Personal data processing (privacy notice)
Hey there, fellow DPO/privacy & data protection enthusiast!
Since you're GDPR savvy and already overwhelmed with limited time, I'll simply state that you're entitled to all GDPR rights, including access. Just reach out if you have any questions: your controller here is me, Rie Aleksandra Walle at dpohub[at]noties.consulting.
This notice is for the DPO Hub. See the company privacy notice for processing related to general business operations and for the DPO Hub Community.
DPO Hub
When you sign up for the DPO Hub you must share your email address, payment details, name, billing address and, if you're purchasing as a business, Tax ID number (for VAT purposes). The purpose is to give you access to the DPO Hub and the data is required if you want to subscribe. The legal basis is contract. This data is kept for as long as you subscribe, and then for 3,5 years for accounting obligations. I use Stripe to process your payment securely and they retain certain personal data to comply with legal obligations, such as anti-terrorism and anti-money laundering laws.
If you're a Founding Member and would like to receive the carefully put together welcome gift, you must also share your address. I'll then keep this for as long as I might send you something-something in snail mail. This is based on your consent and you can withdraw this at any time, after which I'll delete the data promptly, at the latest within two weeks.
Your email address is required to log in to the DPO Hub and to receive news alerts, but you can unsubscribe from the latter. You can also add your name.
The platform I've built the DPO Hub on allows for newsletter analytics, but this is disabled. Statistics showing when a member signed up and logged in, and the emails received, can't be disabled, however, and are as such considered part of the contract (where the purpose is to fulfill the contract). If you cancel your subscription, your profile and all related data are usually deleted immediately, at the latest within a week.
Finally, I use Fathom Analytics for website analytics; software that was built with privacy at the very core. Your IP address and User Agent are only processed in pseudonymised form for 24-48 hours (read more here). The purpose is to assess the use of the DPO Hub in the most privacy-friendly way possible, for example which pages are the most visited. The legal basis is f), where my legitimate interest is to continually improve the DPO Hub.
Processors and third-country transfers
DPO Hub is built on a platform by Ghost Foundation Ltd, a "proud non-profit organisation building open source technology for journalism". Ghost confirms they store "all data in the EU." I use Stripe as described above and Zapier to automatically create your membership after payment.
The transfer tool for processors in third countries is either an adequacy decision, the EU Standard Contractual Clauses or your explicit consent. Stripe and Zapier are based in the US and certified under the EU-US Data Privacy Framework. Fathom Analytics is based in Canada and falls under their adequacy decision.
This is Version 1.2, August 2024