Privacy Policy

1. Data controller and contact details

For the purposes of data protection law, the primary data controller for the Services is:

Vector for Good, Corp (Delaware, USA)
Email: privacy@vectorforgood.com

The International Intersectional Safety Foundation (“IISF”) acts as a research and standards body aligned with Vector for Good’s mission. Where IISF determines purposes and means of processing, IISF may also be a controller or joint controller.

2. Categories of personal data we process

We may process the following categories of personal data:

• Identification and contact – name, email address, organization, role or title, and similar details you provide via forms or correspondence.
• Usage and technical data – IP address, browser type, device identifiers, pages visited, timestamps, referring URLs, and interaction logs generated when you access the Services.
• Communications data – content of messages you send us (for example, accessibility reports, research inquiries, partnership proposals, or support requests).
• Research and pilot project data – where you participate in a research project, pilot, or early-access deployment, we may process telemetry, survey, or contextual data as described in a project-specific notice, consent form, or data processing agreement.

We do not intentionally collect special categories of data (such as health, biometric, or precise location data) via the public-facing site alone. Where such data is processed for research or safety analytics, it is done under separate, explicit documentation and safeguards.

3. Sources of data

We obtain personal data from:

• You directly, when you submit forms, subscribe to updates, or contact us.
• Your use of the Services, via server logs and analytics tools.
• In some cases, from partners or public sources (for example, professional profiles or conference attendee lists) where this is lawful and relevant to our mission and your expectations.

4. Purposes and legal bases for processing

We process personal data only where we have a lawful basis under applicable law, including GDPR where it applies. Our main purposes and legal bases are:

• Operating and securing the Services – to provide, maintain, monitor, and protect the websites, including troubleshooting, analytics, and security monitoring. Legal basis: legitimate interests in operating secure, reliable services.
• Responding to inquiries and managing relationships – to respond to your questions, partnership requests, or research proposals and to manage ongoing collaborations. Legal basis: performance of a contract or steps taken at your request and legitimate interests in engaging with stakeholders.
• Communications and updates you request – to send you newsletters, research updates, or event information where you have opted in or reasonably expect such communications. Legal basis: consent or legitimate interests, depending on jurisdiction and channel.
• Research, safety analytics, and product development – to design, test, and evaluate safety, accessibility, and privacy-enhancing technologies, using appropriate safeguards and, where required, explicit consent or formal agreements. Legal bases: legitimate interests, consent, or contract, depending on context.
• Compliance and legal obligations – to comply with applicable laws, respond to lawful requests, and enforce our rights. Legal basis: legal obligation and legitimate interests.

5. Recipients of personal data

We may share personal data with:

• Service providers (processors) – providers of hosting, analytics, email delivery, customer relationship tools, security monitoring, and similar services, bound by contracts to process data only on our instructions and to protect it.
• Research partners – where you participate in a joint study, pilot, or collaboration, data may be shared with partner institutions under data processing or data sharing agreements.
• Legal and regulatory recipients – authorities, courts, or advisors where required to comply with law, enforce agreements, or protect rights, safety, or security.

We do not sell personal data as that term is defined in many US state privacy laws. If this changes, we will update this Policy and provide required notices and opt-out mechanisms.

6. International data transfers

We are based in the United States and may process data in the US and other countries that may not provide the same level of data protection as your home jurisdiction. When we transfer personal data from the European Economic Area (EEA), the UK, or Switzerland, we use appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized under GDPR, where required.

7. Data retention

We keep personal data only for as long as necessary for the purposes described in this Policy or as required by law. Retention periods depend on the type of data and context, for example:

• Contact and communications data – typically retained for the duration of our relationship plus a limited period for record keeping and dispute resolution.
• Usage and analytics data – retained for operational and security purposes for a limited period, then aggregated or anonymized.
• Research and pilot project data – retained according to project‑ specific protocols, contracts, or ethical requirements communicated to participants.

8. Your rights

Depending on your location and applicable law (including GDPR if you are in the EEA, UK, or Switzerland), you may have the right to:

• Request access to the personal data we hold about you.
• Request correction of inaccurate or incomplete data.
• Request deletion of your data in certain circumstances (“right to be forgotten”).
• Object to or request restriction of certain processing, including processing based on legitimate interests.
• Request data portability for information you provided, where technically feasible.
• Withdraw consent where processing is based on your consent, without affecting the lawfulness of processing before withdrawal.

To exercise these rights, contact privacy@vectorforgood.com. We may need to verify your identity before responding. If you believe we have not handled your concerns appropriately, you may lodge a complaint with your local data protection authority.

9. Security

We implement technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include access controls, encryption in transit where appropriate, and regular review of systems and vendors. No system is completely secure, and we cannot guarantee absolute security.

10. Children's data

Our public-facing Services are not directed to children under 16, and we do not knowingly collect personal data from children via the site. If you believe we have collected data from a child in violation of this Policy, please contact us so we can investigate and, where appropriate, delete the data.

11. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal obligations, or processing activities. When we do, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Services after changes take effect constitutes your acceptance of the updated Policy.