Legal

Sociality.io is built from the ground up with users' rights to privacy and information security in mind. To keep our services at the highest standards, we invest continuously in our infrastructure and processes. We are grateful for your trust in our platform, and the following resources represent our commitment to being transparent about our practices.

Terms of Service

Last updated: September 12, 2021

THESE TERMS OF SERVICE CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND SOCIALITY. PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE ACCESSING, INSTALLING, USING AND/OR PURCHASING ANY OF THE SERVICES PROVIDED BY SOCIALITY, INCLUDING A FREE TRIAL.

BY ACCESSING, INSTALLING, USING OR PURCHASING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU ARE OF LEGAL AGE TO ENTER INTO AN AGREEMENT AND YOU HAVE READ AND ACCEPTED THESE TERMS OF SERVICE AS WELL AS THE PRIVACY POLICY AND ANY ADDITIONAL TERMS AND POLICIES SOCIALITY MAY PROVIDE FROM TIME TO TIME.

These Terms of Service are the general terms of our agreement with You to govern your access, purchase and use of the Service. Our agreement will also include special terms, such as subscription rates and payment terms depending on the subscription plan You purchased. If there are special terms applicable to the subscription plan chosen by You, these special terms will be made available to You and be an integral part of these ToS.

These Terms of Service, our Privacy Policy (https://sociality.io/privacy) and the special terms form the entire agreement (referred to below as the “ToS”) between You and Sociality.

“Sociality”, “We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

“You” are the individual or the entity (represented by an authorized individual) that enters into this agreement with us, in order to access, use and purchase the Service.

The “Service” provides a social media management platform that enables users, among other things, to publish posts on social platforms at a scheduled time, reply to user messages on social media channels, monitor brand keywords in public web results, analyse the performance of their social media pages and benchmark these pages against other pages' public data. You may find detailed information about the Service on our website available at https://sociality.io (the “Website”).

We advise you to print and keep the ToS in your files.

1. Acceptance of the ToS

1.1 You must first agree to the ToS in order to access, purchase and/or use the Service, including any free trial.

1.2 If You have any question or doubt regarding any provision of the ToS, please don’t purchase or use any part of the Service and send us an email at [email protected] regarding your concerns.

1.3 In order to accept the ToS, You must be of legal age to enter into an agreement. If You are a legal entity (organization, company, etc.) the person who accepts the ToS on your behalf represents and warrants that they have the authority to represent and bind You to the ToS.

1.4 You can accept the ToS by clicking to accept or agree to the ToS where available or by purchasing, accessing, using or installing the Service (free trials included). By performing one of these options, You represent and accept that You have read, understood and agreed to be bound by the ToS, like any written agreement signed by you.

2. Payment Terms

2.1 The Service is provided on a subscription basis. You must pay the whole amount applicable to the subscription plan You chose and subscribed for. The prices applicable to the different subscription plans and the payment methods are published on our Website available at https://sociality.io/pricing. Our plans are billed in advance on a monthly or yearly basis and are not refundable. You agree that You are liable to pay any taxes applicable to your obligations under the ToS and in relation to the Service.

2.2 You agree that if You change your subscription plan, You will be liable for the amount applicable to the new plan.

2.3 If You purchase a monthly subscription, You can upgrade or downgrade your subscription plan before the end of your existing plan, and the change will be reflected in the next billing cycle. You will also be able to see your invoice details on a separate page in your account. You agree that if You change your subscription plan or alter the content of your existing subscription plan, your next invoice amount will be updated in accordance with your altered subscription plan and the updated amount will apply to your next invoice.

2.4 If You purchase a yearly subscription, You can downgrade your subscription plan but there will be no reimbursement of the fee. If You wish to upgrade your yearly subscription plan, You must contact us by sending an email to [email protected]. You accept that the additional content will be invoiced separately.

2.5 You will enter your credit card details only once, when You make your first payment, and You will give your approval that the following payments can and will be collected automatically from your credit card on the renewal dates of your subscription. We use Stripe Inc. for payment processing. We do not have access to your credit card information. We do not save or keep your credit card details and We do not accept responsibility for the payment processing.

3. Use of the Service

3.1 You represent that the information (such as identification or contact details) You provide to access and use the Service and to register your account is accurate and complete.

3.2 You agree that You should keep your passwords strictly confidential. You shall not communicate your password and your login details to any third parties. You are responsible for all the activities that occur under your password or account. We will not be liable for any loss or damage arising from your failure to properly safeguard your account or password. If You suspect any unauthorized use of your login details, You must immediately notify us by sending an email to [email protected].

3.3 Your rights arising from your subscription belong only to You and You shall not assign or transfer them to third parties. If We notice that You act in violation of these ToS, We can immediately suspend or cancel your subscription at our discretion.

3.4 You agree that You will not reproduce, duplicate, copy, sell, resell, assign or lease the Service for any purpose.

3.5 You agree that You will use the Service in a lawful manner and that You will not, and will not permit any other party (including other users) to, violate the personal rights, privacy rights, intellectual property rights, confidentiality rights or any other legally protected rights of any other person or entity.

3.6 You agree that You will not (i) attempt to reverse engineer or decompile or otherwise acquire the source code of any software in the Service, (ii) use the Service to upload, link to or send any content that is false, misleading, defamatory, violates any third party right or contractual restriction or contains unlawful, racist, or discriminatory material, or (iii) use the Service in a way that interferes with or disrupts the Service.

3.7 You agree that all the contents (such as text, photographs, etc.) that You download or post through the Service are accurate and don’t violate the intellectual property or confidential information of any third party. You agree that You will indemnify and hold us harmless from all claims, costs, damages and expenses awarded against or incurred or paid by us in connection with your breach of any third party’s intellectual property or similar rights.

3.8 You agree that You must take all kinds of precautions (including using appropriate anti-virus software) to ensure that the information, content, material or data that You upload, post or otherwise share through the Service is free from any virus, spyware, malware, trojan horses etc. or any other material that would harm the Service and the software.

3.9 You agree that You will not access, purchase or use the Service in order to create a competing product or service.

3.10 You agree that We are not obliged to control or monitor your content, third parties’ content or the use of the Service by You or other users. You also agree that We may from time to time monitor the information transmitted or received through the Service for operational and other purposes. You also acknowledge that if at any time We decide to monitor the content, We still do not accept any liability for content or any loss or damage incurred as a result of the use of content. If We decide to monitor the content, We will treat any information in accordance with our Privacy Policy.

3.11 Any breach of the above-mentioned terms under Article 3 shall be considered a material breach of the ToS.

3.12 You accept that You will defend and indemnify us, together with our directors, employees, consultants and affiliates, from and against every claim brought by a third party, and any related direct and indirect liability, damage, loss and expense arising out of or connected with (i) your use of, or misuse of, the Service; (ii) your violation of any provision of the ToS, any representation or warranty referenced in these ToS, or any applicable law or regulation; (iii) your violation of any third party right, including any intellectual property right or publicity, confidentiality, other property, or privacy right; or (iv) any dispute or issue between You and any third party. You also agree to cooperate with our defense of the said claims.

4. Adding Users to Your Account

4.1 In accordance with your subscription plan, You can authorize individuals within your entity to access and use the Service (“Authorized User(s)”). You will ensure that all Authorized Users keep their login details and passwords strictly confidential. The Authorized Users will abide by the ToS and You will be liable for actions and omissions of the Authorized Users.

4.2 Each Authorized User must use their personal username and password to access the Service. The Authorized Users shall not let others use their usernames and passwords to access the Service. If We notice that any Authorized User under your subscription plan shares their access credentials with others, lets others access and use the Service with their access credentials or acts in violation of these ToS, We can immediately suspend or cancel your subscription at our discretion.

5. Security and Privacy of Your Personal Data

5.1 We treat the privacy of your personal data as a matter of the utmost importance. It is important that You are aware of how and why We may collect and process any personal data shared through the Service, the legal basis of the processing activities and your rights in connection with your personal data. Therefore, We advise You to read our Privacy Policy carefully before purchasing a subscription and starting to use the Service. Please be aware that our Privacy Policy is an integral part of these ToS.

5.2 When You register an account with the Service and log in to your account, You agree that We collect the personal data You provide to us. When You register an account with us (including for a free trial), We will ask You to provide your name, your email address, the name of your company, the country where your company is located and your phone number.

5.3 We collect and store the following data in accordance with the ToS and our Privacy Policy, in connection with the Service: (i) E-mail addresses, addresses and contact information, (ii) IP addresses, (iii) geographical location of the devices (country and city) and (iv) information that You (or your Authorized Users) allow us to access in your social media accounts.

5.4 We may also automatically collect and store information regarding your device and browser via third parties’ software. In such a case, the software will be in compliance with the applicable law and such third parties that are in a contractual relationship with us will take the appropriate technical and organizational safeguard measures.

5.5 Our Data Processing Addendum must apply where You are the data controller and instruct us to process personal data in connection with the Service.

5.6 We process your personal data to the extent allowed by the applicable law (i) to provide You with a better Service and comply with our obligations under these ToS, (ii) to inform You of new services, features or subscription plans, (iii) to gather commercial statistics and analyses regarding the use of the Service, (iv) to communicate with You, (v) to conduct market research, and (vi) to fulfil our legal duties and/or governmental authorities’ requests in accordance with the applicable law.

5.7 You agree that We can from time to time access your account with our user login details or external software in order to carry out the investigations necessary to provide You with a better Service.

5.8 Integration with Third Party Social Media Platforms

The Service offers You a social media management tool that You may connect with your social media accounts. You can use the Service to manage your social media, including for example by posting, liking or sharing content or comments or sending messages on social media platforms such as Facebook, Instagram or Twitter. Once You send content to a social media platform by using the Service, We will no longer be responsible for such content and the content will be subject to the terms and policies of the relevant social media platform.

When You connect your social media accounts to the Service, You also agree that We will have access to certain information, such as the profile information in your social media accounts, via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read the privacy policies of the social media platforms You access via our Service carefully. You accept that We are not liable for, and make no representations as to, the third party social media platforms and their processing of your data and use of your content.

Facebook Data Policy: https://www.facebook.com/policy.php
Instagram Data Policy: https://help.instagram.com/519522125107875
Twitter Privacy Policy: https://twitter.com/en/privacy
Linkedin Privacy Policy: https://www.linkedin.com/legal/privacy-policy

You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:

Facebook and Instagram: https://www.facebook.com/help/942196655898243
Twitter: https://help.twitter.com/en/managing-your-account/connect-or-revoke-access-to-third-party-apps
Linkedin: https://www.linkedin.com/pulse/remove-third-party-apps-connected-your-linkedin-hector-rodriguez/

5.9 Please read our Privacy Policy for further details.

6. Limitation of Liability

6.1 YOU AGREE THAT THE SERVICE AND ALL MATERIALS AND CONTENT ARE PROVIDED ON AN “AS IS” BASIS, WITHOUT ANY WARRANTY. WE DISCLAIM ANY WARRANTY WHETHER EXPRESS OR IMPLIED (INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY AS TO THE QUALITY OR FITNESS FOR A PARTICULAR PURPOSE).

6.2 WE DO NOT REPRESENT OR WARRANT THAT (I) THE SERVICE IS ACCURATE, COMPLETE OR RELIABLE, OR (II) YOU WILL HAVE AN UNINTERRUPTED USE OF THE SERVICE, OR (III) THE WEBSITE OR THE SERVICE IS FREE OF ANY ERROR OR VIRUSES, OR (IV) YOU WILL OBTAIN A SPECIFIC RESULT FROM THE SERVICE.

6.3 YOU MAY HAVE ACCESS TO LINKS TO OTHER WEBSITES, PORTALS, FILES OR CONTENTS THROUGH THE SERVICE AND THE WEBSITE. YOU ACKNOWLEDGE AND ACCEPT THAT WE DO NOT VERIFY THESE AND WE DON’T HAVE ANY CONTROL OVER THEM. YOU AGREE THAT WE DO NOT ACCEPT ANY LIABILITY REGARDING THESE WEBSITES, PORTALS, FILES, CONTENTS, SERVICES OR PRODUCTS THAT ARE REACHED THROUGH THE LINKS ON THE SERVICE OR THE WEBSITE. THESE LINKS SHALL NOT BE CONSTRUED AS AN ENDORSEMENT REGARDING THE LINKED WEBSITES, THEIR CONTENTS OR OWNERS.

6.4 EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES EXPRESSLY STATED IN THE TERMS OF SERVICE, WE DO NOT MAKE ANY REPRESENTATIONS OR WARRANTIES AND WE HEREBY DISCLAIM ANY OTHER REPRESENTATIONS OR WARRANTIES, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICE OR MADE BY ANY OF OUR OFFICERS, DIRECTORS, EMPLOYEES OR ADVISORS.

6.5 YOU AGREE THAT WE SHALL NOT BE LIABLE FOR ANY DAMAGE, WHETHER DIRECT, INDIRECT, CONSEQUENTIAL OR PUNITIVE (INCLUDING ANY DAMAGE TO YOUR COMPUTER SYSTEM OR MOBILE DEVICE OR ANY LOSS OF DATA OR LOSS OF PROFITS), WHICH MAY BE INCURRED BY YOU IN CONNECTION WITH THE SERVICE AND OUR WEBSITE.

6.6 TO THE FULLEST EXTENT PERMITTED BY LAW, OUR TOTAL LIABILITY FOR ANY CLAIMS BROUGHT BY YOU IN CONNECTION WITH THE SERVICE OR OTHERWISE UNDER THE TOS, WHETHER IN CONTRACT, TORT OR OTHERWISE, SHALL BE LIMITED TO THE AMOUNT CORRESPONDING TO THE SUBSCRIPTION FEE YOU HAVE PAID US FOR THE LAST THREE (3) MONTHS PRIOR TO THE EVENT OR CIRCUMSTANCE GIVING RISE TO YOUR CLAIM.

7. Intellectual Property Rights

7.1 All legal rights, title and interest attached to the Service, patents, copyrights, trademarks, know-how and the Website, including all kinds of intellectual property rights (whether registered or not) (“Intellectual Property Rights”), are owned by us or our licensors. Your subscription to the Service shall not be considered an assignment or other transfer of any Intellectual Property Rights.

7.2 You acknowledge and agree that the Service is SaaS (Software as a Service), which means that by subscribing to the Service, You are not purchasing the software and You will not be delivered copies of the software.

7.3 By subscribing to the Service, You will be granted a limited, non-exclusive, non-assignable, non-sublicensable, revocable license to access and use the Service included in your subscription plan. You agree that this license is strictly subject to the ToS and your compliance with the ToS.

7.4 You agree and represent that all elements of text, images or other content that You provide to us in connection with or via the Service are either owned by You or You have legal and binding rights to use them, and that their usage in connection with or via the Service will not infringe the intellectual property rights of any third party. Otherwise You accept responsibility for any kind of claims made by such third parties to us regarding infringement of their intellectual property rights.

7.5 If You provide feedback regarding the Service then You hereby grant us an unrestricted, perpetual, irrevocable, non-exclusive, fully paid, royalty-free right to exploit the relevant feedback in any manner and for any purpose, including to improve the Service and create other products and services.

8. Audit Rights

You agree that We have the right to monitor your use of the Service in order to verify that You use the Service in compliance with these ToS and your subscription plan. If We find out that You have used or permitted access to the Service in a manner that is not permitted under these ToS, We may terminate your subscription, in addition to any other damages We may be entitled to under the ToS and applicable law.

9. Suspension and Termination of Your Subscription

9.1 The ToS will apply during the term of your original and renewed subscription beginning when You accept the ToS or first install, access or use the Service, unless and until terminated by You or us in accordance with the ToS.

9.2 You can terminate your subscription by unsubscribing from the Service within your registered account or by contacting customer service at [email protected] before the renewal date of your subscription. You also agree that there will be no reimbursement of the fee if You terminate your Subscription before the end of your existing plan, and You will still be able to use the Service until such date.

9.3 You agree that We can suspend your subscription at any time if You fail to fulfil your payment obligations or otherwise breach the ToS. In such a case, We will inform You by sending You an email regarding the reason for suspension and request You to remedy the breach in order to reactivate your subscription. If You fail to remedy the breach by the end of the period mentioned in the email, We will be entitled to terminate our agreement with You and end your subscription.

9.4 You agree that We are entitled to terminate our agreement with You and your account on the Service and end your subscription immediately at our sole discretion in case We believe that there is a material breach of the ToS by You (any breach of Section 3 (Use of the Service) will be considered a material breach). You also agree that We can terminate our agreement with You and your account or suspend your access to the Service at any time at our sole discretion without reason and without notice.

9.5 You agree that We are entitled to terminate our agreement with You and your account on the Service immediately if provision of the Service to You becomes illegal for any reason.

9.6 In the event of termination of the ToS, these ToS will forthwith become void, provided, however, that all payment obligations accrued prior to termination and the provisions of Sections 3.7, 6, 7.4 and 18 shall survive termination.

10. Amendment to the ToS

We reserve our right to change the ToS from time to time. When we make changes to the ToS, the updated version will be available at our website. You agree that if You continue to use the Service after the date on which the ToS have changed, this will be deemed as an acceptance of the updated ToS.

11. Modification of the Service

We reserve our right to modify, suspend or cease any features, functions, tools or other aspects of the Service, temporarily or permanently, at any time, without prior notice to you. In such cases, We will inform You by sending an e-mail or with an announcement on our Website. You accept that We will have no liability for any modification, suspension or termination of any of the features, functions, tools or other aspects of the Service and that there will be no refund of the subscription fees.

12. Entire Agreement

These ToS constitute and contain the entire agreement between You and us and supersede any and all prior agreements, arrangements and understandings between You and us relating to the Service.

13. Use of English Language

These ToS are executed in the English language and the English version of the ToS shall govern in any conflict with any non-English version. The communications between You and us shall be in English.

14. No Waiver

No failure or delay in exercising any right, power or privilege under these ToS shall operate as a waiver thereof. No waiver of any term of these ToS shall be deemed to be or construed as a further or continuous waiver of such term.

15. Severability

The unenforceability or invalidity of any provision of the ToS shall not affect the enforceability or validity of the rest of it.

16. Independent Parties

Our relationship with You is that of independent contractors dealing at arm's length. Nothing in these ToS shall constitute us as partners, joint venturers or co-owners, or constitute either of us as the agent, employee or representative of the other.

17. Effective Date and Duration

17.1 These ToS shall become effective when You accept them by clicking to accept or agree to the ToS where available or when You purchase the Service or when You start using it (free trials included).

17.2 The ToS shall remain effective during your original subscription as well as any renewed subscription until terminated by You or us in accordance with Section 8 of the ToS.

18. Governing Law and Dispute Resolution

18.1 These ToS shall be governed by and construed in accordance with the laws of England and Wales.

18.2 Any dispute arising from the ToS or your use of the Service shall be referred to the jurisdiction of the courts of England.

Data Processing Agreement

Last updated: September 12, 2021

This Data Processing Agreement applies when You, as the data controller, instruct us to process certain personal data, which You give us access to, on your behalf within the Services.

“We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

“You” are the individual or the entity (represented by an individual) that enters into this agreement with us, in order to use the Services.

The Services refer to the services provided by us that are mentioned and described on our website available at https://sociality.io/.

Terms not otherwise defined herein shall have the meaning as set forth in the Terms.

This agreement is an integral part of the Terms and any matters which are not regulated here shall be governed by the Terms.

Details of the Processing

The scope of the personal data processed under this agreement is determined and controlled by You in your sole discretion, which may include, but is not limited to the personal data of your end users submitted to You through your social media pages, such as contact details, identification data and other information regarding their activities.

The subject matter of the processing is the provision of the Services to You in accordance with the Terms. Purposes of the processing are described within the Terms.

Our Obligations

We will not process the personal data except on instructions from You as the data controller, unless We are required to do so by the applicable law.

We will process the personal data only on documented instructions from You, including with regard to transfers of the personal data to a third country or an international organisation, unless We are required to do so by the applicable law. In such a case, We will inform You of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

We will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

We will, at your choice, delete or return all the personal data to You after the end of the provision of the Services relating to processing, and delete existing copies unless the applicable law requires storage of the personal data.

We will make available to You all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You.

We will assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights, taking into account the nature of the processing.

We will take all measures required pursuant to Article 32 of the GDPR.

We will assist You in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to us.

In case of a personal data breach We will notify You without undue delay after becoming aware of the breach.

Your Responsibilities as the Data Controller

Under this Data Processing Agreement, You shall be solely responsible for complying with the legal requirements relating to data protection and privacy. Your instructions to us for the processing of personal data shall comply with the applicable law and the GDPR.

You shall inform us without undue delay and comprehensively about any errors or irregularities related to the processing of personal data.

Sub-processing

We shall not subcontract any of our processing operations performed on your behalf without your written authorization. You agree that this clause shall be considered a general written authorization within the meaning of Article 28.2 of the GDPR.

The sub-processors that are currently engaged by us are as follows:

Amazon Web Services, Inc., 410 Terry Avenue, Seattle, WA 98109 (“AWS”); AWS cloud is used to host our platform and Services;

DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013; DigitalOcean is used to host our platform and Services;

Google Inc., headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States; Google Cloud Platform is used to host our platform and Services;

Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland; used for outbound messaging and messages measurement, optimization and integrations;

Microsoft Corporation Inc., One Microsoft Way, Redmond, WA 98052-6399, United States; Azure Cognitive Services API is used in gathering news;

Sentry.io by Functional Software, Inc., 1 Baker Street Suite 5B San Francisco, CA 94117 United States; used for tracking errors on our website;

Stripe, Inc., headquartered at 510 Townsend St, San Francisco, CA 94103; used for card payment processing;

The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA; used to manage e-mail campaigns;

Webhose Ltd, 7 Metsada St. B.S.R Tower 4, POB 195 Bnei Brak 5126112 ISRAEL; Webhose.io API is used in gathering news, blogs and online discussions;

Where We engage another processor We shall have a written contract that imposes the same obligations on the sub-processor as are imposed on us in this Data Processing Agreement.

If We intend to change the current sub-processors or engage other sub-processors, We will inform You and give You the opportunity to object to such changes in writing within 5 days after being notified. You hereby agree that, in order to object to a sub-processor, You must have reasonable grounds to believe that the engagement of the relevant sub-processor poses a risk to the protection of personal data.

Audit Rights

We shall, in accordance with the applicable law, and in response to a reasonable written request by You, make available to You such information in our possession or control as relates to our compliance with the obligations of data processors in connection with this agreement.

You may carry out or have an auditor carry out audits in order to review our compliance with technical and organizational security measures and our obligations pursuant to this agreement, upon written request and at least 30 days’ notice, during regular business hours and without interrupting our daily operations.

We shall, upon your written request and on at least 30 days’ notice, provide You with all information necessary for such audit, to the extent that such information is within our control and We are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

Duration

This Data Processing Agreement shall remain effective as long as the Terms are effective.


Privacy Policy

Last updated: September 12, 2021

Preamble

This Privacy Policy describes what kind of personal data we may collect, store and process when you visit our Website and subscribe to our Service, what the legal bases for processing such data are, and how we will use and protect it.

As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK has implemented the GDPR into its national law with the UK General Data Protection Regulation, which came into effect on 1 January 2021 (“UK GDPR”).

This Privacy Policy has been developed in compliance with the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and any matter that isn’t described here shall be subject to the applicable rules of the UK Data Protection Regime.

We may change the Privacy Policy from time to time due to changes on our Website or the Service or any other reason which requires us to do so; therefore, we recommend you check the Privacy Policy on a regular basis. In case of material changes, we will notify you (if you are already a customer and you have provided us your contact details) by sending you an email.

“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

The Service refers to the services mentioned and described on our Website.

We implement appropriate technical and organisational measures to safeguard your rights, freedoms and legitimate interests regarding processing of your personal data and ensure that processing of your personal data is performed in accordance with the UK Data Protection Regime. Please also see our Data Retention Policy, Records Retention Schedule and our Information Security Policy for further details on safety and protection of your data.

We will process your personal data in accordance with the principles of lawfulness, fairness and transparency under Article 5 of the UK GDPR. This means that we will process your personal data only if:

(i) you have given your consent to the processing of your personal data for one or more specific purposes; or
(ii) processing is necessary for the performance of a contract with you (when you subscribe to the Service), or
(iii) processing is necessary for compliance with a legal obligation, or
(iv) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

2. What types of personal data do we process?

As the data controller, we collect certain data from (i) visitors of the Website, (ii) our customers (usually corporate entities) who have subscribed to the Service and (iii) individuals who are appointed and authorised by the customers to use and manage the Service on their behalf.

We may collect your personal data when you visit the Website, subscribe for the Service, register an account with us, complete forms on the Website and contact us on a customer service issue.

We may process, among others, (i) your email address, (ii) invoices, (iii) information about your browser and IP address, (iv) the geographic location of your device (country and city only) and (v) information that you and/or your employees or representatives allow us to access in your social media pages.

We may automatically collect and store information about your device and browser via third-party software such as cookies. In such cases the software will comply with the applicable law, and the third parties concerned, which are in a contractual relationship with us, will take appropriate technical and organisational safeguards. Please see our Cookie Notice for further information about these technologies and how you can manage your cookie preferences.

The Service is a social media management service; therefore, we may obtain certain data from social media platforms via these platforms’ APIs. The scope of the data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. We will have access to such data only with your prior authorisation. Please see below the section on the “Integration with Third Party Social Media Platforms” for further details.

Please see below the table No. 1 and No.2 for detailed information on which data we process.

3. How do we use your personal data?

We may use your personal data (i) to operate our Website and to protect it against attacks, (ii) to provide you with the Service, (iii) to develop our business and customer relations, (iv) to provide technical support regarding the Service, (v) to send you updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the Website and (vii) to fulfil our legal obligations.

Our third party partners may collect information using cookies in our services to deliver targeted ads displayed to you on third-party websites and applications. Please see our Cookie Policy to learn how to set your cookie preferences.

You may find further details on which data we may process, why we may process such data and the legal reason for such processing in Table No.1 and Table No.2 below.

Table No.1 – Visitors of the Website

VISITORS OF THE WEBSITE

Relevant data | Why do we process it? | Legal basis for processing
Email address | Visitors of the Website can share their email address so that we can contact them and further explain our services and subscription terms. | Art. 6(1)(a) of the UK GDPR: consent of the data subject.
Location (city) | We process this information to learn the local time zone and the language of the visitor's operating system, so that we can send our automated messages in their language. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in sending automated messages, in the appropriate language, to visitors who shared their email address to receive further explanation of the Service and the subscription terms.
Information regarding the browser and operating system | We process this information (i) to understand the origin of the problem when a visitor experiences a technical problem with the Website and (ii) to detect unauthorised interference with the Website and exercise our legal rights in respect of it. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in ensuring that the Website functions as it should and in protecting it against attacks and unauthorised interference.
IP address | We process this information to identify the IP addresses of persons who attempt to breach our security or use the Website for unlawful purposes, and to prevent them from re-entering the Website. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in ensuring the IT and information security of our Website and the Service.

Table No.2 – Subscribers of the Service

SUBSCRIBERS OF THE SERVICE

Relevant data | Why do we process it? | Legal basis for processing
Email address | We process the email addresses of the users of the Service to let them create a user account, to verify that they are existing customers or users appointed by corporate customers, and to communicate with them about the Service and under the customer contract (to send invoices, notices etc.). | Art. 6(1)(b) of the UK GDPR: processing is necessary for the performance of the contract between us and the customer.
Location (city) | We process this information to learn the local time zone and the language of the user's operating system, so that we can send our automated messages in their language. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in sending automated messages to our customers in the appropriate language.
Information regarding the browser and operating system | We process this information (i) to understand the origin of the problem when a user experiences a technical problem with the Website and (ii) to detect unauthorised interference with the Website and exercise our legal rights in respect of it. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in ensuring that the Website functions as it should and in protecting it against attacks and unauthorised interference.
IP address | We process this information to identify the IP addresses of persons who attempt to breach our security or use the Website for unlawful purposes, and to prevent them from re-entering the Website. | Art. 6(1)(f) of the UK GDPR: our legitimate interest in ensuring the IT and information security of our Website and the Service.
Username of the users appointed by the customers | Users must choose a username, which may differ from their real first and last name, in order (i) to sign up for their account and create a password and (ii) to log in to the Service. Users are identified by their usernames within the Service. | Art. 6(1)(b) of the UK GDPR: processing is necessary for the performance of the contract between us and the customer.
Profile picture of users / logo of corporate customers | Users can optionally upload a profile picture as part of their user profile. When uploading it, the data subject must approve that the picture is displayed within the Service and is visible to other users. | Art. 6(1)(a) of the UK GDPR: consent of the data subject.
Telephone number | We process this information only if the user wants us to contact them by phone regarding their subscription. It is optional. | Art. 6(1)(a) of the UK GDPR: consent of the data subject.
Social media profiles and information regarding the pages linked to them | We provide a social media management platform, and the social media profiles and accounts of our users are the core of our business; therefore we need to process this information. We have access to the social media pages (Facebook, Instagram, Twitter, LinkedIn and YouTube) of our users, who act as data controller and give us access to the pages they choose to receive the Service for. | Art. 6(1)(b) of the UK GDPR: processing is necessary for the performance of the contract between us and the customer.
Contracts | We keep our customer contracts in order to verify that they are existing customers, to fulfil our obligations and to defend ourselves against future legal claims. | Art. 6(1)(b) of the UK GDPR: processing is necessary for the performance of the contract between us and the customer; and Art. 6(1)(f) of the UK GDPR: our legitimate interest in defending ourselves against future legal claims.
Invoices | We keep our customers' invoices as required by tax and financial laws. | Art. 6(1)(c) of the UK GDPR: processing is necessary for compliance with a legal obligation to which we are subject (tax and financial laws).

4. Transfer of Personal Data to Third Party Organisations and Countries

Compliance with law

We may share your personal data where we are under a legal obligation to disclose such data. This could be based on an applicable law, a governmental request or a court order. We may also share your personal data with authorized bodies if we suspect illegal activities, violation of our Terms of Use and policies or fraud in order to protect our website and the services.

Third Party Service Providers

We may transfer your personal data to a third country or to an international organization, provided that the conditions laid down in the UK GDPR are complied with and that there will be an adequate level of protection and safeguards measures for the privacy of your personal data.

If your personal data is transferred to a third country or to an international organisation, you will have the right to be informed of the appropriate safeguards relating to the transfer.

Transfers of Personal Data from the European Union countries to the United Kingdom: According to the Trade and Cooperation Agreement (Art. FINPROV.10A), transfers of personal data from EU countries to the UK were not treated as transfers to a third country until the end of April 2021, a period that was extended by two further months or until the date on which an adequacy decision in relation to the UK was adopted by the European Commission.
On 19 February 2021, the European Commission published its draft decisions on the UK's adequacy under the GDPR and found the UK to be adequate. On 14 April 2021, the European Data Protection Board announced that it had adopted its opinion on the European Commission's adequacy decisions. The European Commission adopted the adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between the EU and the UK. The adequacy decision includes a ‘sunset clause’, which means that it will automatically expire four years after its entry into force. A new decision will be adopted if the UK continues to ensure an adequate level of data protection.

Transfers of Personal Data from the UK to EU countries: It is permitted according to the UK Data Protection Regime.

You may see below in Table 3 and Table 4 detailed information about the third party organisations that we share data with. When such third party organisations process personal data on behalf of us, we sign a data processing agreement with them, as required by the UK GDPR.

Table 3- Transfer of Personal Data within the EU (your data is not transferred outside of the EU)

RECIPIENT | WHICH DATA DO WE TRANSFER? | WHY DO WE TRANSFER DATA?
Sqreen SAS, 24 rue du Sentier, 75002 Paris, France (privacy policy: https://www.sqreen.com/privacy) | E-mail addresses and IP addresses. | Art. 6(1)(f): our legitimate interest in ensuring IT and information security for our Website and the Service.
Amazon Web Services Inc., 410 Terry Avenue, Seattle, WA 98109 (privacy policy: https://aws.amazon.com/privacy/) | Our Service is hosted on AWS servers in its European data centre in Ireland. | The AWS cloud is used to host our platform and the Service.

Table 4- Transfer of Personal Data outside of the EU (your data may be transferred outside of EU)

We have concluded data processing agreements and standard contractual clauses with the third-party organisations, which may transfer your data outside of the EU.

Pursuant to the GDPR, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. Such safeguards may be provided by standard data protection clauses adopted by the European Commission. On 4 June 2021 the European Commission adopted Decision (EU) 2021/914, which provides modernised standard contractual clauses. Standard contractual clauses concluded before 27 September 2021 on the basis of Decision 2001/497/EC or Decision 2010/87/EU are deemed to remain valid until 27 December 2022. We will conclude the new standard contractual clauses with our third-party service providers that are not based in the European Union or the UK before that date.

RECIPIENT | WHICH DATA DO WE TRANSFER? | WHY DO WE TRANSFER DATA?
Intercom, Inc. / Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor, San Francisco, California 94105 (privacy policy: https://www.intercom.com/legal/terms-and-policies#eu-us_access-questions) | Information in the user's profile in the Service and information provided by users when they send us messages on the Website. | We use Intercom to communicate with the users of our Service for customer service and information requests.
ProfitWell (200 OK, LLC), 109 Kingston Street, Fourth Floor, Left, Boston, Massachusetts 02111 (privacy policy: https://www.profitwell.com/privacy-policy) | Billing information and e-mail addresses of our customers. | We use ProfitWell to prepare our financial reports.
Announcekit (Restpack Inc), 2035 Sunset Lake Road, Suite B-2, Newark, Delaware 19702 (privacy policy: https://restpack.io/restpack/privacy) | IP address and browser information. | Announcekit customises our in-product announcements for different countries.
Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, U.S.A. (privacy policy: https://policies.google.com/privacy) | Google Analytics: usage habits of users, in anonymised form. Google Cloud Platform: all customer and visitor data that we process; we use Google Cloud Platform servers located in London, UK. | Google Analytics: to understand the performance of our website and improve it, tracking user behaviour in anonymised form. Google Cloud Platform: our platform and the Service are hosted on GCP.
DigitalOcean LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013 (privacy policy: https://www.digitalocean.com/legal/privacy-shield/) | | DigitalOcean hosts our platform and the Services.
Cloudflare, Inc., 101 Townsend Street, San Francisco, California 94107 (privacy policy: https://www.cloudflare.com/privacypolicy/) | Internet traffic logs (e.g. IP addresses) of visitors to our Website. | We use Cloudflare's internet security services to protect our Website and the Service.
Stripe, Inc., 510 Townsend St, San Francisco, CA 94103 (privacy policy: https://stripe.com/privacy-shield-policy) | E-mail addresses and invoice details. | We use Stripe for our customers' credit card payment processing. We do not process or store customers' credit card details.
Mailchimp (The Rocket Science Group, LLC), 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA (privacy policy: https://mailchimp.com/legal/privacy/) | E-mail addresses. | We use the Mailchimp platform to send information and updates about the Service.
Functional Software, Inc. (Sentry), 132 Hawthorne Street, San Francisco, California 94107 (privacy policy: https://sentry.io/privacy/#eu-us-privacy-shield) | Usernames, e-mail addresses and click gestures of users. | Sentry informs us if and when a user had difficulty using the Service, by pointing out the username, e-mail address and the button that caused the difficulty.
Slack Technologies, Inc., Slack Legal Department, 500 Howard Street, San Francisco, California 94105 (privacy policy: https://slack.com/intl/en-tr/privacy-policy) | E-mail addresses of our customers. | We use Slack to receive and handle notices of any trouble our customers encounter while using the Service.
Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052 (privacy statement: https://privacy.microsoft.com/en-us/privacystatement) | Microsoft may collect your personal data when you visit our Website and offers appropriate opt-out choices as required by data protection laws. | We use Microsoft Clarity, a user behaviour analytics tool that helps us understand how users interact with our Website through features such as session replays and heatmaps.

Integration with Third Party Social Media Platforms

The Service offers you a social media management tool that you may connect with your social media accounts. You can use the Service to manage your social media, for example by posting, liking or sharing content or comments, or by sending messages on social media platforms such as Facebook, Instagram or Twitter. Once you send content to a social media platform by using the Service, we are no longer responsible for that content, which becomes subject to the terms and policies of the relevant social media platform.

When you connect your social media accounts to the Service, you also agree that We will have access to certain information such as your profile information in your social media accounts via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read carefully the privacy policies of the social media platforms you access via our Service. You accept that we are not liable for, and make no representations as to the third party social media platforms and their processing of your data and use of your content.

Facebook Data Policy: https://www.facebook.com/policy.php
Instagram Data Policy: https://help.instagram.com/519522125107875
Twitter Privacy Policy: https://twitter.com/en/privacy
Linkedin Privacy Policy: https://www.linkedin.com/legal/privacy-policy

You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:

Facebook and Instagram: https://www.facebook.com/help/942196655898243
Twitter: https://help.twitter.com/en/managing-your-account/connect-or-revoke-access-to-third-party-apps
Linkedin: https://www.linkedin.com/pulse/remove-third-party-apps-connected-your-linkedin-hector-rodriguez/

5. Data Retention

We will not retain your personal data longer than is necessary for the purposes for which it was processed. Where it is no longer necessary to retain your personal data, we will either delete it or make it anonymous. Please see our Data Retention Policy for further details.

6. Your rights in connection with your privacy and your personal data

a. Automated individual decision making

You have the right not to be subject to a decision based solely on automated processing, including profiling, except when it is necessary for entering into, or performance of our agreement (the Terms) or the Services or is authorised by the applicable law to which We are subject.

b. Your right of access

You have the right to request confirmation from us as to whether or not your personal data is being processed. If your personal data is processed, you will have access to your personal data and the following information: (i) the purposes of the processing, (ii) the categories of your personal data, (iii) the recipients or categories of recipient to whom your personal data have been or will be disclosed, (iv) where possible, the envisaged period for which your personal data will be stored or, if not possible, the criteria used to determine that period, (v) the existence of the right to request rectification or erasure of your personal data from us, (vi) your right to lodge a complaint with a supervisory authority, (vii) where your personal data was not collected from you, any available information as to its source, and (viii) the existence of automated decision-making, including profiling.

c. Your right to rectification

You have the right to obtain the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed.

d. Your right to data portability

You have the right to receive your personal data You shared with us in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted directly to another data controller, where it’s technically feasible and it does not adversely affect the rights and freedoms of others.

e. Your right to object to processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on (i) the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) the necessity for the purposes of our or a third party’s legitimate interests. In such case, we will cease to process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

f. Your right to object to direct marketing

You have the right to object at any time to the processing of your personal data for direct marketing purposes.

g. Your right to restriction of processing

You have the right to request that we restrict the processing of your personal data if you contest the accuracy of your personal data or the lawfulness of the processing. Upon your request, we will restrict the processing of your personal data, with the exception of storage and of processing for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest. We will inform you immediately if and when the restriction is lifted.

h. Your right to be forgotten

You have the right to request us to erase your personal data without undue delay where your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or you withdraw your consent and there is no other legal ground for the processing. In such case we will immediately delete your personal data except when the processing of your personal data is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the establishment, exercise or defence of legal claims.

i. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you think that the processing of your personal data infringes the applicable law.

7. Notification of a personal data breach

In the case of a personal data breach, we will notify the breach to the competent supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to you without undue delay, unless:

(i) appropriate technical and organisational protection measures, in particular measures that render the personal data unintelligible to any person not authorised to access it (such as encryption), had been applied to the personal data affected by the breach, or
(ii) we have since taken measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise, or
(iii) individual communication would involve disproportionate effort. In that case, we will make a public communication or take a similar measure whereby the data subjects are informed in an equally effective manner.

8. Contact us

Please send us an email at [email protected] if you have any questions or concerns regarding this Privacy Policy and personal data processing.


Information Security

Last Updated: September 12, 2021

“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

The Service refers to the services mentioned and described in our Website.

Overview

This Policy gives a high-level overview of the technical and organisational measures we implement to keep the personal data we process safe and secure. Keeping the personal data of our customers and visitors protected at all times is our highest priority. Have questions or feedback? Feel free to reach out to us at [email protected]

Purpose

The purpose of this Policy is to make sure that we are in compliance with the following requirements and principles under the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and provide adequate safety and protection to personal data.

According to the principle of integrity and confidentiality (Article 5(1)(f)) under the UK GDPR, “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Furthermore, article 32(1) of the UK GDPR stipulates that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

Accordingly, we must ensure that personal data can be accessed only by authorised personnel, that the data we retain is accurate and complete, and that the data remains accessible and usable.

Dedicated Security Team

Our security team is composed of security experts dedicated to improving the security of our organization. Our employees are trained on security incident response and are on call 24/7.

TECHNICAL SECURITY MEASURES

A. INFRASTRUCTURE

a. Cloud infrastructure

All of our services run in the cloud. We don't host or run our own routers, load balancers, DNS servers or physical servers. Our service is built on Amazon Web Services and Google Cloud Platform, which provide strong security measures to protect our infrastructure and hold widely recognised security certifications. Our Service is hosted on AWS servers in its European data centre in Ireland and on Google Cloud Platform servers in London, UK.

You can read more about their practices here:

b. Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorized access is performed using:

  • Virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  • Firewall that monitors and controls incoming and outgoing network traffic.
  • Intrusion Detection and/or Prevention technologies solution (IDS/IPS) that monitors and blocks potential malicious packets.
  • IP address filtering

c. DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

d. Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit following industry best practice, using Transport Layer Security (TLS).
Encryption at rest: All our user data (including passwords) is encrypted in the database using battle-tested encryption algorithms.

e. Business continuity, back-ups and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
All text and statistics data pertaining to the whole system are automatically backed up every day at 01:00 to Google Cloud hosts located in London. Each day's backup is kept for 30 days and then automatically deleted. Multimedia data (visuals, video, Excel files, presentation files) are not backed up.
Every Saturday at 5 am, teams and accounts that were marked as “to be deleted” during the previous week, together with all their associated data, are permanently deleted from the database.

f. Application security monitoring

We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
We use tooling to monitor exceptions and logs and to detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications' activity.
We use distributed tracing (OpenTracing) to monitor our microservices.

g. Application security protection

We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time.
We use HTTP security headers to protect our users from attacks.
We use security automation that automatically detects and responds to threats targeting our applications.
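The security-headers claim above is one a customer can verify from outside, by inspecting a response from the Website. The following is an added example, not Sociality.io's code and not a description of its configuration: it parses a raw HTTP response and reports which common hardening headers are missing or weak. The two responses are constructed, and the thresholds (a one-year HSTS max-age, no 'unsafe-inline' scripts without nonces, Secure and HttpOnly on cookies) are general hardening guidance rather than anything the page states about the Service.

```python
"""Audit an HTTP response for the hardening headers a web application is
expected to send. Added example, not Sociality.io code; the two responses
below are constructed, and the thresholds are common hardening guidance
rather than anything the page states about the Service."""
import re


def parse_headers(raw: str) -> dict:
    """Parse a raw response (status line followed by header lines) into a
    dict keyed by lower-cased header name. Repeated fields are joined with
    ', ' as RFC 9110 allows for list-valued headers."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def _hsts_max_age(value: str) -> int:
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit_headers(raw: str) -> list:
    """Return a list of findings (empty when the response passes every check)."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing: first request can be downgraded to plain HTTP")
    elif _hsts_max_age(hsts) < 31536000:
        findings.append("Strict-Transport-Security max-age shorter than one year")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing: no defence in depth against injected scripts (XSS)")
    elif "'unsafe-inline'" in csp and "'nonce-" not in csp:
        findings.append("Content-Security-Policy permits 'unsafe-inline' without nonces")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing: browsers may MIME-sniff uploads into scripts")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("No framing protection (X-Frame-Options or CSP frame-ancestors): clickjacking possible")

    if h.get("referrer-policy", "").lower() in ("", "unsafe-url"):
        findings.append("Referrer-Policy missing or unsafe-url: full URLs leak to third-party sites")

    cookie = h.get("set-cookie", "").lower()
    if cookie and ("secure" not in cookie or "httponly" not in cookie):
        findings.append("Set-Cookie without Secure and HttpOnly: cookie exposed to plaintext transport or script")

    for leaky in ("server", "x-powered-by"):
        if leaky in h:
            findings.append(f"{leaky} header discloses software: {h[leaky]}")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: nginx/1.18.0
X-Powered-By: Express
Set-Cookie: session=abc123; Path=/
"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d41d8cd9'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_headers(resp)
        print(f"{label}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

Run against a live site, the raw response would come from `curl -sI https://example.invalid` (hypothetical host) or an HTTPS client; the checks are deliberately conservative, so a passing result means the headers are present and sane, not that the policy values are right for the application.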

h. Secure development

Our development follows established security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following practices to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them has known vulnerabilities
  • We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
  • We use Dynamic Application Security Testing (DAST) to scan our applications
  • We engage third-party security experts yearly to perform penetration tests of our applications.

i. Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

j. Responsible disclosure

We encourage everyone who practises responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion depending on the criticality of the vulnerability reported.

B. USER PROTECTION

  • 2-factor authentication: We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
  • Account takeover protection: We protect our users against data breaches by monitoring and blocking brute force attacks.
  • Single sign-on: Single sign-on (SSO) is offered to our enterprise customers and is available using your Google account.
  • Role-based access control: Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions.

ORGANISATIONAL SECURITY MEASURES

We believe that to establish efficient security and protection of personal data within our organisation, it is crucial to adopt a “culture of security awareness”. For this reason, we ask all our employees to be familiar with this Information Security Policy as well as our Privacy Policy, Data Retention and Erasure Policy and any other policies related to information security.

Our employees sign an employment agreement, which contains a confidentiality undertaking, when joining the company to protect our customers' sensitive information.

Our employees have access to personal data of the users of our Service and visitors of our Website on a need-to-know basis. Access to personal data is always limited to the extent necessary for the duties of such employees and administrators.

Our employees do not have access to our users’ accounts except when a user encounters a technical problem regarding the Service. In the event of a technical problem, users can allow our technical team to access their account for 72 hours to fix the problem. At the expiry of the 72 hours, access is automatically revoked and our technical team no longer has access to the relevant user’s account.

Our employees can use their own devices (mobile phones, tablets and computers) to access business email and the applications we use for communication. All employees are obliged to set strong passwords for access to their devices, keep the passwords strictly confidential and change them regularly. Employees must not leave their devices unlocked when unattended. When an employee's employment ends, we revoke their access to their business email, our Slack account and all other software that we use for internal communication and work.

Bug Bounty Program: You can report vulnerabilities regarding our system by contacting s[email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.


Data Retention and Erasure

Last updated: September 12, 2021

INTRODUCTION

We need to collect personal information of our employees and other people that we work with or have a business relationship with, to effectively carry out our business activities and to provide the services and products we offer to our customers.

We are subject to the UK GDPR and the Data Protection Act 2018 (together, the “UK Data Protection Regime”) and we need to have efficient data and records management accordingly. This policy aims to inform our employees, sub-contractors and other staff, as well as our customers and visitors of our website, of how we intend to handle data retention and erasure in accordance with the applicable legislation.

This policy puts in place the rules for efficient data and records management, which meets the legislative and regulatory requirements as well as the business requirements. The data and records management will ensure that our business activities are conducted in a structured, efficient and accountable manner while delivering services to our customers and protecting the interests of our employees. It will also facilitate and manage protection, retention and erasure of personal data that we process and enforcement of individuals’ rights regarding their data.

KEY TERMS

“We”, “us”, “our”, “Company” refers to Sociality.io Limited.

“UK GDPR” means the Regulation (EU) 2016/679 as incorporated in the UK legislation.

“records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

WHAT IS THE PURPOSE OF THIS POLICY?

The purpose of this Data Retention and Erasure Policy is to set forth our policy on how to provide a structured and compliant data and records management system.

Our data and records management system shall ensure that it provides an efficient and systematic management and control over the creation, receipt, maintenance, use, distribution, retention and erasure of such records.

This policy is also to clarify the processes we use to store and destroy information and what information we retain for legal/regulatory reasons and for business reasons and their retention periods.

Our objectives are (i) to retain personal data for as long as is necessary, (ii) to ensure safe and secure disposal of confidential and personal data, (iii) to ensure that records are retained for the legal, contractual and regulatory period, and (iv) to comply with the relevant data protection legislation and the contractual obligations.

WHO IS SUBJECT TO THIS POLICY?

This policy applies to all our employees, sub-contractors, third party representatives and any other staff within the Company. Compliance with this policy is mandatory for such persons and non-compliance may lead to disciplinary sanctions.

PERSONAL DATA AND THE STORAGE LIMITATION PRINCIPLE

This Policy and our processing activities comply fully with the UK GDPR’s principle set forth in Article 5(1)(e) called “storage limitation”, which stipulates that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.

DATA RETENTION AND STANDARD RETENTION PERIODS

We will not keep personal data longer than we need to or are required by law. When determining our need to keep personal data, we will balance our needs with the impact of retention on individuals’ privacy.

Our standard retention periods are shown in our Records Retention Schedule. We periodically review our standard records retention periods to ensure that they are not longer than we actually need.

We may need to keep personal data longer than the standard retention periods to defend possible future legal claims or when we are served with a legal request for records or notified of the commencement of any litigation against us or an employee. In such a case, we will only keep the information which could possibly be relevant to such a claim and delete the rest.

We may need to keep personal financial and tax data to comply with tax regulations for the period specified by applicable tax laws.

EXPIRATION OF RETENTION PERIOD

At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

HOW WILL THE DATA BE ERASED?

A. Paper Records

We retain limited paper based personal information and when we do, we ensure that we retain it in a confidential and compliant manner. We use onsite-shredding to dispose of all paper materials.

B. Electronic & IT Records and Systems

We store our data in the cloud. We do not use external disks or USB devices to store data. We make sure that all unnecessary data is removed from the cloud in a way that ensures it cannot be reconstructed.

ERASURE OF THE PERSONAL DATA

Inactive users: All data related to the inactive customers (users) shall be automatically deleted every ninety days unless there is a legal ground to keep such information.

Right to be forgotten: According to Article 17 of the UK GDPR, individuals have a “right to be forgotten”, which means they are entitled to request erasure of their personal data, verbally or in writing. This right only applies in the presence of one of the following conditions:

(i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes,
(iv) the personal data have been unlawfully processed;
(v) the personal data have to be erased for compliance with an applicable legal obligation;
(vi) the personal data have been collected in relation to the offer of information society services to a child.

The Company has the necessary procedures and measures to ensure that a request for erasure of personal data is duly responded to within the legal time limit, and appropriate methods to erase such data, when the request complies with one of the above-mentioned conditions. If we need an extension of time due to the complexity or the volume of the request, we will inform the individual within one month of receipt of the request. If such personal data was disclosed to other recipients, the Company shall contact each recipient and inform them of the erasure.

If such personal data was shared with third parties in accordance with our Privacy Policy, the Company will take every reasonable step taking into account available technology and cost of implementation, to inform other controllers who are processing such data to erase links to, copies or replication of such data.

Users: Our customers (users) who subscribed to our services can also request erasure of their personal data via their user dashboard on our Website, as follows:

(i) For the users of our Service, we provide a button of “delete my data and close my account” within their account with the Service. They may request erasure of their data by clicking that button.
(ii) When we receive such a request through the software which we use for customer support communication, we will ask for confirmation from such users regarding their request.
(iii) Once the user confirms their request, data of such user is marked as “to be erased” within our internal management panel (KIOSK) accessed only by authorized persons.
(iv) Our system then sends an informative email to the managers regarding erasure of such user’s data, who verify whether the request complies with the above mentioned conditions and whether no other legal obligation or legitimate interest applies.
(v) If the request complies with the above-mentioned conditions, erasure of all data (text data, statistical data, multimedia data) starts on the following Saturday at 05:00 UTC and is completed on the same day.

REFUSAL TO COMPLY WITH A REQUEST FOR ERASURE

We may refuse to comply with a request for erasure when an individual’s right to erasure does not apply or when the request is manifestly unfounded or excessive. In such cases, we will inform the individual immediately about the refusal and the reasons for the refusal, reminding the individual of their right to make a complaint to the supervisory authority and to seek a judicial remedy, in any case at the latest within one month of the receipt of the request.

An individual’s right to erasure does not apply if processing of the relevant personal data is necessary:

(i) to exercise the right of freedom of expression and information; or
(ii) to comply with a legal obligation; or
(iii) to perform a task carried out in the public interest or in the exercise of official authority; or
(iv) for archiving purposes in the public interest, scientific or historical research or statistical purposes; or
(v) to establish, exercise or defend a legal claim.


Record Retention Schedule

Last updated: September 12, 2021

KEY TERMS

“We”, “us”, “our”, “Company” refers to Sociality.io Limited.

“records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

INTRODUCTION

The purpose of this record retention schedule (RRS) is to ensure that our records management system functions properly and efficiently and that no record is retained longer than needed. This RRS also serves as a guide for our employees with respect to their responsibility regarding record retention.

This RRS is to be reviewed regularly to ensure that it complies with our Data Retention Policy.

Records relating to a specific customer or user may need to be retained beyond the retention period mentioned below, in the following cases:

(i) Legal proceedings or an official investigation,
(ii) A crime is suspected or detected.

At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

We categorise the records based on their content, such as contracts, employee records, etc. The RRS shows how long each category of record is retained based on business and legal requirements.

Our RRS is organised as follows:

I- Corporate Records
II- Contracts
III- Customer Information
IV- Correspondence, E-mail and Other Communications
V- Legal files and papers
VI- Employee files and records
VII- Tax Records

I. Corporate Records

Record Type | Retention Period
--- | ---
Corporate records | Life of the company
Licenses and permits | Life of the company
Intellectual property documents | Life of the company
Annual audit reports and financial statements | Life of the company
Annual plans and budget | Life of the company
Bank statements and cancelled cheques | Life of the company
Interim financial statements | Life of the company

II. Contracts

Record Type | Retention Period | Notes
--- | --- | ---
Contracts (including customer contracts) and correspondence and notices related to contracts and the services | 7 years following the termination of the contracts | The legal limitation period is 6 years for breach of contract. We retain such records for 7 years to be able to defend possible future legal actions.
Information relating to customers’ subscriptions | Same retention period as the relevant customer contract |
Information contained in or relating to any communications sent through the Website regarding the Service under a customer contract | Same retention period as the relevant customer contract |

III. Customer Information

Record Type | Retention Period | Notes
--- | --- | ---
Information about a computer, including visits to and use of our Website (including an IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths) | 90 days following the termination of the customer contract or trial period |
Information provided when completing a profile on our website | 90 days following the termination of the customer contract or trial period | We may retain such information longer if requested by the customer for future subscriptions.
Information provided for the purpose of subscribing to email notifications and/or newsletters | Until the customer chooses to “unsubscribe” |
Information contained in or relating to any communications sent through the Website | 90 days following the termination of the customer contract or trial period |
Customer invoices and payment details | 7 years | Companies Act and VAT Act

IV. Correspondence, E-mails and Other Communications

Record Type | Retention Period
--- | ---
Correspondence that is material to a particular contract or relates to a significant project | 7 years after expiration or termination of the relevant project and/or the contract

V. Legal Files and Papers

Record Type | Retention Period
--- | ---
Legal memoranda and opinions | Permanent
Litigation files | 3 years following expiry of appeals or time for filing appeals
Court orders | Permanent

VI. Employee Files and Records

The Company keeps employee files and records, if any, for as long as required by relevant employment and social security laws.

Record Type | Retention Period | Notes
--- | --- | ---
Job applications / interviews of unsuccessful candidates | During the evaluation of the application and until the final decision |
Employee personnel records (annual leave, performance evaluations, notices, training) | 6 years + 6 months following the termination of the contracts | The limitation period to bring a civil legal action is 6 years.
Employment contracts | 6 years + 6 months following the termination of the contracts | The limitation period to bring a civil legal action is 6 years.
Bank details of employees | During the employment term |
Employee earning records (including details of overtime, bonuses, sick pay, and all other records and documents relating to the calculation and payment of employee pay) | 7 years (or to the end of any tax enquiry, if longer) | Limitation period on potential claims
Employee related/payroll tax records (including annual returns of taxable pay and tax paid) | 7 years | Companies Act; Finance Act 1998; limitation period on potential claims

VII. Tax Records

Record Type | Retention Period
--- | ---
Tax-exemption documents and related correspondence | Permanent
Tax bills, receipts, statements | Permanent
Tax returns | Permanent
Sales/use tax records | Permanent
Annual information returns Permanent

Compliance

Last updated: September 12, 2021

GDPR Compliance

The General Data Protection Regulation (“GDPR”) is the data privacy and protection legislation of the European Union. Its purpose is to protect fundamental rights and freedoms of natural persons and their rights to protection of their personal data.

The GDPR has an extra-territorial scope. It applies to the processing of personal data by a controller or processor not established in the European Union, when the processing activities are related to (i) the offering of goods or services to such data subjects who are in the European Union or (ii) the monitoring of their behaviour as far as their behaviour takes place within the European Union.

As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK has implemented the GDPR into its national law as the UK General Data Protection Regulation, which came into effect on 1 January 2021. We are now compliant with both the GDPR and the UK GDPR.

We have prepared the following data protection policies and documents:

  • Privacy Policy
  • Cookie Policy
  • Information Security Technical and organisational measures
  • Data Retention and Erasure Policy
  • Record Retention Schedule

Please read the above mentioned documents to learn more about our data processing activities and protection of your personal data.

Transfer of personal data from the EU to the UK:

According to the Trade and Cooperation Agreement (Art. FINPROV.10A), transfer of personal data from the E.U. countries to the UK was not considered a transfer to a third country until the end of April 2021, a period which was extended by two further months or until the date when an adequacy decision in relation to the UK is adopted by the European Commission. On 19 February 2021, the European Commission published its draft decisions on the UK’s adequacy under the GDPR and found the UK to be adequate. On 14 April 2021, the European Data Protection Board announced that it had adopted its opinion on the European Commission’s adequacy decisions. The European Commission announced that it adopted the adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between Europe and the UK. The adequacy decision includes a ‘sunset clause’, which means that the decision will automatically expire four years after its entry into force. There will be a new decision if the UK continues to ensure an adequate level of data protection.

Pursuant to the GDPR, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the European Commission. The European Commission adopted Decision 2021/914/EU on 4 June 2021, which provides for modernised standard contractual clauses. Standard contractual clauses concluded before 27 September 2021 on the basis of Decision 2001/497/EC or Decision 2010/87/EU will be deemed to apply until 27 December 2022. We will sign new standard contractual clauses with our third-party service providers who are not based in the European Union or the UK by then.

CCPA Compliance

The California Consumer Privacy Act (CCPA), effective since 1 January 2020, is a data protection law that protects the residents of California and governs their rights regarding their personal data.

According to the CCPA, data subjects have a right:

(i) to access all the data that a company has processed regarding them and receive a copy of such data,
(ii) to receive a list of all the third parties that their personal data is transferred to,
(iii) to know what personal data is being collected.

We will always be transparent about the data we collect, why we collect and how we use such data, as well as the third parties’ access to such data. Our Privacy Policy provides a detailed explanation regarding these matters.

We will never sell your information.

If you have any question or concern regarding processing of your personal data by Sociality.io, please send us an email at [email protected] and we will do our best to help you.

PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), which is an independent body that was created by the major payment card brands.

We do not store credit card information, but since we accept credit cards as a form of payment, we must be in compliance with PCI DSS. Our check-out process is handled by Stripe, which is certified as a PCI Service Provider Level 1. Please see Stripe’s Security Page for more details.
