Privacy Policy

How DML uses data

This page was last updated on 13 September 2024.

Who we are

Dark Matter Labs (DML) is a strategic discovery, design and development lab working to transition society in response to technological revolution and climate breakdown. We run this website (darkmatterlabs.org/) and its subdomains.

This privacy policy applies to Dark Matter Labs, a company registered at 217 Mare Street, London, E8 3QE, United Kingdom. We operate in various offices around the world and have partnerships that are representative of the multiple geographies we operate within.

At Dark Matter Labs, we want every individual to know what personal data we collect, why we are collecting it, and what we do with it. We firmly believe in the right of every individual as a data subject to know how their personal data is being used by a data controller such as DML, so please get familiar with our Privacy Policy. If you have any questions at all, you can reach out to info@darkmatterlabs.org.

This Privacy Policy is divided into sections based on the way you are interacting with Dark Matter Labs. You are either a Site Visitor, Research Participant, Event Attendee, Partner, or a Prospective Applicant. Please determine what type of user you are; for each type we have explained what information we collect, how we use it, how we store it, and how we may share that information. All of our practices are compliant with the General Data Protection Regulation (GDPR), which is a legal framework that sets guidelines for the collection and processing of personal information for individuals that live in the UK & European Union.

User type

Site Visitor: You are a site visitor when you visit and interact with our web sites, web pages, blogs and content on darkmatterlabs.org.

Research Participant: You are a Research Participant when you have agreed to take part in research that Dark Matter Labs is conducting.

Partner: You are an existing Partner once you have engaged with Dark Matter Labs in a contract.

Prospective Applicant: You are a Prospective Applicant when you apply to one of the positions at Dark Matter Labs that are found here.

Event Attendee: We occasionally host events at Dark Matter Labs that require your registration. You are an Event Attendee once you have registered for an event that we are hosting.

Principles

Firstly, we want to make you aware of six principles by which all personal data must be processed, according to Article 5 of the GDPR. These principles outline what any company that has a digital presence needs to be accountable for:

Lawfulness, fairness, and transparency: Obey the law, only process personal data in a way that people would reasonably expect, and always be open about your data protection practices.

Purpose limitation: You must normally only process personal data for the specific reason you collected it and nothing else.

Data minimization: Don’t process any more data than you need.

Accuracy: Make sure that any personal data you hold is adequate and accurate.

Storage limitation: Don’t store personal data for longer than you need to.

Integrity and confidentiality: Always process personal data securely.

These principles build the foundation for why data is being collected, and all of the data that DML is collecting has to fall in line with one of these six principles.

Site Visitor

What data we collect

We use Cloudflare analytics, which collects the following personal information about visitors to our website www.darkmatterlabs.org.

  • IP address (first two bytes)
  • Timestamp of visit
  • Number of visits
  • Country of visit
  • Page views by source
  • Referrer
  • Operating system
  • Browsers
  • Device type
  • Paths

Why we collect website data

Our website analytics allows us to see how people are using our sites and improve their experience. We do not run cookies on our website.

Where website data is processed and stored

We use analytics software run through Cloudflare, a service that adopts a privacy-first analytics approach. This means that they enable us to analyze traffic to our website without compromising our users’ privacy. Their approach to customer data is outlined in their privacy policy, and the data that we have access to is only visible for 30 days.

Opt-out of collection

You can opt out of our analytics by turning on Do Not Track in your browser. Find out how to do this for Google Chrome, Firefox, Safari, and Microsoft Edge. If you do not opt out, clicking any link on our website is taken as implied consent to our analytics run through Cloudflare on your device, unless you have disabled them in your browser as described above.

Third-party services

We also use third-party services to host and deliver website content. You can find out more about each of these services below:

Vercel

DML’s website is hosted by Vercel. Their approach to GDPR is highlighted here and is also reflected in their Privacy Policy.

Medium

We host our blog on Medium, because its infrastructure is better suited to delivering blog content than our own. Find out more about how they use data in their privacy statement. Any reference to an identifiable individual in our blog space has been obtained with their consent, and all of our data is collected in this way.

If you opt in to receiving our newsletter by email, you will explicitly be asked for your consent to keep your email on file. We do not sell our email lists, or use them for anything that is not explicitly stated when signing up.

Our social media accounts

We use several social media accounts to share our work, and these have been included on our website. We occasionally use the analytics tools provided by these platforms to understand how we can use these services better. Our social media accounts include the following; please check their privacy policies before sharing personal information:

Research participants

As a discovery organisation, research is an important part of our work: it helps us understand people’s needs and build better products and services. We treat all the notes, recordings and other data you collect during our research as personal data.

At the moment, we do not conduct any research with people under the age of 18.

What data we collect

We collect the following information from research participants:

  • Full name
  • Telephone number
  • Email address
  • Address
  • Consent forms

Why we collect this data

We collect participant information to identify participants and to arrange sessions and follow-ups. All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed, we ask them to sign the form to confirm this.

How long we keep research data

Participant information is deleted at the end of the project. Our consent forms are kept on file for 6 years. All notes and digital files are destroyed or deleted 2 years after the research session. We delete any personal information provided to us from the research recruiter when the project has finished.

Where research data is processed and stored

Research material is separated from any identifiable information, such as consent forms, while we are working with it. Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on Google Drive and are only accessed by DML team members involved in the research. We may send audio of the research session to a transcriber if necessary. We review the privacy notices of the companies we use for this and ask for explicit consent from participants in our consent forms.

Opt-out of collection

Participants are able to withdraw their information from a project at any time. To do this, contact info@darkmatterlabs.org.

Potential and existing partners

We may collect the following information about our potential and existing clients:

  • Name
  • Company
  • Email address

Why we collect this data

We may process your personal data because it is necessary for the performance of a contract, or to take steps at your request prior to entering into a contract (for example, to enter into grant agreements with you). Testimonials may be used on our website for promotional purposes.

How long we keep this data

We keep information about potential clients for 1 year from last contact, and information about existing clients for 2 years from last contact.

Where data about potential and existing partners is processed

We use the following services to store and process this data: Google Workspace (including Gmail and Drive), Slack, and Notion. Our servers for Google are in the EU.

Attendees of DML’s events

From time to time, we run events to share our insights and to connect with other Responsible Data practitioners.

What data we collect

  • Full name
  • Telephone number
  • Email address
  • Job title and Company

Why we collect this data

We collect attendee information to send the event invitation, provide help should there be any issues joining the event, and to reach out for feedback.

How long we keep Attendee data

Attendee Registration data is deleted 2 years after the event. Videos of the events and the feedback we receive are kept indefinitely unless we are asked to remove them.

Where Attendee data is processed and stored

All Attendee data is stored on Google Drive and is only accessed by DML team members.

Third-party services

We also use third-party services to plan, deliver and host event content. You can find out more about each of these services below: Eventbrite Privacy Policy.

Opt-out of collection

Attendees are able to withdraw their information at any time. To do this, contact info@darkmatterlabs.org.

Prospective Job applicants

We collect the following information about people who apply to join our team:

  • Full name
  • CV and supporting information
  • Email address
  • Covering letter
  • References
  • Phone number
  • Recruitment platform profile
  • Notes from interviews

If you progress to the final round of interviews, we may ask you explicitly if we can record your interview, as we work in a distributed team spread across multiple timezones. This constitutes special category data; only the recruiting team has access to the recordings, and they are deleted as soon as the job is filled.

We do not ask for background checks, sexual orientation, biometrics, health history, race or ethnicity, or any political memberships as part of the application process.

Why we collect recruitment data

Recruitment data is used to assess suitability for a role and to help us communicate with candidates.

How long we keep recruitment data

Recruitment data is deleted when a candidate leaves the recruitment process, is offered a job, or their application is unsuccessful. If consent is given, we may store CVs for up to 1 year.

Where recruitment data is processed and stored

We use several services to help us find people to join our team. At the moment, these include: Applied (Privacy Policy).

Things we don’t do

DML doesn’t participate in the following data processing activities:

  • Buying or selling marketing lists
  • Entering into data sharing agreements with other organisations
  • Postal marketing
  • CCTV surveillance

We don’t use “soft opt-in”, meaning you won’t receive any marketing communications from us unless you’ve specifically agreed to it.

Keeping data secure

We carefully choose our services and tools at Dark Matter Labs. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins DML, we explain best practices for keeping their devices secure, maintaining the security of their online accounts, and working outside our offices.

Data breach

In the event of an unlawful data breach of this website’s database or the database(s) of any of our third-party data processors, it will be assessed and, if appropriate, reported to any and all affected persons and relevant authorities without undue delay, and if feasible, within 72 hours of the discovery of the breach. In the event of a data breach, we are also required to notify the Information Commissioner’s Office. We will do so following their guidance.

Data transfer outside the EEA

We have reviewed the privacy policies of third-party services we use. They provide adequate protections when information is shared outside of the European Economic Area. We have team members in South Korea and Canada, both of which have been approved as adequate for their data policies by the European Commission.

Exemptions

There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. A full list of exemptions is available on the ICO website. This also applies to data held about you by third-party services we use.

Changes to the Privacy Policy

Every quarter, we review our documentation of the data we handle and third-party services we use. This helps us continuously improve our processes and hold ourselves to account. This process helps us ensure our Privacy Policy is up to date with our latest discoveries!

This Privacy Policy is subject to change and may be updated by Dark Matter Labs, at its sole discretion, from time to time. We will notify you of any changes by posting the new policy on the website and/or by any other method of notice we see fit, including by email. Please review this Privacy Policy periodically for any changes.

Your rights and getting in touch

The General Data Protection Regulation gives EU & UK citizens the following rights. Please familiarise yourself with them; we have provided links to help you understand each right in more detail.

Right to be informed

You have the right to be informed about how Dark Matter Labs is using your personal information, and this privacy policy is an attempt to make that process very transparent.

Right of access

You have the right to request copies of your personal data from Dark Matter Labs. We may charge you a small fee for this service to cover the admin time required to deliver on this request.

Right to rectification

You have the right to request that Dark Matter Labs correct any information you believe is inaccurate or incomplete.

Right to erasure

You have the right to request that Dark Matter Labs erase your personal data under certain conditions.

Right to restrict processing

You have the right to request that Dark Matter Labs restrict the processing of your personal data under certain conditions.

Right to data portability

You have the right to request that Dark Matter Labs transfer the data that we have collected to another organisation, or directly to you, under certain conditions.

Right to object to your data processing

You have the right to object to your data processing, including profiling, when it is on relevant grounds. We do not perform direct marketing, but if we did and you unsubscribed from marketing emails, Dark Matter Labs would not be allowed to send you any more emails unless we got your consent.

Rights related to automated decision-making, including profiling

At Dark Matter Labs, we do not use any automated decision-making tools and avoid profiling any of our data subjects. However, it is important to know that, as one of your data rights under the GDPR, you have the right to avoid automated decision-making and ask for manual review.

To exercise any of these rights, please contact us at info@darkmatterlabs.org. We will respond to all requests within 28 days of receiving them.

If you aren’t satisfied with our response, you can contact the Information Commissioner’s Office.

Credits

Thanks to IF for publishing their Privacy Policy, which we were able to fork and add to.