Privacy Policy

Read about how we protect your personal information.

Last updated: January 28, 2019

This document details what types of data we collect from our users and customers, and how that data is used. We use the Internet just like you do, and having access to an adequate level of information about how business partners store and process private data is an important part of any business relationship.

We’ve tried to write our various policies in a thorough—but still understandable—language. If you find anything to be unclear, or would like additional details, please reach out, and we’ll see if we can clarify the publicly available policies. Chances are others would like these additions as well.

This privacy policy is structured around the different relationships you may have with us, and we split out the policies in sub-items where appropriate.

1. Your relationship with us

When we talk about us, ‘the Company’ or SummitFold, we’re always talking about Nordic FreeFold, the company responsible for building and running SummitFold (which we may refer to as the app or the system).

Your relationship with us can be in the form of

  1. an organization, society, group or individual acting as our direct customer, hosting events, handling incoming payments, receiving abstracts and other activities related to organization or conference management. We refer to this group as ‘Customers’ in this policy.
  2. a person wanting to interact with the organizations or conferences mentioned under point 1. We refer to this group as ‘Participants’ in this policy.

Which group you belong to in this context affects the type of data collected, and the rights and obligations held in relation to the other groups.

2. Data that we collect

We distinguish between data that you provide to us directly, and data automatically collected as part of the technical setup of our website, system services, and similar.

Data that you provide directly

We try to minimize the amount of information you’re required to provide in order to use the system. At the very minimum, for any use of our systems beyond our publicly available website, we require your name and email address. Your email address and any email aliases you may voluntarily provide act as your username and identifier to access the system. You’ll also be required to set a secure password, which will be mathematically ‘salted and hashed’, a process that renders it unreadable to us.

As a Customer, we will enter into a contractual relationship that requires additional information, including (if applicable) your

  1. organization name and physical address,
  2. points of contact including contact information for relevant people inside your organization,
  3. banking information for participant fee payouts, if we’re handling payments on your behalf,
  4. signed agreements about how you promise to handle participant user information.

As a Participant, you have access to a central SummitFold user account, and additional conference and/or organization accounts for each conference you interact with.

The central user account ensures that you only have to remember one account username and password no matter how many different conferences you attend. You may optionally save additional information in this account, such as your work institution, personal or work address, or ORCID. This information is private from any organizations or conferences, and is designed to make it easier and faster to submit abstracts or interact with future conferences. You can edit or delete this centrally stored information at any time.

The organization or conference accounts act as an editable snapshot of your information suitable for one single organization or conference. This information is viewable and editable by organization and conference organizers, and if the organization type is an internal company type where your relationship is obligatory as part of your job function, the organizers may lock or control all or part of this information. Organization and conference organizers may define additional required or optional questions that you answer as part of the sign-up process for individual events. Depending on whether these questions are defined by organizers as falling under legitimate interests or consent-based questions, you will have different rights for correcting and deleting this information.

In sum, based on the type of event and your relationship with the organization and/or conference organizer, you may be asked to provide information defined by the organizers such as

  1. work institution,
  2. work and/or personal information such as address, country, or ORCID,
  3. billing information if the event is not free to attend,
  4. consent for your submitted materials to be transmitted, printed, used, or distributed,
  5. consent for your contact information to be passed along to the main organization hosting the event or passed along to the organizers of the next event (for example the organizers of the next annual meeting of a scientific society).

As a user of our public websites, you may provide your name and/or email in order to receive information about our company, products, or particular organizations or conferences. If you refer a friend through one of these forms, we’ll reach out to this person, and ensure they want to receive this type of information going forward.

Data that you provide automatically

When you visit our website, app, organization or conference websites, or any other satellite sites, we may collect certain information automatically from and about your device. This can include information such as

  1. your Internet Protocol (IP) address,
  2. the date and time of each request you make,
  3. the information you include in forms you submit.

Of a more technical nature, we may track

  1. your approximate country and region based on your IP address,
  2. information about the device you used, such as the operating system, browser, and window size,
  3. which pages you visit on our website and apps, and whether you download any files or watch any videos on these sites.

Specifically concerning email, we log

  1. the emails we send and receive from you,
  2. which emails from us you open,
  3. which links you click inside these emails.

We distinguish between app service emails and marketing emails:

  1. App service emails contain critical information about our products and services. This includes sign-up information, password resets, or information on scheduled or unscheduled downtime of the system. You cannot opt out of these emails without cancelling and deleting your account.
  2. Marketing emails can be managed and deselected from your online in-app dashboard. We also include unsubscribe links in all marketing emails.

3. How do we use this data?

The purposes for the technical and automatically collected data fall into two main categories:

  1. Technical optimization and fraud prevention. Information about the countries of origin of our visitors, when you visit, and how many—and which—pages you visit allows us to prioritize our work efforts by understanding how you use our websites and apps. We use the information to ensure that the site can handle the load of incoming visitors and remain technically available, and that we support the browsers used by our visitors. It also allows us to use the traffic information to identify fraudulent actions as part of our efforts to ensure the integrity of the system.
  2. Marketing. If you’re visiting our sites to learn about our products and services, we offer multiple actions to establish contact with us. We use the provided data to contact you and inform you about our technologies, products, and services.

It’s important for us to highlight that in no event do we sell, lease, rent, or pass along the information you provide us to third parties without your express consent. This policy document details the circumstances where we collect information on behalf of organization and conference organizers, and where specific rules apply on a per-conference and per-organization basis. We try to make it very clear in your app dashboard, which rules apply for each event that you’re attending.

We take your privacy very seriously, and encourage you to contact us immediately if you suspect organization and/or conference organizers are misappropriating your provided information for purposes outside the stated legitimate interests or provided consent scopes.

You can be confident that we only use the collected data for their originally stated purpose, or any purposes that you have later authorized. If these purposes are materially expanded, we will inform you about our intentions, and give you the option to opt out or cancel your account depending on the type of change.

We want you to feel sure that the data collected is compatible with your rights and expectations. We continually review the contents of this document, and remain open to suggestions on further clarifications. We also strive to expediently answer requests for data deletions, export, or corrections.

4. Who do we share it with?

We thoroughly evaluate each instance where we use a third party service or service sub-processor.

We may share the information you provide us—as described above—in narrow circumstances where our vendors and third party service providers require access to your personal information to assist in providing and improving our app, products, and services.

We provide a page listing all our sub-processors, which you may find by clicking here.

Additionally, we may disclose your information

  1. in situations where you consent for us to do so,
  2. where required by law or regulatory requirement, or other lawful obligations defined by public authorities,
  3. in connection with the sale, transfer, merger, bankruptcy, restructuring, or other reorganization of a business,
  4. to protect or defend our rights, interests or property, or that of third parties,
  5. to investigate any suspected fraud or wrongdoing in connection with our products and services, and
  6. to protect the vital interests of an individual.

Finally, you allow us to disclose aggregate, non-identifying information about how our customers use our products and services.

We are based in the European Union, and as such the EU GDPR privacy framework is an important pillar of how we do business. Our legal basis for processing your personal data depends 1) on the type of data collected, and 2) whether it happens in the context of you as Customer or Participant as defined earlier in this document.

Your name, email, password, IP address, and country will either be provided directly by you, and/or collected automatically for your central user account. We consider this information to be collected as part of our legitimate interests for the normal and safe functioning of the system. The additional optional information for your central user profile (defined previously, including work institution and address) will be considered added based on your consent if you choose to do so. You may withdraw this consent simply by deleting the information in your profile again.

As a Customer we will instead need to store this information as part of our contract with you, and as part of the processing in our legitimate or legal business interests. We act as your data controller for these purposes. You have additional obligations to the participants at your organization or conference, since you define the type of information they are required to submit. For the organization- or conference-specific information defined by you, you will assume the role of data controller, and we will be the data processor for these items. This is sometimes described as a joint controller.

As a Participant you are required to provide basic information about name, email, password, IP address, and country as defined above, where we the Company will be the data controller. Organization and conference organizers may define further obligatory information that you need to provide in order to submit abstracts or attend the conference or event. The organizers are data controllers in relation to these items, and we the Company are the data processor. If you commit to attending an event and/or authorize payments, we consider that a contract with the conference organizers.

In general, we will make clear, when relevant, the legal basis for collecting a certain type of information. You may subsequently visit the ‘compliance’ section of your in-app dashboard for information about which types of personal information are being stored for which purposes.

We realize that the “split responsibility” between SummitFold the system and the individual organization and conference organizers may appear complex. If you have any additional questions about the individual responsibilities and the legal basis for processing your information, you’re most welcome to reach out.

6. Data storage

We’re based in the European Union, and primarily employ EU-based physical storage and services. In the cases where this is not feasible or we deem the alternatives to provide a better service to you, we make sure to only use third party providers that adhere to the same privacy obligations as EU-based operators would provide. Particularly for US-based providers, we make sure they certify compliance with the EU–US Privacy Shield.

Data retention

We store your personal information in our systems for as long as we need to fulfil the purposes outlined in this Privacy Policy. Some types of information may have a longer required retention period for legal or regulatory reasons.

Cookies

Cookies are small text files that are saved locally on your computer or tablet/phone when you visit a website. We use cookies and similar tracking technology to collect and use personal information about you for purposes of site appearance customizations, and automated technical data collection as described previously. Specifically, we host private versions of our usage statistics trackers. We use private versions rather than publicly available systems like Google Analytics to better serve your privacy needs. Our app uses cookies to track the state of logged in vs. guest users and ensure proper access control – without which the app would not function.

7. Your rights to your data

In our in-app ‘Compliance’ section, you may

  • see the personal information stored about you,
  • update or correct this data,
  • delete your account and associated data.

By contacting us, you may

  • object to the data processing,
  • ask that we restrict it where technically feasible,
  • ask for any additional personal information we may have about you.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about our collection and use of your personal information. You may see a list of Data Protection Authorities here.

8. How we protect your information

The security of the data you provide us is paramount in our daily work.

For communication of personal information between you and our servers, we ensure this always happens on encrypted channels. We salt and hash passwords to protect them in our database.

When you perform payments online using our system, we only receive your credit card number in an unreadable encrypted form, and pass it along to our credit card processor, Stripe, for handling.

In general, we make sure to use appropriate technical and organizational security approaches to safeguard your personal information and secure it from fraudulent use or loss.

9. Changes to this policy

We will update this Privacy Policy as needed. For material changes we will take appropriate measures to contact you, consistent with the severity of the planned changes. We will obtain your consent to specific material changes as required by law. Any changes to the Privacy Policy will apply to all current and past users of the website, app, products, and services, and replace prior policies.