troubleshooting and defining usage patterns, in accordance with their policies and relevant law.

Cookies policy

We use cookies, small files which we put on your device, to administer content for visitors to our website. We do not use cookies to track individuals and identify them personally.

If someone decides to log in and asks for their details to be remembered by their browser, we set a cookie for this purpose. Such a cookie expires in 7 days.

Third Party Cookies

We may also link from our websites to other internet services that use cookies. For example, our payment processors will place cookies as well. This also applies to multimedia services and the links we post on our Linked In, Twitter and Facebook accounts.

Social media

We use social media and social networking services to promote our work. These applications require the use of third-party service providers. Notably, we have a Facebook page, Instagram account, Twitter feed, articles published on Medium, and YouTube channels:

• The Facebook page is administered by Facebook, following Facebook’s Data Policy available here, and is accessible by Facebook users who have already consented to Facebook’s Data Policy. The group page is managed by Arvo Software staff members. We do not export information on our followers from the Facebook platform.
• The Linked In account we use is administered by Linked In, following their privacy policy available here.
• The Instagram account we use is administered by Instagram, following their privacy policy available here.
• The Twitter account we use is administered by Twitter, following their privacy policy available here.
• The Medium page is administered by Medium, following their privacy policy available here.
• The YouTube channel is administered by YouTube, following their privacy policy available here.

We occasionally use direct messaging over social media when individuals and organizations contact us directly on these social media platforms. We aim to delete these messages as soon as we have responded to the queries.

We will continue to advocate for stronger privacy protections for all users of social media companies.

Applicants’ information

Occasionally, we receive employment information from prospective employees. This information may include the individual’s CV, biographical information, contact details, immigration status, photograph, and references. This information is shared with relevant staff internally until that individual becomes a candidate for employment. At that point, we may share the CV with our trustees. We delete your application once it is no longer necessary for the recruitment exercise.

Research and investigations

We collect and process data in relation to our research and investigations, for example when conducting research into potential or current subjects and participants of our research and investigation projects. This data may be provided to us by the individuals themselves, from publicly available sources, or from third parties. This data may include biographical information; contact details; employment details; financial information; photographs; and information on racial or ethnic origin, political opinions and interests, trade union membership, religious or philosophical beliefs, sex life or sexual orientation, and concerning the commission (or alleged commission) of any criminal offense, and any related proceedings and sentences. This data is used to carry out research and investigations in connection with our mission, which is described on our About Us page.

Your data subject rights

You have rights under data protection law over your personal data.

You are entitled to request access to, rectification of, or erasure of your personal data. You are also entitled to request restriction of collection and/or processing of, or object to certain types of collection and/or processing of your personal data. You have the right to ask us not to collect and/or process your personal data for marketing purposes; we currently require your consent by opting-in, and you can change your preferences at any time. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You may also, in some circumstances, have a right to data portability.

We will provide you with a response to your requests in accordance with Irish data protection law. Requests can be submitted at any time by email to privacyofficer@arvosoftware.com, or by post to the physical address set out below. You also have the right to lodge a complaint with the corresponding data protection supervisory authority in your country of residence. You can find the relevant supervisory authority name and contact details here.

How to contact us

Please read the Policy carefully. To update your preferences, review or update your information, submit a request, raise any issues regarding the processing of your personal data or raise any questions, comments, or concerns about the Policy, you may contact us by writing to ARVO SOFTWARE LTD, 6-9 TRINITY STREET, DUBLIN 2, D02 EY47, IRELAND, or privacyofficer@arvosoftware.com.

Changes to the policy

In the event that the Policy is changed at any time, the date and nature of the change will be clearly indicated in this document. In the event that the change has a material impact on the handling of your personal information, we will contact you to you to inform you of the changes and where appropriate seek your consent.

Revisions

Updated April 2022 to explain our use of Social media.

Updated April 2018 GDPR related changes.