Privacy & Cookies Policy

v1.5.0—last updated 2019-12-14

Overview

For us to operate our business and provide our services to You, it is sometimes necessary for us to collect or process information about You. In general terms, this information takes one or more of the following forms:

  • Information that you provide to us directly, such as in the situation where you complete an online form or send us a message via our website;
  • Information that is automatically sent to us by Your computer’s internet browser when you visit our website, such as your computer’s technical address (or “IP address”) or information about which particular internet browser you are using and so on;
  • Information about how you use our website or our services, such as which pages you visit, how frequently you visit the site, and so forth.

This privacy policy sets out the detail of what information we collect, as well as how that data is used and protected.

Our Commitment to Data Privacy

We are fully committed to maintaining the privacy of any information (“personal data”) that you provide to us. Furthermore, we commit to ensuring that such data is held securely, used appropriately, and only retained for as long as is necessary.

We designed our systems and services with privacy in mind, and we operate on a “data minimization” principle wherever possible. That is to say that we will only ever ask you for the minimum amount of information required to provide our services efficiently; we have no desire to retain (and therefore maintain) any more information than is necessary.

We aspire to comply to the fullest extent possible with applicable data protection regulations, in particular, the European Union’s General Data Protection Regulation (“GDPR”) and ePrivacy Directive, where applicable.

Who We Are

In terms of your use of this website, Fedorov & Demidenko GbR (We, Us, Our, Foundsiders, FelloWage, fellowage.io), act in the capacity of Data Controller, and should you have any questions or concerns about the data we hold about you, we can be contacted using the information below:

  • Data Controller: Foundsiders, Fedorov & Demidenko GbR
  • Correspondence Address:
    • Oleksii Fedorov, Ilona Demidenko, Software Products GbR
    • Friedrichstr. 123
    • 10117 Berlin
    • Germany
  • Email Correspondence: alex@fellowage.io

Definition of Personal Data

When we refer to “personal data,” we mean any information that allows us to identify you personally. Prominent examples include your name, email address, wage entry, and billing address.

We always seek to gain your explicit consent to providing this information before we collect it from you, although this may not be the only legal basis on which we collect the data.

Other types of information, such as your computer’s anonymized “IP” address or broad geographical location (a country), do not, generally, allow us to identify you directly.

However, because in their current form, European data privacy regulations are somewhat vague in this regard, we cover the use of such data here also.

Whom Do We Share Data With

We operate on a strict “need to know” basis for all data that we work with, and that is particularly true for any personal data. We only grant access to personal data to the following people/organizations:

  • Employees, contractors, and managing partners of Fedorov & Demidenko GbR who provide content-creation, design, marketing, sales, software development, or support services;
  • Our deployment and hosting technology supplier, Heroku, provides the application and database server infrastructure that our website(s) operate on. We ensure that all servers in use reside physically in the EU. We have signed a data processing agreement (DPA) with this data processor;
  • Our email automation platform, Mailgun, provides data processing services. This processing includes your email, message metadata and message body (message body is retained only for 72 hours), and may include your name. The processing happens when we need to send you an email (such as a successful registration notification, or a reset password email). We ensure that the processing of your data happens in the EU. We have signed a data processing agreement (DPA) with this data processor;
  • Our trusted payment automation platform, Stripe, provides data processing services. This processing includes your email, your full name, your billing address, your credit card information, and your browser session information via a cookie. We never store or process your credit card information directly—it’s all done by Stripe. The processing happens when you upgrade your account plan, each time your billing cycle ends (monthly or yearly, depending on the plan of your choice), and when you wish to cancel or downgrade your plan. If you are using the free plan, no payment data processing is required. Stripe is a US company, and to legally transfer your data outside of the EU, Stripe has implemented EU-U.S. and Swiss-U.S. Privacy Shield Policy. We have signed a data processing agreement (DPA) with this data processor;
  • Our live chat and support platform, Olark, provides data processing services. This processing includes your account ID (if you are logged in), your email and name (if you use the “Contact Us” form), session and unique visitor cookies, and your live chat message history. This processing takes place only if you use the live chat or contact form features of this website. Olark is a US company, and to legally transfer your data outside of the EU, Olark has committed to comply with Privacy Shield Principles. We have signed a data processing agreement (DPA) with this data processor.

Additionally, we may share your information with third parties in the following scenarios:

  • To conform to legal requirements, to respond to lawful court orders, subpoenas, warrants, or other requests by public authorities.
  • In case of a business transfer: As we continue to develop our business, we might buy or sell parts or whole businesses, subsidiaries, or business units, or we might change our legal form. In such transactions, customer information, generally, is one of the transferred business assets but remains subject to the promises made in any pre-existing Privacy policy (unless, of course, the customer consents otherwise). Also, in the unlikely event that our business will be acquired as a whole (or substantially all of its assets are acquired), customer information will, of course, be one of the transferred assets.

How Do We Protect Your Data

  • Access Control: access to personal data is strictly limited in line with our policy detailed in the section “Whom Do We Share Data With” on this page. We control access using individual user accounts, where we enforce a strong password policy.
  • Data Encryption: We secure this website with SSL encryption, which means that all traffic to and from our servers is encrypted. This encryption applies to our administrative access to the website as well as that of users of our services. Additionally, we use our own dedicated secure Virtual Private Network (VPN) when we access the site from anywhere on a public wifi network.
  • Selection of third-party service providers: We use a minimal number of third-party service providers, but some are essential for the provision of app and database servers, cloud services, email services, billing services, and support services. One of the core factors in the selection of such providers is their ability to provide secure systems and processes.

Access to Your Personal Data

In the situation where you have directly provided personal information to us (such as by completing an online form or contacting us for further information), you have several rights regarding the personal data that we hold:

  • You have the right to obtain from us confirmation about whether we hold any such data;
  • You have the right to require that we provide you with whatever data we are holding/processing about you, including the right for that data to be transferred to another data controller;
  • Even if you have consented to us processing your data, you have the right to withdraw that permission at any time. Typically, you can do so on the My Data page;
  • You have the right to require us to rectify any incomplete or incorrect information held about you;
  • You have the right to require us to erase the data held about you (the “right to be forgotten”);

In the situation where we collect personal data automatically (such as from your internet browser or via internet Cookies or other similar technologies):

  • You have the right to object to the legal basis upon which we are collecting this data, and we must consider and respond to that objection;
  • While we consider your objection, you have the right to request the prevention of further processing of your data;
  • You have the right to make a complaint to the relevant data protection authority (In Berlin/Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)).
  • In most circumstances, you can exercise these rights without paying a fee to us.

To exercise any of the rights above, please send us an email at alex@fellowage.io.

Types of Data Collected

LinkedIn profile data

To sign up for this website, you have to use the “Sign up with LinkedIn” feature. This process proves your identity and allows us to validate the wage data you provide (i.e., whether you have the job title X at company Y at location Z).

Legal Basis A: You Have Given us Consent (GDPR Art 6(1)(a)). Before redirecting you to the LinkedIn authentication provider, we ask you to provide your explicit freely-given consent to permit us to process your data.

Legal Basis B: Our Legitimate interest (GDPR Art 6(1)(f)). To keep providing high-quality service to our users, we need to ensure that the quality of the data in the system is high.

Specifically, we collect the following information when you authenticate on our website with LinkedIn:

Your email address

We use your email address as a unique primary identifier of your user account, and the website uses it as a username for login purposes.

Additionally, we use your email within the tool LinkedIn Sales Navigator to manually find your LinkedIn public profile, and validate that the information you provided in your wage entry is correct. We perform this verification right after your initial account registration, and every time you change some fields of your wage information (i.e., job title, company, and location).

We do this to ensure that you and other users of the website can trust the quality of the data that we provide.

Additionally, we use your email to send you any transactional emails on the legal basis of legitimate interest. These are the emails that you can reasonably expect when signing up and using this Site and our Services:

  • Password creation email with recovery code (so that you can reset the password in the future if you happen to forget it);
  • Registration acceptance and rejection notification emails connected to your initial registration on our website;
  • Password reset email;
  • Reminders for you to update your wage entry to keep the wage data quality high on the website—this benefits you and other users alike. We do not send these reminders more often than once every half a year. You can always opt out of this type of transactional email. Bear in mind that we reserve the right to hide or remove your wage entry if it is too outdated (older than a year) to keep the quality of the data set high;
  • Weekly report notifications about companies and job-title filters that you have explicitly subscribed to. We send these because you have asked us to send them in the interface of the website. You can always remove or add more companies/filters in your report on our site. You can always stop receiving these emails by removing all companies/filters from your report on our site;
  • Any marginal changes to the terms of use or this privacy policy;
  • Any alerts of security nature;
  • Emails with your order confirmations, receipts, and invoices;
  • Any alerts regarding your payment, billing, and subscription that require your attention and your action.

Storage: in the database, on your registration and account entry.

Retention: the lifetime of your user account.

Your first name and last name

We use your first name and last name in the verification mentioned above.

Also, we use this data whenever you wish to upgrade to a paid plan to auto-fill the first name and last name fields of the billing information form.

Storage A: in the database, on your registration entry.

Retention: until your registration is complete, or your registration expires, and our systems delete the expired registration entry. Registration entries expire after no activity in 7 days if they are not in the “accepted” state.

Storage B: in the database, on your account entry. This storage starts right after your registration request is accepted and is converted into a fully-functional user account.

Encryption: one-way encryption with your password. Only you can see or use this information while using our website. Even the database operator, with full access to the data, can’t read or use this data.

Retention: the lifetime of your user account.

Profile Picture URL

We use your LinkedIn profile picture URL in the verification mentioned above.

Storage: in the database, on your registration entry.

Retention: until your registration is complete, or your registration expires, and our systems delete the expired registration entry. Registration entries expire after no activity in 7 days if they are not in the “accepted” state.

Unique LinkedIn Identifier (ID)

We use your unique LinkedIn ID to ensure that there could be no more than a single user account per given LinkedIn profile.

Storage: in the database, on your registration entry.

Retention: the lifetime of your user account, or until your registration expires, and our systems delete the expired registration entry. Registration entries expire after no activity in 7 days if they are not in the “accepted” state.

Technical Data (such as “IP” address)

When you visit our website, our systems log a record of your visit in our server logs, and typically this record includes the technical “IP” address that is associated with your device.

Such server logs are a widespread practice and are used to monitor technical resources, monitor high-level server activity, and, importantly, to detect and prevent malicious or fraudulent activity on our systems.

This data can also be used, if required, to diagnose reports of technical issues. The storage of IP addresses allows us to identify patterns of behavior (such as repeated malicious attempts to access a system). IP addresses, in and of themselves, do not allow us in any way to identify you as an individual, especially given that it is ubiquitous for internet service providers to dynamically allocate IP addresses. Therefore IP addresses often routinely change.

Furthermore, we do not and will not use the content of server access logs to attempt to determine an identifiable individual. We, therefore, do not consider that data held within server logs falls within the scope of “personal data,” and accordingly, we do not seek your consent to collect it.

If such anonymous data is considered to fall within the scope of the applicable data protection regulations, the legal basis for processing such data is Our Legitimate interest (GDPR Art 6(1)(f)). The integrity, security, and performance of our systems and infrastructure is a vital part of the services that we offer. We consider that it is in our legitimate interest to maintain and protect our systems to this end.

Storage: in website logs, and infrastructure backups.

Retention: 6 months.

Website usage information

When you use our website, we record how you use it in a fully-anonymous fashion.

Every usage data record contains the following information:

  • Event type (e.g., “Entered wage entry,” “Logged in,” or “Viewed my company page”);
  • Timestamp of when the event occurred;
  • The anonymous cohort of the user:
    • “Pro” user, free user, or guest;
    • A/B testing group. Sometimes users get assigned to a specific testing group to improve the UX experience of our products. Every such group has enough entries that it won’t be possible to identify an individual using these;
    • How old the user account is (not the person behind it) (i.e., new, at least 1 day, at least 1 week, at least 1 month, at least 1 quarter, at least half a year, at least 1 year) (not applicable to guests).

Since this doesn’t store any user identifier and doesn’t store (nor allows us to derive) the exact timestamp of the account creation, we consider this information to be entirely anonymous. Also, the way these usage records are structured, they allow only aggregated use, because they can’t be correlated to each other.

Furthermore, we do not and will not use the content of usage records to attempt to determine an identifiable individual. We, therefore, do not consider that data held within usage records falls within the scope of “personal data,” and accordingly, we do not seek your consent to collect it.

If such anonymous data is considered to fall within the scope of the applicable data protection regulations, the legal basis for processing such data is Our Legitimate interest (GDPR Art 6(1)(f)). The ability to understand how users are using our products and where they are getting stuck is crucial for us to improve the usability of our products and for our business success.

Storage: in the database.

Retention: 12 months.

Your wage information

The purpose of this website is for users to share their wages (or salaries) with other users of the website. That is why you provide us with the following information in the registration process:

  • Your job title;
  • Name of the company where you’re employed;
  • Location (city, country) where you’re employed;
  • Your primary wage amount and currency;
  • Monetary estimation of the other benefits you receive from your employer.

Once your registration is complete, this data becomes available to other registered users of the system.

You can always update this data, or delete it. Since this website is a salary sharing platform, deleting this data restricts your access to the data of others, unless you have a “Pro” (paid) account.

This data is stored separately from your account in our systems. The connection between your account and your wage entry is encrypted one-way using your password. That means that nobody except you can correlate the wage entry and your account. Additionally, we add or subtract small numbers randomly from your wage and benefits amounts.

This process makes the entry pseudo-anonymous. We understand that given enough information about you, somebody could identify you as an individual (for example, your manager at work, who knows your title, salary, and benefits, could potentially connect this wage entry to you as a person, that is unless multiple persons could fit the data).

This website is a sharing platform, and by registering and providing your data, you willingly agree to share your wage information with the public. That is the whole point of this website.

Legal Basis A: We ask for your consent to process your wage information in this way as part of this privacy policy (GDPR Article 6(1)(a)). However, please note that this is not the only lawful basis on which we process this data.

Legal Basis B: Processing is necessary for the performance of a contract (GDPR Art 6(1)(b)). Registering for this website is equivalent to sharing your wage information on this sharing platform. That is why, for us to complete your registration, we have to process your wage information as described above.

Legal Basis C: We ask for your consent to process your wage information in this way as part of the wage information entry form (GDPR Article 6(1)(a)). This checkbox is mandatory because the sharing platform won’t function as one without it. (It’s the whole point of the “sharing” part in the name.)

Legal Basis D: Our legitimate interests (GDPR Art 6(1)(f)). For us to achieve our vision of increasing wage transparency, we require users to share their wage information and process it as described above. Additionally, if users are not required to share this information, we won’t have sufficiently valuable data, and as a result, we won’t have a successful business. We consider both our vision and the success of the business to be our legitimate interests.

Storage: in the database.

Encryption: the information itself is not encrypted. The connection between your user account and your wage entry is encrypted one-way with your password. That means that even the database operator is not able to read this connection information. Only you can.

Retention: the lifetime of your account.

Cookies and “Similar Technologies”

We have included cookies, web beacons, and similar technologies into one section because they all perform similar functions even if, from a technical perspective, they work slightly differently.

All of these technologies allow us to understand better how users are using our website and other related services. They can also be an essential part of providing certain online functionality.

They are all primarily small data files placed on your computer (or other devices) that allow us to tell when you have visited a particular page or performed a particular action (such as clicking a particular button) on our website.

Most websites use these technologies as they provide useful insight into how the services are being used, as well as improving speed, performance, and security, and enabling us to improve our personalization of your experience.

Cookies

These are small text files placed in the memory of your browser or device when you visit a website. Cookies allow a website to recognize a particular device or browser. There are several types of cookies:

  • Session cookies expire at the end of your browser session and allow us to link your actions during that particular browser session.
  • Persistent cookies are stored on your device in between browser sessions, allowing us to remember your preferences or actions across multiple sites.
  • First-party cookies are set by the site you are visiting.
  • Third-party cookies are set by a third party site separate from the site you are visiting.

There are several ways that you can influence how cookies are used on your particular device. Most commercial browsers (such as Chrome, Safari, Edge, Internet Explorer, Firefox) allow you to set preferences for whether to allow or block website cookies.

They will also provide tools that allow you to remove any cookies that have already been set. Using the “Help” functionality of your browser, or an internet search will help you to understand how to use these features for your particular browser.

Web beacons

  • Small graphic images (also known as “pixel tags” or “clear GIFs”) that may be included on our sites and services that typically work in conjunction with cookies to identify our users and user behavior.

Our uses of such technologies fall into the following general categories:

Web beacons: we don’t use web beacons.

Cookies. Here is the list of cookies that our website uses:

| Cookie | Type | Expires In | Description | Purpose |
|---|---|---|---|---|
| fellowage | First-party, Persistent | When logging out or 1 month | Logged in user’s session identifier and encrypted state. Required for login and most of the features of the application to function. | Strictly necessary functionality |
| fellowage_cookieBanner | First-party, Persistent | 12 months | Stores whether the user has given their consent for the use of essential (strictly necessary functionality) cookies | Strictly necessary functionality |
| __stripe_sid | First-party, Persistent | 30 minutes | Cookie set by Stripe software on behalf of this website. Required to remember who the user is. Required to reduce fraud | Security, strictly necessary functionality when using payment functions of the website |
| __stripe_mid | First-party, Persistent | 12 months | Cookie set by Stripe software on behalf of this website. Required to remember who the user is. Required to reduce fraud | Security, strictly necessary functionality when using payment functions of the website |
| _okcs & _okck | First-party, Session | When logging out or closing the browser | Cookie set by Olark software on behalf of this website. Identifies the visitor across devices and visits, to optimize the live-chat function on the website | Functionality, necessary functionality when using live-chat and support features. We explicitly seek your consent before setting these the first time |
| _okbk | First-party, Session | When logging out or closing the browser | Cookie set by Olark software on behalf of this website. It contains live-chat and “contact us” form software state | Functionality, necessary functionality when using live-chat and support features. We explicitly seek your consent before setting these the first time |
| _oklv & _okla & _okac | First-party, Session | When logging out or closing the browser | Cookie set by Olark software on behalf of this website. It contains various caches to improve the performance of the live-chat and “contact us” form | Performance and strictly necessary when using live-chat and support features because they seem to not function at all without these. We explicitly seek your consent before setting these the first time |
| _ok | First-party, Session | When logging out or closing the browser | Cookie set by Olark software on behalf of this website. It contains the unique identifier of this website. | Security, and strictly necessary when using live-chat and support features. We explicitly seek your consent before setting these the first time |
| wcsid | First-party, Session | When logging out or closing the browser | Cookie set by Olark software on behalf of this website. It contains a session identifier that keeps track of a single chat session. | Functionality. And strictly necessary when using live-chat and support features. We explicitly seek your consent before setting these the first time |
| olfsk | First-party, Persistent | 24 months | Cookie set by Olark software on behalf of this website. It maintains live-chat message history across pages and browser tabs. | Functionality, and strictly necessary when using live-chat and support features. We explicitly seek your consent before setting these the first time. |
| hblid | First-party, Persistent | 24 months | Cookie set by Olark software on behalf of this website. It identifies a unique visitor between visits so that the support agent can be much more helpful when the visitor uses the live-chat or support feature multiple times. | Functionality. And strictly necessary when using live-chat and support features because live-chat software cannot work properly without it. We explicitly seek your consent before setting these the first time. |

You can control your consent settings for these cookies on the My Data page.

Website Analytics

We don’t use any third-party website analytics on this website. Instead, we’re collecting fully anonymous usage records, as described in the section “Website usage information” of this privacy policy, and use that information for website analytics purposes.

Other Google Services

We use several industry-standard Google services to provide particular pieces of website content. These include:

  • Google Fonts: We may use one or more of Google’s web fonts to ensure that our website content is displayed clearly and consistently across all of the different types of devices and browsers.

Each of these services involves our website making a connection to one or more Google servers, and may result in Google placing cookies on your device.

Google Fonts

By using Google Fonts, we make a connection to the Google Fonts API and, unless your browser has already stored a copy of the font in use (by visiting another website that uses it), your browser downloads a copy of that font.

This process happens in near real-time and means that our website content is displayed on your device in the way we had intended it, regardless of whether the particular font is installed on your device.

The Google Fonts API connection is unauthenticated, meaning that it works regardless of whether you are logged into Google. It does not rely on cookies being sent to Google.

Google may capture your device’s IP address as part of this process and uses this data only in aggregate form to understand the popularity of individual fonts.

More detail can be found on the Google Fonts FAQ page.

  • Under the Google Terms of Service, we ask for your consent to process your data in this way (GDPR Article 6(1)(a)) as part of this privacy policy. However, please note that this is not the only lawful basis on which we process this data.
  • We consider that it is in our Legitimate Interest to process data in this way under GDPR Article 6(1)(f). The use of Google Fonts is a means of ensuring a clear and consistent display of our web content in a way that improves user experience. The data collected by Google Fonts is minimal, and we consider that it has a negligible impact on individuals’ data privacy.

Referrals

For the purpose of increasing wage transparency in the world, we make it easy for you to invite other users to create an account and share their wage information. We also may, at times, give bonuses to the inviter, invitee or both when the invitee successfully signs up (e.g., the increased company views monthly limits).

When you provide us with your friend, colleague, or acquaintance's email address and name, we act as a data processor on your behalf and send the invitation email to their email address. We also may use the provided name to personalize that email. Additionally, we may use your full name to allow the invitee to understand why they have received this email, as this is required by most email regulations.

Finally, we are taking great care to not send more than one such invitation email to a single email address. This way, if the invitee has already signed up for this site, or somebody else has invited them previously (including you), we won’t allow you to send another invitation. If you still want to send the invitation, you can copy your personal invitation link and send it to them using other means (e.g., your personal email account, instant messenger, etc.).

Our legal basis for sending this kind of email is our legitimate interest. We are unable to collect the consent of the invitee before sending them such communication. And we believe that it will be beneficial to the invitee and to other users of the platform (including you) if they receive such an invitation, sign up, share their wage entry, and gain access to wage information of other users, from the perspective of wage transparency.

Storage: we do not store this data. We process it once to send the invitation email and then discard it immediately.

What Information We Do Not Collect

We DO NOT collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information.

If you’re a child under the age of 16, you MAY NOT use this website or have an account for any of our products. We do not knowingly collect information from or direct any of our content specifically to children under 16. If we learn or have reason to suspect that you are a user who is under the age of 16, we will, unfortunately, have to close your account and delete any of your data.

Other countries may have different minimum age limits, and if you are below the minimum age for providing consent for data collection in your country, you may not use our website or our products without obtaining your parents’ or legal guardians’ consent.

Changes to this privacy policy

For any non-material changes (e.g., fixing a typo or wording) that don’t affect you as a customer, we’re going to make the changes and publish them on this website, and increase the minor or patch version number (second and third number in the version string respectively). By using this website, you accept this change automatically.

For any material changes, we commit to notifying you via email and seeking your acceptance of the new version of this privacy policy. If you attempt to use our website without accepting the new version, we’re going to seek your acceptance as the first thing when you log in. Such changes increase the major version number (the first number in the version string).