Privacy policy

The purpose of this privacy policy is to inform you of which data we process and store when you visit our website or use our service. This includes details on our use of cookies.

Read the following sections to learn about:

Last revised on February 22nd, 2024. The latest version of this privacy policy can be obtained at https://www.activityinfo.org/about/privacy-policy.html.

Definitions

This privacy policy uses the following terms:

Which data we store and why

When you visit the website without signing into the platform, we store data in your browser and on our servers. This section details which data we store and why we store this data.

When you sign into the platform, we store data which you provide to us. This includes the following information:

  1. your email address which we use for the following purposes:
    • to send you an activation email message to confirm that you have entered an existing email address to which you have access,
    • to identify your account and to check if you have provided the correct password to log in,
    • to send you a password reset email message in case you have forgotten your password or if you have elected to change your password,
    • to send you daily and weekly digest email messages in case you have elected to receive these,
    • to access your account in case you have requested us to support you,
    • to identify your account in our server logs which we use to monitor latency and errors in the platform,
    • to contact you to offer support or guidance in using ActivityInfo.
  2. your name which is displayed to other users next to the databases you own and reports you share. Your name also appears in the digest email messages which are sent to the owner(s) of the database(s) in which you have entered or edited data.
  3. the data which you create on the platform which includes, but is not limited to, forms with indicators and attributes, quantitative and narrative data entered into the forms and locations.

Where we store your data

The platform runs on infrastructure provided as part of the Google Cloud Platform. This infrastructure, which includes servers, databases and file storage, is supported by data center locations around the world. We have opted to process and store your data exclusively on Google’s data centers located within the European Union. See https://www.google.com/about/datacenters/inside/locations/ for a full list of data center locations.

Some data is stored in the browser which you use to access the service. This includes cookies (see the section on Cookies below) and application data. The latter includes our use of the “application cache” and the “IndexedDB Database” in your browser. The use of this storage allows you to use the application in areas with poor or no internet connectivity.

How we protect your data

In general we observe and test against the guidelines provided by the Open Web Application Security Project (OWASP). A full list of guidelines for a variety of topics related to security can be found at https://www.owasp.org/index.php/Cheat_Sheets.

The following sections provide more detail on specific topics such as data security, privacy and authentication.

Data processing and storage

We have chosen the Google Cloud Platform because it is extremely secure and fault-tolerant. We are confident that this infrastructure provides you with the best possible security for your data. Full details on the Google Cloud Platform security and its certifications can be found at https://cloud.google.com/security/.

Traffic between client and server

When you are logged into the platform, all data sent between the client (your browser) and our servers is encrypted using the TLS 1.2 protocol with the SHA-256 hashing function.

User authentication

Users are authenticated using their email address and a password. Passwords are chosen by users and must be at least six characters. Passwords are stored salted and hashed using the BCrypt algorithm. No passwords are stored in plain text and we require that all authenticated traffic use HTTPS. Users may reset their password by providing their email address, through which they will receive an email with a token allowing them to choose a new password within 24 hours.

Third Party Service Providers / Subprocessors

In order to support our operations we rely on several Service Providers. They help us with various services such as payment processing, web audience analysis, cloud hosting, marketing and communication, etc.

Our full list of sub-processors is available at https://www.activityinfo.org/about/third-party.html.

Cookies

When you log into the platform, we store cookies in your browser to record details about your session in the browser. We do this so you do not have to log in again whenever you navigate to another page in the platform or open a page in a new tab within the same browser session. These cookies are therefore essential for the functioning of the platform.

ActivityInfo.org sets the following cookies:

| Name | Expires | Purpose |
|------|---------|---------|
| locale | 60 days | Remember the user's selected locale for login page and application |
| oidccrsf | End of browser session | Random token to protect against Cross Site Request Forgery (CSRF) when using Single Sign On (SSO) |
| GCLB | End of browser session | Random token issued by the load balancer to ensure that a user's requests are routed consistently to the same backend server. This improves performance. |
| email | End of browser session | Logged in user's email address |
| userId | End of browser session | Logged in user's user id |
| authToken | End of browser session | Logged in user's secret session token |