Online Safety Act Network

Data and Privacy Policy


OSA Network supported by Reset (“we”, “us”, “our”) respects your right to privacy.

This Privacy Policy (“Policy”) outlines the personal data processing we undertake in connection with the OSA Network website which is supported by Reset, including the mobile-dedicated website (the “Website”). It will also apply, and be updated accordingly, to all future online offerings operated by or on behalf of Reset.

This Policy does not address our other personal data processing operations. Additional policies and procedures addressing these processes are in place and we provide relevant information to data subjects at the point of data collection, or subsequently, as required by law.

This Policy is subject to regular review. Subsequent updates and amendments, including any that may be required by law, will be documented below and communicated to data subjects where necessary.

Data controller

The data controller for data collected and processed in accordance with this Policy is Reset, which is a project of Luminate Projects Limited, a private limited company registered with Companies House in the United Kingdom (#12433857) and a part of the Luminate Group of companies, including Luminate US Services LLC, Luminate Holdings LLC, and Luminate UK Services Limited (Companies House number 11125848) (“Luminate Group”).

Luminate Group fund and support non-profit and for-profit organisations and advocate for policies and actions that drive change across civic empowerment, data and digital rights, financial transparency, and independent media.

Any questions regarding this Policy or any other data protection issue related to Reset should be submitted to our Data Protection focal point via email to [email protected] or by post to:

Luminate Projects Limited
36-38 Hatton Garden, Holborn
London EC1N 8EB
United Kingdom
Email: [email protected]

Guiding principles

Reset and the Luminate Group of companies are committed to building fair and just societies and ensuring the rights of people and communities are upheld in the design and use of data and technology. They are also committed to complying with data protection laws globally.

Reset is a new initiative founded by Luminate and the Sandler Foundation that will engage globally in philanthropic and programmatic work that addresses digital threats to democracy through public policy advocacy and civic engagement.

We engage some third-party service providers in order to help us in meeting these objectives and as far as possible, we ensure that those third parties are equally committed to respecting individual rights. We do this by prioritising vendors and selecting service providers who operate transparently and engage third parties on terms that respect individuals’ privacy and data protection.

We also institute appropriate technical and organisational measures and strive to provide a high level of protection against unauthorised access to, and potential misuse of, the personal data we process.

What we process and why

In accordance with our guiding principles, we have followed a privacy-by-design and data minimisation approach in the design and build of our website.

The personal data that we collect from persons (or data subjects) who visit our website is accordingly limited to the Internet protocol (IP) address of the computer accessing the site; the browser software and operating system that the computer uses; and the Internet address (URL) of the outside website from which visitor came.

This information is processed for technical purposes in our legitimate interest, which provides a legal basis for such processing. Specifically, we process personal data for the purposes of (i) providing basic statistical information about the use of our website; and (ii) assisting in diagnosing technical problems and defending attacks against it.

If you choose to sign up to our mailing list we collect the information you provide – your name and email address – in order to send you updates about our work, when you sign-up online to receive emails from us. The legal basis for this processing is your consent, which you may withdraw at any time by unsubscribing to our emails.

Additional personal information – name, email, contact number and job title – is collected from users of the Website who wish to apply for funding from Reset. The legal basis for the processing of this data is the performance of a contract, which requires us to process your personal information in order to facilitate what is the start of a potential contractual relationship.

More detailed information concerning the processing of funding application data is provided during the application process.

Data retention

After 48 hours, we delete or anonymise all personal data processed for technical purposes. Anonymisation is achieved through the aggregation of statistical data that prevents the re-identification of individual users.

On occasion, we may need to retain personal data for longer than 48 hours. This includes for the purposes of conducting tests, diagnosing technical problems and defending against attacks on our website. In these situations, we will delete personal data as soon as it is no longer needed for the purpose for which it was kept.

Information regarding the retention of data processed in connection with funding applications is provided during the application process.

Sensitive data

We do not directly collect any sensitive data (or “special category data” as defined in EU law) through our website. All internet usage generates additional “metadata” that is collected and retained by internet service providers. This data can be accessed by law enforcement and intelligence agencies, who may extrapolate upon it to build up detailed “pictures” of specific individuals and communities. Individuals concerned about this kind of surveillance are encouraged to take measures to protect their privacy, for example by using the Tor browser or a VPN.

Tracking & cookies

Like all websites, the Reset website uses “cookies” and other technical measures to monitor and protect the website against malicious traffic and to collect limited analytical data in order to understand how users engage the information we provide.

In accordance with our guiding principles, the Reset website honours “Do Not Track” requests and has limited the cookies it deploys to the following:

  • Strictly necessary Cloudflare cookies to protect the Website against DDoS attacks
  • Matomo performance cookies to provide Reset with analytical information about the use of the website, which is only deployed with visitors’ consent (see further below)
  • Strictly necessary Django cookies to facilitate user logins and protect the Website against attempts to inject malicious code into registration forms

Opting in and out of cookies

If you accepted the Matomo cookies, these will have been deployed with your consent, which provides a legal basis for the processing of the analytical data they collect about your use of the Website. If you declined the cookies, they will not have been deployed.

The Cloudflare and Django cookies perform essential Website security functions and as such it is not possible to opt-out.

Browser settings can also be used to manage cookie preferences. Each browser is different, so check the Help or Settings menu of your particular browser to learn how to change your cookie preferences.

Information security

We take all reasonable steps to ensure that personal data is processed securely and treated in accordance with this Policy. The technical and organisational measures to prevent unauthorised access to personal data include limiting staff and sub-processor access to personal data in accordance with specific job responsibilities or contractual obligations, the encryption of data where possible, the institution of security protocols and staff training.

Although we do our best to protect personal data, information transmitted over the internet remains vulnerable to interception – for this reason, the transmission of any personal data to our websites or via email to us is therefore at the data subjects’ own risk.

Data sharing and sub-processors


We work with carefully selected third-party service providers who perform certain data processing tasks in order to maintain this Website. These third parties - Matomo, Heroku and Cloudflare - are engaged by Reset on terms which ensure confidentiality and compliance with data protection laws.

Sharing within the Luminate Group

Reset is a project of Luminate Projects Limited, a private limited company registered with Companies House in the United Kingdom (#12433857) and a part of the Luminate Group of companies, including Luminate US Services LLC, Luminate Holdings LLC, and Luminate UK Services Limited (Companies House number 11125848) (“Luminate Group”).

We share some data within the Luminate Group to accomplish our goals. We share this on the basis of our legitimate interests to operate globally. For example, If you submit an application for funding to Reset or are awarded a grant, the information you provide may be transferred from your country of residence to other countries in which Luminate Group operates, including the United States, so that your application can be processed and any subsequent contract prepared and executed. Further information about this data processing is provided during the application and grant delivery process.

International transfers of data

Where we transfer your data outside of the European Union or the European Economic Area, we will ensure that your data is appropriately protected by requiring the recipient to respect and uphold your rights as a data subject under all applicable laws and by making the transfer subject to an international transfer safeguard, for example, the Standard Contractual Clauses issued by the European Commission.

External websites

The Website includes links to external websites, which may process your data or use cookies – for example links to our Twitter page, Our Guide to Open Calls, or other external resources and social media platforms. You can find out more about these services and their use of cookies through their respective websites and privacy policies. Please remember we cannot control the way those external websites collect and retain your personal data, so you use those external services at your own risk.

Your rights

Individuals whose personal data is processed by Reset have the following rights:

  • The right to be informed as to whether Reset holds data about them;
  • The right of access to that information;
  • The right to have inaccurate data corrected;
  • The right to have their data deleted;
  • The right to opt-out of particular data processing operations;
  • The right to receive their data in a form that makes it “portable”;
  • The right to object to data processing;
  • The right to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate.

To make a subject access request or complaint related to the processing of your personal data contact [email protected] or write to:

Luminate Projects Limited
36-38 Hatton Garden, Holborn
London EC1N 8EB
United Kingdom

You also have the right to bring concerns to your national data protection regulator if you feel that your personal data has been unlawfully processed. For example, data subjects covered by EU law may also be entitled to lodge complaints in regard to data processing or the handling of subject access requests with data protection supervisory authority in their country of residence. Relevant supervisory authority names and contact details are listed here. The Data Protection Authority in the United Kingdom is the Information Commissioner’s Office (ICO). If you need any further information about your rights or want to lodge a concern or complaint, you may contact the ICO here.

Changes & revisions

In the event of any updates to this Policy, the date and nature of the change will be listed below. Should a change to the Policy result in a material impact on the handling of any personal data provided by consent, Reset will contact the data subjects to inform them of the changes and seek their consent as appropriate.

See further:

Policy published 24 April 2020.