Diggle Privacy Policy

Table of contents

This Policy describes the following:

  • What information we collect and how it is collected
  • How we use the information
  • With whom we may share information
  • Legal basis for processing the information
  • Your rights and choices
  • Security and storage of the information
  • Third party websites; and
  • Changes to the Policy and Contact Information.

We first define a few terms used in this document.

Definitions

Throughout the document, we will refer to The Landing Page as content accessible from the internet domains diggle.com and www.diggle.com. We will refer to The App as content accessible from the internet domains app.diggle.com, godiggle.com, puppeteer.diggle.com, mydiggle.com, diggleit.com, and any subdomain of diggle.com not mentioned.

The Platform encompasses The Landing Page and The App. The Service encompasses The Platform and support from Diggle employees.

A Supporting Service is defined as one of the sub-processors for The Service.

Diggle Users are people using The App in some capacity. They may be further classified into three categories:

  • Account Owner: Person or company that legally pays to use The App.
  • Creators: Person or company who creates content on The App and hosts sessions.
  • Participant: Person who participates in sessions created by Diggle Creators.

Every Account will have one Account Owner, but may have several Diggle Creators (as agreed upon with our representatives). Because Account Owners are also Diggle Creators within their respective accounts, everything in this document that applies to Diggle Creators also applies to Account Owners.

Account: Data stored in The App for an Account Owner.

Your data is your data

At Diggle, we value your privacy, and we will only collect information that we need to deliver The Service to you and continue to maintain and develop The Service. The following is a list of data we collect, process or store, with the purpose and legal ground for each item under the General Data Protection Regulation (GDPR) – https://www.eugdpr.org/.

What data we collect

  • User account information. Users that choose to register will have to provide a valid email address and username. The information may be used to operate The Service and to ensure the security and integrity of The Service, maintaining back-ups of our databases, and communicating with you. This is required to deliver The Service to you as a user, by taking steps, at your request, to enter into such a contract (Terms of Service) cf. GDPR art. 6 (1) b.
  • Transaction information. Customers that have purchased a paid version of The Service provide us (and our payment processors) with billing details such as credit card information, billing email, banking information, location at the time of transaction, and/or a billing address. The transaction data may be processed to supply the purchased services and keep proper records of those transactions. This data may be used to deliver The Service. Collecting this information is required for performing the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) b. Additionally, this information needs to be retained to comply with accounting and tax regulations cf. GDPR art. 6 (1) c.
  • Technical log data. Our servers automatically collect information when you access or use The Platform and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited within The Service, browser type and settings, and the date and time The Service was used.
  • Device information. We may collect information about devices used to access The Service, including the type of device, what operating system is used, device settings, application IDs, unique device identifiers, and crash data. 
  • The legal basis for this processing is our legitimate interests cf. GDPR art. 6 (1) f, namely using this data to ensure the proper administration of The Service and our business, analyzing the use of The Service and Supporting Services, monitoring and improving The Service, improving the user experience, preventing abuse, and assisting users with support inquiries.
  • Collecting this information is required for performing the contract we entered into with you, at your request (our Terms of Service), and our legitimate interest in handling your requests cf. GDPR art. 6 (1) f.
  • Service and transactional notifications. Sometimes we’ll send you emails about your account, service changes, or new policies. You can’t opt out of this type of “service or transactional” email (unless you delete your account). The legal grounds for this communication are that it is required for performing our commitment about communicating changes in plans and pricing to you in the contract we entered into with you, at your request (our Terms of Service) cf. GDPR art. 6 (1) b, and our legitimate interest in communicating important information about your account to you, cf. GDPR art. 6 (1) f.

Your responsibility

  • If you, as an Account Owner or Diggle Creator, store any personal data in Diggle, for example, as a result of creating a survey, you are the data controller for that data.
  • You are responsible for managing the data provided by participants in your Diggle sessions and complying with GDPR and local law.

Database backups

  • The data is backed up hourly, and backups are retained for up to 21 days.
  • If you require information to be completely deleted from the system in a shorter time frame, you can send us an email, and we will speed that up.
  • You are free to distribute the images of the answer displays and Excel reports generated from your Diggle sessions to anyone. By distributing such images or Excel documents, you are responsible for complying with regulations and laws regarding the distribution of personal data.
  • If you decide to cancel your account subscription, your account will be changed into a trial account, and your content and account data will remain. You can, however, request an account deletion to [email protected]. Diggle will delete your account and all its data and content from our servers. The data will remain in our backups until they are deleted.

Information You Provide Voluntarily

  • Contact data. When you create an account on Diggle, you provide us with the information needed to communicate with you, such as an email address and your name. Sometimes, you may also choose to share your phone number for support purposes.
  • Content data. This includes any content you create or upload on Diggle, such as exercises (title, choices, URLs, pictures), demographics, and information. As a participant, this corresponds to the information you send, such as your answers or inputs.
  • Billing data. If you purchase a predefined subscription plan (not a customized plan), our third-party payment processor (Stripe) will collect and store your billing address and credit card information. We do not store any parts of your credit card number, card type, or expiration date on our servers or virtual servers that we manage.
  • Profile data. Diggle Users may permit us to access their information in other services. For example, with the User’s consent, you may want to get newsletters from Diggle to your email. As this process is typically handled using a third-party marketing and email managing tool, the third party is given access to parts of your personal information, such as name, username, email, and subscription plan. The information we get from those services helps us manage our users and grow Diggle, effectively enabling us to provide and improve our services.

Information Collected Automatically

Like many websites, our service providers and we may use cookies, web beacons, and other technologies to receive and store certain types of information when you interact with us through your computer or mobile device, subject to your opt-out preferences (see Your Rights and Choices section below). Using these technologies helps us customize your experience with our Services, improve your experience, and tailor marketing messages. Here is some of the information we collect:

Log & Device data. When you access The Platform, our servers automatically record information (“log data”). This log data may include the web address you came from or are going to, your device model, operating system, browser type, unique device identifier, IP address, mobile network carrier, and time zone or location. Whether we collect some or all of this information often depends on what type of device you’re using and its settings. For example, different types of information are available depending on whether you’re using a Mac, a PC, an iPhone, or an Android phone. To learn more about what information your device makes available to us, please check the policies of your device manufacturer or software provider.

Cookies and Other Tracking Mechanisms

  • Cookie data. Depending on how you’re accessing our products and subject to your opt-out preferences, we may use “cookies” (a small text file sent by your computer each time you use The Platform, unique to your Diggle account or browser) or similar technologies to record log data. When we use cookies, we may use “session” cookies (these last until you close your browser) or “persistent” cookies (these last until you or your browser deletes them). For example, we may use cookies to keep you logged in to Diggle. Some of the cookies and locally stored data we use are associated with your Diggle account (including personal information about you, such as your account username). To help us make emails more useful and interesting, we often receive a confirmation when you open an email from Diggle if your computer supports such capabilities. You can opt out of receiving marketing emails from us but not from transactional emails. Please see the Your Rights and Choices section below.
  • Other Website Analytics Services. Subject to your opt-out preferences (see Your Rights and Choices below), we may use third-party service providers such as Google Analytics to provide specific analytics and user interactions services to Diggle in connection with the operation of our Platform, including the collection and tracking of particular data and information regarding the characteristics and activities of visitors. You may opt out of third-party services using Opt-Out Features on their website or, in the case of Google Analytics, by rejecting cookies on The Landing Page. As of today, we do not use Google Analytics, and we will update our terms and conditions and inform you if that changes.

How We Use Your Information

We may use the information we collect about you, including personal information, to:

  • Provide the Diggle Service. We will use your information to provide our Platform and services to you; to facilitate interactivity between Diggle Creators and Diggle Participants; to manage your account; to respond to your inquiries, and for other customer service and support purposes. We use the payment information you provide to us to alert you of past, current, and upcoming charges, to allow us to present the billing history to you on your account page in the platform, and to perform internal financial processes, such as looking at the status of a credit card charge. In the event of a credit card dispute, we also share account information with your bank to verify the legitimacy of a charge.
  • Understand and improve our products. We will research and analyze your use of, or interest in, our products, services, or content, or products, services, or content offered by others. We do this to help make our products better and to develop new products.
  • Communicate with you.
  • Service-related communications. We may send you service and administrative emails to ensure The Service is working correctly. We may also email you if a session report becomes available. Being able to deliver these messages constitutes a legitimate interest, so you may not opt out of these messages.
  • Promotional. Subject to your opt-out preferences, we may send you emails about new product features, other news about Diggle, or topics we think would be relevant to you. You may opt out of receiving these communications at any time. Please see the Your Rights and Choices section below.
  • Responding to your requests. We will also use your information to respond to your questions or comments.
  • Administrative. We may contact you to inform you about changes in our services, our service offering, and other important service-related notices, such as changes to the Policy or security or fraud notices.
  • Protecting Rights and Interests. We may use your information to protect our rights and interests and the rights and interests of our users and any other person, as well as to enforce this Policy or our Terms of Service.
  • Legal Compliance. We may use your information to comply with applicable legal or regulatory obligations, including informal requests from law enforcement or other governmental authorities.
  • Other. We also may use your information to manage our business or perform functions as described to you at the time of collection, subject to your consent. Please read all online agreements carefully before accepting them.
 

With Whom We May Share Your Information

We do not share your personal information with others except as indicated within this Policy or when we inform you and allow you to opt out of having your personal information shared.

We may share information we collect about you, including personal information, in the following ways:

  • With subprocessors as defined in paragraph 9: Our third-party sub-processors.
  • Subcontractors. We may share your personal information with EEA-based subcontractors to improve The Service.
  • To comply with legal processes or to protect Diggle and our users and members. We may share your data: if we believe that disclosure is reasonably necessary to comply with Norwegian or EU law; to respond to a subpoena, court order, warrant, or other legal processes; to enforce applicable terms of use or this Policy, including investigation of potential violations thereof; to protect the safety, rights, or property of the public, any person, or Diggle; to detect, prevent, or otherwise address security or technical issues or illegal or suspected illegal activities (including fraud); or as evidence in litigation in which we are involved, as part of a judicial or regulatory proceeding.
  • Business Transfers. We may engage in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding that involves transferring the information described in this Policy. In such transactions, customer information is typically one of the business assets that is transferred or acquired by a third party. If we are acquired by or merged with another company, if we sell or transfer a business unit or assets to another company, in the unlikely event of a bankruptcy proceeding, or as part of any other similar business transfer, you acknowledge that such transfers may occur.
  • Aggregate or De-identified Information. We may disclose aggregate, anonymous, or de-identified information about users for marketing, advertising, research, compliance, or other purposes.
  • Account Owner access. If you use an organization-provided e-mail address to access the Services and that organization is an Account Owner, they can request us to move your Account to that organization’s Company Workspace. The organization may then apply its policies to your use of The App and control, administer, suspend and delete access to, and downgrade your Account. If you want to avoid this type of disclosure, you should register an Account with your private email address.

Legal Basis for Processing Your Information

We rely on the following legal grounds to process your personal information:

  • Consent. We may use your personal information as described in this Policy, subject to your consent. To withdraw your consent, please contact us at [email protected]. You may also refrain from providing, or withdraw, your consent for cookies. Please see Your Rights and Choices below for more information on opt-outs.
  • Performance of a contract. As applicable, we may need to collect and use the personal information of Diggle Users to perform our contractual obligations.
  • Legitimate Interests. We may use your personal information for our legitimate interests to provide our Platform and services and to improve our services and the content on our Platform. We also process information to improve the user experience. We may use technical information described in this Policy and personal information for our marketing purposes consistent with our legitimate interests and any choices we offer or consents that may be required under applicable law.

Your Rights and Choices

  • To keep your personal information accurate and complete, you can review your account information via your account settings page, including contact and subscription plan information. You may also contact us to request information about the personal data we have collected from you and to request the correction, modification, or deletion of such personal information. We will do our best to honor your requests subject to any legal and contractual obligations. If you would like to make a request, cancel your account or request we delete or no longer use your account information to provide services, contact us at [email protected]. Subject to applicable law, we will retain and use your account information only as necessary to comply with our legal obligations, resolve disputes and enforce our agreements.
  • E-mail. As described above, if you do not wish to receive promotional emails from us, you may opt out at any time by following the unsubscribe link contained in the email itself. Please note that processing your request may take up to ten (10) days. Please also note that if you opt out of receiving marketing communications from us, we may continue to send to you service-related emails which are not available for opt-out. If you do not wish to receive any service-related emails from us, you can deactivate your account.
  • Cookies. You may also refrain from providing, or withdraw, your consent for cookies. Your browser’s help function should contain instructions on how to set your computer to accept all cookies, to notify you when a cookie is issued, or not to receive cookies at any time. Here, you may find instructions for your browser: https://cookies.insites.com/disable-cookies/.
  • Third Party Analytics Services. Some of the services used provide the ability to opt out. For example, you may opt out of Google Analytics and of promotional emails from us and our email marketing partner.
  • Google Analytics is only used on The Landing Page and is provided by Google Inc. You can prevent Google Analytics from using your information for analytics purposes on their Opt-Out page at https://tools.google.com/dlpage/gaoptout/.
  • Additional Rights. Subject to local law, you may have additional rights under the laws of your jurisdiction regarding your personal data, such as the right to complain to your local data protection authority.
  • Do Not Track. We do not currently recognize or respond to browser-initiated Do Not Track signals as there is no consistent industry standard for compliance.

International transfers

We collect information globally and may transfer, process, and store your information outside of your country of residence to wherever our third-party service providers or we operate to provide you the Services. Whenever we transfer your information, we take steps to ensure your data is always safe, including preventive measures.

For all international transfers through our sub-processors, we ensure that the recipient of your Personal Information offers an adequate level of protection by entering into appropriate back-to-back agreements with our sub-processors. All international transfers are based on the EU Commission-approved standard contractual clauses (“SCCs”).

A special note:

On 04 June 2021, the EU Commission adopted two new sets of standard contractual clauses (SCC): one set for the transfer of personal data from the EU to third countries (Cross-Border SCC) and another set addressing specific clauses in controller-processor data processing agreements (DPA-SCC).

The Cross-Border SCC became applicable on 27 June 2021. Until 27 September 2021, both the “old” SCC and the new SCC could be used for contracts; after that, the old SCC could no longer be used for new contracts but continued to be deemed “appropriate” for another 15 months, as long as the subject matter of these contracts remained unchanged and provided that the old SCC were “appropriate” before.

As of 27 December 2022, the use of the “old” SCC will no longer provide the necessary, appropriate safeguards for a data transfer to a third country. By then, they need to be replaced by the new Cross-Border SCC (or other appropriate means).

This means that (1) from 27 September 2021 onwards, only the new Cross Border SCC can be used for data transfers to third countries in new contracts, and (2) from 27 December 2022 onwards, all existing “old” SCC will need to have been replaced by the new SCC.

We have replaced our SCCs within this timeframe.

To ensure we comply with EU laws, we also moved our main server provider to Europe (Scaleway).  

Please also refer to our DPA. 

Our third-party sub-processors

These are the third-party data processors we use to provide The Service.

See our list of sub processors.

Security and Storage of Information

Keeping your data secure is highly important to us. We have implemented technical and organizational measures to ensure that all data sent to Diggle is handled securely. 

Diggle should be simple and intuitive to use. When inviting participants to join a Diggle, you can choose between different security settings. Choosing higher security settings to ensure the desired level of privacy entails additional complexity for you and the participants. It will therefore remain possible to choose simple, less secure ways to use Diggle, such as sharing a URL to invite participants without them verifying their identity or sending the final results report back to participants. Therefore, we cannot take responsibility for any breach of privacy that results from Diggle being used as a simple and easy way of interacting and information later reaching unauthorized persons.

Levels of security when joining a Diggle

When asking people to join a Diggle, you have several security options:

  • Live session
    • Access to participate (how long the session is active) expires automatically after 48 hours
    • Select a longer log-in code than the default 8
    • Anonymous login vs Nickname login 
  • Invite by link
    • Expiration time is set manually
    • Default duration of the link is 48 hours
  • Email verification
    • We offer all customers the possibility of email invites that require verification with a six-character code before joining a Diggle. This code is valid for 15 minutes with three login attempts.

We may change the configurations listed above without notice to provide a better or more secure experience for our users.

Data Security

You should take steps to protect against unauthorized access to your device and account by, among other things, choosing a robust password that nobody else knows or can easily guess and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.

We retain the personal data we collect for so long as reasonably necessary to fulfill the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute of limitations periods to bring and defend claims.

Processing

Scaleway is the data center provider for the Diggle application. Scaleway is located in France, so you can get full protection from GDPR. They list the following compliance and certifications:

  • ISO 27001:2013 – Information security management system
  • HDS – Health data hosting
  • ISO 50001:2018 – Energy management systems
  • GDPR
  • Tier 3 Uptime Institute: 2014
  • SWIPO

Scaleway employs a wide range of physical security measures to keep your data safe.

Scaleway’s compliance and certifications are covered here:
https://www.scaleway.com/en/about-us/our-certifications/ 

Scaleway’s security and resilience measures are covered here:
https://www.scaleway.com/en/security-and-resilience/ 

For the landing page, we use DigitalOcean (US) for our hosting needs. The only personally identifiable information we store on this server is the contents of the access logs that we use to be able to identify malicious behavior. These access logs contain IP addresses. The logs are automatically deleted every two weeks.

Scaleway is also the hosting provider for images our users upload as part of the content they build.

For the AI features in Diggle, we are using OpenAI. OpenAI receives only data relevant to the process of creating a Diggle, such as questions, responses, or additional prompts. This data is only used to provide the requested services and is not retained or used to train OpenAI’s models. OpenAI manages data according to strict retention policies and ensures compliance with GDPR and other applicable laws, including data encryption and access control measures.

Data at rest

  • DigitalOcean: Stored IP addresses are not encrypted at rest.
  • CloudFlare: Encrypts all data at rest, usually with disk-level encryption.
  • Google Analytics: Data is encrypted at rest (currently deactivated)
  • GSuite (Gmail, Meet): Data encrypted at rest.
  • Stripe: All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
  • Sentry: Uses encryption at rest.
  • Slack: Data at rest in Slack’s production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Slack’s systems—relational databases, file stores, database backups, etc
  • OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data.

Data in transit

We use standard TLS ≥ 1.2 to encrypt data in transit, and are rated A+ by a third-party vendor, SSL Labs. Privacy and protection of user data are of the highest importance to us, and we have both technical and operational support in place to ensure this.

Backups and Data Loss Prevention

Data is backed up continuously, and we have an automatic failover system if the primary database fails. We are running a high availability managed Postgres database from Scaleway.

User Passwords

We hash and salt all passwords with the bcrypt algorithm, so plaintext passwords are not stored and would not be exposed in the event of a breach.

Employee Passwords

Passwords that are used in the line of work are stored using a password management system. We enforce 2FA where applicable and require that employees use screen locks whenever they are not by their workstations.

Payment Details

Credit card information is stored with Stripe, which is a Level 1 PCI compliant payment processor. Source: https://stripe.com/docs/security/guide

Security routines

| Planned activity | Frequency |
| --- | --- |
| Re-evaluation of transfer tools at appropriate intervals, developments in the third country that may affect the level of data protection, the necessity of our own mechanisms and to the degree they have been sufficiently implemented | Minimum 2 times a year |
| Security training for personnel | Yearly and at beginning of employment |
| Revoke system, hardware and document access | At end of employment |
| Firewall settings verification for workstations and Network | 2 times a year |
| Ensure all critical system libraries are up-to-date | Continuously |
| Unit and integration tests to ensure system functionality and security | Continuously |
| External penetration tests to ensure system security | By continuously assessing the need for new tests |

Human Resource Security

Diggle is developed by Specifique Norge AS, a consulting company based in Oslo, Norway. Not everyone in Specifique works with Diggle, and those who do not are not given access to information and systems that relate to Diggle.

We have a process in place that ensures that employees are given access to information and systems on a need-to-know basis only. When employment has ended, we revoke all access that the concerned employee had.

Our lead developer is responsible for the security of the IT infrastructure, develops plans against security threats, vulnerabilities, and risks, ensures IT infrastructure supports security policies, and responds to information security incidents.

For everyone with access to systems and information, these guidelines must be respected: 

  • That employee will keep passwords, PIN codes, etc. entrusted to the employee, strictly confidential;
  • That employee uses at least 2-factor authentication for systems with user data. We also require password-protected SSH keys.
  • Firewall enabled on all workstations
  • That employee will log off the computer or activate the screensaver configured with a password immediately upon completion of each work session

Continuous improvements

Our engineering practices ensure that we have security in mind in all stages of a development lifecycle. We will do our utmost to minimize any type of risk. Examples of Engineering practices:

  • Clear code conventions enforced by static code analysis and automatic formatting.
  • Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection).
  • Continuous check-up to keep libraries up-to-date.
  • Continuous integration builds and testing with separate automated deployment for easy rollbacks.
  • Continuous improvement process with the entire product team where security issues are evaluated. Yearly security review of the entire code base.
  • All releases are tested before merging to production.
  • Passwords are always kept in a password manager or as configuration.

Changes to the Policy

This Policy is current as of the Effective Date set forth above. We may change this Policy from time to time, and if we do, we’ll post any changes, including any material changes, on this page, so please be sure to check back periodically. If you continue to use Diggle after those changes are in effect, you agree to the revised Policy.

Contacting Us

If you have any questions or comments about this policy, please contact us at [email protected] 

Any notices must be sent to Diggle in English or Norwegian at [email protected].