Privacy Policy

#### Scope and Updates to this Policy This Privacy Policy applies to any and all Catalyst services, including but not limited to: our website, our platform and any services offered therein by us, and feedback forms related to our services. By registering or using our platform, you consent to the policies outlined in this Privacy Policy. This policy does NOT apply to services operated by users of our platform, although such services must abide by our [terms of service](https://beta.catalystapp.co/Help/ToS). Catalyst may need to occasionally update this Privacy Policy in order to comply with new regulations or further our commitment to protecting your privacy. In the event of substantial or significant updates, Catalyst will notify users and visitors of changes through page banners, social media posts, and, in the event of significant changes, email notifications to all email addresses registered through the service. Catalyst may not necessarily notify users in the event of minor changes, such as, but not limited to, spelling or grammatical fixes, formatting updates, or other small changes which do not affect the meaning of this Policy. We encourage users to frequently review this Policy in order to fully understand our policies and stay up-to-date with any changes. You may review the changes and historical versions of this document at our public [GitHub commit history](https://github.com/catalyst-app/Catalyst/commits/master/internal_assets/legal/PRIVACY_POLICY.md). Continued usage of the platform and services therein or provision of personal information constitutes agreeance with our current Privacy Policy. If you wish to withdraw consent towards this policy or any future version, you must deactivate your account from your user settings. Doing so will result in deletion of user data per our [Deletion Standards](#md-header-deletion-standards-and-data-retention). If you wish for further modification of your data, please notify us through the methods outlined in the [Contact](#md-header-contact) section of this document. #### Data Collection and Usage In order to use our platform and services offered therein, we require personal information such as username, email address, and password. In addition to this required information, certain services require further information, such as social media profiles, nicknames, profile images, etc. When requests are made to our platform, data such as page visited, time of the request, IP address, and your browser may be logged temporarily. Doing so allows us to troubleshoot errors and streamline user experiences. These logs will only be accessible by Catalyst staff. In the event of an internal error or bug, we may log information about the request, including, but not limited to, IP address, time of the request, current and previous pages, error information, request information (including anonymized form data), and the logged in user (in order to request additional information for troubleshooting). This information is frequently purged and only accessible to Catalyst developers. By browsing our site, unless a "do not track" header is sent, you consent to allow Google to collect anonymized information including approximate location, device, and your browser, route (the path a user takes through the platform), and other similar information. We may analyze this data for aggregate trends and statistics, allowing us to gather important demographic information and to improve the user experience of the platform. All information transmitted to our service is encrypted using above-industry standard encryption, with additional care given to sensitive information such as passwords. #### Cookies and Tracking Information When you access our platform, small data files, called "cookies", may be stored on your computer. These cookies allow us to provide core functionalities of our service. You are permitted to disable these cookies, however, your ability to our platform may be severely impaired by this. We use Google Analytics to collect aggregated tracking information. If you elect to send a "do not track" header, as described in our [Data Collection and Usage](#md-header-data-collection-and-usage) policy, Google Analytics tracking will be disabled for your session. Aside from Google Analytics’ cookies, the only other cookies we may store are session cookies (which allow us to determine if a user is logged in) and a preference for whether or not the news banner has been hidden. #### Disclosure and Sharing of Personal Data We will not provide your personal information to third parties, with the following exceptions listed below. We will **never** sell your personal information under any circumstance. ##### Legal Requirements We will share your personal data if required by law, regulations, subpoenas, court orders, legal investigations, or other legal requirements by governmental authorities. Depending on the nature of the request, you may not be notified of this event. ##### Preventive Measures We may share your personal data, including IP address, email address, and other identifying information when we believe it is necessary in order to prevent financial loss to a third party, physical harm, illegal activity, or if required in order to investigate suspected violations of our Terms of Service. ##### User Initiated If you desire, we may share your personal data with a third party if explicitly requested. See the Contact section for information regarding who to contact and what proofs of ownership may be required. Additionally, we will share your personal data with anyone who you give access to through our platform. This can be in the form of private URLs, commission information, messages, etc. By giving access we will not be liable for any damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result, even if we have been advised of the possibility of such damages. ##### Administrative Reorganization We may transfer personal information to a successor entity in the event of a merger, acquisition, or other similar events. If this occurs, users will be duly notified and provided with options regarding account deletion. #### Privacy of Children's Data We recognize the privacy interests of children and take steps to ensure these interests. For users under the age of eighteen, we recommend that parents and guardians actively monitor and take a part in their children's online activities. Our site is not directed or targeted towards children under the age of thirteen, or sixteen in the European Union, nor do we knowingly collect data from children under this age. If we find a child under this age has provided us with personal information we will delete that information, as outlined in our [Deletion Standards and Data Retention](#md-header-deletion-standards-and-data-retention) policy. If your child is under this age and has provided us such information, please contact us as outlined in the [Contact](#md-header-contact) policy. #### Deletion Standards and Data Retention Upon deletion of information from our site, we will wipe images from disk and overwrite most personal information. However, certain types of information may persist after deletion for the following reasons: ##### Information which may still be in use or referenced by another party. Examples of such information would be commission type names, proofs of payment, or an artist's reviews. This information is retained in order to retain clarity for other parties, and, when applicable, is anonymized. You may request direct erasure of such items by writing to us as described in the Contact section. ##### Information may be retained in order to prevent other users from impersonating previous users. Information such as usernames and email addresses are retained in order to ensure new users cannot register and potentially assume the usernames or URLs of deleted or suspended users. This retained information is minimised to, at most, usernames and email addresses (or their complements, such as unique URLs). Therefore, if a well-known account is deleted, another user cannot claim its username. This information may be erased by writing to us as described in the Contact section. Doing so will release the username or other property to the public where it can be reused. ##### Information in backups We automatically create daily backups of all information within the site. These backups, or portions therein, may be retained as long as necessary in order to comply with legal obligations or assist in dispute resolutions. If you notify us of your account deletion and your account seems to be in good standing, we will take actions to remove it from our backups in a timely manner. If your account is deemed to not be in good standing or has demonstrated suspicious activity, we reserve the right to retain this information, as defined under the section regarding [Right to Erasure Including Retention and Disposal](#md-header-md-header-right-to-erasure-including-retention-and-disposal) #### Third Party Links User-generated content may provide links to external resources which we cannot control. We do not endorse any of these sites, nor are we responsible for the content or actions of any of these external resources/services. We instill safeguards in order to attempt to remove any links which may be deemed unsafe. However, no system is perfect, and malicious/deceitful links may get through. We are not at fault for any such links nor do we claim such responsibility. Your usage of external websites is subject to their terms of use and privacy policies. #### Security We do not mess around when it comes to security, using well-above industry practices for the transmittance and storage of such information. All information transmitted through our services employs at least 4096-bit RSA key encryption with Diffie-Hellman parameters through Transport Layer Security (TLS). Certain areas of the platform may use additional encryption mechanisms, such as AES or additional RSA encryption as deemed necessary. If your device and browser do not support these security mechanisms you will be unable to use the service. #### Transfer of Data Our systems are currently based in Europe, with certain aspects in the United States and Canada. As such, your personal data may be processed in the United States, Canada, United Kingdom or France, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world. By using our platform you agree to this Privacy Policy and consent to the transfer of any information to the United States, Canada, United Kingdom and/or France, which may not offer an equivalent level of protection to that of your home country. You may withdraw this consent at any time. Upon such withdrawal, we will immediately cease any further transfer of your data. Moreover, regardless of your home country, you may use the rights provided by the General Data Protection Regulation, as outlined in the [Rights to Your Information](#md-header-rights-to-your-information) section. #### Rights to Your Information In order to act on any of these rights please follow the instructions in the Contact section of this policy. Verification of your identity will be required. ##### Right to Rectification and Data Quality You have a right to rectify, update, or complete any inaccurate or missing data. The majority of these changes can be made through the platform’s interface, namely "Edit" and "Settings" pages. If the change you wish to make is not possible through the interface, [contact us](#md-header-contact) and we will resolve it. ##### Right to Access You have the right to obtain a copy of all personal data that we currently hold about you, such as personal information, messages, profiles, uploaded images, etc. The first ten requests within a calendar month will be completed within 30 days of verification with no charge. Additional requests within this period will incur a 1 USD fee per request. ##### Right to Data Portability Under certain circumstances, you can request that we migrate your data to another service provider. This is not an automatic right due to the unique nature of our services and relational data, however, we can attempt to work with other service providers in the event of such a request. ##### Right to Restrict Processing or Objection You have to right to request that we stop certain data processing activities that involve your data. This is not an automatic right as our ability to restrict processing will depend on the type of data, particularly those listed in our data retention policies. ##### Right to Erasure Including Retention and Disposal You have a right to request that we delete any of your personal data. This is not an automatic right, and what we are able to delete will depend on the type of data that we hold about you, as outlined in our data retention policies. #### Contact All requests regarding personal information or privacy should be directed to [[email protected]](mailto:[email protected]). Such requests should clearly define all applicable details of the request. ##### Questions Regarding This Privacy Policy If you have a question regarding this policy, you should email us at [[email protected]](mailto:[email protected]). ##### Requests Regarding Personal Information In order to make a request regarding personal information, ownership of account(s) in question must be verified. Verification requirements are determined on a case-by-case basis, however, typically you are at least required to provide verification of ownership of the email address associated with the account(s) in question. If the account in question has been deleted you must still use the email to which the account was registered. If account ownership cannot be verified we reserve the rights to deny any request regarding personal information, contact the legitimate account holder, and to contact appropriate legal authorities if applicable.