Privacy Notice

Overview

Privacy notices can be long and full of legal jargon that is hard to understand.

So we’ve pulled out the most important questions that you might have about our privacy notice and answered them below in the Summary. It will take about 5 minutes or so to read.

If you wish, you can read the full privacy notice at the bottom of this page.

This notice applies to:

  1. The personal data processing we undertake in connection with the Online Safety Act Network’s (“OSA Network”) activities,
  2. the OSA Network website, which is supported by Reset Tech, including the mobile-dedicated website,
  3. and the OSA Network newsletter, also operated by Reset Tech.

Subsequent updates and amendments, including any that may be required by law, will be documented below and communicated to data subjects where necessary.

This Privacy Notice is drafted in accordance with UK data protection laws (“data protection laws”). As of July 2025, this is the UK GDPR and the Data Protection Act 2018, which may be amended from time to time.

Who are we?

The OSA Network is led by Maeve Walsh and Professor Lorna Woods OBE and aims to keep all those with an interest in the successful implementation of the Online Safety Act informed and connected. There is no formal membership or association, and different individuals and organisations may collaborate from time to time. You can find more info here.

When you liaise with a specific organisation or individual, and no longer via the OSA Network email, we encourage you to read their privacy notice should you have any questions relating to their data processing. This privacy notice will no longer apply.

This website and the newsletter are operated by Reset Tech, a global philanthropic network. We operate in the US, UK, Germany, and Australia.

For more information about how Reset Tech handles personal data outside the OSA Network, please see our privacy notice.

What personal data do we collect and why?

That depends on who you are and our relationship with you. We’ve set out a few examples below:

  • If you sign up for our newsletter, we will use your name and email address.
  • If you are a stakeholder or expert in our sector, we will use your name, contact information, role, organisation and information about your areas of interest or expertise to inform our work.
  • If you are a stakeholder or expert and have agreed to exchange information to feed into policy briefings, open letters or other OSA Network initiatives, we may keep your name, contact information, role, organisation and information about your areas of interest or expertise, as well as the information and opinions you shared to inform our work.
  • We may also organise roundtables, calls, workshops or other forums for information exchange, which requires us to process your contact information and information regarding your organisation and work.

For all of the above, we will keep records of our interactions with you (for example, our email correspondence and notes of meetings).

What about sensitive personal data?

Some personal data is more sensitive than other data (for example, information about your health, your sexual orientation or sex life, your political affiliation, or your race and ethnicity). We try to minimise our collection of sensitive personal data, but sometimes it’s necessary (for example, if you’re a politician, we will naturally keep a record of your political party). We will always make sure we collect and use such information in accordance with applicable data protection laws.

Do we keep your personal data secure?

Reset Tech, the operator of the website, tries as hard as it can to keep your data safe. For example, Reset Tech makes sure that only people who need to can see your data, encrypts data where it can, and has strict contracts with its vendors handling personal data.

As a network of online safety practitioners, the OSA Network collaborators are also committed to keeping your personal data safe.

Do we share your personal data?

Yes. We share your personal data amongst the OSA Network collaborators and partners, and applicable vendors and service providers. If you email us or OSA Network collaborators, the personal data will necessarily be shared with the applicable email provider, as they act as a data processor for that communication. When you sign up for the OSA Newsletter, your sign-up personal data will necessarily be shared with Mailchimp, our newsletter data processor. We may share your personal data in other circumstances (for example, to comply with legal obligations on us).

Do we transfer your personal data internationally?

Yes. Reset Tech, the website operator, is a global network. Reset Tech entities share systems. We also use vendors in different countries. We try as hard as we can to keep your personal data secure when shared internationally, including carefully vetting our vendors, entering into agreements guaranteeing the security of personal data and your rights, and—of course—only transferring personal data that is necessary.

The same applies to many OSA Network collaborators, who also have entities across different countries and share data across systems.

What are your rights?

You have rights over your personal data and how we use it. If we’ve asked for your consent to use your personal data (for example, for our newsletter), you can withdraw your consent at any time. In certain circumstances, you can object to our use of your personal data or ask us to delete it; however, we may not be able to fully do so. For more details about your rights and how you exercise them, see the Your Rights section below.

Who can I contact?

If you have any questions, particularly regarding personal data processing in relation to this website or Reset Tech’s processing as an OSA Network collaborator, you can email Reset Tech’s Data Protection Officer, Molly Waiting, at dpo@reset.tech. If you feel like we haven’t addressed your concerns, you can always contact your data protection authority (for example, the ICO in the UK or the BlnBDI in Berlin).

You may also contact us at the provided email address on the OSA Network website: hello@onlinesafetyact.net

1. Who we are

The OSA Network has evolved from the successful work that Professor Lorna Woods OBE and Maeve Walsh, along with William Perrin OBE, carried out at Carnegie UK during the passage of the Online Safety Bill. You can find more information here.

Maeve Walsh is the OSA Network Director. You can read more about her here. Lorna Woods is a Professor of Internet Law at Essex University who works with Maeve Walsh to organise the OSA Network. You can read more about her here and here.

Reset Tech, the website operator and OSA Network collaborator, operates through a global network of entities. These include:

United States

  • Reset Tech and Reset Tech Action: 6218 Georgia Avenue NW Suite #1, PMB 3134 WASHINGTON, DC 20011, USA

United Kingdom

  • Reset Tech UK Limited: c/o Sedulo, Office 605, Albert House, 256-260 Old Street, London EC1V 9DD

Germany

  • Reset Tech GmbH: Friedrichstr. 114A, 10117 Berlin, Germany
  • Reset Tech gGmbH: Friedrichstr. 155, 10117 Berlin, Germany

Australia

  • Reset.tech Australia: Suite 403, 418 A Elizabeth St, Surry Hills, NSW 2010

In this notice, we refer to Reset Tech as a single organisation and so (unless specified otherwise) we mean the entities outlined above.

2. Who does this privacy notice apply to?

This notice applies to individuals who interact with us in relation to the work of the OSA Network. For example, general visitors to our website, individuals subscribed to our newsletter, and stakeholders and experts who contribute to or interact with the work of the OSA Network.

The notice provides information about how we will use your personal data and your rights in relation to your personal data.

If we start a new project or activity in relation to the OSA Network, we may provide you with additional privacy notices with more information.

3. What types of personal data do we collect?

OSA Network

If you interact with the OSA Network, we may collect the following information:

  • Name
  • Role and organisation
  • Contact details
  • Information about your expertise and experience
  • Records of your communication with us
  • Records of any meetings
  • Records of any documents or other information you shared with us

Certain types of personal data are sensitive and merit more protection. For example, information about your race or ethnic origins, political opinions, sex life or sexual orientation, religious beliefs, health information, biometric and genetic data. Criminal information (information about convictions or allegations about convictions) also merits additional protection and special consideration. Financial information (bank details, identity documents, etc) can also cause harm when misused, so we endeavor to treat these as sensitive, as well.

We do not usually collect sensitive personal data about you. We will only process these types of personal data about you if we have a valid reason for doing so and only if the applicable data protection laws allow us to do so. For example, if we hold an event and you provide your access or dietary requirements, or if you share political opinions with us in relation to the OSA Network’s activities.

Website

In accordance with our guiding principles, we have designed and built our website using a privacy-by-design and data minimisation approach.

The personal data that we collect from website visitors is accordingly limited to the Internet protocol (IP) address of the computer accessing the site; the browser software and operating system that the computer uses; and the Internet address (URL) of the outside website from which the visitor came.

We do not directly collect sensitive data (or “special category data” as defined in the applicable data protection laws) through our website. All internet usage generates additional “metadata” that is collected and retained by internet service providers. This data can be accessed by law enforcement and intelligence agencies, who may extrapolate upon it to build up detailed “pictures” of specific individuals and communities. Individuals concerned about this kind of surveillance are encouraged to take measures to protect their privacy, for example by using the Tor browser or a VPN.

Cookies

The OSA Network website uses “cookies” and other technical measures to monitor and protect the website against malicious traffic and to collect limited analytical data in order to understand how users engage with the information we provide. This website honours “Do Not Track” requests and has limited the cookies it deploys to the following:

  • Strictly necessary Cloudflare cookies to protect the Website against DDoS attacks
  • Matomo performance cookies to provide Reset Tech with analytical information about the use of the website, which is only deployed with visitors’ consent. If you accepted the Matomo cookies, these will have been deployed with your consent, which provides a legal basis for the processing of the analytical data they collect about your use of the Website. If you declined the cookies, they will not have been deployed.
  • Strictly necessary Django cookies to facilitate user logins and protect the Website against attempts to inject malicious code into registration forms.

The Cloudflare and Django cookies perform essential website security functions, and as such, it is not possible to opt out. Browser settings can also be used to manage cookie preferences. Each browser is different, so check the Help or Settings menu of your particular browser to learn how to change your cookie preferences.

4. Where do we get your personal data?

We collect your personal data from different types of sources:

  • Directly from you. For example, when you sign up for our newsletter or send us an email.
  • Indirectly from another source. For example, if one of our OSA Network collaborators or partners shares your information with us.
  • Through cookies. As set out above.
  • When it is available publicly. For example, if you write an article about an area in which we are interested.

5. How and why do we use your personal data?

What is a “lawful basis”?

We can only use your personal data if we have a valid reason. In Europe, this is known as a lawful basis of processing. Below we explain the lawful bases which we think apply to our use of personal information. Processing sensitive personal data requires additional conditions of processing.

Lawful Bases and Conditions

Legitimate interests is a flexible lawful basis which allows us to use your personal data provided that:

  • We have a good reason to do so. For example, to evaluate whether we should collaborate with you as part of the OSA Network.
  • You can reasonably expect that we would use your personal information in this way. In other words, our use of your personal information shouldn’t be a surprise. This may be the case where you shared documents with us for the purposes of the OSA Network initiatives, such as open letters or policy work.
  • It fits with your rights, and it doesn’t affect you unfairly. Your rights are explained in the Your Rights section below.

When we rely upon legitimate interests as a lawful basis, our use of your personal information must be fair and balanced, and we need to consider the points above.

Consent is when we ask for your permission to use your personal information for a specific purpose. For example, if we ask to use a quote from you to promote our work, or if you signed up for the newsletter. You always have the right to withdraw your consent. Just send us an email or contact us at hello@onlinesafetyact.net.

We may also need to process your personal information to comply with a legal obligation on our part.

Finally, we all hope to avoid litigation where possible, but we may need to use your personal data as part of a legal claim.


The purposes for which we use your personal data

We use your personal data for the following reasons (and the most relevant lawful bases are listed afterwards):

  • Promoting the OSA Network and its work, our partners’ work, and our principles, for example, through our newsletters, articles and speaking engagements. Lawful bases: Consent and Legitimate Interests.
  • Evaluating our impact and areas for improvement, for example, considering specific elements of the OSA implementation, whether and how to support new and existing collaborators. Lawful bases: Legitimate Interests, Manifestly Made Public, Public Interest.
  • Running and participating in events. Lawful bases: Consent and Legitimate Interests (and, if we need to process dietary or accessibility information, explicit consent).
  • Handling any concerns or queries which arise during the course of our work. Lawful bases: Legitimate Interests, Legal Obligation (if we’re legally obliged to respond), and potentially to address Legal Claims.
  • Operation of our Website. Specifically, we process personal data for the purposes of (i) providing basic statistical information about the use of our website; and (ii) assisting in diagnosing technical problems and defending against attacks. Lawful bases: Legitimate Interests and Legal Obligation (for example, where we need to confirm that our use of funding did not violate legal restrictions).
  • Newsletter. Lawful basis: Consent.


6. When will we get in touch?

We may contact you when you give us your contact details or when we believe that you may wish to hear from us. Some of these communications may be administrative (for example, to respond to a query or request from you), and some may be promotional (for example, a newsletter with updates about our work).

We’ll only contact you when we’re allowed to do so. And you can request that we cease contacting you with promotional material at any time. Please note that we may still send you administrative communications.

7. Do we share your personal data?

The OSA Network operates as a network of advocates, researchers, campaigners, and civil society organisations to keep them informed and connected during the Online Safety Act’s implementation. Its goal is necessarily to share information across different stakeholders to allow for better implementation of the OSA. Many of the collaborators have entities in different jurisdictions. They will likely share data across systems and with relevant partners to be able to meet their objectives in relation to the OSA Network and the implementation of the OSA.

Reset Tech, one of the OSA Network collaborators and the website operator, is a federated network of entities. These entities share systems and staff, and so your personal data will be shared among these entities if needed.

Newsletter

The OSA Network uses Mailchimp to send the newsletter, which is also operated by Reset Tech. You can find Mailchimp's privacy notice here.

Email inbox

The email address hello@onlinesafetyact.net is operated by Reset Tech. Communications may be shared between collaborators as needed.

Website

Reset Tech works with carefully selected third-party service providers who perform certain data processing tasks to maintain this Website. These third parties—Matomo, Heroku, and Cloudflare—are engaged by Reset Tech on terms that ensure confidentiality and compliance with UK data protection laws.

Other

There are other circumstances in which we may share your information:

  • If we transfer the OSA Network or the website to another organisation;
  • With co-funders or other stakeholders;
  • With our professional advisors (for example, lawyers and accountants);
  • If we’re under a legal or regulatory obligation to do so; and
  • In connection with any legal proceedings or prospective legal proceedings, in order to establish, exercise or defend our legal rights.

If we share your personal data with any other third party, we will let you know in advance, where possible.

We will not sell your personal data.


All OSA Network collaborators engage some third-party service providers in order to help them undertake their work and as far as possible, they ensure that those third parties are equally committed to respecting individual rights. This will include their data storage provider (most organisations now rely on some sort of cloud storage), or their email provider. They do this by prioritising vendors and selecting service providers who operate transparently and engage third parties on terms that respect individuals’ privacy and data protection.

You can find more information on the OSA Network collaborators' websites.



International transfers

If you share personal data with any of the OSA Network collaborators, they may also transfer your personal data internationally, for example where they rely on international data processors or international cloud storage providers as part of their infrastructure, to do their work.

Where we transfer your data outside of the United Kingdom or the European Economic Area, we will ensure that your data is appropriately protected by requiring the recipient to respect and uphold your rights as a data subject under applicable data protection laws and by making the transfer subject to an international transfer safeguard, for example, the Standard Contractual Clauses issued by the European Commission and the Information Commissioner’s Office’s Addendum or the Information Commissioner’s Office’s International Data Transfer Agreement.

8. Links to other websites and social media

This website includes links to other websites. This notice only covers the processing of this website and the OSA Network’s activities. It does not cover the other websites. We encourage you to read the privacy notices on other websites you visit.

The success of the OSA Network depends in part on people amplifying our messages, and we have provided social media links to allow you to easily share content from our website with your networks or to follow us on social media. In doing so, your personal data may be disclosed to these social media platforms.

We have no control over how social media platforms use your personal data. We encourage you to read the privacy notices on the various social media platforms you use (and engage with their privacy tools).

Find out more about how these social media platforms use your personal data:

9. How we keep your information safe

As a network of online safety practitioners, the security of information (particularly personal data) is important to us.


OSA Network collaborators institute appropriate technical and organisational measures and strive to provide a high level of protection against unauthorised access to, and potential misuse of, the personal data they process in relation to the OSA Network.



Although we do our best to protect personal data, information transmitted over the internet remains vulnerable to interception. For this reason, the transmission of any personal data to this Website or via email to us is at the data subjects’ own risk.

Reset Tech, the operator of this website, undertakes the following in relation to its data processing:

  • Requiring third parties to use appropriate measures to protect the confidentiality and security of personal data.
  • Restricting access to personal data within Reset Tech to those who have a need to know the information for the purposes described above. This may include your managers and their designees, personnel in People Operations, IT, Legal, Finance and Accounting and Internal Audit. All personnel will generally have access to employees’ business contact information such as name, position, telephone number, postal address and email address.
  • Global policies on IT security and data protection, with training provided to staff, as needed.
  • Implementing industry best practices in data protection, such as zero trust models, least privilege access, encryption of data at rest and in transit, and cross-platform authentication services.

Interested in learning more about online safety? Check out the National Center for Cyber Security.

10. How long we keep your information for

OSA Network

We keep your personal data for as long as we reasonably need it for the purposes set out in section 5. This would usually be five years after the dissolution of the OSA Network.

Website

After 48 hours, we delete or anonymise all personal data processed for technical purposes. Anonymisation is achieved through the aggregation of statistical data that prevents the re-identification of individual users.

On occasion, we may need to retain personal data for longer than 48 hours. This includes the purposes of conducting tests, diagnosing technical problems and defending against attacks on our website. In these situations, we will delete personal data as soon as it is no longer needed for the purpose for which it was kept.

Your rights

You are in control of your personal information. In certain circumstances, when we use your personal information, you have the right to:

  • Ask for a copy of the personal information we hold about you. We may ask you for proof of your identity. We will give you a copy of your personal information unless we consider that an exemption applies. If we withhold any of your personal information, we’ll explain why.
  • Ask that we erase the personal information we hold about you. We may not be able to erase your information (for example, we may be legally obliged to keep your personal information), but we will consider and respond to your request.
  • Ask that we correct any personal information that we hold about you that you believe to be incorrect.
  • Ask that we restrict the use of your personal information if you believe the information we hold is incorrect, or if we don’t have a valid reason for using your personal information.
  • To change your mind and withdraw your consent.
  • Ask us to stop using your personal information, if we are relying on legitimate interests as our lawful basis.
  • Ask for us to port (or transfer) your personal data to a third party in certain circumstances.

Who to contact

If you have questions about this website, this privacy notice, or how we handle personal data, please contact the OSA Network at hello@onlinesafetyact.net. For questions about this website, you may contact Reset Tech’s DPO at dpo@reset.tech.

If you have any concerns about the way we are handling your personal information, or if you’ve raised a question or a complaint that we haven’t dealt with, you can (in certain cases) contact your data protection regulator directly. For example, the Information Commissioner’s Office in the UK.

Updates to this notice

We may update this notice from time to time. If we update this notice in a way that significantly changes how we use your personal data, we will bring these changes to your attention where reasonably possible. Otherwise, you can access the latest version on our website.

Last updated: October 2025