Privacy & Data

Our Data Practices

What we collect

• Information you provide (name, email, bio, contact details)
• Skills and availability you share
• Projects you propose or express interest in
• Bug reports and feedback you submit
• Admin notes about your volunteering activity (visible to admins only)

Legal basis for processing

We process your data based on:

• Consent — for sharing your profile with other volunteers and allowing project owners to contact you (you can withdraw consent at any time via your profile settings)
• Legitimate interest — for operating the platform, matching volunteers with projects, platform administration, and sending inactivity reminders to volunteers who have claimed a task
• Contract performance — for providing you the service you signed up for

How we use it

• To match you with relevant projects based on your skills
• To enable project owners to contact you (with your consent)
• To send you transactional emails (password resets, admin invites, welcome emails)
• To relay messages between volunteers via email (the sender's email is included as reply-to so you can respond directly)
• To send you notifications about your projects and interests
• To send automated inactivity reminders if you are assigned to a task and have not posted an update for a period of time, and to automatically unassign you from the task after continued inactivity so that other volunteers can take it on. Project owners and admins are notified when a volunteer is unassigned due to inactivity (legitimate interest basis — keeping projects moving)
• To notify project owners and admins when task updates are posted, so they can stay informed about progress
• For platform administration and volunteer coordination

What we don't do

• We never sell your data
• We don't share your contact info without your consent
• We don't use your data for profiling or to make decisions that have legal or significant effects on you. Automated task unassignment due to inactivity is a minor operational measure to keep projects moving — it does not affect your account, profile, or ability to claim other tasks

Third-party data processors

The following services process data on our behalf (as data processors under GDPR Article 28). We have assessed each for adequate data protection safeguards:

• Railway(hosting) — our application and database are hosted on Railway's cloud infrastructure. Data may be processed in the United States. We rely on Railway's standard contractual safeguards for international transfers.
• Resend (email delivery) — used to send transactional emails (password resets, welcome emails, admin invites) and relay messages between volunteers. Resend processes your email address and name for delivery purposes only. Data may be processed in the United States.
• Backblaze B2(encrypted backups) — daily encrypted backups of the database are stored in Backblaze's EU data centre (Amsterdam). Backups are retained for 30 days and then automatically deleted. Backups are used solely for disaster recovery and are never accessed for any other purpose.
• Google Analytics (usage analytics) — used to understand how the platform is used so we can improve it. Collects anonymised page view and interaction data via cookies. IP addresses are anonymised. Only loaded if you accept cookies via the consent banner. You can withdraw consent at any time by clearing your browser cookies or using browser privacy settings. Data may be processed in the United States.
• Google Sign-In (authentication) — if you choose to sign in with Google, Google verifies your identity and shares your name and email with us to create or log into your account. No other Google data is accessed.

Where data is processed outside the UK/EEA, we rely on the service provider's standard contractual clauses and data processing agreements as safeguards for international transfers.

Data retention

• Active accounts: data is kept as long as your account is active
• Deleted accounts: personal data is anonymised immediately upon deletion. Anonymised records (e.g. “[Deleted User]” on project history) are retained for platform integrity
• Database backups: retained for 30 days, then automatically deleted. When you delete your account, your data is anonymised in the live database immediately; backup copies containing pre-deletion data will be overwritten within 30 days
• Password reset tokens expire after 1 hour
• Admin invite tokens expire after 7 days

Cookies

• Essential cookies — we use localStorage (not cookies) to store your login session and preferences (dark mode, cookie consent choice). These are necessary for the site to function.
• Analytics cookies — Google Analytics uses cookies to collect anonymised usage data. These are only loaded after you accept the cookie consent banner. You can decline or withdraw consent at any time.

Security

Passwords are hashed using PBKDF2-SHA256 with random salts and are never stored in plain text. All data is transmitted over HTTPS. Authentication uses secure random tokens. Database backups are encrypted at rest by Backblaze and transmitted over HTTPS. Access to backups requires API credentials that are stored securely as environment variables.

Your GDPR Rights

Under GDPR and the UK Data Protection Act 2018, you have the right to:

• Access (Article 15) — Download all your data using the export feature above
• Rectification (Article 16) — Update your profile at any time
• Erasure (Article 17) — Delete your account and all personal data
• Restrict processing (Article 18) — Contact us to limit how we use your data
• Portability (Article 20) — Export your data in a machine-readable format (JSON)
• Object (Article 21) — Contact us to opt out of specific processing
• Withdraw consent (Article 7) — Update your privacy settings or delete your account at any time

Data Controller: Safe AI Alliance Ltd (trading as PauseAI UK / Catalyse)
Contact: matilda@pauseai.info

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.