THIS NOTICE DESCRIBES HOW PERSONAL DATA ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW CAREFULLY.
Effective date: January, 2018
It is a fundamental principle in Alaya’s relationship with its users, clients and partners to protect the privacy and confidentiality of your personal data. This document states how we will ensure the privacy and confidentiality of the information with which you entrust us.
By accessing the Alaya platform, you agree to the collection, use and disclosure of your personal information in accordance with this policy. The clauses and terms of this policy apply to all personal information collected by Alaya on the www.alayagood.com platform. We have created this policy pursuant to the Federal Law on Data Protection of Switzerland. Your home jurisdiction may have privacy laws that are more or less protective than Switzerland.
This platform is operated by Alaya SA and may be accessed in Switzerland and abroad. For personal data protection purposes, Alaya is the controller and is also the processor of the personal information (unless otherwise noted). Information collected may be kept for as long as it is required for the purposes it was collected.
Alaya SA (Alaya, we, us or our) operates a social engagement platform at www.alayagood.com (the Platform).
Alaya is an innovative and measurable solution for your social responsibility and engagement program. An interactive platform that facilitates employee volunteering, corporate giving and impact reporting. Alaya enables your employees to pick their way of contributing and gives you a powerful tool to analyse the impact created by the entire company. The Platform, as well as the services, features, content or applications that may be offered from time to time by us in connection with the Platform and/or our business are collectively referred to as the Platform.
1. SCOPE OF APPLICATION
By visiting our website and/or using our Platform you agree to the collection and use of your Personal Data in accordance with this Policy.
3. WHAT INFORMATION IS COLLECTED
3.1. Personal Data you provide us
If you are a visitor of our website and would like to: donate, download our brochure, request a demo, subscribe to our newsletter or contact us; you may provide us with personal information (such as name, address, email address, telephone numbers and/or credit/debit card information) that you knowingly choose to disclose, which is collected on an individual basis for various purposes. If you decide to subscribe to our newsletter, we also may have access to your location (collected by our mail automation Mail Chimp). These purposes include registering to receive email newsletters or other materials, requesting further information from us about projects and services, donating to us, ordering merchandise, making requests, submitting a form on our website, or simply asking a question. We receive and store any information you enter on our website or give us in any other way, whether it is online or offline. We ask for personal information so that we can fulfill your request and return your message. This information is retained and used in accordance with existing laws, rules, regulations, and other policies. Alaya does not collect personal information from you unless you provide it to us. If you choose not to provide any of that information, we may not be able to fulfill your request or complete your order, but you will still be free to browse the other sections of the websites owned and administered by Alaya. This means that you can visit our site without telling us who you are or revealing any personally identifiable information about yourself.
If you are a user of our platform, all the above applies to you except that in order for you to be a user of our platform, you have to identify yourself through your company email. Additionally, since you will be able to act on the platform we will collect the following data:
- Mandatory data to enter as a user: First Name, Last Name, Corporate Email, Country, City, Skills, Gender, Profession
- Facultative data to enter as a user: Open data field (bio, interests, passions…), Address, Postal Code, Date of Birth, Department, Favorite country, Favorite quote, Favorite language, Social Accounts (Facebook, LinkedIn, Twitter)
Regarding the impact, we will use different metrics based on your activities (number of hours, and amount donated). However, if you decide to make the donation anonymously, the administrator of your company account, and any other members on the platform will not be able to see any amount given. Only we will use it to offer a “total-amount- given view” on your company’s profile, which is a sum of all donations made from your company.
During the course of your relationship with Alaya you may contact us by email, or in writing. We will retain this information also, supplementing the information we already have. We may also supplement any information you give us with information from social networks (LinkedIn, Facebook, Twitter and others) information. This information will also be retained by us and held confidentially in your personal data file in order to improve your user experience.
3.2. Information collected automatically
We will collect:
- Log information (e.g. IP address, number and time of visits of the Platform by users)
- Analytics information
We use third-party analytics tools (Google Analytics, Hotjar) to help us measure traffic and usage trends for the Platform. These tools collect information sent by your device or our Platform, including the web pages you visit, add-ons, and other information that assists us in improving the Platform. We collect and use this analytics information with analytics information from other Users so that it cannot reasonably be used to identify any particular individual User.
In addition to the user details that are covered above, the platform will capture the following data: An activity audit log, such as the number of connections on the platform, donations made by each user, Volunteering missions completed by user, comments and likes submitted, and the data they share on the newsboard and on other social media platforms.
Note: Every user will be able to selectively publish his actions on the Platform (ex: amount donated) to his Company and to other users.
3. COOKIES AND OTHER TECHNOLOGIES
In addition to cookies, Alaya may use other technologies, including single-pixel gifs (web beacons) on our websites and on e-mail messages. These images assist us in determining how many users have visited certain pages or opened messages. We do not use these elements to collect personal information.
4. WHO COLLECTS YOUR PERSONAL DATA
As a general rule, your Personal Data we processed is collected by Alaya through the Platform or via e-mail. We may also have access to Personal Data provided by third party partners, such as Facebook, LinkedIn or your Gmail account, if you create your account through their services.
In certain circumstances, we may also outsource the collection of data to trusted third partners. In that case, we make sure that our partners undertake commit to comply with this Policy.
5. HOW WE USE YOUR PERSONAL DATA
In addition to some of the specific uses of information we describe in this Policy, we may use information that we collect to:
- identify users and ensure that you are eligible to use the service you have requested and that our Platform is used in the appropriate way;
- operate, maintain, protect and improve the Platform, to develop new services and to protect us and our other users;
- offer tailored content, which could include online ads, mission recommendations, or other forms of marketing;
- monitor metrics such as total number of visitors, traffic, and demographic patterns;
- diagnose or fix any technology you may be facing;
- remember information so you will not have to re-enter it during your visit or the next time you visit our Platform.
6. TO WHOM INFORMATION WE COLLECT IS SHARED?
Unless provided otherwise herein, Alaya will share your Personal Data only with your consent and the following rules.
For Users, the data are accessible only by the community (co-workers, managers) of your company account. NGOs do not have access to your data as long as you do not interact with the NGO. Whenever you decide to interact with an NGO (ex: by donating to them or by applying to their volunteering mission), the NGO can see your profile and information. This profile contains the following data that is transmitted as is: First & Last Name, Profession, Profile and cover picture, City, Company, Number of NGOs helped, the money donated (if not made anonymous by user), hours dedicated to volunteering.
As a rule, your Personal Data are stored as long as your Alaya’s account is active. Following termination or deactivation of your account, we may retain some personal information as showed hereafter: The impact of the user’s actions (amount donated and the hours he volunteered) are still considered for the total Company impact, but are anonymized when the user gets deleted.
In any event, we reserve the right to retain for an unlimited period of time information derived from your Personal Data in such a way that you will no longer be identified or identifiable (pseudonymized or anonymized data).
a. Information collected automatically
Personal Data of visitors are held confidentially and are, as a rule, not shared, subject to the permitted use (as detailed below).
b. Personal Data collected from Companies
When a company gets an access to the Platform, it will be entitled to create and administrate a profile (the Company’s Profile). One part of the company profile will be accessible to all users and an exclusive part will be only for certain registered company administrators (ex: HR Director, CEO, Chief Happiness Director). As for now, no user outside of the company can access the profile of your company, unless if the administrator of the company’s profile decides otherwise.
Every user will be able to anonymize his actions on the Platform (ex: amount donated) from its Company and from other users. We ask the company to comply with Personal Data of others (e.g. their employees), notably by anonymizing the data so that any individual, who has not expressly authorized the use of his Personal Data, will no longer be identifiable.
We do not verify whether the data submitted by the Company contains Personal Data of third parties and do not provide any guarantee in this regard.
c. For Users: The Company’s Profile and the data of its users is secured.
Different employees from different companies are all on the same platform and database, but users from different companies are separated programmatically. The user role, condition and rights are different for each employee/user to ensure that they only see what they are allowed to see. As such, employees can only create an account with their corporate email. Whenever a user creates an account with a company email and verified domain, he is immediately put into the company table. Users from different companies can’t see each other’s activity or profile through programmatic conditions.
Data for each Company’s employee would be protected by applying three levels of authorisation:
- Level 1: exact domain registration. The corporate email used has to be an exact match with the submitted company domains.
- Level 2: email registration. The employee has to verify the created account via email.
- Level 3: Company user roles. Each Company user will be entitled for roles that will be exclusively reserved only for the use of Company and no one else.
d. For users: The right to erasure
Today, as soon as the Company informs us about the departure of an employee (you), we deactivate all his (your) data and his (your) login from the database. We have a deactivation process for a user account that the admin of a company can trigger by contacting the Alaya support team. The priority of this deletion action is defined by the client.
Note: The impact of the employee’s actions (amount donated and the hours he volunteered) are still considered for the total company impact, but are anonymized when the user gets deleted.
e. Personal Data collected from NGOs
We gather certain Personal Data from NGOs (1) and their administrator (2), such as (1) their name, location, activities, impact reports, jobs posted, financial projects for which they raise money; (2) their first and last name, job title, and key competences. This information will be accessible by any user and/or companies willing to help that NGO, as well as to visitors willing to donate to the NGO.
f. Permitted Use for all Personal Data
- Alaya may share your Personal Data to service providers (e.g. payment processors, cloud provider). Our service providers will be given access to your Personal Data on a need to know basis to provide their services for the Platform under reasonable confidential terms.
- If it is required under law to do so or we reasonably believe that such release is necessary to comply with applicable legislation or respond to a court order or to protect Alaya’s rights and interests.
7. TO WHOM BELONGS THE DATA
For visitors, your data is owned by Alaya under our sole responsibility.
For Users: Legally, the data is the responsibility of two entities (The user’s company and Alaya). There is therefore shared ownership of the data.
8. WHAT ARE THE DATA FLOWS?
The data is exclusively located on several (dedicated) servers hosted in Strasbourg via OVH. No other data is exported outside this place.
We use commercially reasonable safeguards to help keep the information collected through the Platform secure and take reasonable steps to verify your identity before granting you access to your account. However, Alaya cannot ensure the security of any information you transmit to Alaya or guarantee that information on the Platform may not be accessed, disclosed, altered, or destroyed. However, we are committed to provide the best service as possible. Best storing, classification, secured environment. Alaya partnered with a data protection industry-leader, Dathena S.A. and is regularly audited by this company to improve its data security policies and processes.
10. ACESSING YOUR PERSONAL INFORMATION AND PREFERENCES
If you would like to revise or review information that you previously provided to Alaya, you may contact our Customer Services by email at firstname.lastname@example.org.
Our company respects your right to make choices about the disclosure and use of your personal information. If at any moment you decide that you do not want to receive communications from us, please let us know by opting in or out on your online registration form when you sign up, or in your “user preferences” page of the platform. Alternatively, you can also contact our Customer Services following the instruction in the previous paragraph.
Whenever you use the Platform, we aim to provide you with access to your Personal Data we control. If that information is wrong, we strive to give you ways to update it quickly or to delete or to anonymize it – unless we have to keep that information for legitimate business or legal purposes. When updating your Personal Data, we may ask you to verify your identity before we can act on your request.
We may reject requests that are unreasonably repetitive, require disproportionate technical effort (for example, developing a new system or fundamentally changing an existing practice), risk the privacy of others, or would be extremely impractical.
11. CHILDREN’S PRIVACY AND LINKS TO OTHER WEBSITES
Alaya does not have the intention of collecting personal information or soliciting donations from anyone under the age of 18 without parental authorization. If you are under 18, you should not use or enter information on this website without parental consent.
We may be connected to websites, including those of our partners, subsidiaries, sponsors and third-party providers that have different privacy policies from those disclosed in this document. Alaya takes no responsibility for the policies or practices of such linked sites, and encourages you to become familiar with them prior to use.
12. CHANGES TO THIS POLICY
Your access and use of the Platform is governed by the version of this Policy in effect on the date of access and use. We may modify this Policy at any time and without prior notice. If a revision, in our sole discretion, is material, we will notify you. You acknowledge that by accessing the Platform after we have made changes to this Policy, you are agreeing to the terms and conditions of this Policy as modified. If you do not agree to the new terms, please stop using the Platform.
HOW TO CONTACT US
If you have any queries, comments or complaints regarding this Policy, just get in touch with us at email@example.com
Alaya SA, a Swiss company having its registered office in Renens, IDE CHE-420.775.974.
Note: This document provides answers to frequently asked questions regarding the utilization of data and their protection. You may share this document with you IT and Legal Department.
What data does the employee enter into the platform when he/she creates an account?
- Mandatory data to enter as a user: First Name, Last Name, Corporate Email, Title, Office location, Skills, Causes you’re Interests
- Facultative data to enter as a user: Profile picture, Open text field (bio, motivations, interests…), Address, Postal Code, Date of Birth, Department, Favourite country, Work languages.
What employee data does the platform record?
In addition to the user details that are covered above, the platform will capture the following data:
An activity audit including donations made by each user, volunteering missions applied and completed, volunteered hours on field, amounts of goods collected, comments and likes submitted, and the data they share on the newsboard.
Note: Every user is able to anonymously publish its donations through the Platform to his Company and to other users.
What information do employees, NGOs (who have their projects on the platform) receive?
NGOs do not have access to the employee data as long as the employee does not interact with the NGO. Whenever an employee decides to interact with an NGO (ex: by donating to them or by applying to their volunteering mission), the NGO can see the public profile of the employee. This profile contains the following data that is transmitted as is: First & Last Name, Profession, Profile picture, Location, Company, the amount donated (if not made anonymous by user), hours dedicated to volunteering.
Only employees of the company can access the platform, how do you make sure?
Different employees from different companies are all on the same platform and database, but users from different companies are separated programmatically. An account is dependent on an organization, and thus to ensure that they only see what they are allowed to see according to the organization identifier. Users from different companies can’t see each other’s activity or profile through programmatic conditions.
Data for each Company’s employee would be protected by applying three levels of authorisation:
- Step 1: Domain match. The corporate email used has to match one of the domains of a company already registered by our administration on the platform.
- Step 2: Email registration. If a match is found, the employee receives a link by email to create his account.
- Step 3: Account creation. By clicking on the link, the user is invited to submit basic information and a password. During the creation process, the account is linked to the company to which the email domain belongs.
How do guarantee the suppression of an employee account if this employee leaves the Company?
Today, as soon as the Company informs us about the departure of an employee, we deactivate and anonymize his account and erase his profile data from the database. We have a deactivation process for a user account that the admin of a company can trigger by contacting our support team. The priority of this deletion action is defined by the client (see support level policy in End-User Licence Agreement).
Note: The impact of the employee’s actions (amount donated and the hours he volunteered) are still considered for the total company impact, but are anonymized when the account gets deactivated. The account email is also replaced to delete all possible identification of the account owner.
To whom belong the data ?
What are the data flows and where is the data storage?
The data is exclusively located on several (dedicated) servers hosted in Strasbourg via the OVH service, and in RaiseNow servers for donation payment details. No other data is exported outside these places.
Who has access to the data?
Only developers and IT managers have access (exclusively) to the data