APC data policy 2.0

We are committed to being transparent about the data we collect and how it is used. This document:

• Provides clear information about the types of data we collect.
• Informs how we process, protect and store the information.
• Clarifies your rights regarding the data you provide to us.
• Indicates how you can contact us for more details or to exercise your rights.

Introduction: APC’s data commitment

At APC, we manage not only the data we generate internally, but also data entrusted to us by the network, partners, organisations and individuals we work with. Mishandling this information can jeopardise the personal safety of those who rely on us to protect their sensitive data. For this reason, safeguarding data is not only a technical requirement – it is a core part of our ethics of care and our responsibility towards the safety and well-being of our partners and communities.

APC is committed to upholding the right to privacy and data security for everyone whose information we process. This applies both to:

• Services directly provided by APC, and
• Services provided through trusted third parties, in which case their applicable privacy policies will also apply, and we will refer you to them.

APC’s approach to data protection is guided by a comprehensive set of APC policies.1 These policies regulate the different layers and aspects of our communal infrastructure, both internally and externally.

If you would like further information about how your data is handled or wish to exercise your rights, we invite you to reach out to us by writing to privacy@apc.org

Data: Ethics of care and responsibility

Most commercial online services are designed to maximise data collection as part of their business model, resulting in the large-scale harvesting, storage and sharing of personal information – often without meaningful consent or control for users.

As a social justice and digital rights organisation, APC advocates for data ownership and practices that place the agency of individuals and communities over their data at the centre. We believe people should have real control over how their information is collected, used, stored and shared.

For APC, applying ethics of care and responsibility goes beyond simply complying with legal requirements: it means actively working to ensure that the way we collect, store, manage, share and delete data – whether on our servers, in the cloud or in local repositories – follows the highest standards of security, privacy and accountability.

As a networked organisation, we also support our members, partners and allies in adopting these same principles, promoting collective responsibility for safeguarding data across all our shared spaces.

Since 2025 APC, has applied one of the Feminist Principles of the Internet to its day-to-day work:

Privacy and data: We support the right to privacy and to full control over personal data and information online at all levels. We reject practices by states and private companies to use data for profit and to manipulate behaviour online. Surveillance is the historical tool of patriarchy, used to control and restrict women’s bodies, speech and activism. We pay equal attention to surveillance practices by individuals, the private sector, the state and non-state actors.

In line with this, our operations are guided using the following principles:

• APC uses, supports and advocates for the use of free/libre and open source software (FLOSS): “We are committed to creating and experimenting with technology using free/libre and open source software, tools and platforms. Promoting, disseminating and sharing knowledge about the use of FLOSS is central to our praxis.”
• APC maintains its own self-managed communal infrastructure, operating a secure interconnected set of platforms and tools.
• The APC technical systems and support team is responsible for APC’s operational security standards, and provides the necessary support for the organisation to follow these standards.
• APC collaboration and project implementation is centred on building consent, data ownership and privacy, both when working within the network as well as with other partners and allies.
• APC is committed to providing the necessary capacities to its network and partners (internal) and communities and individuals (external) on data protection, security and privacy.
• APC collects the minimum required data for any given purpose and only for the required time frame, after which the data is deleted.2
• APC makes the maximum effort to communicate in simple and plain language the purpose of collecting data about people or organisations, and asks for informed consent and/or provides an opt-in option whenever possible.
• When in doubt about the actual purpose of the collection of certain data, APC always opts for not collecting it.

About our services

APC is a fully remote organisation, with its network and partners operating and connecting from over 74 countries around the world. To support this global collaboration, we have developed our own communal infrastructure: an ecosystem of platforms and tools designed to enable us to work together, engage meaningfully, and drive transformative change.

Below is an overview of the various platforms and tools we use, along with details on how they are configured to collect and store data:

• We select our service providers based on their technical expertise, commitment to privacy, and environmental impact. The APC tech systems and support team is responsible for identifying providers, managing our communal infrastructure, and choosing the best location for different tools and services. APC servers are hosted at:

o GreenNet’s renewably powered servers: GreenNet is a not-for-profit collective established in 1985, providing internet services and hosting to supporters of peace, the environment and human rights.

o Hetzner: A German provider whose electricity is sourced from 100% renewable energies. Read Hetzner's privacy policy here.

• We use Drupal, a self-hosted content management system (CMS) and a very flexible and powerful software with safety at the core, for all our websites.
• Matomo and Plausible: Self-hosted analytic software, to have insights on what visitors look for and to improve our sites. Along with anonymised IP addresses, the software tracks country, page visited, duration of visit, returning visits over time, device type and model, operating system, browser, and incoming and outgoing traffic (i.e. where people come from and where they go next). Read more on Matomo’s privacy-respecting configurations here.
• APC has several self-hosted instances of Nextcloud for collaboration and storing of documents that may contain confidential or sensitive information. The ONLYOFFICE add-on is used to edit files online. Real-time collaboration on documents is critical to our work, and we acknowledge that open source solutions, while offering reliable functionalities, are not yet as smooth as tools hosted by big tech corporations. APC uses Nextcloud apps on the same self-hosted instance for a series of services such as polls, forms, calendars and appointments.
• APC has its own Etherpad instance, and when necessary also uses Riseup or Código Sur pads.
• APC uses LimeSurvey any time we need to gather information from partners and the larger community. Data that is considered sensitive is collected using APC's LimeSurvey online survey tool and transferred using encrypted email communications or another secure and encrypted channel. Data that is not considered sensitive can also be collected through email questionnaires or by other means that facilitate data collection and manipulation.
• APC’s main video/conference software is BigBlueButton (BBB), self-hosted on our servers. Occasionally we might use Jitsi or Zoom for large events. AI transcriptions and tracking features are disabled by default.
• APC uses the end-to-end encrypted messaging platform Signal anytime while on the move or at events.
• We use Mattermost for our internal communication and coordination.
• APC’s preferred email client is Thunderbird, an open source program previously maintained by Mozilla.
• The APC team uses PGP to encrypt its internal email traffic and whenever possible with partners. Our public keys can be found on the APC website at the bottom of individual bios in the section APC Team.
• APC maintains a set of mailing lists based on Mailman. APC newsletters are sent to people who actively subscribe to them.
• We use CiviCRM to keep track of contacts and interactions, and to send newsletters and event invitations.
• APC has social media accounts that are regularly updated on Bluesky, Facebook, Instagram, LinkedIn and Mastodon. We maintain our account on X to keep track of the community's history there, but we made a deliberate decision to not update it anymore.

Contact details

If you would like to get in touch with us with regard to your personal data, please contact us at privacy[@]apc[.]org

Use this email address if you want us to:

• Provide a copy of any personal information about you that we have stored in our systems.
• Delete personal information about you that we have stored in our systems

Changes to this document

This version of the data policy was last updated in September 2025 and represents a major revision of the previously published information. This document provides a comprehensive framework outlining APC’s policies, standards and practices related to responsible data management. It clarifies our commitment to the safety and protection of personal and sensitive data, and to upholding privacy across both APC’s public and private digital spaces.

APC’s approach to data is defined through a set of policies that govern the various layers and aspects of our communal infrastructure, both internally and externally. This document outlines the elements of those policies that are specifically relevant to APC websites and our online workspaces.

If there are any changes to APC’s data and privacy policies – whether related to processes, procedures or other relevant matters – they will be reflected in this document. We will update it on our website and other appropriate platforms to ensure it remains accurate and transparent, so you are informed about what data we collect, how we use it, and under what circumstances we may disclose it.

APC reserves the right to modify this document at any time. We encourage you to review it regularly. If significant changes are made, we will notify you via email or through a notice on our website’s homepage.