People vs Big Tech is an open network of civil society organisations and concerned citizens working together to challenge the power and abuses of Big Tech. Learn more.

This Privacy Policy (“Policy”) addresses the data processing we undertake in connection with the People vs Big Tech website (the “Website”).

This Policy does not address our other personal data processing operations. Additional policies and procedures addressing these processes are or will be put in place and we will provide relevant information to data subjects at the point of data collection, or subsequently, as required by law.

This Policy is subject to regular review. Subsequent updates and amendments will be documented below and communicated to data subjects where necessary.

Data controllers

The data controllers for data collected and processed in accordance with this Policy are SumOfUs and Reset acting as joint controllers. More information about the organisations can be found on their websites.

SumOfUs is the project manager of People vs Big Tech, conducting research, creating emails and content and making day to day decisions in order to run the project. Reset provides the technical infrastructure to run the Website and mailing list and reviews audience engagement data to inform and support project decision making. Both organisations contribute to decision making about the purposes and means of data processing in accordance with this Policy.

SumOfUs and Reset have entered into an agreement supporting their relationship that sets out how they will manage their obligations under data protection laws as joint controllers, including in relation to responding to data subject requests.


Any questions regarding this Policy or other data protection issues related to People vs. Big Tech should be submitted to:

[email protected]

Guiding principles

SumOfUs and Reset are committed to challenging the power and abuses of Big Tech together with you. We are guided by the princples outlined in the People’s Declaration and held accountable by a network of groups around the world striving to increase public and political support for Big Tech accountability.

All internet usage generates additional “metadata” that is collected and retained by internet service providers. This data can be accessed by law enforcement and intelligence agencies, who may extrapolate upon it to build up detailed “pictures” of specific individuals and communities. Individuals concerned about this kind of surveillance are encouraged to take measures to protect their privacy, for example by using the Tor browser or a VPN.

What we process, why and the legal basis for this

Mailing list

If you choose to sign up for more information or updates, we will collect the information you provide – your name, country, and email address – in order to send you those updates via emails. The legal basis for this processing is your consent, which you may withdraw at any time by unsubscribing to our emails or contacting us above.

Website data

The personal data that we collect from Website visitors is limited to the Internet protocol (IP) address of the computer accessing the site; the browser software and operating system that the computer uses; and the Internet address (URL) of the outside website from which visitor came.

This information is processed for technical purposes on the basis of our legitimate interests in obtaining basic, aggregated statistical information about the use of our website; and assisting in diagnosing technical problems and defending against attacks.

This information is collected using cookies, which are deployed on the basis of Website visitor consent. More information about this can be found in the Cookies section below.

Data retention

Mailing list

If you subscribe to our mailing list, we retain your name and email address for as long as you remain subscribed.

Website data

After 48 hours, we delete or anonymise all personal data processed for technical purposes. We anonymise any statistical or analytical data through aggregation that prevents the re-identification of individual users.

On occasion, we may need to retain personal data for longer than 48 hours. This includes the purposes of conducting tests, diagnosing technical problems and defending against attacks on our Website. In these situations, we will delete personal data as soon as it is no longer needed for the purpose for which it was kept.

Sensitive data

We do not collect or process any sensitive data, or “special category data” as defined in UK and EU data protection laws.

Tracking and cookies

Our Website uses cookies and other technical measures to monitor and protect against malicious traffic and to collect limited analytical data in order to understand how users engage with the Website. We respect “do not track” requests and only deploy non-essential cookies (e.g. those that gather analytics and statistics) on the basis of your consent.

We have limited the cookies deployed to the following:

  • Strictly necessary Cloudflare cookies to protect the Website against DDoS attacks
  • Strictly necessary application cookies to facilitate user logins and protect the Website against attempts to inject malicious code into registration forms
  • Matomo performance cookies to provide Reset with analytical information about the use of the website, which is only deployed with visitors’ consent (see further below)

Opting in and out of cookies

If you accepted the Matomo cookies, these will have been deployed with your consent. Matomo cookies collect analytical data about your use of the Website. If you declined the cookies, they will not have been deployed.

The Cloudflare and application cookies perform essential Website security functions and as such, it is not possible to opt-out.

Browser settings can also be used to manage cookie preferences. Each browser is different, so check the Help or Settings menu of your particular browser to learn how to change your cookie preferences.

Information security

We take all reasonable steps to ensure that personal data is processed securely and treated in accordance with this Policy. The technical and organisational measures to prevent unauthorised access to personal data include limiting staff and processor access to personal data in accordance with specific job responsibilities or contractual obligations, the encryption of data where possible, the institution of security protocols and staff training.

Although we do our best to protect personal data, information transmitted over the internet remains vulnerable to interception – for this reason, the transmission of any personal data to our websites or via email to us is therefore at the data subjects’ own risk.

Data sharing and processors


We engage third-party service providers to perform certain data processing tasks that enable us to run the Website and mailing list, these include:

These third parties are engaged on terms that ensure the confidentiality of data and compliance with applicable data protection laws.

Data sharing

No personal data will be shared with any parties outside of Reset and SumOfUs.

International transfers of data

Where we transfer your data outside of the European Union or the European Economic Area, we will ensure that your data is appropriately protected by requiring the recipient to respect and uphold your rights as a data subject under all applicable laws and by making the transfer subject to an international transfer safeguard, for example, the Standard Contractual Clauses issued by the European Commission.

External websites

The Website includes links to external websites, or other external resources and social media platforms that may process your data or use cookies. You can find out more about these services and the way they process data through their respective websites and privacy policies. Please note we cannot control the way those external websites collect and retain your personal data, so you use those external services at your own risk.

Your rights

Individuals whose personal data is processed in accordance with this Policy may have the following rights available:

  • The right to be informed as to whether we hold data about them;
  • The right of access to that information;
  • The right to have inaccurate data corrected;
  • The right to have their data deleted;
  • The right to opt-out of particular data processing operations;
  • The right to receive their data in a form that makes it “portable”;
  • The right to object to data processing;
  • The right to receive an explanation about any automated decision making and/or profiling, and to challenge those decisions where appropriate.

To make a subject access request or complaint related to the processing of your personal data under this Policy contact [email protected].

You also have the right to bring concerns to your national data protection regulator if you feel that your personal data has been unlawfully processed. For example, data subjects covered by EU law may also be entitled to lodge complaints in regard to data processing or the handling of subject access requests with data protection supervisory authority in their country of residence. Relevant supervisory authority names and contact details are listed here.

Changes and revisions

If we make changes to this Policy, the date and nature of the change will be listed below. Should a change to the Policy result in a material impact on the handling of any personal data, we will contact the impacted data subjects to inform them directly.