This privacy policy tells you what to expect us to do with your personal information when you contact us, sign up to be a Rebel or use one of our services.

We’ll tell you:

• What your data protection rights are
• How we collect your data
• What purposes we are using it for
• Where your data is stored
• How the data is protected
• Who has access to your data
• When your data is removed from our systems
• How changes to this policy are handled

Contact information

If you have any questions regarding how we handle your data or if you would like to make a request, please send an email to tech@extinctionrebellion.nl mentioning the email address you used to sign up.

Summary (a.k.a. what you are probably looking for)

The personal information you provide us with is mainly used to help us integrate you into the movement. To facilitate this, the data is stored centrally in Action Network (US based) and propagated to the relevant local group integrator(s) who can access it on our self-hosted cloud storage service.

If you provided it, your phone number may also be used in mass mobilisation campaigns (Rebel Ringing) or inviting you to relevant channels on Telegram.

Your Data Protection rights

Under data protection law, you have rights you should be aware of. Your rights depend on our reason for processing your data. Compliance to data protection laws such as the GDPR in NL is supervised by the “Autoriteit gegevensbescherming”. You can read more about it on their website (mostly in Dutch).

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us if you wish to make a request.

Your right of information

You have the right to know what personal information we process and why we do so. Specifically, you have the right to know with which third parties we share this information. This right always applies. This document should provide you with all of this information, but do not hesitate to ask us if you have any questions. You can read more about this here.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this here. Also see the section “When is your data deleted’.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your data in certain circumstances. You can read more about this here.

Your right to object to processing

You have the right to object to the use of your data for direct marketing or because of a specific personal situation. You can read more about this here.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us to another organisation, or give it to you. The right only applies if we are processing information based on your consent or under a contract. You can read more about this here.

Your right to complain

You have the right to complain about the way we process your personal information to the authorities. Please let us try to resolve the issue first and contact us.

If you remain dissatisfied, you can follow this link to see how to file a complaint.

How we collect information

Almost all the information we collect is provided directly by you. The only case in which we receive personal information indirectly is when one of our rebels gives us your contact details to use in case of an emergency or prolonged detention by the police.

You provide us with information through online forms or physical ones at gatherings. On the application form we ask for your name, e-mail address, municipality and phone number (optional) on the grounds of legitimate interest. This information is necessary for us to put you in touch with the right person. This is in our interest, as well as in yours, to help you find your way in the movement as quickly as possible. We believe these interests outweigh the invasion of your privacy, which we limit in the following ways:

• We request only a small amount of data
• Your data is used only for the stated purposes
• Your data is stored encrypted
• You have the right to object to the use of your data at any time.

We use Matomo to track visitors to our website (extinctionrebellion.nl) to gain insights into how the website is used. The tracking is performed based on anonymised IP-address, the operating system and browser you are using, installed browser extensions, configured browser language and/or any of the information listed here. No cookies are used.

This data is retrieved when you visit the website, but not stored. It is only used to calculate a number by which subsequent actions may be recognized. This number is deleted after 24 hours.

What data is collected

The data we collect may include the following personal details:

• Name, contact details (such as email address and phone number) and municipality.
• In what options for contributing you are interested. This information is used by local group integrators to help rebels find a place in the movement.
• What affinity group(s) you are the representative of.

If you are participating in a high risk action, we may also collect:

• Contact details (name and phone number) of someone to call in case of an emergency or when you’re held for longer than 6 hours.
• Any information you want us to mention in this case.
• Any special circumstances we should be aware of. This might include medical information, for which we ask explicit permission to process.

As this is data is more sensitive than the rest, we have a special policy regarding it’s retention (see the “When is your data deleted” section).

Additionally, we keep track of who has signed what form and when. This data would allow us to infer that someone is interested in joining an affinity group or estimate someone’s involvement, but it is currently only used during the integration process.

Where is the data stored

All data is stored on Action Network’s servers in the United States. Action Network is committed to a long-term goal of using only renewable energy, but this does not seem to be the case yet. We have a contract in place that regulates how they can use your data. Also see Action Networks privacy notice.

Additionally, some data is synced to spreadsheets on XR NL’s NextCloud for use by local integrators (see section ‘Who has access to the data’ for details). This service is hosted on XR NL-owned servers in Switzerland running on 100% renewable energy. Also see NextCloud’s privacy policy. During the syncing process, the data is temporarily stored on a Digital Ocean server in the Netherlands server region.

When a local groups is large enough to have a local integration circle, they may use additional systems to coordinate their integration efforts. Please contact your local group if you want to know more about this.

All Action Network data is also backed up daily to our Swiss servers mentioned above.

Finally, some data might temporarily be stored on the personal devices used by XR’s Action Network administrators. This happens only when the data needs to be inspected or modified manually. You can find our policy for handling data in this special case here.

How your data is protected

Your data is encrypted with industry standard technologies in rest (on disk) and in transit (when sent over the internet). We also keep all software we use up to date so any known vulnerabilities are patched before they become a threat.

For what purposes is the data used

In general, we only process your data based on legitimate interest. We do not sell your data in any way, shape or form.

Email addresses are used for a variety of purposes:

• Identification in Action Network
• National and local newsletters and other organisation-wide communications (like announcements and calls for action).
• A means of contact by our integrators when you signed up
• Confirmation mails after signing petitions and joining the movement

All personal rebel data is linked to their email address. Action Network does this automatically and currently does not provide any other means of identifying people.

Names are only used to facilitate friendly and personal communication.

Phone numbers are used to automatically invite new rebels to relevant Telegram channels after they have been to an introduction meeting. Additionally, phone numbers may be used in Rebel Ringing campaigns or by local group integrators on any medium (Signal, Telegram, Whatsapp, SMS…).

We use the submitted municipality to determine which local group is closest to you and enable the right local group integrator to contact you.

Information about in what way a rebel would like to contribute is used by the integrators to suggest working circles that might be of interest to the new rebel.

All of the personal information above and some extra metadata (date of submitting the sign up form and which other forms they have already submitted) is also synced with a NextCloud spreadsheet (See section “Who has access to the data” for access details) to help local group integrators integrate new rebels. For example: they may use the contact information to contact new rebels and use the metadata to determine which information they should send the new rebel.

Affinity group information is displayed on the website for people looking for affinity groups (if this option was checked in the affinity group form). Additionally, it is synced with a NextCloud spreadsheet (See section “Who has access to the data” for access details) for use by local action integrators.

We do not do any automatic decision-making or profiling based on your data.

Who has access to the data

The data is mainly stored in Action Network, a US based non-profit. Action Network supports limited access control rules, which are used to authorize people to do as little as possible while enabling them to do what they need to do. We are working on a system that allows more fine-grained access control.

Access control is managed by the Action Network subcircle (subcircle of the national tech circle). We currently have three levels of direct access:

1. Admin. An admin has access to all rebel data and can download/upload it for manual inspection of modification. Candidates for admin access are people from the national tech circle and the integration circle.
2. Local group integrator. There are some local group integrators with direct read access to personal data, but cannot download it. We try to keep the number of local group integrators with this level of access to a minimum.
3. Newsletter. This level of access only allows for sending emails to all rebels. Candidates for this level of access are people from the national newsletter team.

Please contact the national tech circle at tech@extinctionrebellion.nl for an up-to-date overview of exactly who has access to what.

Additionally, all local group integrators have indirect read-only access to personal rebel data from the rebels in their local group through NextCloud. Similarly, action integrators have access to affinity group data from those in their local group through a different spreadsheet.

Finally, phone numbers and names may be sent out to trusted rebels as part of Rebel Ringing campaigns. These rebels have been vouched for by a rebel in the circle of truth of the Rebel Ringing coordination team.

When is your data deleted

At the moment, we have no policy about removing data after a fixed period of time, except for the data from arrestee form. These form submissions are deleted (from the online database; not the backups) one month after the action has taken place, but we do keep contact details in our system in a way that it can not be traced back to the form if we have explicit permission to do so.

Backups of the data are removed after 6 months.

You can unsubscribe from out emails by clicking the “Unsubscribe” link in our emails, but this does not remove your data from our systems. To do this, please send an email with your name and the email address you used to sign up to tech@extinctionrebellion.nl.

Changes to this Privacy Policy

We keep our privacy policy under regular review to make sure it is up to date and accurate. We will notify you by email when there are changes.