About Your Data and Privacy...
Your data is yours. We are a non-profit association and selling your data is not what we do, ever. There is a certain minimum amount of information that we need to know about our members in order to provide our services.
That said, we do collaborate with the IGDA main organisation and need to pass your information to them to give you access to the full global membership. We also do some high-level analysis of aggregate data, like event visitor counts, to understand how we could do better and promote IGDA Finland.
Data privacy is a non-trivial thing to maintain in a volunteer organisation and we regularly review our practices to stay accountable and worthy of your trust in us!
To view or edit your personal membership data please head over to Emmi.
Questions and data requests: members (at) igda (dot) fi
Privacy Policy (19.5.2018)
1. Registry holder
IGDA Finland ry
2. Data protection officer
Teemu Haila
teemu.haila@igda.fi
3. Registry name
IGDA Finland ry member and visitor registry
4. Purpose and justification of personal data handling
Personal information will only be handled to:
Fulfill legal requirements (informing about yearly association meetings etc.)
Manage membership lifecycle (payment processing, data updates, etc.)
Deliver membership services (inform about events, provide discounts, etc.)
Compile anonymised usage data (total number of members etc.)
5. Registry contents
Snapshot of all Individual membership registry fields with highlighted personal information:
needsNewCard: Whether or not a new membership card will be ordered in the next batch.
createdDate: Date of joining IGDA Finland ry
lastUpdated: Date and time of last membership detail update
_id: Unique identifier of membership records in our system
firstName: First name for general communication
lastName: Last name for general communication
email: Email for general communication
address: Physical mailing address for membership cards and payment processing
postOffice: Physical mailing address for membership cards and payment processing
postNumber: Physical mailing address for membership cards and payment processing
country: Physical mailing address for membership cards and payment processing
membershipType: Type of active membership
igdaFinlandId: Unique membership number for archiving purposes
validUntil: Last valid month of membership
lastRenewed: Date and time of last membership renewal
token: Personal security token
Note: we never store your payment information!
Snapshot of all event visitor registry fields with highlighted personal information:
_id: Unique identifier of visitor records in our system
firstName: First name for general communication
lastName: Last name for general communication
email: Email for general communication
organisation: Current professional organisation for statistical purposes
interests: Event mailing list subscriptions (not actually part of the registry but managed and provided by MailChimp in context)
Additionally we have separate records for event attendance and could reconstruct a personal list of past attended events, but currently our tools do not do that. These separate records become fully anonymous if your visitor details are deleted.
Snapshot of all studio membership registry fields with highlighted personal information:
ID: Unique identifier of membership records
First Name: First name for general communication
Last Name: Last name for general communication
E-mail: Email for general communication
Address: Physical mailing address of the studio affiliate for membership cards
Postal Code: Physical mailing address of the studio affiliate for membership cards and payment processing
City: Physical mailing address of the studio affiliate for membership cards and payment processing
Expiration date: Last valid month of membership
6. Data sources
Personal information is only added or updated in the registry by the person themselves, for example during initial registration or event participation.
7. Passing data to 3rd parties
Information will only ever be passed along to the IGDA main organisation or to comply with legal demands.
Notice: The General Data Protection Regulation will still apply to your personal information even when passed to the IGDA main organisation. We kindly ask you to directly contact them with questions concerning international data protection.
8. Passing or storing data outside of the EU or EEA
We do our best to physically maintain all information records inside the EU at all times. However, due to the nature of global networking, some data may temporarily pass through or get served from international data centres, for example for credit card payment processing. In these events we limit any personal information to the absolute minimum needed to complete the request and will always use industry-standard encryption and GDPR-compliant partners.
9. Data processing partners and data flow
All of our registry data and affiliated personal data is stored either in a MongoDB database hosted on mLab using Google EU regions or in Google's G Suite for Business, in our proprietary data formats and without unauthorised access.
During normal routine operations we send, reference or process registry data via the following services or partners:
Slack (daily team communication, collaboration and customer support with retained chat logs - we try to keep personal data to minimum but sometimes discussing an email address, a name or a unique identifier is mandatory for providing our services)
Google Cloud (service hosting, document archival, website analytics, email hosting)
Stripe (credit card payment processing - we do not retain any personal information after a transaction has been completed and only send the minimum recommended for payment fraud prevention)
Mailgun (email sending - only anonymised metadata is retained of sent emails for statistical and service monitoring purposes)
Additionally we routinely use the following services that require their own subsets of our registry:
MailChimp (email lists - we only send email addresses with no first or last names and you can opt-out at any time)
Eventbrite (private event invites - we do not import or retain data from their systems)
Holvi (financial services, invoicing, large payment processing - we do not import or retain data from their systems)
Squarespace (this website - we have a public list of studio affiliates on the site and you can opt-out at any time)
Finally, we do a periodic export of our membership changes for IGDA to update their membership database accordingly. Event visitor information is never shared with outsiders for any reason.
10. Data protection
Personal information is handled confidentially. IGDA Finland's IT systems and networking are secured with industry-standard security and best practices, like tiered permission structures, strong passwords, data encapsulation and encryption. We only select partners with a good reputation for data security and GDPR compliance.
11. Data storage, retention and deletion
We store our data either in a secure database or in encrypted documents on trusted providers. By default we never delete our internal discussion logs (like emails or Slack messages) because they provide a paper trail of accountability. These logs may reference subsets of personal data (for example when passing a customer support request to another volunteer).
Access to personal data is controlled with tiered permissions granted only to association board members and trusted individuals, like developers, who need access to improve our services. The main database has nightly backups with a 30-day retention policy for old backups.
When memberships expire we still keep your account active in our system for easy renewals. For complete deletion or anonymisation please contact us at: members (at) igda (dot) fi