1. Your consent in relation to personal data
2. What is personal data?
Personal data means any information relating to you, provided that you can be identified or are identifiable (directly or indirectly) with such information, as defined in the GDPR.
References to personal data are to be interpreted as interchangeable with the concepts of “personal information” as defined in the CCPA and the Privacy Act.
3. Collection of personal data
We collect personal data in the following ways:
- When you visit our Website or use the App, we may automatically collect certain system-related information about your visit to the Website or your App usage.
- If you install the App via the GitHub marketplace, we will use your details to conduct automated dependency project health reporting.
- If you make an enquiry we will handle any personal data you have provided to us in order to respond to that enquiry. We may also retain this data for the purpose of performing contracts and technical administration.
- We also use “cookies” - see Section 8 below for further information.
4. Why do we collect, use and disclose personal data?
We may collect, hold, use and disclose your personal data for the following purposes:
- to enable you to access and use the Website and the App;
- to operate, protect, improve and optimize the Website and the App;
- to send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you; and
- to comply with our legal obligations, resolve any disputes that we may have with any of our users, and enforce our agreements with third parties.
In the context of the GDPR, this processing is lawful under Article 6 of the GDPR, as it is within the consent to processing that you provide to us, necessary for the performance of our contractual arrangement and for the purpose of our legitimate interests in operating the Website and the App.
If obliged to do so by law, we process personal data in order to meet duties of retention under applicable law. For further information on retention periods, please refer to Section 10 below.
5. To whom do we disclose your personal data?
Your personal data is very important and helpful for us to provide the Website and the App. In the context of the data processing above and the respective legal bases given (contract performance, legitimate interests, consent or processing obligations under law), your data may be passed on to the following categories of recipients:
- third party suppliers and service providers (including providers for the operation of the Website and the App);
- anyone to whom our assets or businesses (or any part of them) are transferred;
- specific third parties authorized by you to receive information held by us; or
- other persons, including government agencies, regulatory bodies and law enforcement agencies, or as required, authorized or permitted by law.
Further, we are entitled to outsource the processing of personal data (completely or partially) to external service providers which are acting on our behalf as data processors in the meaning of Article 4 no. 8 GDPR. When such third-party service providers are located outside of the European Union (EU) or the European Economic Area (EEA), for the purpose of transfers of data outside of the EU or EEA we will put in place the relevant EU Standard Contractual Clauses and appropriate safeguards in accordance with the requirements set by law and data protection authorities to ensure that your personal data is duly protected.
6. What are your data protection rights?
Deadpendency is committed to ensuring fair and transparent processing. You can access the information we hold about you by contacting us via deadpendency.com/contact. If you think that any information we hold about you is inaccurate, please contact us and we will take reasonable steps to ensure that it is corrected.
If you are resident in an EU country or the UK then you have the following specific rights under the GDPR:
- Right to information, Article 15 GDPR
- Right to rectification, Article 16 GDPR
- Right to deletion (right to be forgotten), Article 17 GDPR
- Right to restrict processing, Article 18 GDPR
- Right to data portability, Article 20 GDPR
- Right to object, Article 21 GDPR
If you are resident outside of the EU or UK then you may have similar rights under applicable regulations.
To exercise your rights, please contact us via: deadpendency.com/contact. In order to be able to process your request, please note that we will use your personal data in accordance with Article 6 para. 1 (c) of the GDPR or any analogous regulation under applicable regulations.
If you are resident in the EU or UK then you have the right to lodge a complaint with a supervisory authority pursuant to Article 77 GDPR.
If you are resident in California then you have the specific rights set out in Section 12 below.
7. How can you withdraw your consent?
If you gave us your consent to process your personal data, please note that you may withdraw this consent at any time by contacting us via deadpendency.com/contact. Please note that your consent can only be withdrawn with future effect and such a withdrawal does not have any influence on the lawfulness of past processing. In some cases, we may be entitled to continue to process your personal data on a different legal basis – to perform a contract, for example.
We take reasonable steps to protect your personal data from misuse, interference and loss, as well as unauthorized access, modification or disclosure and we use a number of physical, administrative, personnel and technical measures to protect your personal data.
Access to personal data on our databases is subject to reasonable technical safeguards and is restricted to authorized staff on a strict need-to-know basis. Further, in appropriate cases, we require our external service providers with access to personal data to sign data processing agreements (Article 28 GDPR) that require them to take the necessary and reasonable steps to protect the personal data provided to them.
Despite these reasonable steps, no security system is impenetrable and, due to the inherent nature of the internet, we cannot guarantee that information, during transmission through the internet or while stored on our systems or otherwise, will be absolutely safe from unauthorized access by others.
10. How long is your data stored?
Your personal data is erased as soon as it is no longer required for the purposes stated. However, if necessary, we must continue to store your data until the retention periods and deadlines set by the legislator or supervisory authorities expire. We may also retain your data until the statutory limitation periods have expired, provided that this is necessary for the establishment, exercise or defense of legal claims. After that, the relevant data will be routinely erased.
12. Consumer Privacy Act (CCPA) – specific provisions for California residents
The CCPA provides California resident users of the Website or the App (referred to in this section as “California consumers”) with specific rights regarding their personal data. This section describes California consumers' rights and explains how they can exercise them.
Access to Specific Information and Data Portability Rights:
California consumers have the right to certain information about our collection and use of their personal data over the past 12 months. Sections 3, 4 and 5 above describe the types of personal data that we collect, how we process it and the third parties with whom we share such information and the purpose for that sharing.
Exercising Access, Data Portability, and Deletion Rights:
California consumers have the right to request that we delete any of their personal data collected from them, subject to certain exceptions set out in the CCPA. These rights may be exercised by contacting us via deadpendency.com/contact. Only the relevant California consumer, or a person registered with the California Secretary of State that is authorized to act on a California consumer’s behalf, may make a verifiable consumer request related to that California consumer’s personal data. California consumers can also make a verifiable consumer request on behalf of their minor child. California consumers may only make a verifiable consumer request for access or data portability twice within a 12-month period.
The verifiable consumer request must:
- provide sufficient information that allows us to reasonably verify identity; and
- describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
Response Timing and Format:
We will endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If more time is required (up to 90 days), we will inform you of the reason and extension period in writing. There is no fee for processing a verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.
We will not discriminate against any California consumers for exercising any of their CCPA rights.
Other California Privacy Rights
California’s “Shine the Light” law (Civil Code § 1798.83) permits California consumers to request certain information regarding our disclosure of personal data to third parties for their direct marketing purposes. To make such a request, please contact us via deadpendency.com/contact.
13. Making a complaint
If you think we have breached the GDPR, CCPA or Privacy Act, or you wish to make a complaint about the way we have handled your information, you can contact us via https://deadpendency.com/contact. Please include your name and your email address or telephone number and clearly describe your complaint. We will acknowledge your complaint and respond to you regarding your complaint within a reasonable period of time. If you think that we have failed to resolve the complaint satisfactorily, you have the right to complain to the relevant privacy regulator for your territory of residence:
- in Australia you can complain to the Office of the Australian Information Commissioner – see here: https://www.oaic.gov.au/privacy/privacy-complaints;
- in the EU you can complain to the supervisory authority of the Member State where you reside, where you work, or where you believe a GDPR infringement occurred;
- in the United States you can contact the Federal Trade Commission and lodge a complaint through the process set out at: https://www.ftccomplaintassistant.gov; and
- in the UK you have the right to lodge a complaint with the UK Information Commissioner’s Office which you can contact under https://ico.org.uk/global/contact-us.
14. Contact details