This is the legacy site, please go to If you have graphs, learn how to migrate to the new version.

Graph Commons Privacy Statement

Graph Commons is a service offered by Alterlab, LLC (hereinafter: "we", "us" or "our"). We respect your privacy and are committed to protecting personal data. This privacy statement explains how we handle personal data when you access and use the Graph Commons Platform (and all related websites, software, applications, online services and tools referred to in this statement, regardless of how you access or use them, including mobile devices). This statement also informs you about your rights and how you can exercise those rights.

It is important that you read this privacy statement together with any other specific privacy statements we may provide to you on certain occasions when we are collecting or processing personal data about you, so that you are fully informed of how and why we are using your data. This privacy statement supplements our other notices and statements and is not intended to override them.

1. Data controller contact information

Alterlab, LLC, 19 Morris Ave. 11205, Brooklyn, New York, USA


2. The data we collect about you

Personal data means any information relating to an identified or identifiable natural person. It does not include anonymous information.

We may process the following personal data about you:

We do not collect any Special Categories of Personal Data about you.

3. How is personal data collected?

We use different methods to collect personal data from you and about you, including through:

4. Purposes and legal basis for the processing of personal data

We process personal data for certain purposes, described below. Furthermore, we process personal data based on a legal basis. These legal bases are, amongst others:

Purposes for which we will use personal data

We have set out below a description of all the purposes for which we use personal data, and the corresponding the legal bases we rely on to do so. Where appropriate, we have also specified what our legitimate interests are.

Note that we may process personal data on more than one legal basis depending on the specific purpose for which we are using that personal data.

Purpose Type of data Legal basis for processing
To register you as a user of the Graph Commons Platform (a) Identity
(b) Contact
Performance of a contract with you
To process the use of a Graph:
(a) Managing payments, fees and charges
(b) Verifying your identity and details of your payment method or credit card account
(c) Communicating with you, for example sending you notification about your invitation to a Graph.
(a) Identity
(b) Contact
(c) Transaction
(d) Marketing and Communications
(a) Performance of a contract with you
(b) Our legitimate interests
To manage our relationship with you, which includes:
(a) Providing access to Platform services
(b) Notifying you about changes to our terms or privacy statement
(c) Asking you to leave a review or take a survey
(d) Investigating complaints
(a) Identity
(b) Contact
(c) Profile
(d) Marketing and Communications
(a) Performance of a contract with you
(b) Compliance with a legal obligation
(c) Our legitimate interests (to keep our records updated and to study how users use the Graph Commons Platform and associated products/services)
To administer and protect our business and our services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity
(b) Contact
(c) Technical
(a) Our legitimate interests (for running our business, administering our CRM, provision of administration and IT services, network security, prevent fraud and in the context of a business reorganization or group restructuring exercise)
(b) Compliance with a legal obligation
To enable you to partake in a competition or complete a survey (a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(a) Performance of a contract with you
(b) Our legitimate interests (to study how users use the Graph Commons Platform and to develop and grow our business)
To deliver relevant Platform content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (a) Identity
(b) Contact
(c) Profile
(d) Usage
(e) Marketing and Communications
(f) Technical
Our legitimate interests (to study how users use the Graph Commons Platform and to grow our business and inform our marketing and growth strategy)
To use data analytics to improve our Platform, products/services, marketing, user and Partner relationships and experiences (a) Technical
(b) Usage
Our legitimate interests (to define types of users for certain Platform services and to keep our services and website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about Graphs or other services available through the Graph Commons Platform that may be of interest to you (a) Identity
(b) Contact
(c) Technical
(d) Usage
(e) Profile
(f) Marketing and Communications
Our legitimate interests (to develop the products and services available through the Graph Commons Platform)


We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what might be of interest to you. This is how we decide which services and offers may be relevant for you.

You will receive marketing communications from us if you have given us your consent (to extent required), if you have previously requested information from us, if you have used our services or purchased products or services through the Graph Commons Platform, and you have not opted out of receiving that marketing.

In every marketing e-mail, newsletter or product update, you will find a link to your subscriber preference center. Here you can update your preferences regarding the use of personal data, including an option to opt-out of all marketing communications.

We will not share your personal data with any company for marketing purposes unless we have received your consent to do so.

5. Provision to third parties

External Third Parties

In some cases we share personal data with third parties. We can share personal data with:

As follows from the above, we also utilize the services of third parties that function as “processors”. We are obliged to enter into a processor agreement with such service providers stipulating that they may only process personal data in accordance our instructions and subject our control.

We will only transfer personal data to the above mentioned third parties for the purposes stated in this privacy statement, and only to the extent that is permitted under the applicable law and regulations, or if we are obligated to provide the personal data to a competent authority.

Third parties to whom we transfer personal data are themselves responsible for compliance with privacy legislation. We are neither responsible nor liable for the processing of personal data by these third parties.

Third party websites and applications

The Graph Commons Platform includes references and hyperlinks to third-party websites and applications as well as to partner providers of multiple different types of services associated with a particular graph. These third-party links all have their own privacy statement and policies, which we recommend you to read carefully. We are in no way liable for the way these third parties handle personal data or comply with the applicable data protection law.

Where third parties provide Graphs or support the provision of services made available to you through the Graph Commons Platform, these third parties may receive certain personal data from you. Whilst we are not in control of any third parties to whom you request your data to be shared, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. Unless they obtain your explicit consent, we do not allow any third-party Graph or service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with your instructions.

To help constantly improve and tailor the service we provide to you through our Platform, we may use aggregated information so that we can administer and improve our services, analyse trends, gather broad demographic information and detect suspicious or fraudulent transactions and most importantly monitor and improve our operations on a day to day basis. In carrying out this activity, we may pass some information to third parties in aggregate and anonymised format.

6. International transfers

To be able to provide our services, it might be necessary that we transfer personal data to other countries inside or outside the EEA. Whenever we transfer personal data out of the EEA, we ensure an appropriate degree of protection is afforded to it. We take all measures necessary to transfer the personal data in a lawful manner to such countries. We ensure that at least one of the following safeguards applies:

7. Data security

We have put in place appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing and from loss, alteration, destruction or disclosure. These measures ensure an appropriate level of security. Amongst others, we limit access to personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

When you get the impression that your personal data is not appropriately secured, or if there are indications of misuse, please contact

8. Data retention

We will not store personal data longer than necessary to fulfil the purposes we collected it for, unless we are required by law to do so. After this retention period we will erase or anonymize personal data for research or statistical purposes.

9. Your legal rights

Under the GDPR you have the following rights in relation to your personal data:

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You can generally exercise your rights free of charge. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out above, please contact us via

10. Updates, cookies and contact

Changes to our privacy statement and your duty to inform us of changes to your personal data

We regularly review our privacy statement and reserve the right to change this privacy statement where needed. This version was updated on 5 August 2020.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Platform may become inaccessible or not function properly.

Contact details

If you have any questions about this privacy statement, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.