Asterisk Labs Privacy Policy

1. Introduction

Welcome to Asterisk Labs. We are a worker-owned research lab operating at the intersection of deep learning, Earth observation and climate science. Our mission is to make the most of open data for positive social and scientific impact.

This Privacy Policy explains how we collect, use, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Your privacy is of the utmost importance to us, and we are committed to being transparent about how we handle your data.

2. Who We Are

Name: Asterisk Labs

Contact Email: privacy@asterisk.coop

For the purposes of this policy, Asterisk Labs is the "Data Controller," meaning we are responsible for deciding how your personal data is processed.

3. The Data We Collect

We collect and process different types of personal data depending on our interaction with you. We adhere to the principle of data minimisation, ensuring we only collect the information that is necessary for a specific, legitimate purpose.

Job Applicants:

Data: Name, contact details (email, phone number), CV, cover letter, links to professional work (e.g., papers, code, projects), and any other information you provide as part of your application.
Purpose: To assess your suitability for a role at Asterisk Labs.

Stakeholders, Collaborators & Consultation Participants:

Data: Name, email address, organisation, job title, and the feedback or insights you provide.
Purpose: To gather expert and non-expert feedback for our research projects and reports, such as the AI vision for the Copernicus Programme.

4. How and Why We Use Your Data (Legal Basis)

Under the UK GDPR, we must have a lawful basis for processing your personal data.

Job Applicants: We process your data for the purpose of recruitment. The legal basis is our legitimate interest in assessing and selecting suitable candidates to fill our open positions. We may also process your data on the basis of performance of a contract if we proceed to an offer of employment.
Stakeholders, Collaborators & Consultation Participants: We process your data based on your explicit consent. When you provide feedback or participate in a consultation, you will be presented with a clear privacy notice and a checkbox to confirm your agreement for us to process your data for the stated purpose of our research. We will not share your personal data with any third parties unless we have obtained your explicit consent to do so. For certain projects, we may seek your permission to share your name, organisation, and feedback with our funders or other parties who have contracted us for the project. This sharing would only occur with your specific, opt-in consent and for a clearly defined purpose.

5. How We Store and Protect Your Data

We are committed to ensuring your data is secure. We use secure, cloud-based platforms, such as Google Forms and Google Drive, which are GDPR compliant and adhere to strict security standards.

Security Measures: Data is encrypted both in transit (TLS) and at rest (AES-256). Access is strictly controlled using two-factor authentication (2FA) and role-based permissions, ensuring that only authorised personnel can view or process your data.
Staff Training: All staff handling personal data receive GDPR compliance training.
No Third-Party Subcontractors: We do not engage any third-party subcontractors for processing your personal data. All data is managed internally.
No Publication without Consent: We will not publish your name or attribute any statements to you in our public reports or materials without your specific, additional consent.

6. Data Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected.

Job Applicants: We will retain your data for the duration of the recruitment process and for a period of up to six months thereafter to address any questions or legal challenges. After this period, your data will be securely deleted.
Stakeholders, Collaborators & Consultation Participants: Your data will be retained for the duration necessary to fulfil the requirements of the specific project contract (e.g., to write a final report). We will securely delete your data within three months after the contract ends.

7. Your Rights

Under the UK GDPR, you have the following rights regarding your personal data. To exercise any of these rights, please contact us at privacy@asterisk.coop. We will respond to your request within one month.

The right to be informed: To be informed about how we collect and use your data.
The right of access: To request a copy of the personal data we hold about you.
The right to rectification: To have inaccurate data corrected.
The right to erasure: To request that your data be deleted.
The right to restrict processing: To limit how your data is used.
The right to data portability: To request a copy of your data in a format that can be easily transferred.
The right to object: To object to our processing of your data.
The right to withdraw consent: You have the right to withdraw your consent at any time. This will not affect the lawfulness of processing carried out before you withdrew your consent.

8. Cookies and Third-Party Websites

Our website does not use cookies or any other tracking technologies to collect your personal data. We are committed to a minimal data collection approach.

Our website may contain links to third-party websites. This privacy policy does not apply to those websites. We encourage you to read the privacy policies of any third-party sites you visit.

9. How to Complain

If you have a complaint about our handling of your data, you can contact us directly at privacy@asterisk.coop. You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO).

10. Changes to This Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for legal reasons. We will post any updates on this page.

Last updated: 6 August 2025