For more information regarding Trust and additional resources, visit Gloo's Legal Center
Trust is the currency of relationship. Relationships catalyze our growth. Churches, faith and recovery organizations (Frontline Champions) facilitate relationships to promote growth journeys. Gloo’s Trust architectures (Privacy, Security and Compliance) therefore, must solve for Trust, the condition precedent to relationship and growth.
However, when it comes to privacy, it's a complex problem; meaning we are all still working out our feelings around privacy in the public square, positions can change and reasonable minds can disagree.
From a data privacy perspective, Frontline Champions have more personal information than even our banking institutions. They have our names and email addresses, our giving information (which may be a surrogate for our spiritual journeys), maybe even information about our health, marriages and relationships. The only information more sensitive would be information about our children; they have that too.
Gloo feels the responsibility and recognizes the opportunity to help Frontline Champions level up their own Trust architectures, whether by operating their platform services from Gloo (and Gloo’s Trust architecture), by leading out by modeling progressive approaches to data privacy or providing Trust resources like the Data Safe Church eBook.
Therefore, we celebrate the advances and the innovation represented by the GDPR (General Data Protection Regulation) the CCPA (California Consumer Protection Act). While they may be imperfect and are likely to continue to change, they stimulate our progress toward increased protection of individuals’ personal information and, ultimately, build Trust. So while Gloo solves for Trust, a level above these regulations, we also solve for the laws and these laws have helped us more clearly articulate our organizational and product strategies and commitment to individuals and Frontline Champions.
Further, as described below, we consider information about religion to be a special category of data (sensitive personal information) that receives the highest level of data privacy protection, express consent from the data subject. Information about health, for example information related to COVID-19, is also a special category receiving special treatment.
To that end, we have developed a series of principles (the very top layer of our Trust by Design process) which apply to all product development activities, influenced by and in alignment with the GDPR and CCPA, that best reflect our commitments and aspirations around data privacy. These principles are core to our Trust by Design process.
When you use products and services from the Gloo platform, you can rest assured that the Trust by Design process was central to its development.
Be forewarned, these principles depend on definitions found in GDPR and CCPA. We can continue to unpack these further in the future to provide more context. These concepts are also reflected in the terms set forth in our
Data Protection Addendum, which all parties agree to when they use products and services from the Gloo platform.
We will make an appropriate decision regarding whether we will be a “controller / business” or “processor / service provider” with respect to any new Product Line we plan to launch before we launch it, and be clear and consistent with data subjects and customers about which of the two we are. When we determine the purposes and means of processing personal information collected in connection with a Product Line, we act as a “business” or “controller” of such personal information. For example, our audience activation services. By contrast, when we receive personal information from a third party and only process it on that third party’s instructions, we act as a “service provider” or “processor” vis-à-vis the third party. For example, Church Analytics. There are advantages and disadvantages to being a business versus a service provider. Operating as a business with respect to a Product Line means we are primarily responsible for ensuring that we comply with data privacy laws, being transparent about how we use personal information in connection with the Product Line, and administering data subject rights of individuals receiving our services. For those reasons, we err on the side of being a “business.”
Where we act as a business in regards to a Product Line, we generally form a direct connection to the data subject and we will only process individuals’ personal information where we have a lawful basis to do so. In general, this means that we must issue clear privacy notices to data subjects before collecting their personal information which explain how and why we plan to collect, use, store, and disclose their personal information, and then have some demonstrable means of showing that a data subject consented to us processing their personal information as described in our privacy notices if they disclose their personal information to us. The form of consent we seek from data subjects may vary, depending upon the circumstances and the types of personal information we wish to process. The more sensitive the types of personal information at issue are, and the more unexpected the ways in which we plan to process personal information are from the data subject’s perspective, the greater the necessity usually for us to ensure we have express, informed, unambiguous, prior consent from data subjects before we process their personal information. Since we often process quite sensitive types of personal information about individuals, our default rule is that we have to: (i) ensure we have a data subject’s express (i.e., opt-in) and informed consent before processing their personal information; (ii) allow data subjects to withdraw their consent upon request; and (iii) permit data subjects to choose what data processing activities of ours they consent to or not consent to, whenever such activities have little relation to one another (i.e., avoid an all-or-nothing approach to consent).
Where we act as a service provider in regards to a Product Line, we may only process the personal information we receive from a Champion that uses that Product Line in accordance with the Champion’s instructions and our agreement with them.We try to avoid transferring personal information wherever possible, and wherever we do transfer personal information, we may only do so when operating in a business context, where we have a direct relationship to the data subject, and in accordance with all applicable laws. Further, when we do transfer personal information, in addition to accepting our terms of service and privacy policy, we generally require a specific opt-in consent directing us to share the data to specific third parties (e.g., data subject check box directing us to share the data to a third party). While some of our products may involve the transfer of personal information, we prioritize the development of product offerings that do not involve selling, such as where we only sell aggregate analytics that contain no personal information. We take an expansive view as to what constitutes transfer, and generally consider the term to encompass any disclosure of personal information from us to a third party which allows the third party to determine the means and purposes of processing the personal information, unless our disclosure of the personal information was made with the specific and express consent (and therefore on the instruction) of the data subject. We believe this principle honors the spirit of data minimization.
We believe data subject rights under the GDPR and the CCPA reflect innovation around the protection of individuals’ personal information and, ultimately, build trust. We believe, as a general principle, that data subjects deserve these rights.