This document details what types of data we collect from our users and customers, and how that data is used. We use the Internet just like you do, and having access to an adequate level of information about how business partners store and process private data is an important part of any business relationship.
We’ve tried to write our various policies in a thorough—but still understandable—language. If you find anything to be unclear, or would like additional details, please reach out, and we’ll see if we can clarify the publicly available policies. Chances are others would like these additions as well.
This privacy policy is structured around the different relationships you may have with us, and we split out the policies in sub-items where appropriate.
When we talk about us, ’the Company’ or SummitFold, we’re always always talking about Nordic FreeFold; the company responsible for building and running SummitFold (which we may refer to as the app or the system).
Your relationship with us can be in the form of
Which group you belong to in this context affects the type of data collected, and the rights and obligations held in relation to the other groups.
We distinguish between data that you provide to us directly, and data automatically collected as part of the technical setup of our website, system services, and similar.
Data that you provide directly
We try to minimize the amount of information you’re required to provide in order to use the system. At the very minimum, for any use of our systems beyond our publicly available website, we require your name and email address. Your email address and any email aliases you may voluntarily provide, act as your username and identifier to access the system. You’ll also be required to set a secure password, which will be mathematically ‘salted and hashed’; a process that renders it unreadable to us.
As a Customer, we will enter into a contractual relationship that requires additional information, including (if applicable) your
As a Participant, you have access to a central SummitFold user account, and additional conference and/or organization accounts for each conference you interact with.
The central user account ensures that you only have to remember one account username and password no matter how many different conferences you attend. You may optionally save additional information in this account, such as your work institution, personal or work address, or ORCID. This information is private from any organizations or conferences, and is designed to make it easier and faster to submit abstracts or interact with future conferences. You can edit or delete this centrally stored information at any time.
The organization or conference accounts act as an editable snapshot of your information suitable for one single organization or conference. This information is viewable and editable by organization and conference organizers, and if the organization type is an internal company type where your relationship is obligatory as part of your job function, the organizers may lock or control all or part of this information. Organization and conference organizers may define additional required or optional questions that you answer as part of the sign-up process for individual events. Depending on whether these questions are defined by organizers as falling under legitimate interests or consent-based questions, you will have different rights for correcting and deleting this information.
In sum, based on the type of event and your relationship with the organization and/or conference organizer, you may be asked to provide information defined by the organizers such as
As a user of our public websites, you may provide your name and/or email in order to receive information about our company, products, or particular organizations or conferences. If you refer a friend through one of these forms, we’ll reach out to this person, and ensure they want to receive this type of information going forward.
Data that you provide automatically
When you visit our website, app, organization or conference websites, or any other satellite sites we may collect certain information automatically from and about your device. This can include information such as
Of a more technical nature, we may track
Specifically concerning email, we log
We distinguish between app service emails and marketing emails:
The purposes for the technical and automatically collected data fall into two main categories:
It’s important for us to highlight that in no event do we sell, lease, rent, or pass along the information you provide us to third parties without your express consent. This policy document details the circumstances where we collect information on behalf of organization and conference organizers, and where specific rules apply on a per-conference and per-organization basis. We try to make it very clear in your app dashboard, which rules apply for each event that you’re attending.
We take your privacy very seriously, and encourage you to contact us immediately if you suspect organization and/or conference organizers are misappropriating your provided information for purposes outside the stated legitimate interests or provided consent scopes.
You can be confident that we only use the collected data for their originally stated purpose, or any purposes that you have later authorized. If these purposes are materially expanded, we will inform you about our intentions, and give you the option to opt out or cancel your account depending on the type of change.
We want you to feel sure that the data collected is compatible with your rights and expectations. We continually review the contents of this document, and remain open to suggestions on further clarifications. We also strive to expediently answer requests for data deletions, export, or corrections.
We thoroughly evaluate each instance where we use a third party service or service sub-processor.
We may share the information you provide us—as described above—in narrow circumstances where our vendors and third party service providers require access to your personal information to assist in providing and improving our app, products, and services.
We provide a page listing all our sub-processors, which you may find by clicking here.
Additionally, we may disclose your information
Finally, you allow us to disclose aggregate, non-identifying information about how our customers use our products and services.
We are based in the European Union, and as such the EU GDPR privacy framework is an important pillar of how we do business. Our legal basis for processing your personal data depends 1) on the type of data collected, and 2) whether it happens in the context of you as Customer or Participant as defined earlier in this document.
Your name, email, password, IP address, and country will either be provided directly by you, and/or collected automatically for your central user account. We consider this information to be collected as part of our legitimate interests for the normal and safe functioning of the system. The additional optional information for your central user profile (defined previously, including work institution and address) will be considered added based on your consent if you choose to do so. You may withdraw this consent simply by deleting the information in your profile again.
As a Customer we will instead need to store this information as part of our contract with you, and as part of the processing in our legitimate or legal business interests. We act as your data controller for these purposes. You have additional obligations to the participants at your organization or conference, since you define the type of information they are required to submit. For the organization- or conference-specific information defined by you, you will assume the role of data controller, and we will be the data processor for these items. This is sometimes described as a joint controller.
As a Participant you are required to provide basic information about name, email, password, IP address, and country as defined above, where we the Company will be the data controller. Organization and conference organizers may define further obligatory information that you need to provide in order to submit abstracts or attend the conference or event. The organizers are data controllers in relation to these items, and we the Company are the data processor. If you commit to attending an event and/or authorize payments, we consider that a contract with the conference organizers.
In general, we will make it clear, when relevant, the legal basis for collecting a certain type of information. You may subsequently visit the ‘compliance’ section of your in-app dashboard for information about which types of personal information is being stored for which purposes.
We realize that the “split responsibility” between SummitFold the system and the individual organization and conference organizers may appear complex. If you have any additional questions about the individual responsibilities and the legal basis for processing your information, you’re most welcome to reach out.
We’re based in the European Union, and primarily employ EU-based physical storage and services. In the cases where this is not feasible or we deem the alternatives to provide a better service to you, we make sure to only use third party providers that adhere to the same privacy obligations as EU-based operators would provide. Particularly for US-based providers, we make sure they certify compliance with the EU–US Privacy Shield.
Data retention
We store your personal information in our systems for as long as we need to fulfil the purposes outlined in this Privacy Policy. Some types of information may have a longer required retention period for legal or regulatory reasons.
Cookies
Cookies are small text files that are saved locally on your computer or tablet/phone when you visit a website. We use cookies and similar tracking technology to collect and use personal information about you for purposes of site appearance customizations, and automated technical data collection as described previously. Specifically we host private versions of our usage statistics trackers. We use private versions vs. publically available systems like Google Analytics to better serve your privacy needs. Our app uses cookies to track the state of logged in vs. guest users and ensure proper access control – without which the app would not function.
In our in-app ‘Compliance’ section, you may
By contacting us, you may
Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to complain to a data protection authority about our collection and use of your personal information. You may see a list of Data Protection Authorities here.
The security of the data you provide us is paramount in our daily work.
For communication of personal information between you and our servers, we ensure this always happens on encrypted channels. We salt and hash passwords to protect them in our database.
When you perform payments online using our system, we only receive your credit card number in an unreadable encrypted form, and pass it along to our credit card processor, Stripe, for handling.
In general, we make sure to use appropriate technical and organizational security approaches to safeguard your personal information and secure it from fraudulent use or loss.
We will update this Privacy Policy as needed. For material changes we will take appropriate measure to contact you, consistent with the severity of the planned changes. We will obtain your consent to specific material changes as required by law. Any changes to the Privacy Policy will apply to all current and past users of the website, app, products, and services, and replaces prior policies.