+++
title = "Privacy Policy"
subtitle = "We strive for the lowest possible amount of data retention. In fact, even this website uses no cookies! Learn here how you interact with our services."
theme = "dark"
text = "#FFFFFF"
+++

Ura Design adheres to the highest ethical standards in all of our operations and is dedicated to protecting the privacy of everyone who interacts with us. We don’t sell, barter, give away, or rent information about our partners, collaborators, research participants, or website visitors, and we don’t permit anyone outside of Ura Design and its project-scoped contractors to use or access it.

We use third party services to publish work, keep in touch with people, and understand how we can do both of these things better. Here you can find out what these services are and how we handle all sorts of data, from user research to job applications.

If there is additional information you would like to see in this document about our practices, or if you have other comments or questions, please reach out to hello@ura.design.

This document was last updated on 5 August, 2022.

## Our site & services

We use the following services to run our websites and understand how people are using them.

## Website Analytics

Our website uses [Plausible](https://plausible.io/) for simple and privacy-friendly web analytics. We collect information about how people are using our sites to allow us to improve their experience. Our traffic data is not used for any other purposes. Plausible does not use cookies and is fully compliant with GDPR, CCPA, PECR and other privacy regulations out of the box.

## Presentator

We host our work presentations using [Presentator](https://show.ura.design) for its robust and scalable infrastructure. Find out more about how they use data in their [privacy statement](https://presentator.io/terms-and-conditions).

## ProtonMail

We currently use [ProtonMail](https://proton.me) for our email, calendaring, and document storage.
Individual members of the team use PGP and are happy to correspond via encrypted email, or to honor requests that files shared with us not be stored in Google Drive. We respect diverse threat models and work to accommodate our partners’ needs and concerns.

## Mattermost

We host a [Mattermost](https://chat.ura.design) chat service for internal communication and community organizing. Mattermost stores your account information and usage data, and our administrators have access to all public channels. Please refer to [Mattermost’s privacy policy](https://mattermost.com/privacy-policy/) before you sign on.

## Nextcloud

We host a [Nextcloud](https://cloud.ura.design) server to store every work project, along with documentation and photographs from conferences we have participated in and organized. We also use Nextcloud for surveys and forms needed for testing and research.

## HedgeDoc

We use [HedgeDoc](https://pad.ura.design) as our real-time editor, allowing authors and users to edit a text document and see their edits instantly and simultaneously.

## Our social media accounts

We use social media accounts to share our work. We occasionally use the analytics tools provided by these platforms to understand how we can use these services better. Our social media accounts are:

- [Ura Design on Twitter](https://twitter.com/uradotdesign "Twitter Link") | [Privacy policy](https://twitter.com/en/privacy#update)
- [Ura Design on Instagram](https://www.instagram.com/uradotdesign/) | [Privacy policy](https://help.instagram.com/519522125107875/?helpref=uf_share)

If you’d like content about you removed from any of our social media profiles, please contact us at https://chat.ura.design/.

## Research participants

Research is an important part of our work: it helps us understand people’s needs and build better products and services.
## Asking for consent

All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed, we ask them to sign the form to confirm this.

We scan signed consent forms and shred paper copies, then store consent forms on our Nextcloud server and keep these for 3 years.

At the moment, we do not conduct any research with people under the age of 18. We do not give incentives to participants.

## Using information from research

Research material is separated from any identifiable information, such as consent forms, while we are working with it. Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on Nextcloud and are only accessed by Ura Design's team members involved in the research. At the end of the project, all notes and digital files are destroyed or deleted.

Sometimes we may publish quotes from research sessions. We only do this if we have specific consent from the participant and any personally identifiable information has been removed. We will only publish audio, photos and video from a research session if a participant has given consent and has signed a model release form.

## Survey

We use Nextcloud for gathering and processing information from survey participants. See [their privacy policy](https://nextcloud.com/privacy/) for more information.

## Withdrawing your consent

Participants are able to withdraw their information from a project at any time. To do this, contact hello@ura.design.

## Working at Ura

Only team members involved in the recruitment process have access to applications, CVs and emails we receive. We don’t collect any special category data or ask for any background checks as part of the application process.

When people join Ura Design, we request information about them needed for tax purposes.
We hold information about their role and their professional development at Ura Design. Access to this information is controlled.

## Things we don’t do

Ura Design doesn’t participate in the following data processing activities:

- Buying or selling marketing lists
- Entering into data sharing agreements with other organisations
- Telephone marketing
- Postal marketing
- CCTV surveillance

We don’t use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

## Keeping data secure

We carefully choose our services and tools at Ura Design. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins Ura Design, we explain best practices for keeping their devices secure and maintaining the security of their online accounts, including the use of a new YubiKey provided by [Yubico](https://www.yubico.com/).

## Data breaches

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their [guidance](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/).

## Data transfer outside the EEA

We have reviewed the privacy policies of third party services we use. They provide adequate protections when information is shared outside of the European Economic Area.

## Reviewing how we use data

Every quarter, we review our documentation of the data we handle and third party services we use. This helps us continuously improve our processes and hold ourselves to account. We will update this document as necessary.
## Your rights and getting in touch

The General Data Protection Regulation gives EU citizens the following rights:

- [Right to be informed](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/)
- [Right of access](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/)
- [Right to rectification](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/)
- [Right to erasure](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/)
- [Right to restrict processing](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/)
- [Right to data portability](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/)
- [Right to object](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/)
- [Rights related to automated decision-making, including profiling](https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/)

To exercise any of these rights, please contact us at [our chat](https://chat.ura.design) or via email at [hello@ura.design](mailto:hello@ura.design). You can find information specific to the services we use or our activities in the relevant sections of this document.
If you are located in the EU and aren’t satisfied by our response, you can contact the EU [Information Commissioner’s Office](https://ico.org.uk/make-a-complaint/).

## Acknowledgements

In drafting this policy we used a number of different resources and inspirations. We want to offer particular thanks to Simply Secure for their clear example.