Privacy Policy

Privacy Policy Of Stepto.Support Website

Introduction

Thank you for visiting the Stepto.Support Website (the Website). Our purpose is to provide information on support services for people with sexual interest in children, to prevent corresponding offences. We achieve this using different channels – such as a map of available services in the EU, interactive chat function and contact form. Note that the chat and contact form follow the informative goal exclusively; they are not established to e.g., provide therapeutic advice, but rather to navigate people to places where they can obtain it. We also seek to obtain information on how the website is used, in order to improve it and obtain aggregated, anonymous or anonymised research insights. Your privacy is paramount to us. In achieving our goals, we seek to process as little personal data as possible. Personal data flows on our platform were carefully designed to prevent identification of users. We do not sell or share your data, nor do we use it for marketing or advertising. In this privacy policy, you will find information on:

  • Who is legally responsible for the data processing (data controller).
  • The data collection and processing that we carry out when you visit
    our website and use its different components.
  • Your rights as a data subject.

We also use cookies on our website, please see our Cookies policy.
This document can be printed for reference by using the print command
in the settings of any browser.

Data Controllers

Name IANUS Technologies (IANUS) Charité – Universitätsmedizin Berlin (CUB)
Role and tasks on the platform
  • Sole administrator of the platform
  • Website metrics collection
  • Technical security implementation
  • Platform maintenance
  • Collection of user behaviour analytics
  • Primary data subject contact
  • Chat operations and transcript collection
  • User data processing from chat; Email management
  • Metrics evaluation
Contact details of the lead representative for the platform Evangelos Michos – e.michos@ianus-technologies.com Isabel Schilg – isabel.schilg@charite.de
Contact details of the data protection officer (email) steptosupport@2ps-project.eu datenschutzbeauftragte@charite.de
Organisation’s address IANUS Technologies Ltd, Spyrou Kyprianou 85, Eleneio Megaro, Larnaca, 6051, Cyprus Charitépl. 1, 10117 Berlin, Germany
Organisation’s website https://ianus-technologies.com https://www.charite.de/en/

What data do we collect, for what purpose, and on what legal basis?

Purposes and bases for processing

ID Processing purpose Description & legal basis for processing
A. Addressing the inquiry submitted via the contact form. The user of the platform can ask general questions through the contact form. The processing of personal data is based on the legitimate interest in addressing inquiries submitted via the contact form.
B. Operating the platform (passive provision of information) Personal data is utilized to deliver informative services. The processing of personal data is based on the legitimate interest in providing the informative service through the platform.
C. Enhancing the quality of the platform To continuously enhance the quality of the platform, personal data of the users of the platform is collected and processed. Personal data is utilized to offer comprehensive information about the performance of the platform and the behaviour of the user of the platform. The processing of personal data is based on the legitimate interest in enhancing the quality on the platform.
D. Ensuring the safety and security of the services on the platform To ensure that the services on the platform are used in a manner that complies with applicable laws and regulations and to prevent abuse and fraud, certain information is tracked from the users of the platform. The processing of personal data is based on the legitimate interest in ensuring the safety and security of the services on the platform.
E. Addressing questions in chat regarding support, guidance and alternative pathways The processing of personal data is based on the legitimate interest in ensuring the safety and security of the services on the platform. The user of the chat functionality can ask different questions regarding support, guidance, and alternative pathways for individuals of the target group. The processing of personal data is based on the legitimate interest to address questions asked during the chat with the online operator.

Data Collected

We collect the following types of personal data, depending on which part of the platform you’re using.

Website

  • Masked IP addresses
    • Processing purpose – B.
    • Upon visiting the website, your IP address is collected and automatically pseudonymised by removal of two latter octets of information (e.g., 192.168.12.23 à 192.168.xxx.xxx). This means that it is impossible for us to identify you; at most, we can tell which country you are connecting from.
    • This masked IP address is processed in order to demonstrate location of relevant services and resources. It is also used to produce aggregated, anonymous findings on the use of the website.
    • Stored by IANUS; deleted until aggregated findings are extracted (max 2 years after the end of the project – September 2027).
  • User behaviour on the platform
    • Processing purpose – C
    • Using cookies, we analyse user behaviour on the platform – such as date and time of the visit, which pages are visited, how long users stay on a page, and what interactions they perform (e.g., clicking buttons or filling out forms).
  • § Important – This information is not connected to your full IP address or any identifier tied to your person. Instead, every time you connect, a randomly generated ID is generated by the system; we do not seek to track you across sessions.
    • Stored by IANUS; deleted until aggregated findings are extracted (max 2 years after the end of the project – September 2027).

Chat

  • IP address
    • Processing purpose – E.
    • Processing this IP address is necessary to enable the chat functionality.
    • Stored on servers of Talkative (established chat plugin provider), in the AWS cloud, in a database storing millions of interactions between IP addresses using Talkative.
  • Chat message content
    • Processing purpose – C.
    • We make it clear that personal data should not be conveyed through the chat function; however, we consider that it might happen nonetheless.
    • We’ve established a dedicated editing and storing procedure to handle this risk. Each chat transcript is stored on Talkative’s servers and made accessible to CUB only. Having received suitable training, CUB staff members acting as Talkative Administrators will manually review each transcript and anonymise it, if needed (in max 2 business days from the chat interaction). They will download the transcript (at which stage it is deleted from Talkative’s servers), remove all personal data from it, and upload it to CUB servers.

Contact form

  • Email address
    • Processing purpose – A.
    • The e-mail address is requested from the user of the platform when completing the contact form on the platform. This is to enable a response to the inquiry.
    • Stored by CUB; it will be deleted after max. 21 days from last interaction.
  •  Message content
    • Processing purpose – A.
    • We make it clear that personal data should not be conveyed through the contact form; however, we consider that it might happen nonetheless.
    • Stored by CUB; it will be deleted after max. 21 days from last interaction.

Third country data transfers

There exists a potential risk if personal data of EU data subjects is transferred to jurisdictions without adequate data protection standards, potentially breaching Articles 44-50 GDPR.

In the StS platform’s context, this affects transfers to Talkative (UK-based) and Google Analytics (US; see our cookies policy for further information).

Talkative stores chat transcripts and uses AWS (US) for storing the IP address & time of interaction of all its conversations. EU to UK transfers are covered by the Commission’s adequacy decision, and Talkative is responsible for maintaining sufficiently high

standards of protection in transferring data to AWS. AWS certifications suggest compliance with international data transfer standards. Situation in which an entity would request access to Talkative StS data from AWS is extremely unlikely. Coupled with a low chance of transcripts holding personal data and miniscule utility of this data, the likelihood and impact of this risk are limited, if not negligible.

Google Analytics data, in the form of a randomly generated Unique ID (per session only) holds even less of a utility, and the likelihood of it posing an additional risk by virtue of being transferred to the US is negligible. Nevertheless, this data transfer is protected by guarantees of the EU-US Data Privacy Framework (confirmed by European Commission’s adequacy decision).

User personal rights

Users may exercise certain rights regarding their data processed within the platform.

ID Data subject right In place? Explanation if not in place
1. Right of access Data subjects have the right to learn if data is being processed by the owner, obtain disclosure regarding certain aspects of the processing and obtain a copy of the data undergoing processing. (Article 15 GDPR) YES N/A
2. Right to rectification Users have the right to verify the accuracy of their data and ask for it to be updated or corrected. (Article 16 GDPR) YES N/A
3. Right to erasure Users have the right to obtain the erasure of their data from the owner. (Article 17 GDPR) YES N/A
4. Right to restriction of processing Users have the right to restrict the processing of their data. In this case, the owner will not process their data for any purpose other than storing it. (Article 18 GDPR) YES N/A
5. Right to data portability Users have the right to receive their data in a structured, commonly used and machine-readable format and, if technically feasible, to have it transmitted to another controller without any hindrance. (Article 20 GDPR) NO The right does not apply, as all processing activities rely on legitimate interest only. There would be a very limited scope in any case, as data subjects are actively discouraged from providing any personal data in any of the activities covered by this DPIA.
6. Right to object Data subjects have the right to object to the processing of their data if the processing is carried out on a legal basis other than consent. (Article 21 GDPR) YES N/A
7. Right not to be subject to automated individual decision-making No automated individual decision-making on the platform and/or chat functionalities. (Article 22 GDPR) NO This is not applicable as there are no automated individual decision-making on the platform and/or the chat functionalities.
8. Right to withdraw consent Data subjects have the right to withdraw consent where they have previously given their consent to the processing of their Personal Data. (Article 7(3) GDPR) NO All processing of personal data relies on the legal basis of legitimate interest.
9. Right to lodge a complaint Data subjects have the right to bring a claim before their competent data protection authority. (Article 77 GDPR) YES N/A

These data subject rights apply to StS platform’s datasets in the following manner:

Dataset Data subject rights from arts. 15, 16, 17, 18 and 21? Data controller responsible Explanation of limitation on the exercise of data subject rights (if applicable)
Website – Masked IP addresses (pre-masking) No IANUS The pre-masked IP addresses are immediately pseudonymised after collection, there isn’t a time window during which the data subject rights could be meaningfully exercised.
Website – Masked IP addresses No IANUS Following pseudonymisation, it is impossible to identify the IP address of the data subject and distinguish it from other IP addresses. For example, if two data subjects have IP addresses of 192.168.1.20 and 192.168.44.528, the stored IP address in the form of 192.168.xxx.xxx could pertain to both of them.
Website – User behaviour on the platform No IANUS User behaviour data are collected per session, and in such a way that makes identifying the data subject practically impossible.
Google Analytics – Unique user ID No IANUS (for Google Analytics) As this is a randomly assigned user ID, tied to the website, Google has no way of verifying the identity of the data subject making the request.
Chat – Users – IP address Yes CUB (for Talkative and AWS) N/A
Chat – Users – Chat message content (original transcript) No CUB (for Talkative) In this case, there is a very small window where the data subject could request e.g., a right to erasure, before CUB anonymises the transcript and deletes the original (max 2 business days from collection). At the same time, CUB only has access to the transcript – it would not be possible to identify the data subject, unless they provide additional information. The process of processing their request would most likely extend beyond the planned anonymisation procedure.
Contact form – email address Yes CUB N/A
Contact form – message content Yes CUB N/A

Additional considerations

This Website does not support “Do Not Track” requests. To determine whether any of the third-party services it uses honour the “Do Not Track” requests, please read their privacy policies.

Changes To This Privacy Policy

We reserve the right to make changes to this privacy policy at any time by notifying the website’s users on this page and/or – as far as technically and legally feasible – sending a notice to users via any contact information available to us. It is strongly recommended to check this page often, referring to the date of the last modification listed at the bottom.

Legal information

This privacy statement has been prepared primarily on the basis of Arts. 13 and 14 of Regulation (EU) 2016/679 (General Data Protection Regulation). This document relates solely to this website, if not stated otherwise within this document.