The Carpentries Privacy Policy

Last updated: 2023-03-10

This Privacy Policy applies to The Carpentries and its associated lesson programs, Data Carpentry, Software Carpentry, and Library Carpentry (collectively, “We”, “Our”, “Us”). This Privacy Policy explains how we collect, use, and share the personal information that we gather in our organisational database AMY, on the subdomains and websites on carpentries.org, datacarpentry.org, software-carpentry.org, and librarycarpentry.org (the “Sites”), or through your use of our products and services. By continuing to use our Sites, you agree to the terms of this Privacy Policy.

This Privacy Policy does not apply to any of the practices of our workshop partners (“Host” or “Hosting Organisation”), such as universities and other organisations, other than our practices expressly disclosed below. To understand how our workshop partners process your information, please refer to their own privacy policies.

Please click the following links to learn more about our Privacy Policy:

1. What Types of Personal Information Do We Collect?

2. How Do We Use Personal Information?

3. How Do We Share Personal Information?

4. How Do We Respond to ‘Do Not Track’ Signals?

5. Cookies

6. Your Privacy Choices

7. Legal Bases for Processing (EEA Individuals)

8. EEA Individuals’ Rights

9. International Transfers of Data

10. Children’s Privacy

11. Change of Control

12. How Do We Protect Personal Information?

13. Policy Changes

14. Contact Information

1. What Types of Personal Information Do We Collect?

Information You Give Us

You may give us information by:

• applying to become an Instructor, a Maintainer, a Trainer

• volunteering to serve in one of our committees or task forces

• serving as a Regional Coordinator

• requesting information on workshops or memberships

• participating in any capacity in a workshop, training, or event

• entering information through our online collaborative note taking tools

• submitting forms or surveys

• entering into a membership agreement

• making a donation

• providing sponsorship

• contacting us by phone or email for information or services

• contacting us in person during a workshop or event

The categories of information include:

• Identifiers such as real name, email address, GitHub username, ORCID identifier, and social media account handles

• Contact information, such as address, location, email, and telephone number

• Financial information, such as bank account number, credit card number, or debit card number, for sponsorships, donations, and membership fees

• If you choose to self-identify, for research purposes, characteristics of protected classifications, such as race, color, national origin, religion, relationship to volunteer organisations, gender, disability, age, ancestry, medical condition, marital status, or sexual orientation

• Professional, employment, or education information, such as copies of your resume or CV and any other information required to verify your qualifications, for Instructor and Core Team recruitment purposes, including any video recordings of recruitment interviews you may have with us

• Inferences regarding your familiarity with programming languages and general computing skills, to help tailor our workshops to you

• Your expertise, lessons you may have attended or taught, and any languages you may use to communicate

Workshop Participants

“Workshop participants” include Learners, Helpers and Hosts.

What information do we collect?

We collect the name, email address and event attended of workshop participants. If you are a learner or helper this information may be provided to us by you, or by the workshop host. This information is stored in our internal database, AMY.

How is this information used?

We use this information to communicate with participants, including sending workshop information and pre- and post-workshop surveys. Names and email addresses may be shared with the workshop host for the purpose of workshop logistics. With your consent, we may use your information to contact you about additional opt-in opportunities for training, teaching, surveys and/or community engagement. We do not provide personally identifiable information to any third party. However, we may share de-identified aggregate or summary information regarding participants publicly or with volunteers, member sites or third parties, including but not limited to funding entities.

Workshop Hosts are bound by the Data Usage and Privacy stipulations within the Workshop Agreement, and the Carpentries Code of Conduct (CoC) with respect to any confidential information shared between the us and the Hosts.

Instructors

“Instructors” includes Instructors, Instructor Trainees and Instructor Applicants.

What information do we collect?

We collect the name and email address of participants at instructor training events and of current instructors. This information may be provided by the participant or event host. If you choose to complete a volunteer/instructor profile, we will store your name, email address, gender, nearest airport location, organisational affiliation, occupation, ORCID ID, GitHub, any social media handles, and personal URL in our internal database, AMY.

How is this information used?

We use this information to communicate with Instructors, including for Instructor Training events, training completion materials, communication about the organisation, and opportunities to teach. With your consent, we may use volunteer information to contact you about additional opt-in opportunities for assessment, training, teaching, volunteering and/or community engagement. We do not provide personally identifiable information to any third party. However, we may share de-identified aggregate or summary information regarding instructors publicly or with volunteers, member sites, or third parties, including but not limited to funding entities.

Trainers

“Trainers” includes Trainers, Trainer Trainees and Trainer Applicants

What information do we collect?

We collect the name and email address of participants at Trainer training events. To facilitate the organisation of Training events, we maintain a contact list of current Trainers, their active status and their availability. This information may be provided by you or the event host. If you choose to complete a Trainer profile, we may also collect your gender, nearest airport location, organisational affiliation, occupation, ORCID ID, GitHub, any social media handles, and personal URL in our internal database, AMY.

How is this information used?

We use this information to communicate with Trainers, including for Trainer Training events, training completion materials, communication about the organisation, and opportunities to teach. With your consent, we may use volunteer information to contact you about additional opt-in opportunities for assessment, training, teaching, volunteering and/or community engagement. We do not provide personally identifiable information to any third party. However, we may share de-identified aggregate or summary information regarding Trainers publicly or with volunteers, partners or third parties, including but not limited to funding entities.

Curriculum Maintainers and Contributors

“Maintainers and Contributors” includes curriculum contributors and maintainers.

What information do we collect?

Maintainers: We collect the name, email address, and language proficiency from Maintainers, as well as information about their experience, motivation, and preferences as it relates to the Maintainer role. If you choose to complete a Maintainer profile, we may also collect your GitHub handle, information about the lesson(s) you maintain, the language of those lessons, your ORCID ID, and any information about your membership within any under-represented group in research and/or computing. This information is stored within our internal database, AMY.

Contributors: When preparing a lesson for release, we extract publicly-available information about you (your GitHub handle, and the email address associated with your commits) from the commit history of the project. We do not otherwise actively collect other personal information from lesson Contributors.

Other Volunteers: When you volunteer to review lessons in the Lab, we collect your name and email address. When you propose lessons to the Incubator, we collect your GitHub username.

How is this information used?

As a Maintainer or Contributor, we cross-reference your GitHub handle or name against the community information stored in AMY to produce a .zenodo.json file for the lesson, which lists the Maintainers (as Editors) and the other Contributors (as Authors). This file includes your GitHub handle or name, depending on the preference you have indicated in your AMY profile, and your ORCID ID if you provided it. With your consent, this information may be used in scientific publications or to credit authorship.

Specifically as a Maintainer, we use your name on our websites, to list Maintainers as a whole and for specific lessons. We also use your name to add you to the maintainers Slack channel. We use your email address to contact you regarding surveys to assign your status as active or inactive, invite you to meetings and other calendar events, to contact you directly about lesson(s) you have maintained or contributed to, and we use your GitHub handle to create or update GitHub teams within our organisations, so that you can be tagged in issues/PRs as appropriate.

Volunteers for subcommittees, liaisons, and Executive Council

What information do we collect?

We collect the name and email address of volunteers across our committees and councils, e.g. Trainers Leadership Committee (TLC), Curriculum Advisory Committee (CAC). With your consent if you choose to complete a volunteer profile, we may store your gender, nearest airport location, organisational affiliation, occupation, career stage, ORCID ID, GitHub, any social media handles, and personal URL.

How is this information used?

We use this information to communicate with other volunteers, including communication about the organisation and your role(s) within it. For committee and Executive Council members, we list your name and committee membership on our website. We may use volunteer information to contact you about additional opt-in opportunities for assessment, training, teaching, volunteering and/or community engagement. We do not provide personally identifiable information to any third party. However, we may share de-identified aggregate or summary information regarding volunteers publicly or with other volunteers, member sites or third parties, including but not limited to funding entities.

Form and Survey Respondents

Community and workshop participants are invited to complete forms and questionnaires, and contribute to a variety of surveys to better serve our community. These include but are not limited to pre-workshop and post-workshop surveys of learners, and various opt-in surveys to evaluate programs or events.

What information do we collect?

Pre- and post-workshop surveys represent a formal part of the workshop training process and are vital to ensure that our lessons, organisation, Code of Conduct, and workshops adhere to our vision, mission, and standards. The information collected within these surveys is anonymised and used in reporting and impact studies.

Other opt-in surveys that you may be sent are entirely voluntary and information is not collected in a way that it is linked to personally identifiable responses without your consent to self-identify. Surveys collect information particular to the event or program being evaluated, and any optional information about you.

How is this information used?

We use survey information to evaluate and improve our programs, report on impact and outcomes, and understand the needs and interests of our community. With your consent, we may use your contact details to request follow-up information from you.

Organisational Services

Like many website operators, we may collect information that your browser sends whenever you visit one of our websites. This Privacy Policy is applicable to information that you provided/we collect through physical (such as a paper form) and online means, including through our websites. We also use other external online spaces, including but not limited to GitHub repositories, Etherpads, Google documents, Eventbrite and mailing lists. By using these spaces, you agree to the terms of this Privacy Policy. Most of these tools and services have their own independent privacy policies, to which you may agree separately.

What information do we collect?

We may collect information about visitors’ devices and browsers, such as browser version and type, IP address, the pages of our sites that you visit, country of origin, the time and date of your visit, the time spent on those pages and other statistics, and whether you reached our page via a social media or email campaign. You can control cookies in your browser to enable or disable them. Learn more in our Cookie Policy.

If you access our Sites through third-parties (e.g., GitHub or Google), or if you share content from our Sites to a third-party social media service, the third party service may send us certain information about you if the third party service and your account settings allow such sharing. The information we receive will depend on the policies and your account settings with the third party service.

In addition, we may collect textual input (e.g. Etherpad entries) from you which may be associated with your name, affiliation and/or social media handles. If you provide financial information to pay for a workshop or membership or make a donation, the transaction information will be processed by a third-party secured site. This information will only be accessible to our staff or authorised administrators and to the staff of our fiscal sponsor (Community Initiatives) who is involved in processing financial transactions. We engage with third-parties to gather and collect this information securely and do not have access to or store any payment details in our systems.

How is this information used?

We use this information to improve our sites and services. With your consent, we may use contact information that you provide to contact you about additional opt-in opportunities for assessment, training, teaching, and/or community engagement. We do not provide personally identifiable information to any third party. However, we may share de-identified aggregate or summary information regarding visitors publicly or with volunteers, partners or third parties, including but not limited to funding entities. We may use publicly available data of the external online services in programmatic analysis and evaluation.

2. How Do We Use Personal Information?

We Never Sell Personal Information: We will never sell, rent or otherwise provide your personal information to any third party for marketing purposes.

We use your personal information as follows:

• To provide you with the services on our platform, which involves the creation and coordination of training events, coding and data science workshops, discussions, and other events

• To process donations or workshop administration fees for our programs

• To assess your qualifications as an applicant for one of our community volunteer position (such as being an Instructor or a Maintainer) or other Core Team member position

• To market our products and/or services to you

• To analyze Sites usage and improve the services offered

• For market research, project planning, and troubleshooting problems

• For detecting and protecting against error, fraud or other criminal activity

We may process limited and specific elements of your personal information, e.g. geographical location, into anonymised summarised statistics and infographics to produce publicly available reports and documents. We may also process pre- and post-workshop survey responses for inclusion into scientific publications. In these cases, we will not disclose identifying personal information.

3. How Do We Share Personal Information?

To the Public

With your consent, we may share your name, education, social media account handles, and professional affiliation with the public for your role in our community and other Core Team members’ biographies. The information you choose to provide to us will determine how much information is shared with the public. You can opt-in or opt-out of sharing your information publicly in your AMY profile. With your consent, that you can revoke at any time, we may also share testimonials or reviews, alongside your personal information.

Carpentries Instructor applicants

If you have applied to be a Carpentries Instructor or are currently going through the Instructor certification process, application information may be shared with members of the Carpentries Core Team. We may also share your information in the following ways:

• If you have chosen “Pre-approved registration”: your application materials and information about your progress towards The Carpentries Instructor certification may be shared with our contacts at your member institution.

• If you have chosen “Open training application”: your application materials may be shared with The Carpentries Trainers in order to review and accept your application.

Affiliates and Service Providers

We share your information with our third-party service providers and any subcontractors as required to offer you our products and services. For example, we use Mailchimp to send our email marketing campaigns, Help Scout for communications, Square to process payments, and ConnectionPoint systems and GitHub to collect program donations.

Third Party Links and Websites

Our Sites may contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any data to these websites.

Disclosures Requested by You

You may exercise your rights to request the personal data we hold on you under data protection law, and we are required to respond as quickly as possible within one calendar month, starting from the day we receive your request.

Disclosures Required by Law

We may be required to disclose your data in response to lawful requests by public authorities, including to meet law enforcement requirements. We may be under a duty to disclose or share your personal information in order to comply with any legal obligation, to enforce or apply our terms and conditions and other agreements, to protect our rights, property, or safety, or to protect the rights, property, or safety of others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

Aggregate and De-Identified Information

We reserve the right to share aggregate or de-identified information about you with our volunteers, workshop partners, and funding partners in order to analyse and improve our programs, market our membership program, and apply for funding. We use this information to help evaluate and improve programs, report on impact and outcomes and understand the needs and interests of our community. Where we share open-ended responses or testimonials, we always do so anonymously or ask for explicit consent to allow de-identified responses.

4. How Do We Respond to ‘Do Not Track’ Signals?

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. When and where possible, we respect DNT (e.g., page views on our Sites will not be recorded). However, we cannot guarantee your DNT preference will be recognised across our Sites, as the Internet industry is currently still working toward defining exactly what DNT means, what it means to comply with DNT, and a common approach to responding to DNT.

5. Cookies

To make our Sites and services work properly, we sometimes place small data files called cookies on your device. A cookie is a small text file that a website saves on your computer or mobile device when you visit the site. It enables the website to remember your actions and preferences (such as login, or other preferences) over a period of time, so you do not have to keep re-entering them whenever you come back to the site or browse from one page to another. To learn more, please see our Cookie Policy.

6. Your Privacy Choices

As an organisation registered within the USA state of California, we abide by the privacy rights stipulated below. However, we have staff and volunteers who fall under other jurisdictions, so in all cases, we aim to comply with the GDPR guidance, details of which can be found under the EEA sections below. For countries outside the UK, USA and EEA, we aim to comply with the processes set out for international data transfer via Standard Contractual Clauses where appropriate.

Can I decide what communications to receive?

Yes. All communication with us is opt-in, except for when you need to receive information about your program and for Instructors and Trainers, information required to maintain your status. If you have consented to us contacting you, you may occasionally be sent emails asking if you would like to opt-in to communication channels that we feel may be of interest to you (for example, a mailing list dedicated to your geographical area). In the absence of specific action from you, we will assume you choose not to join these channels.

Removing personal information

The data we collect is characterized by specific, explicit, and legitimate interest to facilitate the continued functioning of The Carpentries organisation and its activities. As such, we retain specific data indefinitely that allows us to contact active volunteers, produce internal metrics and reports, and to publicly share anonymised impact studies and scientific publications.

Consent options regarding information held within the AMY database can be made by you from within AMY itself. For any other requests by you to revoke consent from us holding any information on you outside the AMY database, please notify privacy@carpentries.org. If you choose to exclude your information, we will delete your personal information from our databases. However, this may interfere with our ability to give you credit for training events you have completed or contributions you have made to our lessons, to contact you about upcoming events in your area, and may affect your active status within our organisation. Please contact us if you have any questions about removal or archival of your data.

Marketing Opt-Out

We may use your personal information to contact you with newsletters, marketing or promotional materials and other information that may be of interest to you. You may opt-out of receiving any, or all, of these communications from us by following the unsubscribe instructions provided in any email we send, or you can contact us using the contact details provided in the “Contact Information” section below.

6.1 California Privacy Rights

If you are a California consumer, you have the following rights:

• The right to know what personal information is being collected about you.

• The right to know whether your personal information is sold or disclosed and to whom.

• The right to say no to the sale of personal information.

• The right to access your personal information.

• The right, in certain circumstances, to delete the information you have provided to us.

• The right to equal service and price, even if you exercise your privacy rights.

Request for Information and Deletion

California consumers have the right to request, up to twice in a 12-month period, that a business that collects personal information about the consumer disclose to the consumer the information listed below for the preceding 12 months. We have the right to request verification of your identity for all requests for information.

1. The categories of personal information it has collected about that consumer.

2. The categories of sources from which the personal information is collected.

3. The business or commercial purpose for collecting or selling personal information.

4. The categories of third parties with whom the business shares personal information.

5. The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.

6. The categories of personal information that the business disclosed about the consumer for a business purpose.

7. The specific pieces of personal information it has collected about that consumer.

To make such a request, email us at privacy@carpentries.org or visit this webpage https://carpentries.typeform.com/to/v4RDlibM.

Do Not Sell My Personal Information

California consumers have the right to opt-out of the sale of the consumer’s personal information. We do not sell your contact information or other personal information to third parties.

Third Party Marketing

California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information to third parties for the third parties’ direct marketing purposes. We do not share your information.

7. Legal Bases for Processing (EEA Individuals)

If you are from the European Economic Area, our legal bases for collecting and using your Personal Information are as follows:

• The performance of your contract or to enter into the contract and to take action on your requests. For example, the processing of your workshop request and administration fee, facilitating instructor training, and coordinating workshops.

• Our legitimate business interests. For example, fraud prevention, enforcement of our Code of Conduct, maintaining the security of our network and services, direct marketing to you, and improvement of our services.

• Compliance with a mandatory legal obligation. For example, accounting and tax requirements, which are subject to mandatory retention periods. We may also collect your Personal Information to record your requests to exercise your rights and to verify your identity for such requests.

• Consent you provide where we do not rely on another legal basis. Consent may be withdrawn at any time.

• In some limited cases, we may also have a legal obligation to collect Personal Information from you, in response to investigation of breaches to our Code of Conduct that involves violation of local laws, lawful requests by public authorities, including to meet law enforcement requirements, as described above in “How Do We Share Personal Information?”

If you have questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us using the contact details provided in the “Contact Information” section below.

8. EEA Individuals’ Rights

Under GDPR, if you are from the UK or European Economic Area, you have the right, under certain circumstances, to:

• Access your Personal Information;

• Correct inaccurate Personal Information;

• Request erasure of your Personal Information without undue delay;

• Request the restricted processing of your Personal Information;

• Request portability of the Personal Information that you have given us; and

• To object to the processing of your Personal Information.

If you are from the European Economic Area, you also have the right to lodge a complaint with a supervisory authority, under certain circumstances.

You may contact us using the contact details provided in the “Contact Information” section below for more information or to exercise your rights.

9. International Transfers of Data

Given the international nature of our organisation, to be able to process your personal data, it is necessary for us to transfer or share your personal data outside the UK/EEA:

• with Core Team members within our organisation who are located outside the UK/EEA;

• with your and our service providers, (e.g., cloud service providers), who might have servers located outside the UK/EEA;

• if you are based outside the UK/EEA;

• where there is a European and/or international dimension to the services we are providing to you.

We will only transfer or share your personal data outside the UK/EEA:

• to a country, territory or organisation that has been assessed as providing an adequate level of protection for personal data ‘adequacy decision’ by the UK or the EU Commission;

• by using legally-approved UK or EU Standard Contractual Clauses (SCCS) or Model Clauses, in addition to implementing appropriate supplementary measures to ensure the protection of the personal data.

By accessing our Sites and using our Services, you acknowledge that your personal data may be collected and transferred from your local jurisdiction (including those in the European Economic Area and the UK) to the United States or other jurisdictions.

10. Children’s Privacy

The Sites are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If you become aware that a child has provided us with personal information, please contact us using the contact details provided in the “Contact Information” section below. If we become aware that a child under 16 has provided us with personal information, we will take immediate steps to delete such information and notify the individual.

11. Change of Control

Personal information may be transferred to a third party as a result of a merger, reorganisation or other change in control.

12. How Do We Protect Personal Information?

We implement a variety of security measures to maintain the safety of your personal information when you enter, submit, or access your personal information. For example, when possible, we use encryption to transfer and store data. We further limit access to this data using access controls and confidentiality commitments.

However, no website, application, or transmission can guarantee security. Thus, while we have established and maintain what we believe to be reasonable procedures to protect the confidentiality, security, and integrity of personal information obtained through the Sites, we cannot ensure or warrant the security of any information you transmit to us.

13. Policy Changes

We may change our Privacy Policy at any time. We encourage you to periodically review this Privacy Policy to ensure you are familiar with the most current version.

14. Contact Information

If you wish to contact us or have any questions about or complaints in relation to this Privacy Policy, please contact us at the following contact details:

• Email: privacy@carpentries.org

• Mailing address:

  The Carpentries c/o Community Initiatives
  1000 Broadway, Suite #480
  Oakland, CA 94607
  USA

• Contact form: https://carpentries.typeform.com/to/v4RDlibM

License

Please note our Privacy Policy is released under a Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) licence.