Privacy Policy

Introduction

Skip this section if you just want the privacy policy part. But mind you, this is the least boring part 😉

Hi, I’m Johanna Gundermann. I’ve built this website using WordPress and lots of plugins, and I’m the privacy protection officer of this website. I can be reached through the address and contact form listed below.

I’m one of the very few people on the planet who actually reads every single privacy policy and TOS before signing up to any service. This means I’ve read hundreds of them! It’s incredible just how much data is collected, stored, sold, shared with zillions of vendors of ads bundles. Rarely are the policies user friendly. Often, they make me cranky. Especially the line that says that privacy policies are subject to change any time and you, the visitor of the site, are supposed to check and read every privacy policy again each time you visit the site, just in case they’ve changed anything – lol! Since people know they will never do that (I admittedly don’t), I suppose they figure, they might as well not even read the first time around. Knowing customers won’t read their privacy policy, service providers and vendors exploit the limits and end up having the most privacy-unfriendly privacy policies – people will consent anyway. Rarely, a version is uploaded that shows with different colors and strike-outs the recent changes that have been made. Often, the language is vague and/or not understandable for normal people.

It has been my pleasure to put a lot of attention in trying to…

  1. avoid unnecessary data collection, disabling anything that was not necessary and carefully choosing plugins that don’t collect data.
  2. make sure future changes to this policy are transparent, easy to check-in, and that visitors can be notified of changes, if they want to. After all, this website is addressing activists, who might have an increased interest in data protection.
  3. make this privacy policy humanly understandable.

This undertaking is not easy, especially because no matter what, the General Data Protection Regulation, GDPR for short, which is an EU law and the most user-friendly privacy law on the planet, is … extensive, to say the least.

For good reason, you have the right to understand what data is collected, why, where, for how long, with whom it is shared. In order to avoid just re-directing you to the privacy policies of the service providers we use, like other privacy policies love to do, I read the privacy policies of every plugin, contacted the makers, figured out what cookies they set etc. We also have to take measures to keep the data secure, and for only as short a time as necessary, which means having to put systems in place that take care of that so we don’t forget. Albeit humanly understandable, all this information ends up being overwhelming nonetheless.

Please let me know if you see something that can be improved in this Privacy Policy, or if you know of alternative plugins for the ones that we chose that do collect data.

§ 1 About Us

Our website’s URL is: www.activersity.org

We’re an NGO called Activersity e.V., located in Germany, in the state of Saxony. “E.V.” means “registered association”. Our address is Georg-Schwarz-Straße 10, 04177 Leipzig. The board members’ names are Eleanor Busby and Istvan Dunkl.

The privacy protection officer is Johanna Gundermann, who can be reached via the means listed in § 4.

§ 2 Definitions & Key

“Visitors” – that’s you, the visitors of our site.

“Users” – are editors, administrators, authors who edit content, manage the website, control comments etc.

“Us/We” – are our pronouns 😉

[brackets] – In this Privacy Policy, we have quoted some of the makers of the plugins we use. If we have put anything in [square brackets], that’s a comment, further detail or explanation inserted by us into the quote.

§ 3 You Have the Right…

  1. to request from us access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
  2. to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  3. to lodge a complaint with a supervisory authority;
  4. to learn all the information we have gathered in this privacy policy;
  5. to learn whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data:

The provision of your personal data is for the most part a contractual requirement: Decisions we have made regarding the use of certain plugins require logging of some personal data such as IP addresses. For example, we can block IP addresses from which malicious or spam content is posted.

Regarding your real names and address, the provision of such data is voluntary. Failure to provide such data results only in our inability to give you stamped certification of your study time at Activersity.

§ 4 Invoking Your Rights, & Questions

For any questions regarding our Privacy Policy, or if you wish to invoke your rights, you may contact our privacy concerns controller:

  • By using this Contact Form.
  • By sending snail mail to our head office: Activersity e.V., Georg-Schwarz-Straße 10, 04177 Leipzig, Germany.

§ 5 Data Storage Place & Retention Times

  1. Electronic data is stored in local computers as well as in uberspace.de. Unless explicitly described in the plugins section below, collected data by our plugins is stored in the WordPress database, also hosted in Germany at uberspace.de. Unless otherwise described in this privacy policy the general retention time is 10 years, or until you request deletion.
  2. Paper documentation is stored in our head office for 10 years, or until you request deletion.
  3. Some digital/analog documentation is not subject to deletion within 10 years due to legal restrictions, even upon request. Whenever we write in this privacy policy “until you request deletion”, please keep these legal restrictions in mind. Examples:
    • any donation information and data related to any kinds of payments. Examples: The names of donors will be kept if they donated digitally or against a tax-refundable receipt; personal information which is recorded in receipts of expenses that have been laid out by volunteers and are later reimbursed.
    • We must also keep documentation of what we do as an NGO in order to retain our status, which may include people or legal entities we have worked with.
    • We might need to keep information that we have collected in order to protect our interests at court in legal battles, or due to a court order.
    • We must retain personal information about employees, interns and volunteers we work with for 10 years.
    • If you are unsure whether you wish your name to appear in our records, let us know in advance what we can do to preserve your privacy. Some interactions with us might not be possible in this case, but most will still be.
  4. If you leave a comment, the comment and its metadata, which includes username and e-mail address, are retained for as long as the website is online, or until you request deletion. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
  5. For visitors that register on our website as members, we also store the personal information they provide in their user profile. All members can see, edit, or delete their personal information at any time (except they cannot change their usernames). Website administrators can also see and edit that information.

§ 6 Data Collection: What, Where, Why & for How Long?

1. Back-Ups

Our hosting service, uberspace.de, makes a back-up of our WordPress database every day. Daily backups are kept for 9 days. It also makes weekly backups, which are kept for 7 weeks. As you will read further on, some plugins store visitor data in the WordPress database. Since we have no influence on their back-up policy, when a visitor requests their data to be deleted, they will be notified as to when they can expect the last back-up to have been deleted.

2. We Collect Data Through Plugins, Services, Our WordPress Theme & Cookies

We asked all the makers of the services we use on our WordPress installation via e-mail what information they collect and store from the visitors of our website. The information under each listed service reflects their answer by e-mail, with the exception of Turnstile Captcha and WordPress.

Plugins that are marked as not collecting any visitor’s data may have the capacity to collect data, but we’ve turned it off whenever it was not absolutely necessary.

Our theme (namaha by Out the Box) does not collect any data, nor does it set any cookies.

We Use the Following Plugins/Services

Akismet Anti-Spam: Spam Protection

Akismet’s anti-spam plugin may collect personal data from visitors who interact with our site’s comment forms. Akismet claims to not sell the collected data and that it needs to collect comments that are detected and marked as spam in order to gain insights about spam in order to keep their service up-to-date. Since Akismet’s collection of data is considered “legitimate interest”, in practice, no consent is needed from you, but you need to be informed. Normally, privacy policies would direct you to Akismet’s privacy policy. Here is the critical part: Basically, if your comment is falsely detected as spam, your comment and any information you had provided like visitor name and e-mail address are sent to Akismet servers, or rather, Automattic, which is the data collection partner of Akismet. They claim to delete this information once it’s clearly a false positive comment.

As of May 16th 2024, Akismet has refused to tell us what cookies it sets and has only provided us with the following cookie policy, which literally leaves us without any clue as to what cookies are set https://automattic.com/cookies/

For detailed information about collected data by Akismet/automattic, please review https://automattic.com/privacy-notice/.

Carousel Slider: Photo Slider

This plugin reportedly does not collect any visitor’s data.

Duplicate Post: Copy and Delete Posts

This plugin reportedly does not collect any visitor’s data.

Duplicator: Back-up of WordPress Data

This plugin reportedly does not collect any visitor’s data, but it is a tool to back up our entire database, which will include personal information collected through other plugins, as described. A back-up can be used to restore our WordPress installation in case of a failure of our servers, lost data, a mistake by us, trouble with conflicting plugins, tampering with our database by hackers etc. A generated back-up file with this plugin may be downloaded from time to time and stored in one or several of our local computers, or self-hosted cloud, all of which are in Germany, the latter of which is run by uberspace.de. The back-ups are kept for a maximum of 7 weeks. If a visitor requests deletion of their data, we will make new back-ups that do not contain their data, then we will delete the old ones containing visitor data.

Just Writing Statistics: Counts words etc.

This plugin reportedly does not collect any visitor’s data.

Page Builder SiteOrigin Plugin Bundle

This plugin reportedly does not collect any visitor’s data, nor does it set any cookies.

Polylang Pro: Translation Plugin

This plugin reportedly does not collect any visitor’s data. Polylang Pro sets the “pll_language” cookie. Polylang claim in their Privacy Policy:

Data collected by our plugins:
Polylang or the Polylang add-ons that we provide to you do not collect any personal data without your users’ [editors of our website, not the visitors of our website] consent. Polylang allows your user [editor] to translate their biographical info. It is considered as personal data and is exported with other personal data of your users [our editors]. Polylang does not send any data from your website to us.

More details: https://polylang.pro/privacy-policy/

Essentially, it means that if you start working behind the scenes, and become one of our editors, administrators, authors etc., and if you allowed Polylang to translate your biographical information, then that data is stored in our WordPress database, but not sent to Polylang. We will retain this data only for as long as the website is online, or until you request deletion.

The ‘PLL_COOKIE’ is the cookie set for the following situation:
* The single sign on across domains,
* The detection of the browser preferred language,
* The transport of the cart across domains for Polylang for WooCommerce customers.

Really Simple SSL: Security Plugin

This plugin reportedly doesn’t set any cookies.

This plugin makes security logs, and the makers have informed us about the following:

Really Simple SSL – Security Logs
The IP address of visitors, visitor ID of logged in visitors, and visitor name of login attempts are conditionally logged to check for malicious activity and to protect the site from specific kinds of attacks. Examples of conditions when logging occurs include login attempts, log out requests, requests for suspicious URLs, changes to site content, and password updates. This information is retained for 90 days. When using the Remember Device for Two-Factor, a cookie will be set with a secure token that expires in 30 days.
Please rest assured that all data is indeed stored locally on your own [Activersity] webserver/database; that data never has to leave your server. As such, we do not have access to any of the data/logs from the plugin on your environment either.

Really Simple SSL

Simple History

This plugin reportedly sets no cookies. It is a security log and website change verification tool that helps us identify authorized and unauthorized changes made to this website. We review authorized changes when we review another editor’s work. We review unauthorized changes or login attempts to check for malicious attempts to hack our website. This tool stores site users’ and visitors’ personal data in a temporary log, for inspection by authorized staff only.

Reportedly, the following data is logged:

  • Anonymized IP address
  • Visitor’s username (if logged in)
  • E-mail address (if logged in)
  • Visitor profiles – info about added, updated or removed visitors
  • Visitor logins – we see when a visitor logs in & logs out.
  • Visitor edits – we see when a visitor is added, updated or removed, and get detailed information about the changes made to the visitor.
  • Comments added – we see the information provided by the commenter, and their comment. Visitor’s username/display name and comment will also be visible to the public.
  • Failed visitor logins – we see when someone has tried to log in, but failed. The log will then include the IP address of the possible hacker (good way to catch brute-force log in attempts).
  • Data export – we see when a privacy data export request is added and when this request is approved by the visitor, downloaded by an admin, or emailed to the visitor.
  • Visitor data erasure requests – we see when a visitor privacy data export request is added and when this request is approved by the visitor and when the visitor data is removed.

The plugin does not use Google Fonts.

The RSS feed is not enabled.

The plugin uses no local storage as in https://en.wikipedia.org/wiki/Web_storage

Simple WordPress Membership:

This plugin reportedly sets a cookie.

This plugin allows students to register officially with a real or fake name in order to gain access to content that we only make available to committed students. Members may receive members-only e-mails sent through this plugin. Members will be added to our Newsletter via riseup.net, see section “Emails and Newsletter”.

  • This plugin does not collect any additional visitor’s data apart from the information that you have provided via the registration form, which is stored on our server’s database only.
  • In order to become a member (“student”), we will ask for a visitor username, a first name and last name, all of which needn’t be your real names. Furthermore, we will ask for an e-mail address. Our local computers might store any additional contact information you might provide on a voluntary basis.
  • Your membership data will be retained for as long as you are a member, or until you request deletion, or until we terminate the service.
  • Note: Since E-Mail notification is enabled, the member’s decryptable password is temporarily stored in the database until the account is activated. You may change your password afterwards.

SiteOrigin CSS, SiteOrigin Premium & SiteOrigin Widgets Bundle

These plugins reportedly neither collect any visitor’s data, nor do they set any cookies.

Spiffy Calendar

This plugin reportedly neither collects any visitor’s data, nor does it set any cookies.

Turnstile Captcha

According to our research, not being a Google service, Turnstile Captcha by Cloudflare is the most privacy friendly service we have found that detects whether you are human or bot. Bots can be maliciously set up to post spam as comments or to send spam via contact forms. However, when compiling this privacy policy, we were not even able to figure out which privacy policy applies to front-end visitors like you (as opposed to visitors of the website cloudflare.com). The Application Privacy Policy (see below) seems to be a good-for-all applications Cloudflare offers, making it rather opaque if and how data is collected, whether cookies are set or not.

In general, from our perspective, it would be totally legal to simply post here the URLs of their privacy policy. As you have seen throughout, we’ve tried to share with you what we have looked up. Anyway, we’ve contacted them by e-mail on 13.05.24, an answer is still pending. For now, check out: https://www.cloudflare.com/application/privacypolicy/ and https://www.cloudflare.com/privacypolicy/ if you are interested.

WordPress itself

WordPress is an open source software that makes it possible for non-web designers to build a website from scratch, by using building blocks, themes, and plugins. Without needing to code HTML, we can insert text, images and features like membership registration, contact forms, embedding video and much more.

  • By default, WordPress does not collect any personal data about visitors, and only collects the data shown on the User Profile screen from registered users.
  • If you leave a comment on our site, you may elect to save your name, e-mail address and website in cookies. These are for your convenience, so that you do not have to provide your details again when you leave another comment. These cookies last for one year.
  • If you visit our login page, it sets a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
  • When you log in, several cookies to save your login information and your screen display choices are set. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
  • If you are a user (editor, administrator, author…), and you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
  • If you request a password reset, your IP address will be included in the reset email.

WP Mail SMTP – Sending E-Mails from WordPress

This plugin reportedly does not collect any visitor’s data.

WPForms Lite – For Any Type of Contact Forms

This plugin reportedly does not collect any visitor’s data on its servers. We do collect the data you provided via the contact form, and it is sent to us via unencrypted e-mail.

When contacting us via contact form, your IP-address is collected and sent to us via unencrypted e-mail. All visitors have unique IP addresses that identify them, and we capture which one is being used to fill out any one of our forms. That way, if we’re getting spam form submissions, we can block that address from accessing our site entirely.

The data collection and tracking cookies that WPForms Pro can set are not enabled in this version of the plugin.

The following information that you provide is sent to us via unencrypted e-mail:

  • If you contact us via contact form to “volunteer with us,” we will ask for your name, your e-mail address, your preferred volunteering area. If you make an appointment to meet us in order to volunteer with us, this information will be connected to your person, but not in written form, unless you want a certification of your time volunteering with us.
  • The e-mails are downloaded to our local computers via a mail client such as Thunderbird. Unless you request prior deletion, our set filters will automatically delete e-mails older than 4 years. From experience, this is a reasonable time within which we can expect staff members to search and find information within past communications that might still be relevant in one way or another.
  • When a visitor requests data deletion, we delete the relevant e-mails, unless we deem them necessary to be kept for legal purposes.
  • If you contact us via contact form to “contact us”, we will ask for your name and your e-mail address. If you meet us subsequently, this information will be linked to your person, but not in written form, unless you want certification of your involvement with us.
  • If you contact us via the contact form named “Collected Data Request”, we will ask for a name and e-mail address, and how you’d like to get the data we’ve collected about you or data connected to the IP-address you send this message with.

§ 7 Comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection. An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it.

The Gravatar service privacy policy is available here: https://automattic.com/privacy/.

After approval of your comment, your profile picture is visible to the public in the context of your comment.

§ 8 E-Mails & Newsletter

  1. If you want to receive the Activersity Newsletter, you will be added to a mailing list at riseup.net. Riseup describe themselves as follows: “Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.”
    Here is their privacy policy: https://riseup.net/en/privacy-policy
  2. If you want to contact us by e-mail, please request our e-mail address first via the contact form. This is to avoid spam. You can use our public key for PGP encrypted email contact (Fingerprint: BF0E 76F2 10AD 2A4B 6420 DB70 458E 3C46 07D3 2977); please send yours when contacting us. The e-mails are downloaded into our local computers via an e-mail client such as Thunderbird. Unless you request prior deletion, our set filters will automatically delete e-mails older than 4 years. From experience, this is a reasonable time within which we can expect staff members to search for and find past communications that might still be relevant in one way or another. You consent to giving us the information you have provided by contacting us, namely your displayed name, the name you use to identify yourself, your e-mail address, meta-data sent in the header, the content of your e-mail etc., as well as any other personal information that you choose to send us in the message.
  3. If you get in touch with us personally, you might disclose your phone number(s) and e-mail address which our staff may save on their phones, computers or other digital or analog storage devices until you request deletion, or our relationship terminates. This information is used to stay in touch with you when we are working together, or if you become a student or volunteer.

§ 9 Donations

If you donate to us via bank transfer, or in cash against a tax refundable receipt, your name, your bank account number and the amount will be stored in digital form and as paper documentation for 10 years, which is the time books have to be kept about anything financial in Germany.

§ 10 Data Sharing

  1. We do not share or sell any data collected by us to third parties. Data collected by some of our plugins is sent to their servers, see above.
  2. We might share some of the collected data with staff members. For example, staff members might have access to our WordPress database in order to work on the website or post, review or edit content, or deal with members, comments, the newsletter etc. The board members of our NGO may also have access to this data anytime.
  3. Our staff members have acknowledged our privacy policy and are required to install filters in their e-mail clients to delete e-mails older than 4 years, and to never share any of the collected personal information.
  4. We might be required to share some information with our lawyers during litigation, at court, dealing with the police or due to a court order, or defending our organization.

§ 11 Data Transfer

Some of our staff members may work abroad, outside of the EU for short periods of time. They might have access to the WordPress database from outside the EU. If personal data is downloaded to a local computer, it will only be downloaded to an Activersity-owned computer. All of our computers are encrypted. Your data is therefore safeguarded to European data protection standards, see also § 10, 3).

§ 12 Data Breach Procedures

Whenever possible, data is encrypted. Doors of our headquarters are locked and guarded. Back-ups are kept in encrypted storage. We prefer encrypted communication via e-mail. If you use our contact forms, we encourage you to use fake names.

If a data breach should occur, we will inform everyone who is affected by e-mail, or other means of contact, if ever possible.

§ 13 Updates to this Privacy Policy

We may adjust our Privacy Policy from time to time. If you wish to be notified when we change the privacy policy, please sign up as a student member, or sign up to our newsletter, or privacy policy update newsletter. We will make a version of the new Privacy Policy available with visible changes so that you don’t need to read the whole thing again. Additionally, we will publish such a version here, for anyone who wishes to take responsibility of checking each time they visit our site, as viewing and interacting with our site equals accepting this Privacy Policy.