Privacy Policy (19.5.2018)

1. Registry holder

IGDA Finland ry

2. Data protection officer

Teemu Haila
teemu.haila@igda.fi

3. Registry name

IGDA Finland ry member and visitor registry

4. Purpose and justification of personal data handling

Personal information will only be handled to:

  • Fulfill legal requirements (informing about yearly association meetings etc.)
  • Manage membership lifecycle (payment processing, data updates, etc.)
  • Deliver membership services (inform about events, provide discounts, etc.)
  • Compile anonymised usage data (total number of members etc.)

5. Registry contents

Snapshot of all Individual membership registry fields with highlighted personal information:

needsNewCard: Whether or not a new membership card will be ordered in the next batch.
createdDate: Date of joining IGDA Finland ry
lastUpdated: Date and time of last membership detail update
_id: Unique identifier of membership records in our system
firstName: First name for general communication
lastName: Last name
for general communication
email: Email for general communication
address: Physical mailing address for membership cards and payment processing
postOffice: Physical mailing address for membership cards and payment processing
postNumber: Physical mailing address for membership cards and payment processing
country: Physical mailing address for membership cards and payment processing

membershipType: Type of active membership
igdaFinlandId: Unique membership number for archiving purposes
validUntil: Last valid month of membership
lastRenewed: Date and time of last membership renewal
token: Personal security token

Note: we never store your payment information!

Snapshot of all event visitor registry fields with highlighted personal information:

_id: Unique identifier of visitor records in our system
firstName: First name for general communication
lastName: Last name
for general communication
email: Email for general communication

organisation: Current professional organisation for statistical purposes
interests: Event mailing list subscriptions (not actually part of the registry but managed and provided by MailChimp in context)

Additionally we have separate records for event attendance and could reconstruct a personal list of past attended events, but currently our tools do not do that. These separate records become fully anonymous if your visitor details are deleted.

Snapshot of all studio membership registry fields with highlighted personal information:

ID: Unique identifier of membership records
First Name: First name for general communication
Last Name: Last name
for general communication
E-mail: Email for general communication

Address: Physical mailing address of the studio affiliate for membership cards
Postal Code: Physical mailing address of the studio affiliate for membership cards and payment processing
City: Physical mailing address of the studio affiliate for membership cards and payment processing
Expiration date: Last valid month of membership

6. Data sources

Personal information is only added or updated in the registry by the person themselves. For example during initial registration or event participation.

7. Passing data to 3rd parties

Information will only ever be passed along to IGDA main organisation or to comply with legal demands.

Notice: General Data Protection Regulation will still apply to your personal information even when passed to IGDA main organisation. We kindly ask you to directly contact them with questions concerning international data protection.

8. Passing or storing data outside of EU or ETA

We do our best to physically maintain all information records inside EU at all times. However due to the nature of global networking some data may temporarily pass through or get served from international data centres, for example for credit card payment processing. In these events we limit any personal information to the absolute minimum needed to complete the request and will always use industry standard encryption and GDPR compliant partners.

9. Data processing partners and data flow

All of our registry data and affiliated personal data is stored either in a MongoDB hosted in Mlab using Google EU regions or in Google's G Suite for Business in our proprietary data formats without unauthorised access.

During normal routine operations we send, reference or process registry data via following services or partners:

  • Slack (daily team communication, collaboration and customer support with retained chat logs - we try to keep personal data to minimum but sometimes discussing an email address, a name or a unique identifier is mandatory for providing our services)
  • Google Cloud (service hosting, document archival, website analytics, email hosting)
  • Stripe (credit card payment processing - we do not retain any personal information after a transaction has been completed and only send the minimum recommended for payment defrauding)
  • Mailgun (email sending - only anonymised meta data is retained of sent emails for statistical and service monitoring purposes)

Additionally we routinely use the following services that require their own subsets of our registry:

  • MailChimp (email lists - we only send email addresses with no first or last names and you can opt-out at any time)
  • Eventbrite (private event invites - we do not import or retain data from their systems)
  • Holvi (financial services, invoicing, large payment processing - we do not import or retain data from their systems)
  • Squarespace (this website - we have a public list of studio affiliates on the site and you can opt-out at any time)

Finally we do a periodic export of our membership changes for IGDA to update their membership database accordingly. Even visitor information is never shared with outsiders for any reason.

10. Data protection

Personal information is handled confidentially. IGDA Finland's IT systems and networking are secured with industry standard security and best practices, like tiered permission structures, strong passwords, data encapsulation and encryption. We only select partners with good reputation for data security and GDPR compliance.

11. Data storage, retention and deletion

We store our data either in a secure database or encrypted documents on trusted providers. By default we never delete our internal discussion logs (like emails or slack messages) because they provide a paper trail of accountability. These logs may reference subsets of personal data (for example when passing a customer support request to another volunteer).

Access to personal data is controlled with tiered permissions granted only to association board members and trusted individuals, like developers, who need access to improve our services. The main database has nightly backups with 30 day retention policy for old backups.

When memberships expire we still keep your account active in our system for easy renewals. For complete deletion or anonymisation please contact us at members@igda.fi