Privacy
1. Welcome to Datawrapper!
This privacy policy is updated to reflect the demands of GDPR (General Data Protection Regulation), effective May 25, 2018. The privacy policy is written to be understood by all users, clearly stating what data we collect, what we do with that data and how you can reach us should there be a concern.
Since we founded Datawrapper we aimed to minimize the need for data collection. We do not sell any data to third parties. Yet, we do share data with a number of platforms which we need to provide the service. We allow registering for an account using existing social media accounts. We do send out newsletters. We are using cookies to track charts and maps, in a technical, anonymous way. Finally, we use contracted service providers to provide our services. This privacy policy provides an overview for all our users, in order to be fully transparent about our use of personal data.
This website and it services are operated by:
Datawrapper GmbH
Raumerstraße 39, 10437 Berlin, Germany
e-mail: support@datawrapper.de
2. Overview: What information is being collected?
For the use of the website and the provision of services, we collect various types of data, some of which are provided by you as a user and some of which are necessary for the use of the website or arise from the use of the website.
Personal data are individual details about personal or professional circumstances of a specific or identifiable natural person, such as your name, your address, your telephone number, your date of birth, your payment data and your IP address.
Your personal data will only be passed on or otherwise transferred to third parties, if the transfer is necessary for contract processing (for example for payment processing or fulfilment of our contractual obligations) or if you have given your express consent. The information is not used for any other purpose.
If we use contracted service providers for individual functions of our offers via this website or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below. We also specify the defined criteria for the storage period.
Using Datawrapper and communicating with us there are several applications and forms of service where data is collected, below is an overview of all those sections:
- Datawrapper Website
- Datawrapper Application (the charting tool)
- Publishing Datawrapper Charts to a website (currently via iFrames, as pure JavaScript code in the future). Here we clarify in this data protection policy what data we collect, which is important for publishers using Datawrapper.
- Datawrapper Blog
- Datawrapper Academy (which we run via a Third Party platform, same as the one used for support tickets)
- Datawrapper Support (where we use a Third-Party platform)
- Newsletter
2.1. How do we collect data?
The data collected by using Datawrapper depends on what specific features are used. Here is a breakdown of when and how we collect data.
We in general take an approach to only collect the minimal data we need to provide our services and do not share user data with commercial Third Parties. However, we do share data to set-up and manage accounts with some external, contracted Third Parties. Below we provide a list of those external, contracted Third Party services we use to set-up and manage accounts. We have carefully selected such services and settings in compliance with GDPR and safety of the platform.
Datawrapper Website: For website visits we track visits and page views using Matomo (formerly Piwik), where the installation of the software is managed by us and hosted in Europe. At any time, you can opt out of this form of tracking using our cookie manager:
Datawrapper Blog: For blog visits we track visits and page views using Matomo (formerly Piwik), where the installation of the software is managed by us and hosted in Europe.
To manage your blog-specific cookie preferences please visit this page.
Setting up a user account: We receive and store personal data to manage accounts for single users and organizations. To set up an account, users can use their e-mail and a self-selected password or as an option they can use single-sign on tools by using their existing accounts on social networks, specifically Facebook, GitHub, Google or Twitter. We leave this decision to the user. Datawrapper recommends using your personal e-mail in order to not share more data than necessary.
Datawrapper App: The “app” is the software where users create charts or maps. Here we store e-mails of users in order to manage accounts and to connect all charts or maps created to an user. We allow the use of generic e-mail accounts (e.g. team@…), should this be a concern for you.
Tracking Datawrapper charts & maps: A published Datawrapper chart can be embedded into any website. To monitor this we use a self-developed, self-hosted tracking system with cookies. This technology only collects technical data, similar to services like Matomo. We do not collect the IP address of users, which is important. What we do collect is data in order to learn about global traffic, usage, but only from a technical point of view. Internally we are able connect user accounts with the number of charts produced and the number of “chart views” the published charts get. A “chart view” is a specific metric for Datawrapper, defined as a view of a chart on a public website. Internal views in the app are not part of the “chart view” metric. For users concerned with privacy we provide the option to use a non-personal e-mail for registering an account.
Support: For the use of our support offering and tutorials in our Datawrapper Academy we use HelpScout, where we receive information via e-mail or through technologies like cookies or web beacons, collecting primarily technical data to help us identify issues and help with support requests.
Newsletter: We sent out occasional newsletters using MailerLite. These e-mails are always and only for information of users, not for Third Party marketing or sharing with others. We have updated our policy based on a double opt in procedure to be compliant with GDPR.
Transactions/payments: To manage payments we rely on two external platforms, which we have contracted based on their functionality and standards of user security and privacy. These services are not authorized to use the personal data for any other purpose than fulfilling billing and payment.
2.2. Data Protection Principles
The following data protection principles apply to the use of our website and other services offered through it (e.g. contact form, registration, application):
- We protect your personal data by taking all reasonable and necessary technical and organizational possibilities so that they are not accessible to unauthorized third parties. Our website and other services offered through it therefore use appropriate encryption mechanisms for the provision of content and during the input and transmission of data. When communicating by e-mail, we also recommend the use of encryption for confidential information
- Person responsible in the meaning of. Art. 4 Para. 7 General Data Protection Regulation (GDPR) is Mirko Lorenz, Raumerstraße 39, 10437 Berlin, Germany (see also via „Imprint“ at our Website). You can contact our us in regard to data protection at support@datawrapper.de or via our postal address with the addition “Data Protection”.
- If you send us e-mail messages or other messages, in particular comments, or enter them directly on the Website, we will retain such messages in order to process the request, respond to questions and improve the Website, products and services. We delete the data arising in this context after the storage is no longer necessary or limit the processing if statutory retention obligations exist.
- If you provide feedback (for example on the Website), we may use and disclose this feedback for any purpose, as long as we do not provide it with your personal data, i.e. anonymously or pseudonymously. The collection of data contained in such feedback and the handling of all personal data contained therein is in accordance with the data protection principles set out herein. Should we want to use a quote or feedback with your name we ask specifically for your consent.
- You have the right to ask about your personal data free of charge at any time. Furthermore, you have the right at any time to revoke your consent to the use of your personal data with effect for the future and to request correction or deletion of the data stored by us.
In particular, you have the following rights towards us with regard to the personal data related to you:- Right to access information,
- Right to correction or erasure,
- right to limitation of processing,
- right of withdrawal of the consent to processing,
- Right to data transferability.
You also have the right to complain to a data protection supervisory authority about our processing of your personal data.
- Please contact the person responsible for data protection at support@datawrapper.de to request information and for withdrawal as well as for notification of a request for deletion; the data protection officer will then provide the information immediately or confirm the execution of your request for deletion. A deletion requested by you will then be carried out subject to statutory retention obligations. If a deletion cannot take place completely due to legal storage obligations, we limit the processing of the data concerned and inform you accordingly.
- For all data we collect we have reasonable organizational, technical and administrative measures to protect your data. To some part we rely on the procedures and security measures of other services, as listed above. In all cases we have ensured that the services we use comply with security guidelines. For services outside of the EU we have checked whether these services comply with EU rules or international equivalents such as updated Safe Harbour policies and agreements. At the time of publication of this privacy policy this was the case for all those services.
- At no time will we contact you to ask for sensible information such as your password or other information. Should you need support to retrieve your password please note that all passwords are encrypted and cannot be accessed even by us. Should you forget your password you might need to re-register as all the passwords are encrypted and not visible to us. We can then start a procedure to re-connect you to the charts you created. Depending on the number of charts we might need a call back number or other means to identify you reliably as the owner and creator of such charts.
- Be aware that no data transmission or storage system is guaranteed to be secure at all times. Should you believe that your data has been compromised in any way be in touch with us. Datawrapper will monitor security standards and actively inform users should we detect a breach.
2.3. Data we collect
Datawrapper collects two types of data: “Personal Data” and “Other Data”.
“Personal data” is defined as data that identifies, or could be used to identify, you as an individual. At Datawrapper we collect data when a user registers for an account. If it is a free account no data other than an e-mail and a password is necessary. Should you upgrade to a paid account, we further collect data needed to execute our contract and process payments, such as Credit Card or bank account as well as your address – for your business or your private address, should you use the paid service for yourself, for tax use.
“Other data” is defined as data we collect via technologies like cookies or beacons in order to monitor the usage of our service, for the purpose of managing resources and ensuring uptime of the service worldwide.
Data we collect may include:
- Browser and device data, such as IP address (stored shortened in accordance with data protection regulations), device type, operating system, Internet browser, screen resolution, model, language. This information serves the purpose of providing high availability and to help users with issues as well as to identify potential bugs of the software and fix them.
- Transaction data such as purchases of Datawrapper services and payments, based on credit card numbers or banking account information.
- Cookie and tracking technology data, such as time spent on the Datawrapper website, pages visited, language preferences, and other anonymous data.
- Company data such as company name, legal type, the postal address and VAT-ID Numbers in order to assign correct taxes in and outside the EU.
2.4. Personal Data which is provided actively by you as a user of the website and its services:
- As far as the website or an action via our website requires a registration, the basic data for the registration, determined by the respective registration form are transmitted, processed and stored and only collected, stored and used for the use of the website and its services as well as the provision of Datawrapper Services. The legal basis is Art. 6 Para. 1 S. 1 lit. b GDPDR.
In the context of such registration we are also entitled to inform you about changes, additions or new versions of the website, changes of our terms and conditions as well as these privacy statement and additional information provided via the website as well as e.g. about new products. - Newsletter: If you register for the subscription of a newsletter, this registration can take place under indication of the e-mail address without further data.
We use the so-called double opt-in procedure for sending the newsletter. As part of this process, we first send the user an e-mail to the specified e-mail address. However, the user will not receive a newsletter by e-mail until the user clicks on the link received in the e-mail and has expressly confirmed to us that we should activate the newsletter service. After your confirmation we will save your e-mail address only for the purpose of sending you the newsletter. The legal basis is Art. 6 Para. 1 S. 1 lit. a GDPDR.
We would like to point out that we evaluate your user behaviour when sending the newsletter. For this analysis, the e-mails sent contain so-called web beacons or tracking pixels, which represent single-pixel image files stored on our website. For evaluation purposes, we link the above data and web beacons to your e-mail address and an individual ID. You can object to this tracking at any time by clicking on the separate link provided in each e-mail or by informing us by another contact method. The information is stored for as long as you have subscribed to the newsletter. After a cancellation we store the data purely statistically and anonymously.
If at any time you no longer wish to receive newsletters from us, you can object to the newsletter subscription at any time without incurring any costs other than the transmission costs according to the basic rates. A message in text form to the contact data specified in the imprint is sufficient for this. Of course, you will also find a unsubscribe link in every newsletter. - Blog: We publish publicly available articles via our blog located at blog.datawrapper.de. To use our blog it is not necessary to be a registered user nor is the blog connected to user data in anyway. For each blog post have the option to leave comments, using third party applications. We do not have access nor control over the information posted to the blog comments. You will need to login or contact the third party applications if you want personal information to be deleted. To learn how the third party applications use your information, please review their respective privacy policies.
- Testimonials: We display personal testimonials of selected clients on our website for marketing purposes. As a general rule reach out to users where we want to display such information and will ask for formal consent via e-mail. With your consent we may then post your testimonial along with your name. If you wish to update or delete a testimonial you can contact us at any time via support@datawrapper.de and we remove such statements instantly.
- However, the server operators are subject to the same data protection standards as we are and are operated in the European Union of if outside the European Union with third-party providers, which provide the same level of data protection as defined in Art. 44 GDPDR.
2.5. Personal Data which is provided by you as a user of Datawrapper as an application
Datawrapper is a charting tool, enabling you as a user to upload data, create a visualization and embed the resulting chart, map, table or other form of visual on any website.
- If you would like to order in Datawrapper as a tool, it is necessary to register for an account. If it is a free account, no data other than an e-mail and a password is necessary. As mentioned above it is possible to use a non-personal, generic e-mail not displaying your name.
- Users have several options to open an account on Datawrapper, no matter whether this is a free or paid account. Single Sign-On means that you can create an account using sign-in services by Facebook, Google, GitHub and Twitter. These services authenticate your identity and will share certain personal information (your name, your email address) with Datawrapper. We can use this information to pre-fill sign in forms and to send out e-mails using a double opt-in system to validate your account. Using this option means that you might be sharing information with the respective providers. There is an option to not use these services by setting up the account yourself, manually.
- Should you upgrade to a paid account, it is necessary for the conclusion of the contract that you enter your personal data, which we need for the completion of your order. Required information for the execution of the contracts are asked for in the relevant order process. We process the data provided by you to process your order. For this purpose, we can pass on your payment data to our payment service provider. The legal basis for this is Art. 6 Para. 1 S. 1 lit. b GDPR.
- We may also process the information you provide to inform you of new features and services in our portfolio or to send you e-mails containing technical information.
- Due to commercial and tax regulations, we are obliged to store your address, payment and order data for a period of ten years. However, after two years we will restrict processing, i.e. this data will only be used to comply with legal obligations.
- To prevent unauthorized access to your personal data, especially financial data, the order process is encrypted using TLS technology.
2.6. Data collected directly in the context of your use of the website:
- In the case of a purely informational use of the website, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser transmits to our server. If you wish to view our website, we collect the following data, which are technically necessary for us to display our website to you and to guarantee its stability and security (legal basis is Art. 6 Para. 1 S. 1 lit. f GDPR):
- IP address (stored shortened in accordance with data protection regulations)
- date and time of the request
- Time zone difference to Greenwich Mean Time (GMT)
- Content of the request (specific page)
- Access status/HTTP status code
- the amount of data transferred in each case
- Website from which the request originates
- Browser name and version, language setting
- When you visit our website and when using the services offered via the website, the server sends one or more cookies – small files containing a string of characters – to the user’s computer or other data processing unit, which uniquely identifies the browser. We use cookies to improve the quality of the website, including to store usage preferences and track user trends.
Cookies can be set in one of the following types:- Transient cookies are automatically deleted when you close your browser. This includes in particular the session cookies. These store a so-called session ID, with which different requests of your browser can be assigned to the common session. This will allow your computer to be recognized when you return to our website. Session cookies are deleted when you log out or close your browser.
- Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in the security settings of your browser.
- You can set your browser to notify you when a cookie is sent. This opens up the possibility of either accepting or rejecting a cookie. The information collected and analyzed is used to improve the services and the website, to personalize the web experience, and to allow easy login to permanently set login cookies.
- We may use the services of third parties to evaluate the efficiency of the website and services and to determine how visitors use the website and or the services and, where appropriate, to provide a personalized user experience when evaluating cookies. The website may use web beacons (tracking pixels) and cookies provided by third parties for this purpose. The information collected by the provider includes the pages visited, navigation patterns and similar data. This data enables us to find out which product information is most interesting for users and which offers users prefer to view. Furthermore, we do not exclude the possibility that we transmit anonymous usage data for market research purposes. Although we may have commissioned third parties to log the data originating from our website, we have control over how this data may or may not be used. The cookie itself does not contain any personal data, but if you provide personal data when visiting the website and do not delete the cookie from your browser after providing this data, the provider collects the non-personal data stored in the cookie (such as the number of visits to the provider) and stores and processes this anonymously.
- If we use Flash cookies, these are not collected by your browser, but by your Flash plug-in. We also use HTML5 storage objects that are stored on your mobile device. These objects store the required data independently of your browser and do not have an automatic expiry date. If you do not wish the Flash cookies to be processed, you must install an appropriate add-on, e.g. “Better Privacy” for Mozilla Firefox (https://addons.mozilla.org/de/firefox/addon/betterprivacy/) or the Adobe Flash killer cookie for Google Chrome. You can prevent the use of HTML5 storage objects by using private mode in your browser. We also recommend that you regularly delete your cookies and your browser history manually.
- This website uses MATOMO, a web-analysis tool (WebAnalytics). You may choose not to be associated with a web analytics cookie (which identifies your computer) to avoid the collection and analysis of data collected on this website. You can decide here whether a unique web analysis cookie may be stored in your browser to enable the operator of the website to collect and analyse various statistical data. If you choose not to, click the following link to access our cookie manager, where you can revoke consent.
MATOMO is used on servers hosted by us.
2.7. Use of Social-Media-Plug-ins
- There is an option for published charts to add social media platforms, in order to share and distribute the content. If a user clicks on these links reposting or redistributing links and charts is managed through the respective services. These plug-ins are not managed by us, but by the the social media platforms based on accounts set up by users.
- We currently use the following social media plug-ins: Facebook, Google+, Twitter, Github, LinkedIn. We use an implementation of these plug-ins, which secures, that when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognize the provider of the plug-in used by the logo shown and/or the additional text information. We offer you the possibility to communicate directly with the provider of the plug-in via such a button. But only if you click on the marked field and thereby activate it, the plug-in provider receives the information that you have accessed the corresponding website. In the case of Facebook and Xing, the IP address is anonymized immediately after collection, according to the respective provider in Germany. By activating the plug-in, personal data is transferred from you to the respective plug-in provider and stored there (for US providers in the USA). Since the plug-in provider collects data mainly via cookies, we recommend that you delete all cookies before clicking on not yet activated button by using your browser’s security settings.
- We have no influence on the data collected and data processing processes, nor are we aware of the full extent of data collection, the purposes of processing, the storage periods. We also have no information on the deletion of the data collected by the plug-in provider.
- The plug-in provider stores the data collected about you as user profiles and uses these for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation takes place in particular (also for not logged in users) for the representation of demand-fair advertisement and in order to inform other users of the social network about your activities on our website. You have a right of objection to the creation of these user profiles, whereby you must contact the respective plug-in provider to exercise this right. Through the plug-ins we offer you the possibility to interact with social networks and other users, so that we can improve our offer and make it more interesting for you as a user. The legal basis for the use of the plug-ins is Art. 6 Para. 1 S. 1 lit. f GDPR.
- The data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in with the plug-in provider, your data collected with us will be directly assigned to your existing account with the plug-in provider. If you click the activated button and, for example, link the page, the plug-in provider also stores this information in your user account and shares it publicly with your contacts. We recommend that you log out regularly after using a social network, especially before activating the button, as this way you can avoid being assigned to your profile with the plug-in provider.
3. Where is the data stored?
Where possible we used self-hosted servers. In order to provide our service we do share your personal information with a number of contracted companies. These companies are authorized to use your personal information only as necessary to provide the services to us, such as managing billing and processing transactions. We share personal data with selected Third Parties. These parties are service providers helping us to perform our service. A transfer of data for any other purpose does not take place.
Below is a list of all services we use in addition to our own systems and servers. Further information on the purpose and scope of data collection and its processing by these services can be found in the data protection declarations of these providers notified below. They will also provide you with further information about your rights in this regard and setting options to protect your privacy:
- We do store user data on Amazon AWS servers, managed by us. More specifically we use AWS EU-Frankfurt (eu-central-1) for user data and USA-Virginia (us-east-1) for published charts. Further inquiries regarding security and other data protection measures can be send to: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, United States, URL: https://aws.amazon.com/de/privacy/.
- ChargeBee is used for storage of user data for the purpose of invoicing and acts as an agent on our behalf. The company participates in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks. URL: https://www.chargebee.com/privacy/
- Stripe is used for the purpose of financial transactions such as payments and credit notes. https://stripe.com/de/privacy
- HelpScout: We use HelpScout as a support software and to provide user support in the Datawrapper Academy. Further information URL: https://www.helpscout.net/company/legal/gdpr/
- Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; further information in regard to personal data processed and/or stored: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=de. Google has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- GitHub Inc., 88 Colin P Kelly Jr Street,San Francisco, California 94107, https://help.github.com/articles/github-privacy-statement/. GitHub Inc has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework
- LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
- MailerLite. We use this service to send newsletters to users, on occasion. There is an option to opt-out of these mailings at the bottom of each of our mails. https://www.mailerlite.com/privacy-policy
4. How long will data be stored?
We store personal data for the period necessary to run the service, fulfil contracts and orders. This is driven by the need to manage accounts, both free. Additionally, we do store data based on obligations by law, for example for the matter of taxation.
Given the nature of our service we retain data of user accounts and specifically the charts a user has created even when these accounts are not in use or have been switched from paid to free. We do not delete any charts or make them unavailable. The reason is that that we try to avoid thousands of blanks in articles where Datawrapper charts or maps have been published.
Any Datawrapper user has the option to entirely delete an account at any time. Should there be specific cases (for example a user who has left an organization and wants to have her or his data deleted) please be in touch so that we can assist in either deleting or re-assigning created charts to an organization.
5. Datawrapper as a Data Processor
It is the nature of a browser charting tool that users upload data with the goal of publishing this information. This means that Datawrapper is acting as the users service provider. Be aware that you as the user responsible that privacy and copyrights of others are respected. Should there be a dispute (e.g. a user has uploaded data from a source without authorization or full publication rights) we will look into the case and take action immediately upon notice, either be the user or an external party.
6. Opt-out options for users
When you register for a Datawrapper account we will use your name and email address to send you emails either for information, marketing or transactional purposes. You may choose to opt out of these services to stop receiving such messages. To do that please follow the unsubscribe instructions at the bottom of these emails or contact us at support@datawrapper.de to unsubscribe you.
In rare occasions, we will also send you service related email announcements when it is necessary to do so. This includes cases where credit card transactions failed or when the service is temporarily not available because of maintenance. You cannot opt out to receive these messages was they are not promotional and needed to manage your user account.
7. Exclusions
On occasion we will display selected charts on our public gallery for promotional purposes, though always by naming the source of these visualizations. In such cases we will be in touch with the respective users to ask for their consent and agreement.
We might need to disclose personal data of single users based on requirements by law, for example should a mis-use of the site or the upload of unauthorized data occur. This might result in legal obligations or urgent needs to suspend or block an account. In such an event we will aim to notify a user that is affected by such actions.
8. Training and Awareness
We have named a person internally responsible for Data Protection, whose responsibility is to ensure that we meet the GDPR requirements now and in the future. We are reviewing our processes every three months, to ensure compliance. We are regularly discussing data protection guidelines with everyone in the team. Further we do evaluate any Third Party service we might be adding for compliance with GDPR regulations.