Introduction

Open Source Collective (OSC) is committed to protecting the privacy and security of the data entrusted to us. While our operations are built on transparency and openness, we recognize that we handle private and sensitive information.

This Privacy Policy explains how your information is collected, used, disclosed, and safeguarded by OSC for the activities set out below. This policy applies to the Open Source Collective’s websites, domains, applications, services, and products.

This Policy does not cover third-party applications, websites, products, services, or platforms accessed through links that we may provide, which are not part of Open Source Collective. These sites are owned and run independently of us and have their own separate privacy and data collection policies. Any Personal Data you provide to these websites is subject to the third party’s privacy policy. We are not liable for the actions or policies of these independent sites and are not responsible for their content or privacy practices.

Definitions

• “Personal Data” means any information relating to an identified or identifiable individual (e.g., name, email, account details).
• “Processing” means any operation performed on Personal Data (e.g., collection, storage, use, disclosure).
• “Controller” means the entity determining the purposes and means of processing (OSC or our independent service providers).
• “Processor” means a service provider processing Personal Data on our behalf.

Some third-party services listed here act as independent controllers, meaning they determine how they process your data under their own policies. Others act as processors, meaning they process data only on our behalf and instructions.

Contact Us

If you have any questions or concerns about this privacy policy, please contact us at:

Email: [email protected]
Address: 440 N Barranca Ave #3939, Covina, CA 91723

This policy was last updated on August 21, 2025

---

Information We Collect

Websites

Our main website (oscollective.org) was designed specifically to provide information outward and does not use any cookies or beacons for tracking, analytics, or advertising purposes. Our website is built with WordPress and uses Yoast SEO.

Our documentation site (docs.oscollective.org) is hosted by GitBook. GitBook may use cookies and similar technologies and provides built-in analytics about documentation usage. Your use of our docs is therefore subject to GitBook’s Privacy Statement and Cookies Policy.

• GitBook Privacy
• GitBook Cookies

Open Collective Platform

We use the Open Collective platform (https://opencollective.com) to operate many of our services, including:

• Sending announcements and updates by email to our community,
• Managing fiscal hosting applications,
• Publishing budgets and financial reports,
• Collecting and processing contributions and expenses.

Open Collective, Inc. acts as an independent data controller for the personal data it processes. When you interact with us through the Open Collective platform, your personal data (such as your name, email address, account details, and activity on the platform) is collected and processed under Open Collective’s own Privacy Policy.

Payments and Payment Processors

When you make a contribution, submit an expense, or otherwise engage in financial transactions through Open Source Collective, payment details are processed directly by third-party providers. Each provider acts as an independent data controller for the personal data required to process your payment. Your payment data is handled in accordance with their respective privacy policies.

We currently use:

• Stripe – card payments, recurring payments, certain bank transfers (Stripe Privacy)
• PayPal – donations and some payments (PayPal Privacy)
• Wise – domestic and international transfers (Wise Privacy)

We also sometimes receive contributions via:

• GitHub Sponsors (GitHub Privacy)
• Patreon (Patreon Privacy)
• Coinbase (Coinbase Privacy)
• DRIPS (DRIPS Privacy)

We may also share limited personal/payment-related information with financial institutions (banks) as necessary to process incoming/outgoing transfers, donations, and reimbursements. These institutions act as independent controllers and process data in accordance with their own legal and regulatory obligations.

Community and Support Services

We use third-party platforms to support community interaction and provide user support.

• Zendesk (support tickets) - messages, names, and emails you send us at [email protected] may be stored in Zendesk (Zendesk Privacy).
• Discord (Community Conversations) - voluntary participation; subject to Discord Privacy.

Communications & Application Management

We use third-party services to manage community communications, surveys, applications, and internal operations.

• Airtable – used for applications and operational data. Airtable Privacy Policy
• SendGrid (Twilio SendGrid) – newsletters, announcements, mass email. Twilio SendGrid Privacy Policy
• Typeform – surveys, registrations, forms. Typeform Privacy Policy
• Notion – forms, collaboration, and documentation. Notion Privacy Policy

Contract Management

Dropbox - used to store and share contracts that may include personal data. Dropbox Privacy Policy

Productivity & Collaboration Tools

We use Google Workspace to support our internal operations, including email communications, virtual meetings, surveys through forms, calendaring, and document storage and collaboration.

• Google Privacy Policy
• Google Cloud Privacy Notice

Social Media & Community Platforms

We maintain official social media accounts to share updates and engage with our community. When you interact with us on these platforms (for example, by following, commenting, or messaging), your personal data is processed under the privacy policies of those platforms:

• LinkedIn – LinkedIn Privacy Policy
• Mastodon – mastodon.social Privacy Policy
• Bluesky – Bluesky Privacy Policy
• Buffer – post scheduling Buffer Privacy Policy

---

How We Use Personal Data

We use the information we collect to:

• Provide fiscal hosting and related services
• Process contributions, reimbursements, and other transactions
• Communicate with our community (announcements, newsletters, updates)
• Respond to inquiries and provide support
• Maintain legal and financial compliance
• Improve our services and community engagement

---

Sharing of Personal Data

We do not sell personal data. We share information only as necessary with trusted service providers listed in this policy, or where required by law, legal process, or to protect the rights and safety of OSC and our community.

---

Your Data Protection Rights

In accordance with GDPR, CCPA, and other applicable laws, you have the right to:

• Access the personal data we hold about you
• Request corrections or updates
• Request deletion (“right to be forgotten”)
• Request a copy of your data in a portable format

To exercise any of these rights, please contact us at [email protected]

You also have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable laws.

---

International Data Transfers

OSC is based in the United States. If you access our services from outside the U.S., your information may be transferred to and stored in the U.S. We rely on standard contractual clauses and other appropriate safeguards for international transfers where required by law.

---

Cookies and Tracking

Our main website does not use cookies for analytics, advertising, or tracking. Some of our third-party services (such as GitBook, Open Collective, or payment providers) may use cookies in accordance with their own policies, linked in this statement.

---

Legal Basis for Processing (GDPR)

We rely on different legal bases depending on the context:

• Consent – e.g., newsletters, optional forms, surveys, and community participation
• Contract – e.g., providing fiscal hosting and related services
• Legal obligations – e.g., tax and accounting compliance
• Legitimate interests – e.g., community engagement and platform improvement in ways that do not override your fundamental rights and freedoms

---

Data Retention

We retain data only as long as necessary for services or compliance.

• Financial transaction data: retained for at least seven (7) years under tax/accounting law.
• Support, communications, and other data: retained until no longer necessary.
• When data is no longer required, it is securely deleted or anonymized.

---

Your Choices

You may unsubscribe from newsletters at any time by following the unsubscribe instructions included in each email.
You may also request deletion or restriction of your data.

Open Collective accounts can be deleted following these instructions.

---

Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. These include:

• Encryption at rest and in transit
• Access controls and multi-factor authentication
• Secure storage practices
• Incident response procedures

Although no system is completely secure, we take data protection seriously and continually improve our safeguards.

---

Children’s Privacy

Our services are not directed to children under 16, and we do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without appropriate consent, we will delete it.

---

Changes to this Privacy Statement

OSC may update this policy. Material changes will be posted here and announced to subscribers via email.

---

Governance and Oversight

The Executive Director and Security Team are responsible for overseeing OSC’s data protection and compliance practices.