Privacy Policy

Preamble

Our Privacy Policy, Methodology, and Code of Conduct provides clarity on how New Design Congress operates and the standards we hold ourselves, our members and community to.

New Design Congress is a fiscally sponsored project of Superbloom, a registered 501(c)(3) nonprofit organization based in the United States of America. Superbloom's Employer Identification Number (EIN) is available upon request from contact@superbloom.design.

Our operating address is:

The New Design Congress
c/o Superbloom
276 Fifth Ave Suite 704-33
New York, NY 10001

Email: contact@superbloom.design

Website: superbloom.design

We adhere to the highest ethical standards in all of our operations. We are dedicated to protecting the privacy of everyone who interacts with us. We don’t sell, barter, give away, rent, or permit anyone outside of New Design Congress, our fiscal sponsor, and project-scoped contractors to use or access information about our partners, collaborators, research participants, or website visitors.

Where possible, we administer our own infrastructure to ensure that our data stays within our control. We sometimes use third party services to publish work and keep in touch with people, and we understand the privacy implications of this. We have an active focus on doing both of these things better through the development of our infrastructure project, Underscore, and by regular reviews of our infrastructure partners. Below, you can find out what these services are and how we handle all sorts of data, from user research to job applications.

If there is additional information you would like to see in this document about our practices, or if you have other comments or questions, please email us at hello@newdesigncongress.org.

Our Sites and Services

We use the following services to run our websites and understand how they are being used:

Web Hosting

We host our websites in Europe on infrastructure we control. We maintain basic server access logs for reasons of security. Our server is located in Finland, and operated on our behalf by Hetzner, a Germany-based data infrastructure company.

CDN and DDOS Protection

Caching and DDOS protection for our web projects is provided by eQualitie Deflect. eQualitie is a Canadian organisation developing open and reusable systems with a focus on privacy, online security and freedom of association. We use Deflect to analyse traffic, detect threats and proactively defend our sites. Deflect is governed by eQualitie's values statement and Deflect's Terms of Service and Privacy Notice.

Analytics

Our analytics are provided by Plausible, an open-source, privacy-preserving web analytics platform. We maintain our own, siloed instance of Plausible. Our analytics responds to Do Not Track requests. Our protection service (Deflect) maintains their own analytics service that we do not use. Our traffic data is not monetised. We may provide generalised reporting on traffic.

We maintain basic analytics for our email newsletters. We track overall open rates for each email communication we publish. All emails are handled via our own self-hosted Ghost instance, and are sent via Mailgun. We only send our newsletter to people who expressly sign up for it.

Video and Audio Content

We self-host video content via Underscore TV, a self-hosted Peertube instance and part of Underscore.

Peertube is a federated video platform. Peertube offers simple built-in analytics (such as view-counts, etc) for each video uploaded to the service. We use these analytics in reporting to funders or collaborators and other instances in which we seek to measure our impact. Peertube also offers an opt-out feature in which viewers can help distribute a video's playback load, which sometimes exposes an individual's IP address to others who are viewing our content at the same time. This is on by default.

Where appropriate, we selectively mirror our content via our YouTube account and do so in accordance with YouTube's Community Guidelines.

Podcasts and other audio content are distributed via RSS through our website.

Data Storage

Our work is stored on an end-to-end encrypted Nextcloud instance.

In cases where we interact with Superbloom (our fiscal sponsor) or other external parties, we use Google Workspace for Nonprofits, and this is subject to Google’s terms. This includes contracts and other documents with legal retention requirements.

We use Notion for project planning. The use of all services is governed by an internal data security policy and collaborations are evaluated individually against our policies. In this way, we are subject to Notion’s privacy policy.

Our team uses PGP and are happy to correspond via encrypted email, or honor requests to have files shared with us be not stored in services we do not completely control. We respect diverse threat models and work to accommodate our partners’ needs and concerns.

All data stored locally is encrypted as per our internal data security policy.

Community

NDC Members and Donations

Our NDC Members programme helps us maintain our independence. New Design Congress Member contributions are processed via Stripe, and are subject to standard financial regulations, dependant on relevant jurisdictions. In all cases, your financial information is never transmitted to or stored by us. For more information, please refer to Stripe’s Global Privacy Policy.

Our membership profiles are limited to member details, and a corresponding email address. We do not collect additional personal information, nor are we able to link the personal info of members to other platforms, such as Discord, etc.

Collaboration

We use Discord for community and collaboration efforts. Please refer to Discord’s privacy policy for more information.

When collaborating with our fiscal sponsor or partners, we use Slack as required. Slack stores your account information and usage data, and our administrators have access to all public channels. Please refer to Slack’s privacy policy.

Streaming & Events

We maintain a schedule of events, many public facing, via Underscore Events, an unfederated instance of the Mobilizon project. We collect event RSVPs for the purposes of logistics and understanding the impact of our events. Attendee and event participant information is used solely to ensure event integrity and safety.

We host livestreamed events in circumstances where in-person events have a significant environmental impact and/or as directed by public health advice. Our online events are streamed via Underscore infrastructure, which we control. In some circumstances, we may simulcast a live event on Twitch. In these cases, the policies of Twitch and Amazon are relevant, and can be understood via the Twitch privacy notice.

We securely archive all New Design Congress events. Before publishing an archived event, we require written consent from all participants.

Social Media

New Design Congress maintains a presence on popular social media platforms (LinkedIn, etc), as well as alternatives (such as Mastodon and Bluesky). Many of these networks have their own individual policies or technical differences. We take all reasonable steps to ensure participant consent when sharing content that includes external participants.

Consent

You can withdraw your consent from any of our published material at any time by emailing hello@newdesigncongress.org.

Collaborating With Us

New Design Congress collaborates with individuals, organisations and companies across a range of research streams. In many cases, our collaborations involve sensitive information supplied to us via our consulting partner. We maintain strict confidentiality and secure data storage for all materials.

We maintain a transparency policy for our consultations and list active and former consultancies on our site. We are not able to work with organisations that cannot accommodate this policy.

Volunteering with Us

We welcome the participation of individuals, organisations and companies who would like to voluntarily contribute their time to research and writing on behalf of New Design Congress. Volunteers with New Design Congress are not paid or compensated for their participation and are not covered by or eligible for any insurance, health care, worker’s compensation, or other benefits from New Design Congress. Volunteers and Contributors are not entitled to and New Design Congress has made no promise of future employment with us.

When you volunteer with us, you remain independent. This means you aren’t acting as an employee or representative of New Design Congress or Superbloom (our Fiscal Sponsor) unless otherwise specified and agreed to in writing. It also means that you retain full rights to the original contribution you make as part of volunteering with us. You are free to do whatever you like with your contribution, and you agree that New Design Congress retains a non-exclusive license to publish, modify, redistribute or incorporate your contribution in future projects. As a Volunteer, you agree that your work is original or that you have permission from the copyright holder to reuse work for collaboration with us.

We require that all Volunteers and Contributors abide by both our Code of Conduct, and the Code of Conduct and Principles of our fiscal sponsor, Superbloom. When collaborating as a Volunteer, you agree that your contributions may be incorporated in either original or edited form and released under the applicable project-specific license. All Volunteers are visibly credited and platformed as part of our broader publishing and communications strategy, though you can request to remain anonymous if you'd prefer.

Research Participants

Research is an important part of our work: it helps us understand people’s needs and helps us develop our perspectives with a greater degree of nuance.

Consent

All research participants are given a consent form that outlines what the research involves, what information will be recorded and how it will be used. If the participant is happy to proceed, we ask them to sign the form to confirm this. We scan signed consent forms and shred paper copies, then store consent forms on Google Drive and keep these for 3 years.

At the moment, we do not conduct any research with people under the age of 18.

Our participant Bill of Rights is aligned with Superbloom, our fiscal sponsor. You can view an example of Superbloom’s participant Bill of Rights on GitHub.

Using Information for Research

Research material is separated from any identifiable information, such as consent forms, while we are working with it.

Any notes we gather during research sessions are stored securely. Any digital files (like audio, photos and videos) are stored on end-to-end encrypted infrastructure. In cases where we interact with our fiscal sponsor or select partners, this data may be stored on Google Drive. In any case, all data is only accessed by New Design Congress researchers. At the end of the project, all notes and digital files are securely archived or, in more sensitive cases, destroyed and deleted.

Sometimes we may publish quotes from research sessions. We only do this if we have specific consent from the participant and any personally identifiable information has been removed. We will only publish audio, photos and video from a research session if a participant has given consent and has signed a model release form.

Working at New Design Congress

Only team members involved in the recruitment process have access to applications, CVs and emails we receive. We don’t collect any special category data or ask for any background checks as part of the application process.

When people join New Design Congress, we request information about them that is necessary for tax purposes. We hold information about their role and their professional development. Access to this information is controlled.

Personal data shared during an application process may be shared with our fiscal sponsor as required by our sponsorship agreement.

We maintain a roster of contact information for individuals and organisations to work with as required. We collect this on a voluntary basic via our roll call. With consent, we store basic contact details and links to portfolios in encrypted infrastructure. This can be destroyed at any time upon request.

Data Policy Overview

The New Design Congress doesn’t participate in the following data processing activities:

• Buying or selling marketing lists
• Entering into data sharing agreements with other organisations
• Telephone marketing
• Postal marketing
• CCTV surveillance

We do not use “soft opt-in”, meaning you won’t receive any marketing communication from us unless you’ve specifically agreed to it.

Data Protection

We carefully choose our services and tools at New Design Congress. It’s important that they follow good security practices, like HTTPS, two-factor authentication and the ability to set a strong password. We’ve reviewed the privacy policies and security practices of everything we use.

When a new team member joins The New Design Congress, we explain best practices for keeping their devices secure, maintaining the security of their online accounts, and working outside our offices.

In the event of a data breach, we are required to notify the Information Commissioner’s Office. We will do so following their guidance.

Every quarter, we review our documentation of the data we handle and third party services we use. This helps us continuously improve our processes and hold ourselves to account. We will update this document as necessary.

Transfer Outside the EEA

We have reviewed the privacy policies of third party services we use (most of which are listed above). They provide adequate protections when information is shared outside of the European Economic Area.

Exemptions

There are exemptions to data protection regulations that may require us to share data about you, including requests by law enforcement. This includes requirements and orders in the United States, where our fiscal sponsor is based. A full list of EU exemptions are listed on the ICO website. This also applies to data held about you by third party services we use.

GDPR

The General Data Protection Regulation gives EU citizens the following rights:

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Rights related to automated decision-making, including profiling

To exercise any of these rights, please contact us at hello@newdesigncongress.org. You can find information specific to the services we use or our activities in the relevant sections of this document. If you are located in the EU and aren’t satisfied by our response, you can contact the EU Information Commissioner’s Office.