What does this Notice cover?
This Notice describes how Asterisk (legal name Obelus Inc.) collects, uses, and shares your personal information when you:
- visit any websites operated by us, including https://asteriskmag.com and any other sites or applications containing a link to this Notice (collectively “Websites”); or
- interact with us offline (for example, when you apply for a role with us).
It also provides additional details regarding how we process the personal information of individuals in the United Kingdom (“UK”), including a description of rights you may have over your personal information under applicable UK law.
Asterisk may have other unique privacy notices that apply to specific situations. To the extent you were provided with different privacy notices that are applicable, those notices will govern our interactions with you, not this one.
If you provide us with personal information of anyone other than yourself (such as a friend or family member), please note that you are responsible for complying with all applicable privacy and data protection laws prior to providing that information to Asterisk (including obtaining consent, if required).
If you have any questions, please contact us using the details in the “Who we are and how you can get in touch” section below.
What personal information do we collect?
When we refer to “personal information,” we mean information that can be used to identify a person or can be linked directly to an individual. We may collect and process your personal information:
- directly from you (including through online forms or in conversation with staff during the course of service delivery),
- from the device(s) you use to access the Websites,
- from third parties (for example if a potential partner provides information as part of due diligence), and
- from public sources (such as LinkedIn).
Personal Information we collect from you directly
- Identity and Contact Data such as your name, profession, date of birth, mailing address, email address, and phone number.
- Account Data including username and password.
- Transaction Data including billing address, bank, and payment card information when making a purchase or subscription.
- Marketing Preferences including any consents you have given us.
- The content of your Communications or any other personal information you provide to us directly, such as information provided voluntarily in relation to your profession, your salary after tax, and your date of birth.
- Career Information including that regarding your professional experience and qualifications, right to work status, and other CV information.
- Demographic Information such as country of residence, gender, and age.
- Service Engagement with Asterisk such as activities on the Websites.
- Biographical and Background Data including information that we may ask you as part of our trustee appointment process (such as details about your background and any other reflections that you have about yourself as a candidate and that you choose to provide to us).
Where we need your information to facilitate a purchase or subscription, open an account, collect a donation, or to review you for some service, we will not be able to do so if you do not provide us with it.
Personal Information we collect from your device(s)
We may collect information from the device(s) you use to access the Websites such as your:
- Internet Protocol (IP) address;
- device type;
- dates and times you visit and use the Websites;
- activity on the Websites and referring websites or applications;
- Uniform Resource Locators, or URLs (i.e., website addresses) visited prior to arriving and after leaving our Websites; and
- approximate geolocation.
We typically collect this information through the use of cookies and similar technologies. For more information on how we use cookies, please see our Cookie Notice.
When you sign up for our newsletter, we may track when you open emails and click links in our email campaigns. We may not be able to provide you with our newsletter service if you do not provide us with this information.
Personal Information we collect from third parties
We may collect your personal information from third parties, including the following:
Other organisations and industry experts
We work closely with organisations and industry experts in identifying and filling opportunities. Those opportunities may include jobs, volunteer roles, and conferences related to these problem areas and/or career options. Those organisations and industry experts may pass on data to us about individuals they interact with such as job applicants, employees, or volunteers so that we can assess them as potential recipients of our services, provide services to them, or consider them for a role.
We may also ask trusted informal advisors for advice in their relevant areas, such as help assessing a grant application, or for formal or informal references in recruiting.
Publicly available sources
We may collect personal information about you from publicly available sources, including social media sites (e.g., LinkedIn) or news articles. Such information may include (as relevant) your education, employment history, and credentials.
We may do this, for example, when you apply for a role within our organisation, as part of headhunting work, or when conducting donor due diligence.
Referees
When you apply for a role within our organisation (including to be a trustee), we may ask you to provide us with details of individuals who can provide a reference on your behalf. If you do so, we will obtain personal data about you from these referees as part of the application process.
How do we use your personal information?
We use your personal information for the following purposes:
- to facilitate a purchase or subscription;
- to assess your suitability for services, events, collaborations, roles, or other opportunities at Asterisk, and to suggest you for, or contact you about, any of these things;
- to conduct research, support discussion of ideas and research, and publish related content;
- as part of our process for appointing trustees, including to determine your suitability to become a trustee of Asterisk;
- to run conferences, reading groups, retreats, or other types of events;
- to assess the impact of our work, and to promote our work and values through, for example, case studies and blogs;
- to create any accounts you request and maintain or moderate platforms we run;
- to communicate with you, including to notify you about changes to our terms, undertake surveys and give feedback, process your concerns and queries, and provide you with information we think may be useful to you;
- to use data analytics to improve our website, services, online forums or sites, marketing efforts, and user experience;
- to carry out proper governance on our funding and make public reports about donations (such reports will not directly identify you, but we will use your personal information when creating them);
- to solicit and collect donations, and to communicate with donors;
- to administer and protect Asterisk, our initiatives, our people, and our websites; and
- to generally protect our legal rights and comply with law and regulation.
How do we share your personal information?
We may share your personal information with third parties as follows:
In exceptional circumstances, we reserve the right to pass on your personal information when there is a legal or “duty of care” imperative (for example if we need to safeguard other individuals).
We may share your personal information with our affiliate companies and organisations for the purposes set out in this notice.
We may also share your personal information with third-party service providers, who will process it on our behalf for the purposes identified above. We use third-party providers of certain services such as but not exclusively website hosting, website analytics, behavioural remarketing services, marketing automation, payment processing, IT maintenance, and identity checking. We also pass information to our payment processing partner when you make a payment such as a donation—we do not generally store your card details when doing so.
Other than that, we may share your personal information:
- with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
- with funders and investors to help our organisation grow;
- if you are applying to become a trustee of Asterisk, with other trustees and senior individuals within Asterisk as part of your application, and in order to determine whether you are suitable for the role that you have applied for – you can read about the safeguards that we put in place for transfers of your data (where relevant) below;
- if all or part of our organisation is closed, combined with another organisation, or becomes its own organisation (for example, when an initiative is no longer hosted by Asterisk), we will share your personal information with external advisers (such as lawyers, accountants, or financial advisers) who are helping us with this process and the owners of the new organisation; and
- in connection with any legal process or potential legal process.
How do we secure your personal information?
We put in place organisational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we will take steps to minimise the loss or destruction of data and, if required by law, will notify you. We have implemented data security policies and procedures, and relevant staff receive data security training.
Our security measures include:
- sending the most sensitive information over encrypted channels (SSL/TLS);
- using slow password hashing algorithms (such as Bcrypt);
- taking reasonable steps towards the physical security of where we host our data (such as using reasonable third-party providers); and
- using PCI Compliant payment processors to avoid storing your payment details (e.g. credit card numbers).
Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Websites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Although we use reasonable security measures once we have received your personal data, the transmission of data over the internet (including by email) is never completely secure. We work to protect personal information, but we cannot guarantee the security of information transmitted to or by us.
How long do we keep your personal information?
We will only keep your personal information for as long as we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.
If we no longer need this personal information for the purposes set out in this notice, we will delete it or anonymise it so that nobody can identify you from the information.
Updates to this Privacy Notice
We reserve the right to change this Privacy Notice from time to time. We will alert you when changes have been made by indicating the date this Privacy Notice was last updated or as otherwise may be required by law. It is recommended that you periodically revisit this Privacy Notice to learn of any changes.
Who we are and how you can get in touch
Asterisk is a project of Obelus Inc., a 501(c)(3) nonprofit registered at 2150 Shattuck Ave. Floor 12 Berkeley, CA 94704. If you have questions in relation to this notice or on how we use your personal information, please contact us at info@asteriskmag.com.
Additional Information for the United Kingdom
The UK General Data Protection Regulation (“UK GDPR”) requires us to provide additional information about how we handle the personal information of individuals subject to those laws. If you are a UK resident, or are otherwise within the scope of the UK GDPR, the following sections apply to our processing of your personal information.
Our role
For the purposes of the UK GDPR, Asterisk is a “controller” of your personal information as it is described in this Privacy Notice. This means we make decisions about how and why your information is used, and have a responsibility to make sure that your rights are protected when we do so.
Legal bases for processing your personal information
We will process your personal information only where we have a legal basis for doing so, including:
- when we need it to perform a contract we are about to enter into or have entered into with you;
- when it is necessary for our “legitimate interests” (or those of a third party) and your interests and rights do not override our interests;
- when you have given us your consent; and
- when we need to comply with the law.
When we refer to our “legitimate interests,” we mean:
- to improve our programs;
- to keep our records updated and to study how our Websites and other services are used;
- to administer and protect the organization and web presence (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting);
- to inform our marketing strategies; and
- to best serve our aims in the most efficient manner possible.
For more information on how we use your personal information, please see the “How do we use your personal information?” section above.
Sensitive Information
Certain types of personal information may be considered “sensitive” under the UK GDPR, such as information about your race or ethnic origins, political opinions, sex life or sexual orientation, religious beliefs, and health information. We may collect Sensitive Information in certain circumstances. For example, we may collect:
- if you are attending an event, your dietary and access requirements;
- information about your mental health or other personal circumstances, for example if you provide these to us as part of one of our surveys, or during other interactions; and
- information about ethnicity, for the purposes of diversity monitoring.
Criminal Offence Data (data relating to criminal convictions and offences) is also given extra protection under the UK GDPR. In some circumstances we may collect Criminal Convictions Data about you, for example during our trustee application process (as part of which we invite you to inform us about your background and any crimes of which you may have been convicted).
We will generally ask for your consent for this Sensitive Information and Criminal Convictions Data, but we may also rely on other legal bases to collect and use it, for example when we need to do so for safeguarding purposes, to protect your vital interests, to obtain legal advice, or because we are subject to a legal obligation.
Your personal information rights
Under the UK GDPR, you may have the right to ask us for a copy of your personal information; to correct, delete, or restrict (stop any active) use of your personal information; and in certain cases to obtain the personal information you provide to us in a “structured, machine readable format.” You can also object to the use of your personal information in some circumstances (in particular, when we don’t have to use the data to meet a contractual or other legal requirement, or when we are using the data to send you marketing emails).
Where you have given us your consent to use your personal information, you can take back that consent at any time. If you do, we will stop using your personal information immediately, unless we collected it for a different purpose (for example, the information is necessary to comply with a legal obligation). If you decide to take back your consent, this will not affect the lawfulness of our actions before you made that decision. This means that our use of your personal information before you took back your consent remains legal.
These rights may be limited, for example, if answering your request would reveal personal information about another person or if you ask us to delete information which we are required by law to keep or have important legitimate interests to keep.
You also have the right to complain to a data protection authority about how we process your personal information. In the UK, the supervisory authority is the Information Commissioner’s Office.
To exercise any of these rights, or to make a complaint to us, you can get in touch using the details set out in the “Who we are and how you can get in touch” section above.
Cross-border transfer of your personal information
Asterisk is based in the United States and we generally store your personal information within the US. Sometimes we use service providers who access your personal data in other countries.
When we need to share your personal information with people or organisations outside the UK, including in the United States, it might be subject to data protection laws that offer less protection than under the UK GDPR. Where this is the case, we take steps to ensure your personal information is protected, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”). If you want to learn more about this, or to get a copy of the transfer mechanism that we use, please reach out using the details given in the “Who we are and how you can get in touch” section above.