GDPR privacy notice

Effective Date: 12 November 2018

This GDPR privacy notice (this “GDPR Notice”) is included in our Privacy Policy and applies to the ‘personal data,’ as such term is defined in the GDPR, processed by Devpost of natural persons located in the European Economic Area (“EEA Individuals,” “you,” or “your”). Any capitalized terms or other terms not defined in this Notice shall have the meaning ascribed to them elsewhere in the Privacy Policy or, if not defined herein or elsewhere in the Privacy Policy, the GDPR. To the extent of any conflict between this GDPR Notice and any other provision of the Privacy Policy, this GDPR Notice shall control only with respect to EEA Individuals and their personal data. If you are located elsewhere, please see the rest of our Privacy Policy here.

Controller Disclosure & Details: We are a data controller of personal data regarding the following categories of EEA Individuals: Visitors, Users that take part in Hackathons (“Hackathon Participants”), and Posters for the purposes and under the legal bases described in the table below. Please note that, in some cases, the categories of data subjects above may overlap (e.g., Visitors may also be Hackathon Users).

Data Subject Category	Purpose & Legal Basis of Processing
Visitors, Hackathon Participants, and/or Posters (collectively, our “User Base”)	Newsletter: Sending our newsletter to Hackathon Participants based on our legitimate interest in providing the latest news and updates to such registered users. Recommendations: Our legitimate interest in utilizing information submitted by a Hackathon User, such as Profile information or Hackathon Submission Information, to make recommendations for new Hackathons that may be of interest to such Hackathon Participant or feature such Hackathon Participant on the Site in cases where she is a winner. Direct Marketing: Sending email marketing to our User Base based on their consent. Provision of Services: We will process all personal data as necessary for the performance of contracts to which our User Base are a party, such as our Terms of Use and Privacy Policy, in order to provide our Services (or to take requested steps to enter into such contracts or execute a contract in your interests, such as our contracts with Posters regarding participation in Hackathons). Such activities include allowing Profile registration (e.g., directly through us or through a social media or other third-party service at your discretion, such as Facebook or GitHub) and supplementation, answering inquiries or working with Posters for hosting an in-person or online hackathon, processing Hackathon Submission Information for participation in Hackathons (e.g., sharing with Posters), or requesting payment. Audience Measurement and Retargeting: Pursuant to their consent, our use of analytics or retargeting providers on our Site to understand how our User Base interacts with the Site or retarget such User Base (e.g., dropping a cookie on a Visitor’s browser when on our Site and showing a Devpost ad on other websites), respectively. General Business Development: Our legitimate interest in furthering relationships with our User Base (such as by storing information regarding our User Base within a CRM or other database or file), ensuring customer satisfaction, and answering inquiries. Information Security: Our web servers will log your IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Site usage, combating DDOS or other attacks, and removing or defending against malicious visitors on the Site. Compliance with Applicable Law: We will process personal data as needed to fulfill our legal obligations, such as our obligations relating to tax, accounting, and finance.

Data Subject Category

Purpose & Legal Basis of Processing

Visitors, Hackathon Participants, and/or Posters (collectively, our “User Base”)

Newsletter: Sending our newsletter to Hackathon Participants based on our legitimate interest in providing the latest news and updates to such registered users.

Recommendations: Our legitimate interest in utilizing information submitted by a Hackathon User, such as Profile information or Hackathon Submission Information, to make recommendations for new Hackathons that may be of interest to such Hackathon Participant or feature such Hackathon Participant on the Site in cases where she is a winner.

Direct Marketing: Sending email marketing to our User Base based on their consent.

Provision of Services: We will process all personal data as necessary for the performance of contracts to which our User Base are a party, such as our Terms of Use and Privacy Policy, in order to provide our Services (or to take requested steps to enter into such contracts or execute a contract in your interests, such as our contracts with Posters regarding participation in Hackathons).

Such activities include allowing Profile registration (e.g., directly through us or through a social media or other third-party service at your discretion, such as Facebook or GitHub) and supplementation, answering inquiries or working with Posters for hosting an in-person or online hackathon, processing Hackathon Submission Information for participation in Hackathons (e.g., sharing with Posters), or requesting payment.

Audience Measurement and Retargeting: Pursuant to their consent, our use of analytics or retargeting providers on our Site to understand how our User Base interacts with the Site or retarget such User Base (e.g., dropping a cookie on a Visitor’s browser when on our Site and showing a Devpost ad on other websites), respectively.

General Business Development: Our legitimate interest in furthering relationships with our User Base (such as by storing information regarding our User Base within a CRM or other database or file), ensuring customer satisfaction, and answering inquiries.

Information Security: Our web servers will log your IP address and other information (e.g., browser information, operating system, request date/time, user agent string, referral and exiting URL) in order to maintain an audit log of activities performed. We use this information pursuant to our legitimate interests in tracking Site usage, combating DDOS or other attacks, and removing or defending against malicious visitors on the Site.

Compliance with Applicable Law: We will process personal data as needed to fulfill our legal obligations, such as our obligations relating to tax, accounting, and finance.

Controller’s Representative: Our representative in the European Union is:

ePrivacy GmbH‍Große Bleichen 21‍20354 Hamburg‍Germany‍

https://www.eprivacy.eu

Recipients: Devpost personnel shall receive and process your personal data for the purposes described above. Certain personal data, such as Hackathon Submission Information submitted by Hackathon Participants, will be shared with Posters for participation in Hackathons; such Posters may be located all over the world.

Personal data is also disclosed to the following categories of US-based recipients to effectuate the purposes described above: hosting providers, analytics and marketing providers, customer support services, marketing and transactional email services, and payment processors.

Retention: Devpost retains your personal data as necessary to fulfill the purposes set forth within this Notice and to the extent you have (or demonstrate interest in) a relationship with Devpost, unless you request deletion of such data or such data is no longer relevant. In some cases, we may have to retain data to comply with our legal obligations (e.g., accounting, finance, tax).

Your GDPR Rights: As a natural person, you have a right to: (i) request access to, correction and/or erasure of your personal data; (ii) object to processing of your personal data; (iii) restrict processing of your personal data; and (iv) request a copy of your personal data, or have a copy thereof sent to another controller, in a structured, commonly used and machine readable format under the right of data portability. You may exercise these rights and submit a GDPR complaint by contacting: support@devpost.com with the subject line “GDPR Notice.”

You also have the right to lodge a complaint about the processing of your personal data with an appropriate data protection authority, and, as applicable, to exercise third-party beneficiary rights under Devpost’s Standard Contractual Clauses.

Contact details for the EU data protection authorities can be found at: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

Objecting to Legitimate Interest/Direct Marketing: You may object to personal data processed pursuant to our legitimate interest. In such case, we will no longer process your personal data unless we can demonstrate appropriate, overriding legitimate grounds for the processing or if needed for the establishment, exercise, or defense of legal claims. You may also object at any time to processing of your personal data for direct marketing purposes by clicking “Unsubscribe” within an automated marketing email or by submitting your request to support@devpost.com with the subject line “GDPR Notice” (the latter for instances where, for example, you would not like to receive follow-ups from our sales team). In such case, your personal data will no longer be used for that purpose.

Transfer of Personal Data outside the EEA: We are self-certified under the EU-US and Swiss-US Privacy Shield for appropriate transfer of your personal data, such as to our US data centers, pursuant to Article 45(1) (see E.U.-U.S. and Swiss-U.S. Privacy Shield Notice below); in these instances, you may have specific rights under the Privacy Shield. In other instances as appropriate, we may alternatively rely (i) on appropriate Standard Contractual Clauses to ensure adequate protection for your personal data or (ii) the derogations under Article 49(1)(b) and (1)(c) for performance of our contracts with you or to execute a contract in your interest with another entity/person.

Disclosure to Public Authorities: Devpost may be required to disclose personal data in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements. We may also disclose personal data to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Corporate Restructuring: In the event of a merger, reorganization, dissolution or similar corporate event, or the sale of all or substantially all of our assets, we expect that the information that we have collected, including personal data, would be transferred to the surviving entity in a merger or the acquiring entity. All such transfers shall be subject to our commitments with respect to the privacy and confidentiality of such personal data as set forth in this GDPR Notice. This GDPR Notice shall be binding on Devpost and its legal successors in interest.

Updates to this GDPR Notice: If, in the future, we intend to process your personal data for a purpose other than that which it was collected, we will provide you with information on that purpose and any other relevant information at a reasonable time prior to such processing. After such time, the relevant information relating to such processing activity will be revised or added appropriately within this GDPR Notice, and the “Effective Date” at the top of this page will be updated accordingly.

How to Contact Us: Devpost is located at 222 Broadway, 19th Floor, New York, NY 10038. Please use this address or, preferably, reach out to support@devpost.com for any questions, complaints, or requests regarding this GDPR Notice; please include the subject line “GDPR Notice.”

E.U.-U.S. and Swiss-U.S. Privacy Shield Notice

Important Notice for Residents of the European Economic Area and Switzerland

Devpost complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland transferred to the United States pursuant to Privacy Shield. Devpost has certified that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the policies in this privacy policy and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Devpost is subject to the investigatory and enforcement powers of the Federal Trade Commission.

Upon request to support@devpost.com we will provide you with confirmation as to whether we are processing your personal data, and have the data communicated to you within a reasonable time. You have the right to access, correct, amend or delete your personal data where it is inaccurate or has been processed in violation of this Privacy Policy. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable time to respond to your inquiries and requests.

We will provide an individual opt-out choice before we share your personal information with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to support@devpost.com, with the subject line, “Privacy Shield,” unless you have already had an opportunity to opt-out at the time of your registration and/or submission for a hackathon.

We will not disclose your sensitive personal information to any third party without first obtaining your opt-in consent. You may grant such consent by contacting us at to support@devpost.com. In each instance, please allow us a reasonable time to process your response.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose personal information to other third parties when compelled to do so by government authorities or required by law or regulation including, but not limited to, in response to court orders and subpoenas.

Devpost’s accountability for personal data that it receives in the United States under the Privacy Shield and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Devpost remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with the Principles, unless Devpost proves that it is not responsible for the event giving rise to the damage.

In compliance with the Privacy Shield Principles, Devpost commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Devpost by email at support@devpost.com.

Devpost has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Onward Transfer to Third Parties under the Privacy Shield: Like many businesses, we contract with other companies to perform certain business-related services. We may disclose Information, including personal information in some cases, to certain types of third-party companies, but only to the extent needed to enable them to provide such services, including, without limitation, hosting provider, analytics tools, customer support services, marketing and transactional email services, and payment processing. All such third parties function as our agents, performing services at our instruction and on our behalf pursuant to contracts which require they provide at least the same level of privacy protection as is required by this Privacy Policy and implemented by Devpost. We may also disclose your information, including any personal information, to any of our parent companies, subsidiaries, joint ventures, or other companies under common control with us in order to support delivery of our products and services.

Retention of Personal Information under the Privacy Shield: We will retain your personal information in a form that identifies you pursuant to our data retention periods in Retention above or as subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis and subject to the protection of this Privacy Policy. After such time periods have expired, we may either delete your personal information or retain it in a form such that it does not identify you personally.

How We Protect Your Personal Information under the Privacy Shield: Devpost takes very seriously the security and privacy of the personal information that it collects pursuant to the Privacy Shield. Accordingly, we will implement reasonable and appropriate security measures to protect your personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data, and comply with applicable laws and regulations.