CodeDragon is currently down for maintenance. But we'll be back soon...

...with new features and servers to show for it, to improve your experience of teaching and learning HTML development! As we make the migration, we're putting forward our new Privacy Policy for our existing users to review. We hope to be back by the middle of January, 2023.

Should you have any questions or queries regarding the slight modifications we've made, please get in touch at contact@codedragon.org .

Thank you for your continued patience.
The CodeDdraig Team, December 2023

Our new Privacy Policy.

CodeDragon Privacy Policy

Dated and effective from: 10th January 2024.

Effective under the laws of: England, United Kingdom (UK).

1. Definitions

All references in this document to "the Site" or "the Services" should be taken as referring to "CodeDragon" (https://codedragon.org).

All references in this document to "us", "we" and "our" should be taken as referring to "The CodeDdraig Organisation", the non-profit body which owns and maintains CodeDragon, and its staff and volunteers.

All references in this document to "User(s)", "you" and "your" should be taken as referring to any user who visits CodeDragon, or signs up for an account, and acts as the "Data Subject" for the purposes of this Policy.

"Personally Identifiable Data" or "PID" is any data we hold which could be used to trace back to you, an individual user. This could be, but is not limited to your name or email address.

2. Introduction

2.a. What is this document?

CodeDragon, and The CodeDdraig Organisation, the non-profit which runs CodeDragon (read more here: https://codedragon.org/legal) take your data, and your privacy very seriously.

This document explains what data we collect, how and why we collect it, and how you can exercise your legal rights over this data. It also explains our use of cookies.

Please read the following document in its entirety when you visit CodeDragon, especially when creating an account.

2.b. Data protection laws

When you use CodeDragon, with an account or otherwise, we collect data about you and your computer. Generally, this data will be "private" - it can only be seen by you and us, but in other cases it will be "public" - anyone who visits CodeDragon can see it.

To protect you and your PID from unfair practice and "data breaches" (if we are hacked, and personal data you trust us with is made public), many jurisdictions have created data protection laws, which we, as a Data Controller (someone collecting data) must abide by.

Normally, an organisation collecting personal data based in the UK would have to register with the Information Commissioner's Office (ICO) (https://ico.org.uk) annually. However, as we are a non-profit organisation, and:

  • only process information necessary to establish or maintain membership or support;
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
  • only hold information about individuals whose data you need to process for this exempt purpose (i.e. existing as a non-profit and operating CodeDragon);
  • the personal data we process is restricted to personal information that is necessary for this exempt purpose;
  • only keep the information while the individual is a member or supporter (User) or as long as necessary for member/supporter (User) administration,

we are exempt from registering. However, if we suffer a data breach, we will still report it to the ICO (see Section 8), and if you wish to complain to the ICO about our conduct, you may do so (see Section 9).

This version of the Privacy Policy was drafted to comply with the EU General Data Protection Regulation (GDPR) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679, which came into force across the EU (see list of current member states here: https://europa.eu/european-union/about-eu/countries_en#28members) on 25th May 2018.

Whilst we recognise that not all of our users are normally resident in one of these countries, we follow the rules set out in the GDPR for all of our users, regardless of their physical location, for the following reasons:

  1. We are normally located in the UK, currently an EU member state, and so are bound by these laws.
  2. Our server is physically located in London, UK, and thus any issues would be handled under UK and, therefore, EU law.
  3. We think that the GDPR, and data protection are very important for our users, and will therefore undertake commitments made in it for all our users, regardless of their jurisdiction.

We have endeavoured to be compliant with all aspects of the GDPR, and wish to protect your rights in the EU, however, we make no representations that CodeDragon is appropriate or available for use in other locations. Those who access or use CodeDragon in other jurisdictions do so in the knowledge that CodeDragon may not be compliant with that jurisdiction's data protection laws.

2.c. Collecting PID

We collect certain data from all users who visit the site, regardless of whether they create an account or not.

2.c.i. If you do not have an account

If you are using CodeDragon, but do not have an account, we do not collect PID about you.

If you are using CodeDragon, but have not created an account, the entirety of this Policy excluding Section 5 applies to you when using the Services.

By using CodeDragon without an account, it is deemed that you have read, understood, and accepted the terms of the entirety of this Policy excluding Section 5. This includes the fact that we may collect your data. If you do not agree with the entirety of this Policy excluding Section 5, do not use CodeDragon.

2.c.ii. If you do have an account, or are creating an account

If you are using CodeDragon, and do have an account, or are about to create an account, we do collect PID about you.

The lawful purpose for this, as mandated by the GDPR, is that we have your clear consent to collect, store and process your PID. You give us this consent by accepting this agreement when signing up. You do this by ticking the box with the caption:

I agree to the Terms of Use and the Privacy Policy

on our sign up page.

If you are under 16 years old, we gain your parent or guardian's consent to do this, when they tick the box with the caption:

Parent or guardian (aged over 16 years) approves this sign up, and agrees to the Terms of Use and Privacy Policy

on our sign up page.

If you are using CodeDragon, and have created an account (regardless of whether you are signed into it), or are about to create an account, the entirety of this Policy applies to you when using the Services.

By using CodeDragon with an account, or by creating an account, it is deemed that you have read, understood, accepted and agreed to abide by the terms of the entirety of this Policy. This includes the fact that we may collect your data. If you do not agree with the entirety of this Policy, do not use CodeDragon.

2.d. Changes to this Policy

If any changes are made to this Policy with which you disagree, you must stop using CodeDragon.

If you have an account, this means you must delete it.

For more information about changes to this Policy, please see Section 10.d.

2.e. Terms of Use

All users, regardless of whether they hold an account, should also read and must agree to our Terms of Use: https://codedragon.org/legal/terms.

3. Cookies

3.a. What are cookies?

Cookies are small text files placed on your device by a website. Their content is set by the website, and they allow the website to "pick up where it left off" if you leave the website and then return, by storing your preferences and some data in your device's memory.

Most cookies automatically expire - this means that they will delete themselves from your device after a set period of time has elapsed.

3.b. CodeDragon's use of cookies

CodeDragon uses cookies to enhance user experience, and to collect demographic and statistical data about our user base. Please read the rest of this Policy to learn about the different cookies we use.

3.c. Managing cookies

If you wish, you can manage all cookies set by CodeDragon manually by following the instructions here: http://www.allaboutcookies.org/manage-cookies.

4. For all users

Whether you create an account on the Site or not, we still collect some data about the device you use to access the Site. None of this is PID.

4.a. Cookie consent

For all users accessing the Site, we need to gain your consent to collect the non-PID and store cookies on your device. We do this by getting you to agree expressly to the Privacy Policy and Terms of Use.

We attain this agreement by showing you a "modal" (also known as a "dialog box") which contains the statement:

By continuing to use CodeDragon, you affirm that you agree with the relevant sections of the Privacy Policy and Terms of Use, including the use of cookies.

followed by a link to this Policy, on a modal (dialog box) which appears when you visit the site for the first time.

If you click "I agree" to this statement, we store a cookie called cookieconsent_status on your device to tell the code not to show this message again, until the cookie expires. This cookie expires after 1 year. You can manage this cookie by following the instructions in Section 3.c.

As no data is actually collected by us here, your GDPR rights are not applicable.

4.b. Google Analytics

CodeDragon uses a third party called Google Analytics to collect data about the devices of users, their geographical location (limited to cities and countries) and their demographics (gender and age, if signed into a Google Account), to give us a better picture of our user base.

None of the data collected by Google Analytics is personally identifiable (the data cannot be used to link back to you as a person), thus the GDPR rights to access, rectification and erasure are not applicable.

If you do not want data about your device collected in this way, please install the official Google Analytics opt-out extension from the following URL: https://tools.google.com/dlpage/gaoptout.

Google Analytics identifies your device by storing 3 cookies on it, which expire after the length of time given in brackets: _ga (2 years), _gid (24 hours), _gat_UA-112001019-1 (90 days). These times are reset every time you visit CodeDragon. You can manage these cookies by following the instructions in Section 3.c.

You can learn more about the cookies used by Google Analytics here (note: this page is technical documentation): https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.

5. For account holders

When you have an account on CodeDragon, we collect and store Personally Identifiable Data (PID) from you.

5.a. Collecting and storing PID

We have access to all your PID at all times.

5.a.i. When you sign up

When you sign up for a CodeDragon account, we create an Account Database Entry (ADE) in our database for you.

Some of your PID is publicly available on your profile page. It is marked with {P} on the list below.

Some of your PID is hashed in your ADE. This means that no-one, not even us or you, can see the original entry. It is marked with {H} on the list below.

The following PID is entered into your ADE during the user creation process:

  • Full name {P}
  • Email address
  • Gender
  • Country of origin
  • Password {H}
  • Under 13 years of age?
    • If so, then: Parent's full name
  • Newsletter consent (optional)

A username is automatically generated for you, which is also stored in your ADE, and is publicly available and not hashed. Please see Section 4.d. of our Terms of Use for more information about this. The username is not PID.

5.a.ii. When you create Content on the Site

When you create or edit a project on the Site, or post a comment on a project, we keep a log that you have done this in your ADE.

A project or comment in itself is not PID, but your PID may be displayed next to a comment or project you create.

We accept no responsibility for any PID you include in a project or comment.

5.a.ii.1. Projects

When you create a project, it can be set to Public, Private or Unlisted. This setting cannot be changed once the project has been created.

Public = anyone, regardless of whether they have an account, can see your project on the CodeDragon website. Your project may appear anywhere on the CodeDragon website, as well as on our social media channels and in external search engine results (such as Google).

Private = only you, when signed into your account, can see your project on the CodeDragon website. It is not shown anywhere other than on your dashboard and on your profile (only you can see it on your profile).

Unlisted = anyone, regardless of whether they have an account, who has a link to your project can see your project on the CodeDragon website. However, the project is not listed in search results, "Trending projects", your profile pages, or in the "Users also liked" section of projects. Your project may still appear in external search engine results (such as Google).

If any projects are marked as Private or Unlisted, these will only be shown to you when you visit your profile page. Other users will not be able to see them on your profile page. However, other users will see a message at the bottom of your profile page stating the amount of Private or Unlisted projects that you have created and they cannot access.

5.a.iii. When you are logged in, and are otherwise using the Site

5.a.iii.1. Feeds

Each user has a 'feed' of events and information, delivered automatically to their dashboard. This may include information about projects that you created or that users you follow have created. Other users that follow your profile will receive an automated feed 'item' when you:

  • Create a project
  • Delete a project
  • Like a project
  • Comment on a project

You will also receive the same feed item. However, your followers will not receive feed items regarding your private or unlisted projects. Only information about public projects will be delivered to followers. Regardless, you will receive information about your own private and unlisted projects.

5.a.iii.2. session cookie

The session cookie is created automatically when you visit the CodeDragon website. It is used to identify your session on our website and to associate certain back-end variables with it. These include, but are not limited to, the username of the authenticated user (if any), your session duration, and other analytics data.

5.a.iii.3. token cookie

The token cookie is create automatically when you select the 'Remember me' option during sign in. It stores a token for an extended period of time which keeps you signed in while it exists.

5.a.iii.4. hide-donation cookie

This cookie is created when you dismiss the donation prompt on your dashboard. Once it has been created, it ensures that the prompt is not shown to you on the same device for an extended period of time.

5.a.iii.5. Freshchat cookies

When you use our live chat tool (powered by Freshchat), certain cookies are stored on your computer (by Freshworks Inc, a third party). A full list of those cookies can be found here.

5.a.iii.6. Flagging

If you find inappropriate content on the site, you can report it to us with the "Flag" button. All information entered on a Flag form will be kept private, unless under Section 6 of this Policy.

5.b. Third parties

N.B. Some of the third parties listed here are not based in the EU, but in the United States of America. Those which are in the USA may be certified under the EU-US Privacy Shield, which means that the third party in the USA voluntarily agrees to abide by EU data protection laws, i.e. the GDPR. You can read more about the EU-US Privacy Shield, and what it means for you here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en.

We share your PID with the following third parties.

5.b.i. Algolia

Name of company: ALGOLIA SAS

Country of registration: France, an EU member state

Company registration number: 788680858

Link to data processing addendum (latest version signed by us): Click here

What the third party does: Provides fast searching functionality on our website

What PID they get from us: The full name of users as well as extensive information about projects (only public projects)

Why do they need the PID: The PID is displayed to users in the search bar when a query term is deemed to match a user or project

Other notes: Full legal information is available at https://www.algolia.com/policies/legal

5.b.ii. Mailchimp

Name of company: The Rocket Science Group, LLC

Country of registration: United States of America (Georgia), not an EU member state

Company registration number: 0028959

Link to GDPR data processing addendum (latest version signed by us): Click here

What the third party does: Provides newsletter subscriber management and campaign creation/sending

What PID they get from us: The email address and first and last name of users

Why they need the PID: The names are used to personalise messages and the email address to dispatch newsletters

Other notes: Certified under the EU-US Privacy Shield

5.b.iii. Sendgrid

Name of company: Sendgrid Inc.

Country of registration: United States of America (Colorado), not an EU member state

Company registration number: 20091597249

Link to data processing addendum (latest version signed by us): Click here

What the third party does: Provides transactional emails, such as those you receive when you forget your password, or to verify a new account

What PID they get from us: The email address and first and last name of users

Why they need the PID: The names are used to personalise messages and the email address to dispatch the messages

Other notes: Certified under the EU-US Privacy Shield

5.b.iv. Stream

Name of company: Stream.io Inc.

Country of registration: United States of America (Colorado), not an EU member state

Company registration number: 20151529126

Link to data processing addendum (latest version signed by us): Does not exist

What the third party does: Handles following, likes and comments of users and projects

What PID they get from us: All user data we hold, although only your username and full name are actually processed

Why they need the PID: To operate the following, likes and comments system

Other notes: Certified under the EU-US Privacy Shield

5.b.v. Freshchat

Name of company: Freshworks Inc.

Country of registration: United States of America (California), not an EU member state.

Company registration number: C3670338

Link to data processing addendum: Click here

What the third party does: Handles live chat on our website. Your name, username and email address are automatically sent to Freshchat when you're signed in and you visit any page on CodeDragon.

Why they need the PID: We store your name, username, and email address on Freshchat to give you quicker support and to identify you quicker.

Other notes: Certified under the EU-US Privacy Shield.

5.b.vi. Google

Name of company: Google Cloud EMEA Ltd

Country of registration: Ireland

Link to data processing addendum: Click here

What the third party does: Hosts and stores all user and project data, as well as processing all data about incoming requests to the service.

Why they need the PID: Google process the data on a legitimate interest basis in order to be able to provide and host the service.

5.c. Exercising your GDPR rights over data we hold

The GDPR provides you with 8 rights over your personal data. These, and the ways in which you may exercise them, are listed below.

In any case, if you are not able to exercise the rights using your Account Settings page on the Site, you can contact us to make a request that an action is carried out on your behalf.

Where we suggest that you contact us, please see Section 9 for more information.

5.c.i. The right to be informed (GDPR Articles 12, 13 and 14)

You can exercise this right by reading this Policy, and contacting us if anything is unclear.

5.c.ii. The right to access (GDPR Articles 12 and 15)

You can exercise this right by reading this Policy and viewing your Account Settings page on the Site, where all PID we store about you is displayed.

5.c.iii. The right to rectification (correction) (GDPR Articles 12 and 16)

You can exercise this right by emailing the correct PID to us. See your Account Settings page on the Site for more information.

When you rectify your PID on the Site, it may take up to 72 hours for the rectified data to be indexed by our third parties.

We reserve the right to retain the un-corrected PID for up to 30 days after you make the rectification, in case law enforcement authorities request to see the un-corrected PID.

5.c.iv. The right to erasure (GDPR Articles 12 and 17)

You can exercise this right by deleting your account on your Account Settings page on the Site.

When you delete your PID on the Site, it may take up to 72 hours for the deletion to take place in the indices of our third parties.

Note that this action is irreversible and permanent.

We reserve the right to retain your PID for up to 30 days after you delete your account, in case law enforcement authorities request to see the PID.

5.c.v. The right to restriction of processing (GDPR Articles 12 and 18)

You cannot exercise this right, as we store your data for a lawful purpose, as defined and agreed to in Section 2.c.ii..

5.c.vi. The right to data portability (GDPR Articles 12 and 20)

You can exercise this right be downloading a copy of all PID we store about you from your Account Settings page on the Site, in a machine-readable format.

This format is "JavaScript Object Notation", more commonly known as "JSON". A detailed guide to interpreting JSON can be found at the following URL: https://developers.squarespace.com/what-is-json.

If you wish to convert your PID to another commonly used machine-readable format, such as Extensible Markup Language (XML) or Comma Separated Values (CSV), you can do so with the following converter websites:

JSON to XML converter: http://convertjson.com/json-to-xml.htm

JSON to CSV converter: http://convertcsv.com/json-to-csv.htm

5.c.vii. The right to prevent processing

You cannot exercise this right, as we store your data for a lawful purpose, as defined and agreed to in Section 2.c.ii..

5.c.viii. The right to not be subject to automated decision making

You cannot exercise this right, as you are not subjected to automated decision making when using CodeDragon.

6. Sharing your data with law enforcement

We may disclose data we collect through the Site (including PID) to third parties not listed in Section 5.b. in the following circumstances, when required or requested to do so by law enforcement or other legal authorities:

  • under applicable law, including laws outside your country of residence;
  • to comply with legal processes;
  • to respond to requests from public and government authorities, such as schools and law enforcement, including such authorities outside your country of residence;
  • to enforce our Terms of Use;
  • to protect our rights, privacy, safety, or property, you, or others;
  • to allow us to pursue available remedies or limit the damages that we may sustain.

7. Cross-border data transfer

CodeDragon is based in the UK, which is in the EU. Personally identifiable data which we collect may be transferred to, and stored at, any of our affiliates, partners, or service providers (including third parties) which may be inside or outside the EU, including the United States of America.

Please see Section 5.b. for more information about which of our third parties are based outside the EU, and which are covered under the EU-US Privacy Shield.

8. Cyber attacks and data breaches

We maintain a database of PID on our computer systems, from those users who sign up for an account with us. If we, or one of our third parties suffered from a cyber attack, the perpetrators could gain unlawful access to this database, and use the information in it to commit identity theft from users.

We carry out regular audits of security, and believe the likelihood to such an attack to be very low, but in the unlikely event that an attack does take place, the privacy of our users' PID is paramount.

For the purposes of reporting data breaches to authorities, our Data Protection Officer is the Director of the CodeDdraig Organisation.

8.a. If we are attacked

If our computer systems are attacked directly, and we believe that the privacy of PID could be at risk, the following protocol will be followed:

When we become aware of a cyber attack:

  • Open a cyber attack log, to document all actions taken.
  • Ascertain scale of attack to decide an on appropriate course of action.
  • Place a notice on the Site to state that a cyber attack has taken place and is being investigated, and email all account holders with a message to the same effect.
  • Make copies of server logs to share with authorities.

Within 72 hours of us becoming aware of the cyber attack:

  • Find out the extent of the data breach - i.e. what PID about which users was taken.
  • Email known affected users to inform them that they have been targeted, the actions taken, and advice to keep their account secure (such as changing passwords).
  • Make a report to the ICO (https://ico.org.uk), containing a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned;
    • the categories and approximate number of personal data records concerned;
    • the name and contact details of the data protection officer;
    • a description of the likely consequences of the personal data breach;
    • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

Within 2 weeks of us becoming aware of the cyber attack, and when investigations by authorities have concluded:

  • Conduct an internal review into the handling of the attack.
  • Remove warning notices on the Site, replace with a notice about the outcomes of the above review, and email all account holders with a message to the same effect.
  • Close the cyber-attack log.

8.b. If one of our third parties is attacked

If the computer systems of one of our third parties listed in Section 5.b. is attacked, and we believe that the privacy of PID could be at risk, we will take advice from that third party, and follow the protocol in Section 8.a., save that we are not under obligation to report to any authority - this is the obligation of the attacked third party.

9. If you have a problem

If you have a problem, question or would like to exercise your rights over your PID but cannot, you can contact us.

You can do this by emailing us at privacy [at] codedragon [dot] org. Please include your username and details of your query. You will normally receive a response from us within 30 days from the receipt of your message.

If you believe we have acted dishonestly, unlawfully or incorrectly, or have other concerns about our handling of PID, you can make a complaint to the ICO. Details of how to do this are given on the ICO website: https://ico.org.uk/make-a-complaint.

10. Contractual Information

10.a. Choice of law and venue

You agree that this Policy, for all purposes, will be governed and construed in accordance with the laws of the England, UK, applicable to contracts to be wholly performed therein, and any action based on, relating to, or alleging a breach of this Policy must be brought in a court of law in England, UK.

10.b. Choice of language

If we provide you with a translation of the English language version of this Policy, then you agree that the translation is provided for informational purposes only, and does not modify the English language version. In the event of a conflict between a translation and the English version, the English version will govern.

10.c. No waiver

No waiver of any term of this Policy will be deemed a further or continuing waiver of such term or any other term, and our failure to assert any right or provision under this Policy will not constitute a waiver of such right or provision.

10.d. Changes to this Policy

We may change this Policy from time to time. You can always find the latest version of the Privacy Policy at https://codedragon.org/legal/privacy. The date of the most recent revisions will appear on this page, and in this document.

We will give at least 14 days notice of any change to this Policy by placing a notice on the CodeDragon website (for those without accounts) and by emailing all users with accounts with messages to this effect.

Your continued use of CodeDragon constitutes your acceptance of any changes to or revisions of the Privacy Policy.

10.e. Entire agreement

This document, together with all and any appendices, constitutes the entire Privacy Policy and supersedes all previous privacy policies relating to the use of CodeDragon.

Revision date: 26th December 2023.

Our previous Privacy Policy can be viewed below.

CodeDragon Privacy Policy

Dated and effective from: 31st January 2020.

Effective under the laws of: England, United Kingdom (UK).

1. Definitions

All references in this document to "the Site" or "the Services" should be taken as referring to "CodeDragon" (https://codedragon.org).

All references in this document to "us", "we" and "our" should be taken as referring to "The CodeDdraig Organisation", the non-profit body which owns and maintains CodeDragon, and its staff and volunteers.

All references in this document to "User(s)", "you" and "your" should be taken as referring to any user who visits CodeDragon, or signs up for an account, and acts as the "Data Subject" for the purposes of this Policy.

"Personally Identifiable Data" or "PID" is any data we hold which could be used to trace back to you, an individual user. This could be, but is not limited to your name or email address.

2. Introduction

2.a. What is this document?

CodeDragon, and The CodeDdraig Organisation, the non-profit which runs CodeDragon (read more here: https://codedragon.org/legal) take your data, and your privacy very seriously.

This document explains what data we collect, how and why we collect it, and how you can exercise your legal rights over this data. It also explains our use of cookies.

Please read the following document in its entirety when you visit CodeDragon, especially when creating an account.

2.b. Data protection laws

When you use CodeDragon, with an account or otherwise, we collect data about you and your computer. Generally, this data will be "private" - it can only be seen by you and us, but in other cases it will be "public" - anyone who visits CodeDragon can see it.

To protect you and your PID from unfair practice and "data breaches" (if we are hacked, and personal data you trust us with is made public), many jurisdictions have created data protection laws, which we, as a Data Controller (someone collecting data) must abide by.

Normally, an organisation collecting personal data based in the UK would have to register with the Information Commissioner's Office (ICO) (https://ico.org.uk) annually. However, as we are a non-profit organisation, and:

  • only process information necessary to establish or maintain membership or support;
  • only process information necessary to provide or administer activities for people who are members of the organisation or have regular contact with it;
  • only hold information about individuals whose data you need to process for this exempt purpose (i.e. existing as a non-profit and operating CodeDragon);
  • the personal data we process is restricted to personal information that is necessary for this exempt purpose;
  • only keep the information while the individual is a member or supporter (User) or as long as necessary for member/supporter (User) administration,

we are exempt from registering. However, if we suffer a data breach, we will still report it to the ICO (see Section 8), and if you wish to complain to the ICO about our conduct, you may do so (see Section 9).

This version of the Privacy Policy was drafted to comply with the EU General Data Protection Regulation (GDPR) http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679, which came into force across the EU (see list of current member states here: https://europa.eu/european-union/about-eu/countries_en#28members) on 25th May 2018.

Whilst we recognise that not all of our users are normally resident in one of these countries, we follow the rules set out in the GDPR for all of our users, regardless of their physical location, for the following reasons:

  1. We are normally located in the UK, currently an EU member state, and so are bound by these laws.
  2. Our server is physically located in London, UK, and thus any issues would be handled under UK and, therefore, EU law.
  3. We think that the GDPR, and data protection are very important for our users, and will therefore undertake commitments made in it for all our users, regardless of their jurisdiction.

We have endeavoured to be compliant with all aspects of the GDPR, and wish to protect your rights in the EU, however, we make no representations that CodeDragon is appropriate or available for use in other locations. Those who access or use CodeDragon in other jurisdictions do so in the knowledge that CodeDragon may not be compliant with that jurisdiction's data protection laws.

2.c. Collecting PID

We collect certain data from all users who visit the site, regardless of whether they create an account or not.

2.c.i. If you do not have an account

If you are using CodeDragon, but do not have an account, we do not collect PID about you.

If you are using CodeDragon, but have not created an account, the entirety of this Policy excluding Section 5 applies to you when using the Services.

By using CodeDragon without an account, it is deemed that you have read, understood, and accepted the terms of the entirety of this Policy excluding Section 5. This includes the fact that we may collect your data. If you do not agree with the entirety of this Policy excluding Section 5, do not use CodeDragon.

2.c.ii. If you do have an account, or are creating an account

If you are using CodeDragon, and do have an account, or are about to create an account, we do collect PID about you.

The lawful purpose for this, as mandated by the GDPR, is that we have your clear consent to collect, store and process your PID. You give us this consent by accepting this agreement when signing up. You do this by ticking the box with the caption:

I agree to the Terms of Use and the Privacy Policy

on our sign up page.

If you are under 16 years old, we gain your parent or guardian's consent to do this, when they tick the box with the caption:

Parent or guardian (aged over 16 years) approves this sign up, and agrees to the Terms of Use and Privacy Policy

on our sign up page.

If you are using CodeDragon, and have created an account (regardless of whether you are signed into it), or are about to create an account, the entirety of this Policy applies to you when using the Services.

By using CodeDragon with an account, or by creating an account, it is deemed that you have read, understood, accepted and agreed to abide by the terms of the entirety of this Policy. This includes the fact that we may collect your data. If you do not agree with the entirety of this Policy, do not use CodeDragon.

2.d. Changes to this Policy

If any changes are made to this Policy with which you disagree, you must stop using CodeDragon.

If you have an account, this means you must delete it.

For more information about changes to this Policy, please see Section 10.d.

2.e. Terms of Use

All users, regardless of whether they hold an account, should also read and must agree to our Terms of Use: https://codedragon.org/legal/terms.

3. Cookies

3.a. What are cookies?

Cookies are small text files placed on your device by a website. Their content is set by the website, and they allow the website to "pick up where it left off" if you leave the website and then return, by storing your preferences and some data in your device's memory.

Most cookies automatically expire - this means that they will delete themselves from your device after a set period of time has elapsed.

3.b. CodeDragon's use of cookies

CodeDragon uses cookies to enhance user experience, and to collect demographic and statistical data about our user base. Please read the rest of this Policy to learn about the different cookies we use.

3.c. Managing cookies

If you wish, you can manage all cookies set by CodeDragon manually by following the instructions here: http://www.allaboutcookies.org/manage-cookies.

4. For all users

Whether you create an account on the Site or not, we still collect some data about the device you use to access the Site. None of this is PID.

4.a. Cookie consent

For all users accessing the Site, we need to gain your consent to collect the non-PID and store cookies on your device. We do this by getting you to agree expressly to the Privacy Policy and Terms of Use.

We attain this agreement by showing you a "modal" (also known as a "dialog box") which contains the statement:

By continuing to use CodeDragon, you affirm that you agree with the relevant sections of the Privacy Policy and Terms of Use, including the use of cookies.

followed by a link to this Policy, on a modal (dialog box) which appears when you visit the site for the first time.

If you click "I agree" to this statement, we store a cookie called cookieconsent_status on your device to tell the code not to show this message again, until the cookie expires. This cookie expires after 1 year. You can manage this cookie by following the instructions in Section 3.c.

As no data is actually collected by us here, your GDPR rights are not applicable.

4.b. Google Analytics

CodeDragon uses a third party called Google Analytics to collect data about the devices of users, their geographical location (limited to cities and countries) and their demographics (gender and age, if signed into a Google Account), to give us a better picture of our user base.

None of the data collected by Google Analytics is personally identifiable (the data cannot be used to link back to you as a person), thus the GDPR rights to access, rectification and erasure are not applicable.

If you do not want data about your device collected in this way, please install the official Google Analytics opt-out extension from the following URL: https://tools.google.com/dlpage/gaoptout.

Google Analytics identifies your device by storing 3 cookies on it, which expire after the length of time given in brackets: _ga (2 years), _gid (24 hours), _gat_UA-112001019-1 (90 days). These times are reset every time you visit CodeDragon. You can manage these cookies by following the instructions in Section 3.c.

You can learn more about the cookies used by Google Analytics here (note: this page is technical documentation): https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.

5. For account holders

When you have an account on CodeDragon, we collect and store Personally Identifiable Data (PID) from you.

5.a. Collecting and storing PID

We have access to all your PID at all times.

5.a.i. When you sign up

When you sign up for a CodeDragon account, we create an Account Database Entry (ADE) in our database for you.

Some of your PID is publicly available on your profile page. It is marked with {P} on the list below.

Some of your PID is hashed in your ADE. This means that no-one, not even us or you, can see the original entry. It is marked with {H} on the list below.

The following PID is entered into your ADE during the user creation process:

  • Full name {P}
  • Email address
  • Gender
  • Country of origin
  • Password {H}
  • Under 13 years of age?
    • If so, then: Parent's full name
  • Newsletter consent (optional)

A username is automatically generated for you, which is also stored in your ADE, and is publicly available and not hashed. Please see Section 4.d. of our Terms of Use for more information about this. The username is not PID.

5.a.ii. When you create Content on the Site

When you create or edit a project on the Site, or post a comment on a project, we keep a log that you have done this in your ADE.

A project or comment in itself is not PID, but your PID may be displayed next to a comment or project you create.

We accept no responsibility for any PID you include in a project or comment.

5.a.ii.1. Projects

When you create a project, it can be set to Public, Private or Unlisted. This setting cannot be changed once the project has been created.

Public = anyone, regardless of whether they have an account, can see your project on the CodeDragon website. Your project may appear anywhere on the CodeDragon website, as well as on our social media channels and in external search engine results (such as Google).

Private = only you, when signed into your account, can see your project on the CodeDragon website. It is not shown anywhere other than on your dashboard and on your profile (only you can see it on your profile).

Unlisted = anyone, regardless of whether they have an account, who has a link to your project can see your project on the CodeDragon website. However, the project is not listed in search results, "Trending projects", your profile pages, or in the "Users also liked" section of projects. Your project may still appear in external search engine results (such as Google).

If any projects are marked as Private or Unlisted, these will only be shown to you when you visit your profile page. Other users will not be able to see them on your profile page. However, other users will see a message at the bottom of your profile page stating the amount of Private or Unlisted projects that you have created and they cannot access.

5.a.iii. When you are logged in, and are otherwise using the Site

5.a.iii.1. Feeds

Each user has a 'feed' of events and information, delivered automatically to their dashboard. This may include information about projects that you created or that users you follow have created. Other users that follow your profile will receive an automated feed 'item' when you:

  • Create a project
  • Delete a project
  • Like a project
  • Comment on a project

You will also receive the same feed item. However, your followers will not receive feed items regarding your private or unlisted projects. Only information about public projects will be delivered to followers. Regardless, you will receive information about your own private and unlisted projects.

5.a.iii.2. session cookie

The session cookie is created automatically when you visit the CodeDragon website. It is used to identify your session on our website and to associate certain back-end variables with it. These include, but are not limited to, the username of the authenticated user (if any), your session duration, and other analytics data.

5.a.iii.3. token cookie

The token cookie is create automatically when you select the 'Remember me' option during sign in. It stores a token for an extended period of time which keeps you signed in while it exists.

5.a.iii.4. hide-donation cookie

This cookie is created when you dismiss the donation prompt on your dashboard. Once it has been created, it ensures that the prompt is not shown to you on the same device for an extended period of time.

5.a.iii.5. Freshchat cookies

When you use our live chat tool (powered by Freshchat), certain cookies are stored on your computer (by Freshworks Inc, a third party). A full list of those cookies can be found here.

5.a.iii.6. Flagging

If you find inappropriate content on the site, you can report it to us with the "Flag" button. All information entered on a Flag form will be kept private, unless under Section 6 of this Policy.

5.b. Third parties

N.B. Some of the third parties listed here are not based in the EU, but in the United States of America. Those which are in the USA may be certified under the EU-US Privacy Shield, which means that the third party in the USA voluntarily agrees to abide by EU data protection laws, i.e. the GDPR. You can read more about the EU-US Privacy Shield, and what it means for you here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en.

We share your PID with the following third parties.

5.b.i. Algolia

Name of company: ALGOLIA SAS

Country of registration: France, an EU member state

Company registration number: 788680858

Link to data processing addendum (latest version signed by us): Click here

What the third party does: Provides fast searching functionality on our website

What PID they get from us: The full name of users as well as extensive information about projects (only public projects)

Why do they need the PID: The PID is displayed to users in the search bar when a query term is deemed to match a user or project

Other notes: Full legal information is available at https://www.algolia.com/policies/legal

5.b.ii. Mailchimp

Name of company: The Rocket Science Group, LLC

Country of registration: United States of America (Georgia), not an EU member state

Company registration number: 0028959

Link to GDPR data processing addendum (latest version signed by us): Click here

What the third party does: Provides newsletter subscriber management and campaign creation/sending

What PID they get from us: The email address and first and last name of users

Why they need the PID: The names are used to personalise messages and the email address to dispatch newsletters

Other notes: Certified under the EU-US Privacy Shield

5.b.iii. Sendgrid

Name of company: Sendgrid Inc.

Country of registration: United States of America (Colorado), not an EU member state

Company registration number: 20091597249

Link to data processing addendum (latest version signed by us): Click here

What the third party does: Provides transactional emails, such as those you receive when you forget your password, or to verify a new account

What PID they get from us: The email address and first and last name of users

Why they need the PID: The names are used to personalise messages and the email address to dispatch the messages

Other notes: Certified under the EU-US Privacy Shield

5.b.iv. Stream

Name of company: Stream.io Inc.

Country of registration: United States of America (Colorado), not an EU member state

Company registration number: 20151529126

Link to data processing addendum (latest version signed by us): Does not exist

What the third party does: Handles following, likes and comments of users and projects

What PID they get from us: All user data we hold, although only your username and full name are actually processed

Why they need the PID: To operate the following, likes and comments system

Other notes: Certified under the EU-US Privacy Shield

5.b.v. Freshchat

Name of company: Freshworks Inc.

Country of registration: United States of America (California), not an EU member state.

Company registration number: C3670338

Link to data processing addendum: Click here

What the third party does: Handles live chat on our website. Your name, username and email address are automatically sent to Freshchat when you're signed in and you visit any page on CodeDragon.

Why they need the PID: We store your name, username, and email address on Freshchat to give you quicker support and to identify you quicker.

Other notes: Certified under the EU-US Privacy Shield.

5.c. Exercising your GDPR rights over data we hold

The GDPR provides you with 8 rights over your personal data. These, and the ways in which you may exercise them, are listed below.

In any case, if you are not able to exercise the rights using your Account Settings page on the Site, you can contact us to make a request that an action is carried out on your behalf.

Where we suggest that you contact us, please see Section 9 for more information.

5.c.i. The right to be informed (GDPR Articles 12, 13 and 14)

You can exercise this right by reading this Policy, and contacting us if anything is unclear.

5.c.ii. The right to access (GDPR Articles 12 and 15)

You can exercise this right by reading this Policy and viewing your Account Settings page on the Site, where all PID we store about you is displayed.

5.c.iii. The right to rectification (correction) (GDPR Articles 12 and 16)

You can exercise this right by emailing the correct PID to us. See your Account Settings page on the Site for more information.

When you rectify your PID on the Site, it may take up to 72 hours for the rectified data to be indexed by our third parties.

We reserve the right to retain the un-corrected PID for up to 30 days after you make the rectification, in case law enforcement authorities request to see the un-corrected PID.

5.c.iv. The right to erasure (GDPR Articles 12 and 17)

You can exercise this right by deleting your account on your Account Settings page on the Site.

When you delete your PID on the Site, it may take up to 72 hours for the deletion to take place in the indices of our third parties.

Note that this action is irreversible and permanent.

We reserve the right to retain your PID for up to 30 days after you delete your account, in case law enforcement authorities request to see the PID.

5.c.v. The right to restriction of processing (GDPR Articles 12 and 18)

You cannot exercise this right, as we store your data for a lawful purpose, as defined and agreed to in Section 2.c.ii..

5.c.vi. The right to data portability (GDPR Articles 12 and 20)

You can exercise this right be downloading a copy of all PID we store about you from your Account Settings page on the Site, in a machine-readable format.

This format is "JavaScript Object Notation", more commonly known as "JSON". A detailed guide to interpreting JSON can be found at the following URL: https://developers.squarespace.com/what-is-json.

If you wish to convert your PID to another commonly used machine-readable format, such as Extensible Markup Language (XML) or Comma Separated Values (CSV), you can do so with the following converter websites:

JSON to XML converter: http://convertjson.com/json-to-xml.htm

JSON to CSV converter: http://convertcsv.com/json-to-csv.htm

5.c.vii. The right to prevent processing

You cannot exercise this right, as we store your data for a lawful purpose, as defined and agreed to in Section 2.c.ii..

5.c.viii. The right to not be subject to automated decision making

You cannot exercise this right, as you are not subjected to automated decision making when using CodeDragon.

6. Sharing your data with law enforcement

We may disclose data we collect through the Site (including PID) to third parties not listed in Section 5.b. in the following circumstances, when required or requested to do so by law enforcement or other legal authorities:

  • under applicable law, including laws outside your country of residence;
  • to comply with legal processes;
  • to respond to requests from public and government authorities, such as schools and law enforcement, including such authorities outside your country of residence;
  • to enforce our Terms of Use;
  • to protect our rights, privacy, safety, or property, you, or others;
  • to allow us to pursue available remedies or limit the damages that we may sustain.

7. Cross-border data transfer

CodeDragon is based in the UK, which is in the EU. Personally identifiable data which we collect may be transferred to, and stored at, any of our affiliates, partners, or service providers (including third parties) which may be inside or outside the EU, including the United States of America.

Please see Section 5.b. for more information about which of our third parties are based outside the EU, and which are covered under the EU-US Privacy Shield.

8. Cyber attacks and data breaches

We maintain a database of PID on our computer systems, from those users who sign up for an account with us. If we, or one of our third parties suffered from a cyber attack, the perpetrators could gain unlawful access to this database, and use the information in it to commit identity theft from users.

We carry out regular audits of security, and believe the likelihood to such an attack to be very low, but in the unlikely event that an attack does take place, the privacy of our users' PID is paramount.

For the purposes of reporting data breaches to authorities, our Data Protection Officer is the Director of the CodeDdraig Organisation.

8.a. If we are attacked

If our computer systems are attacked directly, and we believe that the privacy of PID could be at risk, the following protocol will be followed:

When we become aware of a cyber attack:

  • Open a cyber attack log, to document all actions taken.
  • Ascertain scale of attack to decide an on appropriate course of action.
  • Place a notice on the Site to state that a cyber attack has taken place and is being investigated, and email all account holders with a message to the same effect.
  • Make copies of server logs to share with authorities.

Within 72 hours of us becoming aware of the cyber attack:

  • Find out the extent of the data breach - i.e. what PID about which users was taken.
  • Email known affected users to inform them that they have been targeted, the actions taken, and advice to keep their account secure (such as changing passwords).
  • Make a report to the ICO (https://ico.org.uk), containing a description of the nature of the personal data breach including, where possible:
    • the categories and approximate number of individuals concerned;
    • the categories and approximate number of personal data records concerned;
    • the name and contact details of the data protection officer;
    • a description of the likely consequences of the personal data breach;
    • a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects

Within 2 weeks of us becoming aware of the cyber attack, and when investigations by authorities have concluded:

  • Conduct an internal review into the handling of the attack.
  • Remove warning notices on the Site, replace with a notice about the outcomes of the above review, and email all account holders with a message to the same effect.
  • Close the cyber attack log.

8.b. If one of our third parties is attacked

If the computer systems of one of our third parties listed in Section 5.b. is attacked, and we believe that the privacy of PID could be at risk, we will take advice from that third party, and follow the protocol in Section 8.a., save that we are not under obligation to report to any authority - this is the obligation of the attacked third party.

9. If you have a problem

If you have a problem, question or would like to exercise your rights over your PID but cannot, you can contact us.

You can do this by emailing us at privacy [at] codedragon [dot] org. Please include your username and details of your query. You will normally receive a response from us within 30 days from the receipt of your message.

If you believe we have acted dishonestly, unlawfully or incorrectly, or have other concerns about our handling of PID, you can make a complaint to the ICO. Details of how to do this are given on the ICO website: https://ico.org.uk/make-a-complaint.

10. Contractual Information

10.a. Choice of law and venue

You agree that this Policy, for all purposes, will be governed and construed in accordance with the laws of the England, UK, applicable to contracts to be wholly performed therein, and any action based on, relating to, or alleging a breach of this Policy must be brought in a court of law in England, UK.

10.b. Choice of language

If we provide you with a translation of the English language version of this Policy, then you agree that the translation is provided for informational purposes only, and does not modify the English language version. In the event of a conflict between a translation and the English version, the English version will govern.

10.c. No waiver

No waiver of any term of this Policy will be deemed a further or continuing waiver of such term or any other term, and our failure to assert any right or provision under this Policy will not constitute a waiver of such right or provision.

10.d. Changes to this Policy

We may change this Policy from time to time. You can always find the latest version of the Privacy Policy at https://codedragon.org/legal/privacy. The date of the most recent revisions will appear on this page, and in this document.

We will give at least 14 days notice of any change to this Policy by placing a notice on the CodeDragon website (for those without accounts) and by emailing all users with accounts with messages to this effect.

Your continued use of CodeDragon constitutes your acceptance of any changes to or revisions of the Privacy Policy.

10.e. Entire agreement

This document, together with all and any appendices, constitutes the entire Privacy Policy and supersedes all previous privacy policies relating to the use of CodeDragon.

Revision date: 31st January 2020.