Privacy Policy / GDPR / Code of Conduct Footer / Minor Changes

.lighthouserc.json

@@ -9,10 +9,10 @@
     },
     "assert": {
       "assertions": {
-        "categories:performance": ["warn", {"minScore": 0.95}],
-        "categories:accessibility": ["error", {"minScore": 1}],
-        "categories:best-practices": ["error", {"minScore": 1}],
-        "categories:seo": ["error", {"minScore": 1}]
+        "categories:performance": ["warn", { "minScore": 0.95 }],
+        "categories:accessibility": ["error", { "minScore": 1 }],
+        "categories:best-practices": ["error", { "minScore": 1 }],
+        "categories:seo": ["error", { "minScore": 1 }]
       }
     }
   }

src/routes/+layout.svelte

@@ -46,7 +46,7 @@
         <p>
           Hack Zenith 2025 is fiscally sponsored by The Hack Foundation (d.b.a. Hack Club), a 501(c)(3) nonprofit (EIN:
           81-2908499). Hack Zenith 2025 is not an official Hack Club event. Use of Hack Club branding does not
-          constitute an endorsement, implied or otherwise, of Hack Zenith 2025 by Hack Club.
+          constitute an endorsement, implied or otherwise.
         </p>
       </div>
       <div class="links">
@@ -59,7 +59,10 @@
       <div class="links">
         <p class="title">Legal</p>
         <ul>
+          <!-- TODO: Add link to Code of Conduct (which does not exist yet) -->
+          <li><a href="/404">Code of Conduct</a></li>
           <li><a href="/privacy">Privacy policy</a></li>
+          <li><a href="/privacy/gdpr">GDPR compliance</a></li>
         </ul>
       </div>
     </div>

src/routes/+page.svelte

@@ -54,7 +54,7 @@
           id="email"
           type="email"
           name="email"
-          placeholder="[email protected]"
+          placeholder="[email protected]"
           required
           data-lp-igore
           data-lpignore="true"

src/routes/privacy/+page.svelte

@@ -3,88 +3,126 @@
 </script>
 
 <Page title="Privacy">
-  <h1>Privacy</h1>
+  <h1>Privacy Policy</h1>
 
-  <p>This privacy notice tells you what to expect us to do with your personal information.</p>
+  <p>
+    This privacy policy explains how Zenith and the Zenith team (referred to as "we" or "us") handles your personal
+    information. For residents of the European Economic Area (EEA) or the United Kingdom (UK) please also refer to our <a
+      href="/privacy/gdpr">GDPR statement</a
+    > for regulations that apply to you.
+  </p>
 
   <h2>Table of contents</h2>
   <ul>
     <li><a href="#contact">Contact details</a></li>
-    <li><a href="#information-collected">Information collected</a></li>
-    <li><a href="#lawful-bases">Our lawful bases for the collection and use of your data</a></li>
-    <li><a href="#retention">How long do we keep your data?</a></li>
-    <li><a href="#sharing">Who do we share your information with?</a></li>
-    <li><a href="#complaints">Complaining about our use of your personal data</a></li>
+    <li><a href="#information-collected">Information we collect</a></li>
+    <li><a href="#why-collect">Why we collect your information</a></li>
+    <li><a href="#lawful-bases">Our lawful bases for processing your data</a></li>
+    <li><a href="#sharing">Who we share your data with and why</a></li>
+    <li><a href="#retention">How long we keep your data for</a></li>
     <li><a href="#last-updated">Last updated</a></li>
+    <li><a href="#rights">Your rights</a></li>
+    <li><a href="#accessibility">Accessibility</a></li>
+    <li><a href="#complaints">Complain about our use of your data</a></li>
   </ul>
 
   <h2 id="contact">Contact details</h2>
   <p>
-    If you have data protection concerns, please send an email to <a href="mailto:[email protected]"
-      >[email protected]</a
-    > and we'll get back to you shortly.
+    If you have any concerns or questions regarding data protection, please reach out to us at <a
+      href="mailto:[email protected]">[email protected]</a
+    >. We'll respond to you as soon as possible. Please ensure that all emails adhere to our Code of Conduct.
   </p>
 
-  <h2 id="information-collected">What information do we collect and why?</h2>
+  <h2 id="information-collected">Information we collect</h2>
   <p>
-    When you ask to be notified when sign-ups open by using the form on our website, we collect and store your email so
-    we can notify you when sign-ups open.<br />
-    We also store the following information:
+    When you opt in to receive a notification via email using the form on our website, we collect, store, and process
+    the following information:
   </p>
   <ul>
-    <li>your IP address</li>
-    <li>your approximate location (the city and country we think you live in)</li>
-    <li>the time of day you sent the request</li>
+    <li><b>Email address:</b> Used to notify you when sign-ups open.</li>
+    <li><b>IP address, approximate location and time of request:</b> For security purposes and spam prevention.</li>
   </ul>
-  <p>We store this information for security purposes, and to prevent spam.</p>
-
-  <h2 id="lawful-bases">Our lawful bases for the collection and use of your data</h2>
   <p>
-    We're allowed to collect your data because by submitting your data (for example, your email) you're consenting to
-    your information being collected. We do not collect information about you from third parties. We only collect the
-    data that you or your device gives us.
+    We'll delete all of your data securely shortly after we have sent the email you signed up for, and no later than 12
+    months since you gave us the data, as outlined in the <a href="#retention">how long we keep your data for</a> section.
   </p>
 
-  <h2 id="retention">How long do we keep your data?</h2>
+  <h2 id="why-collect">Why we collect your information</h2>
+  <p>We collect the information you give us to:</p>
+  <ul>
+    <li>Provide the service you signed up for&mdash;for example, to send you an email when our sign up form opens.</li>
+    <li>Ensure the security of our systems and prevent abuse or spam.</li>
+    <li>Improve the quality of our services based on user patterns and preferences.</li>
+  </ul>
+
+  <h2 id="lawful-bases">Our lawful bases for processing your data</h2>
   <p>
-    When you ask to be notified when sign-ups open using the form on our website, we keep the information that you give
-    us until we send you that email and for no longer than 12 months.<br />
-    After then, we delete the information.
+    We process your data based on the consent you provide when submitting the sign-up notification form. We do not
+    collect information from third parties, and all data is obtained directly from you or your device. If you do not opt
+    in to receive email notifications, this policy does not apply to you. No data is sent, stored, or processed
+    otherwise.
   </p>
 
-  <h2 id="sharing">Who do we share your information with?</h2>
-  <p>Your information is processed by:</p>
+  <h2 id="sharing">Who we share your data with and why</h2>
+  <p>We may share your information with the following entities:</p>
   <ul>
     <li>
-      Cloudflare, which hosts our website and processes your information. Their DPA is <a
-        href="https://www.cloudflare.com/en-gb/cloudflare-customer-dpa/">here</a
-      >, and by using our services you agree to it.
+      <b>Google:</b> We store your data on Google Cloud's servers. See
+      <a href="https://cloud.google.com/terms/data-processing-addendum?hl=en">Google Cloud's data processing addendum</a
+      >.
+    </li>
+    <li>
+      <b>Safeguarding and Legal Obligations:</b> We may share your data with government agencies or legal authorities when
+      required by law or for safeguarding reasons.
     </li>
     <li>
-      Google, which securely stores your information for us to use when we need to. Their DPA <a
-        href="https://cloud.google.com/terms/data-processing-addendum/?hl=en">here</a
-      >, and by using our services you agree to it.
+      <b>With Your Consent:</b> Your data may be shared publicly on our website, social media, or other marketing channels
+      if you have told us you consent to this.
     </li>
   </ul>
   <p>
-    They are only allowed to use that information for the purposes of providing their services to us. They cannot use it
-    to, for example, sell you something.<br />
-    We may also share personal information with:
+    We may add or remove subprocessors at any time. They are under the same obligation as us to keep your data secure
+    and to delete it when you or we request them to.
   </p>
+
+  <h2 id="retention">How long we keep your data for</h2>
+  <p>
+    We keep your personal information with our subprocesses for up to 12 months, as outlined in the <a
+      href="#information-collected">information we collect</a
+    > section. However, we may delete your data sooner than this. After this period, your data will be permanently deleted.
+  </p>
+
+  <h2 id="rights">Your rights</h2>
+  <p>Your country may have data protection rights that apply to you. In most countries, you have the right to:</p>
   <ul>
-    <li>Organisations we need to share information with for safeguarding reasons</li>
-    <li>Organisations we're legally obliged to share personal information with</li>
-    <li>With your consent, publicly on our website, social media or other marketing and information media</li>
+    <li><b>Access:</b> Request a copy of your data.</li>
+    <li><b>Rectification:</b> Request corrections to your data.</li>
+    <li><b>Erasure:</b> Request the deletion of your data.</li>
+    <li><b>Restriction:</b> Request limitations on the processing of your data.</li>
+    <li><b>Objection:</b> Object to certain types of data processing.</li>
   </ul>
+  <p>
+    If you would like to exercise any of your rights, see the <a href="contact">contact details</a> section of this page.
+  </p>
+
+  <h2 id="complaints">Complain about our use of your data</h2>
+  <p>
+    If you have any concerns about how we handle your personal data or wish to have your data deleted, you can file a
+    complaint by contacting us at the email provided at the top of this privacy policy. To verify the request, please
+    contact us using the registered email address associated with the data, or provide proof that the data belongs to
+    you. Any additional information provided for the purpose of data deletion will be deleted after the request has been
+    dealt with.
+  </p>
 
-  <h2 id="complaints">Complaining about our use of your personal data</h2>
+  <h2 id="accessibility">Accessibility</h2>
   <p>
-    If you have any concerns about our use of your personal data, you can make a complaint to us using the contact
-    details at the top of this privacy notice.
+    If you require an accessible version of this website, please email <a href="mailto:[email protected]"
+      >[email protected]</a
+    > and we'll get back to you shortly. Please ensure that all emails adhere to our Code of Conduct.
   </p>
 
-  <h2 id="last-updated">Last updated</h2>
+  <h2 id="last-updated">Last Updated</h2>
   <p>
-    This privacy notice was last updated on the 5th of September, 2024. We may update this privacy notice at any time.
+    This privacy notice was last updated on the 7th of September, 2024. We may update this privacy notice at any time.
   </p>
 </Page>

src/routes/privacy/gdpr/+page.svelte

@@ -0,0 +1,96 @@
+<script>
+  import Page from '$lib/Page.svelte';
+</script>
+
+<Page title="GDPR compliance">
+  <h1>GDPR compliance statement</h1>
+
+  <p>
+    Zenith and the Zenith team (we, us) is committed to ensuring the privacy and protection of your personal data in
+    compliance with the General Data Protection Regulation (GDPR). This statement explains your additional rights as a
+    data subject under the GDPR. Please read our <a href="/privacy">Privacy Policy</a> for more information on how we collect,
+    store, and process personal data.
+  </p>
+
+  <h2>Data Controller</h2>
+  <p>
+    The Zenith Hacks Team is the data controller responsible for the processing of your personal data. If you have any
+    questions or concerns regarding the handling of your data, you may contact us at <a
+      href="mailto:[email protected]">[email protected]</a
+    >. We will respond to your inquiries as soon as possible. Please ensure that all emails adhere to our Code of
+    Conduct.
+  </p>
+
+  <h2>Legal Basis for Processing Your Data</h2>
+  <p>
+    Under the GDPR, we process your personal data based on your <strong>explicit consent</strong>, which you provide
+    when you submit your email address via our sign-up notification form. We only process data that you have actively
+    submitted and do not collect any data from third parties or by you visiting the website. Not submitting your email
+    thus does not allow us to process any of your data.
+  </p>
+  <p>
+    You have the right to withdraw your consent at any time. If you withdraw your consent, we will stop processing your
+    personal data and ensure that it is fully deleted as soon as possible and within compliance of the GDPR.
+  </p>
+
+  <h2>Data Security</h2>
+  <p>
+    We take data security seriously and employ industry-standard measures to protect your personal information from
+    unauthorized access, misuse, or disclosure. Your data is stored on Google's servers, <a
+      href="https://cloud.google.com/privacy/gdpr"
+      >which comply with GDPR regulations
+    </a>. We do not share your personal data with third parties unless required by law or with your explicit consent.
+  </p>
+
+  <h2>Your Rights Under GDPR</h2>
+  <p>As a data subject under the GDPR, you have the following rights regarding your personal data:</p>
+  <ul>
+    <li><strong>Right of Access:</strong> You may request access to the personal data we hold about you.</li>
+    <li><strong>Right to Rectification:</strong> You may request corrections to any inaccurate or incomplete data.</li>
+    <li>
+      <strong>Right to Erasure ("Right to be Forgotten"):</strong> You may request the deletion of your personal data, subject
+      to certain conditions.
+    </li>
+    <li>
+      <strong>Right to Restriction of Processing:</strong> You may request that we restrict the processing of your personal
+      data in certain circumstances.
+    </li>
+    <li>
+      <strong>Right to Data Portability:</strong> You may request that we provide your data in a structured, commonly used,
+      and machine-readable format, or that we transfer it to another data controller.
+    </li>
+    <li>
+      <strong>Right to Object:</strong> You may object to the processing of your personal data in certain circumstances,
+      such as for direct marketing purposes.
+    </li>
+  </ul>
+
+  <h2>Exercising Your Rights</h2>
+  <p>
+    To exercise any of your rights under the GDPR, please contact us at <a href="mailto:[email protected]"
+      >[email protected]</a
+    >. We may require proof that the data belongs to you before we can process your request. We will respond as soon as
+    possible and no later than 30 days after we have recieved your request.
+  </p>
+
+  <h2>International Transfers</h2>
+  <p>
+    If we transfer your personal data outside of the European Economic Area (EEA), we ensure that the data is protected
+    to GDPR standards through appropriate safeguards, such as standard contractual clauses or by working with
+    GDPR-compliant service providers like Google.
+  </p>
+
+  <h2>Filing a Complaint</h2>
+  <p>
+    If you believe that we are not processing your personal data in accordance with the GDPR, you have the right to file
+    a complaint with your <a href="https://www.edpb.europa.eu/about-edpb/about-edpb/members_en"
+      >local data protection authority or supervisory authority in the EEA</a
+    >. In the UK, this is the <a href="https://ico.org.uk/">ICO</a>.
+  </p>
+
+  <h2>Updates to This GDPR Compliance Statement</h2>
+  <p>
+    This GDPR Compliance Statement was last updated on the 7th of September 2024. We may update this statement at any
+    time to reflect changes in our processing activities or legal obligations.
+  </p>
+</Page>