Privacy Policy
Version 5.0 (English) – August 22, 2024 | (Deutsche Version)
Read Version 4.0 – January 23, 2023
Read Version 3.0 – July 4, 2022
Read Version 2.0 – December 18, 2019
Read Version 1.0 – October 8, 2018
Least Authority TFA GmbH (“Least Authority,” “we,” “us”) is committed to protecting your privacy while you use Least Authority’s website, products and/or services. We want you to understand what information we collect about you, how we collect it, how that information is used and what choices you have with respect to the information. Below is our Privacy Policy, which applies to all the interactions you have with Least Authority. However, this Privacy Policy does not apply to any third-party applications or software that integrate with our services through our website, or any other third-party products, services or businesses.
I. Data Controller
The Data Controller of LeastAuthority.com and its associated services is Least Authority TFA GmbH, Thaerstraße 28a, 10249 Berlin, Germany.
II. Collecting, Processing and Storing of Personal Data and Purpose of the Usage of Personal Data
We operate this website in order to provide you with information about our products and services, and keep you up to date about Least Authority.
1. Our Website
You may use our website for purely informational purposes without disclosing your identity. In order to display the website to you, only access data is transmitted to our provider.
The Least Authority website is currently hosted on WP Engine servers, which are based in the European Union. When you use our website, WP Engine collects the following data:
- IP address (WP Engine collects logs that include full IP addresses and, unfortunately, offers no option to anonymize this data);
- Browser type/browser version;
- Operating system used;
- Language and version of the browser software;
- Host name and accessing terminal;
- Website from which the request comes;
- Content of the request (specific page);
- Date and time of the server request;
- Access status/HTTP status code;
- Referrer URL (the previously visited page);
- Amount of data transmitted; and
- Time zone difference from Greenwich Mean Time (GMT).
Read more about WP Engine’s privacy policy here.
Least Authority uses an open-source web analytics program with a strong privacy focus, called Matomo. It informs us about how visitors use our website. Using Matomo, we collect anonymous statistical data about the use of our website to optimize our online presence and for marketing and sales purposes. Only the first 2 ‘bytes’ of your IP address are stored, which makes it harder (1) to link your current visit to this website to future visits, and (2) to determine your exact location.
The information Matomo collects includes:
- 2-byte masked user IP address;
- Date and time of the request;
- Title of the page being viewed (Page title);
- URL of the page being viewed (Page URL);
- URL of the page that was viewed prior to the current page (Referrer URL);
- Screen resolution being used;
- Time in local user’s time zone;
- Files that were clicked and downloaded (Download);
- Links to an outside domain that were clicked (Outlink);
- Page generation time (the time it takes for web pages to be generated by the web server and then downloaded by the user, i.e., page speed);
- Main language of the browser being used (Accept-Language header); and
- User Agent of the browser being used (User-Agent header).
The Matomo software runs exclusively on the server of our website. The storage of the personal data of users only takes place there. The data will not be passed on to other third parties. Please read Matomo’s full privacy policy here.
You can opt out of visitor data collection by Matomo by enabling the “Do Not Track” option in your browser.
The legal basis for the processing of the data listed above is our legitimate interest to ensure the functionality, integrity and security of the website (Article 6 para. 1 (f) GDPR).
The access data will be deleted as soon as they are no longer required for the purpose of their processing.
You can object to the processing at any time on grounds relating to your particular situation. You can send us your objections via the contact data provided at the end of this Privacy Policy.
2. Cookies
The technically necessary cookies we use are only applicable for administrators.
3. Social Media
On our website, we do not use social network plug-ins. However, we have a social media presence that can be accessed by clicking on the respective social media logo (e.g., GitHub, LinkedIn, X (formerly Twitter), YouTube) on our website. No personal data is sent to the social networks before you click on the logos or links, which take you to the social network’s website.
In addition, you can also share certain contents of our website on social networks. When you click on the “share” logo on our website, the logos of the various social networks appear. If you click on one of these logos, you will be redirected to the website of the corresponding social network. If you have an account and are logged in, or if you log in when prompted, you can share the desired content from our website.
We have no influence on the data collected and the data processing of any social network. Further information on the purpose and scope of data collection and processing by the respective network can be found in the data protection declaration of the respective network. There, you will also find further information on your rights and settings to protect your privacy when using social networks. Please note that personal data is not only processed by social networks if you are logged in: personal data, such as your IP address, can also be processed even if you do not have a social media account. We process your data with the utmost care but assume no liability for the behavior of the operators of the social networks or third parties.
4. Mailing List
If you wish to receive regular updates about our work, you may subscribe to our mailing list. To prevent misuse of your email address, the registration for the mailing list consists of a double opt-in procedure. Using the “Subscribe to Newsletter” field on our website, enter a valid, personal email address to subscribe to our newsletter. You will then shortly receive an email requesting you to confirm or “opt in” your email address. You will not receive a newsletter from us until you confirm your address using your email.
To manage our mailing list, we use MailerLite. For more information on MailerLite, please refer to the following resources and documents:
- MailerLite’s compliance with data protection rules;
- MailerLite’s security; and
- MailerLite’s Privacy Policy
Through the MailerLite Dashboard, the information we have access to about each subscriber includes their email address and the IP address with which they signed up and opted in, as well as the date and time of sign up and opt in. In addition, when sending out newsletters through MailerLite, we only have access to information on whether and when subscribers open the newsletter email, and whether and when subscribers click on links in the newsletter. The email address provided for the newsletter mailing list is not shared or transferred to any other parties besides MailerLite.
We store the email address you provided to us in order to send you our newsletter. The legal basis for this is your consent (Article 6 para. 1 (a) GDPR). We store your email address, IP address, and the date and time of sign up and opt in to be able to prove the granting of your consent to the subscription and, if necessary, to clarify a possible abuse of your personal data. The legal basis for this data processing is our legitimate interest in proper documentation (Article 6 para. 1 (f) GDPR). Recording when and which newsletter(s) you have received, whether you opened the newsletter(s), and which links you interacted with, is based on our legitimate interest in recording any possible case of unauthorized transmission after revocation and for marketing reasons.
If you no longer wish to receive our newsletter emails, you can unsubscribe from our mailing lists at any time using the link at the bottom of any email sent using MailerLite, or contact us at contactus@leastauthority.com. We delete your personal data collected in connection with the mailing list subscription as soon as they are no longer required to achieve the purpose for which they were collected. In particular, if you unsubscribe from the newsletter, your personal data will be restricted for further processing and will only be used for the defense against possible legal claims. Your personal data will be completely erased after the expiration of the statute of limitation, unless we have conflicting legal obligations.
You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data provided at the end of this Privacy Policy.
5. Contacting Us
You can contact us via our email address, by filling out a form on our website or by scheduling a call with us. If you contact us via email or a form, the personal data transmitted with the email or form will be saved, but only used for the processing of the inquiry or conversation.
If you schedule a call via our homepage, we use Calendly to book appointments with you. When you use Calendly to schedule a call with Least Authority, you voluntarily give Calendly certain information. This can include your name, email address and phone number; email addresses of other people; subject of the meeting; and any other information you provide them. Please inform yourself about Calendly’s privacy policy.
We delete the data that we collect when you contact us after the processing is no longer necessary, which usually occurs when we properly address the issue or, if applicable, after the expiry of the legally binding storage obligations, or if you object to further processing. For example, we store the data required under commercial and tax law for the legally specified period of approximately ten years (see Section 257 HGB, Section 147 AO).
The legal basis for processing these data is your consent, as outlined in Article 6 para. 1 (a) GDPR. You may withdraw your consent given to processing these data at any time.
The legal basis for the processing of data transmitted in the course of sending an email or scheduling a call is our legitimate interest in the operation of our business (Article 6 para. 1 (f) GDPR), or, if intended by the contact, the performance of a contract (Article 6 para. 1 (b) GDPR).
You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data provided at the end of this Privacy Policy.
6. Consultancy Services for Clients
If you request our consultation services, we collect your name, contact information and other information given to us by you in the process of communicating about the desired services. Providing your personal data is required in order to send proposals and contracts for signing.
The personal data we collect in the process of fulfilling or concluding a contract will be deleted as soon as they are not required to achieve the purpose for which they were collected and after expiry of the applicable legally binding storage obligations.
The legal basis for this processing is the performance of a contract (Article 6 para. 1 (b) GDPR), compliance with legal obligations (Article 6 para. 1 (c) GDPR), as well as our legitimate interest in proper documentation (Article 6 para. 1 (f) GDPR).
You can revoke any consent you may have given at any time. You can object to the processing at any time on grounds relating to your situation. You can send us your objections or revocation via the contact data provided at the end of this Privacy Policy.
7. Job Applications
If you apply for a job with us by email or via the form on our website (for employment, a freelance position, or an internship), the data you provide to us (such as your name, contact information, birth date, professional background, certificates, references etc.) will be processed by us for your job application. We use Softgarden to process your application and for further communication during the application process. You can find information about Softgarden’s privacy policy here.
The legal basis for processing your personal data in connection with the establishment of an employment relationship is primarily § 26 BDSG (German Federal Data Protection Act – Bundesdatenschutzgesetz), which permits the processing of data required in connection with the decision to establish an employment relationship. The legal basis for processing your job application data in order to establish a working relationship between you and Least Authority is also provided in Article 6 para. 1 (b) GDPR. In the case that data processing is necessary to protect our legitimate interest, in particular if the data are required for legal actions after the application procedure has been completed, the legal basis for processing your job application data is provided in Article 6 para. 1 (f) GDPR. The job application data stored by us will be deleted 6 months after the end of the job application process unless we have conflicting legal obligations. If you agree, we keep your job application data in our storage for longer. In this case, your data will be deleted after your revocation.
Insofar as the processing is based on Article 6 para. 1 (f) GDPR, you have the right to object to the processing of your job application data on grounds relating to your particular situation. You can send us your objections via the contact data provided at the end of this Privacy Policy.
III. Transfer to Third Parties
We will never sell, rent, or lease your personal data to a third party. However, we may share collected information for the purposes described in this Privacy Policy with third parties that help us to provide, improve, promote or support our services, and that help with our business operations and assist in the delivery of our services (e.g., payment processors, hosting services, analytics, content delivery services, CRM, etc.) in a manner that is consistent with this Privacy Policy and only to the extent permitted by data protection laws. We may also share information with third parties if required to do so by law or if you violate our contractual relationship. Our service providers have a legal obligation to ensure compliance with all data protection rules and they are often also bound by further contractual provisions on data protection.
We only transfer personal data to third parties if we have a legal permission to do so — in particular, if you have given consent to such a transfer, if the transfer is necessary for the provision of our services, if the transfer is required by law in this context, or if we have a necessary legitimate interest (see Article 6 para. 1 (a), (b), (c), (f) GDPR).
Beyond the service providers previously covered in this Privacy Policy, here are some additional examples of digital service providers we use to perform our work. Please note that we may change our third-party digital service providers at any time, at our discretion, without notice.
- We use DocuSign for the signing of our contracts. DocuSign has received approval for its application for Binding Corporate Rules (BCRs) from the EU Data Protection Authorities (DPA). You can find more info about how DocuSign protects privacy here.
- We use Slack to internally communicate as a team to improve our services and be responsive to our clients’ needs. To learn more about Slack’s security, please refer to Slack’s data security, Slack’s GDPR compliance and Slack’s privacy policy.
- Internally, we use Google Workspace for our email service, calendar, and internal document management. You can find more information about Google’s data protection commitments here.
- For billing purposes, data collected by us might be transferred to SuiteCRM, which we use for invoices. SuiteCRM’s privacy policy can be found here. To learn more about SuiteCRM and compliance with GDPR, please read here.
- Internally, we use Float to plan capacity and work schedules. To learn more about Float, please refer to Float’s privacy policy, Float’s data processing agreement, and Float’s statement about data security and privacy.
Insofar as the processing is necessary for the purposes of the legitimate interests pursued by us (Article 6 para. 1 (f) GDPR), you have the right to object to the processing. You can revoke any consent you may have given at any time. You can send us your objections or revocation of your consent via the contact data provided at the end of this Privacy Policy.
If all or part of Least Authority is sold, merged, or otherwise transferred to another entity, your information may be transferred as part of that transaction. If that happens, Least Authority will take reasonable steps to make sure your information continues to be treated consistently with this privacy policy.
IV. Transfer to Recipients Outside the EU
As far as necessary for our purposes, we may transfer your data to recipients outside the EU. We only do this in accordance with the legal requirements for transfers to third countries. We only process or have the data processed in third countries when it is ensured that the third country or the recipient of the data in the third country guarantees an adequate level of data protection according to Articles 44 to 49 GDPR and no compelling interest prevents the data transfer. This may take the form of an “adequacy decision” of the European Commission, which confirms that an adequate level of data protection has been ascertained overall for a certain third country. Alternatively, we can also transfer data on the basis of “EU standard contractual clauses.”
Insofar as the processing is based on Article 6 para. 1 (f) GDPR, you have the right to object to the processing. You can revoke any consent you may have given at any time. You can send us your objections or revocation of your consent via the contact data provided at the end of this Privacy Policy.
V. Children’s Privacy
Least Authority does not provide services directly to children or proactively collect their information. If we discover that a child has provided us with personal information, we will promptly delete such information from our systems.
VI. Data Subjects’ Rights
You can request from Least Authority at any time:
- Information as to whether personal data concerning you are being processed, and, where that is the case, access to these personal data (Article 15 GDPR);
- Rectification of inaccurate personal data concerning you, subject to relevant legal requirements (Article 16 GDPR);
- Erasure of personal data concerning you unless there are conflicting interests (Article 17 GDPR);
- Restriction of the processing of your personal data where one of the following applies (Article 18 GDPR):
  - You contest the accuracy of your personal data;
  - The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  - We no longer need your personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims; or
  - You have objected to processing pursuant to Article 21 para. 1 GDPR, pending the verification of whether our legitimate grounds override yours.
- Receipt of the personal data that you provided to us in a structured, common and machine-readable format, or their transmission to another controller (Article 20 GDPR). In this case, please contact us at privacy@leastauthority.com and specify the information or processing activities to which your request relates. We will carefully consider your request and discuss with you how we can best fulfill it.
You can revoke your consent once given to us at any time. As a result, we stop the data processing based on this consent in the future (Article 7 para. 3 GDPR).
If we process your data pursuant to a legitimate interest of ours or of a third party (Article 6 para. 1 (f) GDPR), you can exercise your right to object in accordance with Article 21 GDPR. Please direct any such request to privacy@leastauthority.com.
You have the right to lodge a complaint with the competent data protection supervisory authority (Article 77 GDPR). The supervisory authority responsible for Berlin, Germany is:
Berliner Beauftragte für Datenschutz und Informationsfreiheit
Friedrichstr. 219
10969 Berlin, Germany
Phone: 030/138 89-0
Homepage: http://www.datenschutz-berlin.de
If you have any questions or complaints about data protection at Least Authority, we encourage you to contact us at privacy@leastauthority.com.
VII. Links to Other Websites
Least Authority’s website may contain links to third-party websites (companies or organizations other than Least Authority). Least Authority is not responsible for the privacy policy or the content of the website of any third party. We strongly recommend carefully reading the privacy statements of third-party websites.
VIII. Ensuring Compliance
We are committed to protecting the information that we receive from you. We take appropriate security measures to protect your information against unauthorized access to or unauthorized alteration, disclosure or destruction of data.
Least Authority has to comply with all applicable laws and regulations, including, but not limited to, those of the European Union, Germany and the state of Berlin. For this reason, we may have to collect, process and retain your details for an extended period of time as a legal obligation (see Article 6 para. 1 (c) GDPR).
We delete your personal data as soon as they are no longer required for the purposes pursued by the processing and as long as there are no conflicting legal storage obligations.
IX. Our Products Are Built for Privacy and Security
At Least Authority we develop usable products that advance digital security and preserve privacy as a fundamental human right. Since the inception of the company, we have been continuously working to build products and provide services that protect your data and your right to privacy.
Consistent with Article 25 of GDPR (“Data protection by design and by default”), we believe in security-by-design and security-by-default. Our software designs are inspired by end-to-end security and the “principle of least authority” (PoLA) — a security best practice requiring system components to only have the privilege necessary to complete their intended function and not more.
X. Changes to This Privacy Policy
We may modify this privacy policy at any time to comply with legal requirements as well as developments within our organization. When we do, we will revise the date at the bottom of this page. Each visit or interaction with our services will be subject to the new privacy policy. We will record past versions of this policy through an archive on this page. We encourage you to review our privacy policy whenever you use our services to stay informed about our policies. By using our services, you acknowledge and agree that it is your responsibility to review our privacy policy to be aware of modifications.
XI. Contact Information
Least Authority is dedicated to continuous improvement of all parts of the Service. If you have any questions or feedback on this Privacy Policy, please let us know by sending an email to contactus@leastauthority.com or privacy@leastauthority.com.
Version 5.0 – August 22, 2024