SparkWell Data Protection Policy

Who is this for?

This content is designed for participants in Anti Entropy's SparkWell fiscal sponsorship program. While some of it is specific to SparkWell and may require additional context, we have made these resources public because they may nevertheless be useful to others who are founding or building an organization.


1. About this Policy

1.1. This policy explains how Anti Entropy collects, uses, stores, and protects personal data in compliance with applicable data protection laws and best practices.

1.2. This policy applies to all personal data we process, including information about employees, contractors, Project Leads, and donors.

1.3. All employees and contractors must comply with this policy. Violations may result in disciplinary action up to and including termination.

1.4. This policy does not form part of any employment or contractor agreement and may be amended at any time.


2. Key Definitions

2.1. Personal Data: Information that identifies or can be used to identify an individual, such as name, email address, phone number, mailing address, payment information, or employment details.

2.2. Sensitive Personal Data: Information about an individual's health, race, ethnicity, religious beliefs, political opinions, sexual orientation, genetic data, or biometric data. We minimize collection of this type of data.

2.3. Processing: Any operation performed on personal data, including collecting, recording, storing, using, sharing, or deleting it.

2.4. Data Subject: The individual whose personal data we process.

2.5. Data Protection Officer (DPO): Jeffrey Poche serves as Anti Entropy's Data Protection Officer and is responsible for overseeing compliance with this policy.


3. Data Protection Principles

3.1. We handle all personal data according to these core principles:

3.1.1. Lawfulness and Transparency: We collect and use personal data lawfully and are transparent about how we use it.

3.1.2. Purpose Limitation: We collect personal data for specific, legitimate purposes and don't use it for unrelated purposes.

3.1.3. Data Minimization: We only collect personal data that is necessary for our purposes.

3.1.4. Accuracy: We keep personal data accurate and up to date.

3.1.5. Storage Limitation: We only keep personal data as long as necessary.

3.1.6. Security: We protect personal data with appropriate security measures.

3.1.7. Accountability: We can demonstrate our compliance with these principles.


4. What Personal Data We Collect

4.1. Employees and Contractors

4.1.1. We collect and process:

  • Name, contact information (email, phone, address)
  • Employment/contractor details (role, start date, compensation)
  • Bank account or payment information
  • Tax information (W-9, W-8, etc.)
  • Work authorization documentation
  • Performance records
  • Correspondence and communications

4.2. SparkWell Project Leads

4.2.1. We collect and process:

  • Name, contact information
  • Project details and documentation
  • Payment and banking information
  • Correspondence and communications
  • Information necessary for due diligence

4.3. Donors

4.3.1. We collect and process:

  • Name, contact information
  • Donation amount and payment information
  • Communication preferences
  • Correspondence

5. How We Use Personal Data

5.1. Lawful Basis for Processing

5.1.1. We process personal data based on:

  • Contractual necessity: To fulfill our obligations under employment agreements, contractor agreements, or service agreements
  • Legal obligation: To comply with tax laws, employment laws, or other legal requirements
  • Legitimate interests: To operate our organization effectively, communicate with stakeholders, and fulfill our nonprofit mission
  • Consent: When we have obtained your explicit permission (primarily for marketing communications)

5.2. Specific Uses

5.2.1. We use personal data to:

  • Manage employment and contractor relationships
  • Process payments and maintain financial records
  • Administer SparkWell program operations
  • Process donations and issue tax receipts
  • Comply with legal and regulatory requirements
  • Communicate about organizational activities
  • Maintain records and conduct internal analysis
  • Protect our legal rights and prevent fraud

6. Data Sharing and Disclosure

6.1. When We Share Personal Data

6.1.1. We may share personal data with:

  • Service providers who help us operate (e.g., for bookkeeping, HR/payroll, donation processing, or banking). We require all service providers to protect personal data and use it only for specified purposes.
  • Legal authorities when required by law, court order, or government request, or to protect our rights and safety.
  • Professional advisors (lawyers, accountants, auditors) when necessary for professional services.

6.1.2. We do not sell personal data to third parties.

6.2. Internal Sharing

6.2.1. Personal data is shared internally only on a need-to-know basis for legitimate business purposes.


7. Data Security

7.1. Security Measures

7.1.1. We protect personal data through:

  • Password-protected systems and secure file storage
  • Encryption for sensitive data transmission
  • Access controls limiting who can view personal data
  • Regular security assessments
  • Secure disposal of data no longer needed
  • Vendor security requirements in contracts

7.2. Your Responsibilities

7.2.1. You must:

  • Keep passwords secure and confidential
  • Lock your computer when stepping away
  • Only access personal data necessary for your role
  • Follow all security procedures and guidelines
  • Report suspected security incidents immediately
  • Not share personal data inappropriately

7.3. Reporting Security Incidents

7.3.1. If you discover or suspect a data breach or security incident:

  • Immediately notify Jeffrey Poche (DPO)
  • Do not attempt to investigate on your own
  • Preserve all evidence related to the incident
  • Follow instructions from the DPO

8. Data Retention

8.1. Retention Periods

8.1.1. We retain personal data only as long as necessary for the purposes collected or as required by law:

Employees/Contractors:

  • Active employment/contract records: Duration of relationship + 7 years
  • Tax documents: 7 years after last payment
  • Background checks/due diligence: Duration of relationship + 7 years

Project Leads:

  • Active project records: Duration of project + 7 years
  • Financial records: 7 years after project closure
  • Due diligence records: 7 years after project closure

Donors:

  • Donation records: 7 years (for tax and audit purposes)
  • Communications: Until donor requests removal or 7 years, whichever is sooner

8.2. Secure Deletion

8.2.1. When retention periods expire, we securely delete or anonymize personal data through:

  • Secure file deletion for electronic records
  • Shredding for paper records
  • Data erasure from backup systems where feasible

9. Individual Rights

9.1. Your Rights Regarding Personal Data

9.1.1. You have the right to:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data in certain circumstances
  • Restriction: Request that we limit how we use your personal data
  • Objection: Object to processing based on legitimate interests
  • Data portability: Receive your data in a portable format (where technically feasible)
  • Withdraw consent: Withdraw consent for processing where consent was the basis

9.2. How to Exercise Your Rights

9.2.1. To exercise any of these rights:

  • Contact Jeffrey Poche (DPO)
  • Provide sufficient information to verify your identity
  • Specify which right(s) you wish to exercise
  • Allow up to 30 days for response

9.2.2. We may request additional information to verify your identity before processing requests. We will not charge fees for requests unless they are excessive or repetitive.

9.3. Limitations

9.3.1. Some rights may be limited by legal obligations or legitimate interests. For example, we may need to retain certain data for tax compliance even if you request deletion.


10. UK GDPR Compliance

10.1. When UK GDPR Applies

10.1.1. The UK General Data Protection Regulation (GDPR) applies when we process personal data of individuals located in the United Kingdom. This may include:

  • SparkWell Project Leads or team members in the UK
  • Donors located in the UK
  • Service providers or contractors in the UK

10.2. Additional UK GDPR Requirements

10.2.1. When processing personal data subject to UK GDPR, we comply with additional requirements including:

  • Lawful Basis: We identify and document the lawful basis for each processing activity under UK GDPR (e.g., consent, contract, legitimate interests, legal obligation).
  • Data Protection Officer: Jeffrey Poche serves as our Data Protection Officer for UK GDPR purposes.
  • Privacy Notices: We provide detailed privacy notices to UK data subjects explaining how we process their data.
  • Data Breach Notification: For UK data subjects, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of a qualifying data breach, and notify affected individuals when required.
  • International Data Transfers: We ensure appropriate safeguards when transferring UK personal data to the United States, including:
    • Standard Contractual Clauses with service providers
    • Adequacy assessments for data transfers
    • Documentation of transfer mechanisms
  • Enhanced Individual Rights: UK data subjects have additional rights under UK GDPR, including the right to lodge a complaint with the ICO.

10.3. UK Data Subject Requests

10.3.1. UK data subjects can exercise their rights by contacting Jeffrey Poche (DPO). We will respond within one month and provide responses free of charge unless requests are excessive.

10.3.2. To lodge a complaint about our data processing practices, UK data subjects may contact:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113


11. Special Considerations

11.1. Sensitive Personal Data

11.1.1. We minimize collection of sensitive personal data. When we must collect it (e.g., health information for accommodations, background check information for due diligence):

  • We obtain explicit consent when required
  • We implement heightened security measures
  • We limit access to only those with a legitimate need
  • We retain it only as long as necessary

11.2. Third-Country Data Transfers

11.2.1. We may transfer personal data to service providers or individuals in other countries. When doing so:

  • We assess the data protection laws in the recipient country
  • We implement appropriate safeguards (contracts, encryption)
  • For UK/EU data subjects, we comply with UK GDPR transfer requirements

11.3. Children's Data

11.3.1. Anti Entropy does not knowingly collect personal data from individuals under 18. If we discover we have collected such data, we will delete it promptly.


12. Transparency and Privacy Notices

12.1. Privacy Notice

12.1.1. Our public-facing Privacy Notice is available at:
https://www.antientropy.org/anti-entropy-privacy-notice

12.1.2. This notice explains to external parties (donors, website visitors, Project applicants) how we handle their personal data.

12.2. Transparency Obligations

12.2.1. When collecting personal data directly from individuals, we inform them:

  • Who we are and how to contact us
  • What data we collect and why
  • Who we share it with
  • How long we keep it
  • Their rights regarding the data
  • How to exercise those rights

13. Record Keeping and Accountability

13.1. Data Processing Records

13.1.1. We maintain records of our data processing activities including:

  • Types of personal data processed
  • Purposes of processing
  • Categories of data subjects
  • Recipients of personal data
  • Data retention periods
  • Security measures implemented
  • Data transfer mechanisms

13.2. Regular Reviews

13.2.1. The DPO conducts periodic reviews to:

  • Assess compliance with this policy
  • Update data processing records
  • Review security measures
  • Identify and address risks
  • Update procedures as needed

14. Training and Awareness

14.1. All employees and contractors must:

  • Read and understand this policy upon hire/engagement
  • Complete data protection training as required
  • Stay informed of policy updates
  • Ask questions when unsure about data handling

14.2. The DPO provides guidance on data protection matters and is available to answer questions.


15. Contact Information

15.1. Data Protection Officer: Jeffrey Poche

15.2. Questions about this policy or data protection practices should be directed to the DPO.

15.3. For General Inquiries: support@antientropy.org


16. Policy Updates

16.1. We review and update this policy periodically to reflect:

  • Changes in data processing activities
  • New legal requirements
  • Lessons learned from incidents or audits
  • Industry best practices

16.2. The current version of this policy is always available in the Resource Portal. Significant changes will be communicated to all employees and contractors.