Privacy Policy

GoodUp and your personal data

We at GoodUp – the makers of this platform – enjoy sharing. However, we don’t enjoy sharing your personal data. We’re committed to protecting your privacy and to keeping the personal data you share with us secure and used only for clear, legitimate purposes.

This Privacy Policy explains:

  • What personal data we process,
  • Why we process it (and on which legal basis),
  • How we protect it,
  • How long we keep it, and
  • What rights you have.

This policy applies whenever you use the GoodUp platform, create an account, participate in activities, or otherwise use our services.

1. Who we are

GoodUp B.V.
Vredenburg 40
3511 BD Utrecht
The Netherlands

Email: info@goodup.com
Website: www.goodup.com

2. Our role under GDPR (controller vs processor)

Depending on the context, GoodUp acts as either:

  • a data processor (processing personal data on behalf of our customer organisation), or
  • a data controller (processing personal data for our own purposes).

Most commonly: when your employer or another organisation provides you access to the platform, that organisation is the data controller, and GoodUp is the data processor for the processing required to provide and operate the platform.

In some cases: GoodUp is a data controller, for example where we process personal data to:

  • manage our own relationship with you (e.g. direct support requests),
  • secure and improve the platform (e.g. fraud prevention, security monitoring),
  • comply with legal obligations (e.g. financial and tax retention), or
  • send service-related communications (and marketing where you have consented).

Where GoodUp is acting as a processor, your primary point of contact for privacy requests is usually the customer organisation that gave you access to the platform. Where GoodUp is acting as a controller, you can contact us directly using the details above.

3. Personal data we process on the platform

GoodUp processes personal data to provide, operate, secure and support the platform on behalf of our customer organisations. The categories of personal data we process depend on how you use the platform and your role within it.

Below we describe the main categories of personal data, the purpose for which they are processed, and the applicable legal basis under the GDPR.

a. Identification and contact data

Examples: first name, last name, email address, phone number.

Purpose

  • creating and managing your user account;
  • enabling access to the platform;
  • allowing users and organisers to identify and contact each other where relevant.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legitimate interest (Article 6(1)(f) GDPR), such as ensuring proper platform operation.

b. Account and authentication data

Examples: username, encrypted password, login credentials, and identification data received from third-party authentication providers, where you choose to use such login functionality.

Purpose

  • secure authentication and access control;
  • enabling login through third-party identity providers;
  • prevention of unauthorised access.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legitimate interest in platform security (Article 6(1)(f) GDPR).

Passwords are stored in encrypted form. Where you use third-party login functionality, authentication is performed via the relevant provider in accordance with your settings with that provider.

c. Profile and participation data

Examples: profile photo, biography, preferences, participation in activities, reactions or comments.

Purpose

  • enabling participation in activities and initiatives;
  • displaying relevant information to other platform users;
  • improving relevance of content and activity suggestions.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legitimate interest in platform usability (Article 6(1)(f) GDPR).

Please note that you control which optional profile information you choose to share. Profile photos and similar content may be visible to other users within the platform environment.

d. Usage and technical data

Examples: device information, login dates, registration date, platform usage statistics, number of activities joined, donations made or volunteer activities completed.

Purpose

  • ensuring proper technical functioning of the platform;
  • monitoring security and preventing misuse;
  • generating aggregated statistics for platform improvement.

Legal basis

  • legitimate interest (Article 6(1)(f) GDPR), in particular platform security and continuity;
  • legal obligation where applicable (Article 6(1)(c) GDPR).

e. Financial and transaction data

Examples: bank account details of activity initiators, transaction references, donation confirmations.

Purpose

  • processing and transferring donations;
  • financial administration and reporting.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legal obligation (Article 6(1)(c) GDPR), such as accounting and tax requirements.

GoodUp does not store credit card or bank account details. Payments are processed by an external payment service provider.

f. Communications data

Examples: emails sent to or received from GoodUp, support requests, service notifications.

Purpose

  • responding to inquiries;
  • providing support;
  • sending service-related communications.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legitimate interest (Article 6(1)(f) GDPR).

Marketing communications are only sent where you have provided consent and can be withdrawn at any time.

g. Content processing and translation data

Examples: content submitted by users that may include personal data, which is processed using automated tools for translation or formatting.

Purpose

  • enabling multilingual functionality of the platform;
  • improving accessibility and usability of content.

Legal basis

  • performance of a contract (Article 6(1)(b) GDPR);
  • legitimate interest in platform functionality and accessibility (Article 6(1)(f) GDPR).

4. Cookies

GoodUp uses cookies and similar technologies where necessary to operate and secure the platform. Where required by law, cookies are placed only after obtaining your consent.

Detailed information about the use of cookies and similar technologies, including the types of cookies used and how you can manage your preferences, is provided in our Cookie Policy.

5. Data retention

GoodUp does not store personal data longer than necessary for the purposes for which it is processed.

Retention periods depend on:

  • the type of personal data;
  • the purpose of processing;
  • legal, contractual and regulatory obligations.

In general, the following principles apply:

  • Account and profile data are retained for as long as your account is active. After account deletion, such data will be deleted or anonymised within a reasonable period, unless retention is required by law or agreed with the customer organisation.
  • Usage and technical data are retained for limited periods to ensure platform security, continuity and improvement, after which they are deleted or anonymised.
  • Financial and transaction data are retained in accordance with applicable financial and tax legislation.
  • Communications data are retained for as long as necessary to handle requests, provide support and meet contractual or legal obligations.

Where GoodUp acts as a data processor, retention periods may be determined by the customer organisation and documented in the applicable data processing agreement.

Retention periods are periodically reviewed as part of GoodUp’s internal information security and privacy controls.

6. Recipients and sub-processors

GoodUp does not sell or rent personal data to third parties.

Personal data may be shared only with:

  • customer organisations, as data controllers, within their platform environment;
  • service providers and sub-processors engaged by GoodUp to support the operation of the platform (such as hosting, infrastructure, communication, payment services or automated content processing services, such as translation tools);
  • competent authorities, where required by law.

GoodUp engages service providers and sub-processors that offer appropriate assurances regarding data protection, information security and confidentiality, taking into account the nature of the services provided.

Where applicable, GoodUp ensures that contractual, organisational and/or technical safeguards are in place to protect personal data, in line with applicable data protection law and recognised security standards.

A current overview of key service providers and sub-processors is available upon request or included in the applicable customer documentation.

7. Data location and international transfers

Personal data processed by GoodUp is, by default, hosted and processed within the European Economic Area (EEA).

GoodUp selects hosting and infrastructure providers that operate data centres within the EEA and apply appropriate technical and organisational security measures.

If, in exceptional cases, personal data were to be processed outside the EEA (for example as part of specific support or service arrangements), GoodUp will ensure that appropriate safeguards are in place in accordance with applicable data protection law, such as standard contractual clauses approved by the European Commission.

8. Your rights under the GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights with regard to your personal data:

  • Right of access – to obtain confirmation as to whether we process your personal data and to receive a copy of that data.
  • Right to rectification – to have inaccurate or incomplete personal data corrected.
  • Right to erasure – to request deletion of your personal data, where applicable.
  • Right to restriction of processing – to request that we temporarily limit the processing of your personal data.
  • Right to data portability – to receive your personal data in a structured, commonly used and machine-readable format, where applicable.
  • Right to object – to object to the processing of your personal data based on legitimate interests.
  • Right to withdraw consent – where processing is based on consent, you may withdraw that consent at any time.

Where GoodUp acts as a data processor, requests relating to these rights are typically handled by the customer organisation acting as data controller. Where GoodUp acts as a data controller, you may exercise your rights by contacting us directly using the contact details listed in this Privacy Policy.

9. Complaints and supervisory authority

If you believe that your personal data has been processed in violation of applicable data protection law, you have the right to lodge a complaint with the competent supervisory authority.

In the Netherlands, this is:

Autoriteit Persoonsgegevens
www.autoriteitpersoonsgegevens.nl

We encourage you to contact us first so we can address your concerns directly.

10. Security measures

GoodUp takes appropriate technical and organisational measures to protect personal data against loss, unauthorised access, alteration or disclosure.

These measures include, among others:

  • access controls and authentication mechanisms;
  • encryption of data where appropriate;
  • logging and monitoring for security purposes;
  • regular risk assessments and internal reviews.

Security and privacy are embedded in the design and operation of the platform and are reviewed on an ongoing basis as part of GoodUp’s information security management practices.

11. Personal data breaches

In the event of a personal data breach, GoodUp follows documented incident response procedures.

Where GoodUp acts as a data processor, we will notify the relevant customer organisation without undue delay after becoming aware of the breach, in accordance with the applicable data processing agreement.

Where GoodUp acts as a data controller, and where required by law, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach, and affected individuals where required by law.

12. Changes to this Privacy Policy

This Privacy Policy applies to current and future use of the GoodUp platform and services.

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements or data processing practices. The most recent version will always be made available via our website or platform. Where required, material changes will be communicated through appropriate channels.

13. Contact

If you have questions about this Privacy Policy or about how GoodUp processes personal data, you can contact us at:GoodUp B.V.
Email: support@goodup.com
Website: www.goodup.com