Legal

Sociality.io is built from the ground up with users' rights to privacy and information security in mind. To keep our services on the highest standards, we invest continuously in our infrastructure and processes. We are grateful for your trust in our platform, and the following resources represent our commitment to being transparent about our practices.

Terms of Service

Last updated: December 12, 2020

THESE TERMS OF SERVICE CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND SOCIALITY. PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE ACCESSING, INSTALLING, USING AND/OR PURCHASING ANY OF THE SERVICES PROVIDED BY SOCIALITY, INCLUDING A FREE TRIAL.

BY ACCESSING, INSTALLING, USING OR PURCHASING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU ARE OF LEGAL AGE TO ENTER INTO AN AGREEMENT AND YOU HAVE READ AND ACCEPTED THESE TERMS OF SERVICE AS WELL AS THE PRIVACY POLICY AND ANY ADDITIONAL TERMS AND POLICIES SOCIALITY MAY PROVIDE FROM TIME TO TIME.

These Terms of Service are the general terms of our agreement with You to govern your access, purchase and use of the Service. Our agreement will also include special terms, such as subscription rates and payment terms depending on the subscription plan You purchased. If there are special terms applicable to the subscription plan chosen by You, these special terms will be made available to You and be an integral part of these Terms.

These Terms of Service, our Privacy Policy and the special terms form the entire agreement (referred to below as the "Terms") between You and Sociality.

“Sociality”, “We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

“You” are the individual or the entity (represented by an authorized individual) that enters into this agreement with us, in order to access, use and purchase the Service.

The Service provides a social media management platform that enables users to publish posts on social platforms at a scheduled time, reply to user messages on social media channels, monitor brand keywords on the public web results, analyse the performance of their social media pages and benchmark these pages with other pages' public data. You may find detailed information about the Service in our website available at https://sociality.io (the “Website”).

We advise you to print and keep the Terms in your files.

1. Acceptance of the Terms

1.1 You must first agree to the Terms in order to access, purchase and/or use the Service, including any free trial.

1.2 If You have any question or doubt regarding any provision of the Terms, please don’t purchase or use any part of the Service and send us an email at [email protected] regarding your concerns.

1.3 In order to accept the Terms, You must be of legal age to enter into an agreement. If You are a legal entity (organization, company, etc.) the person who accepts the Terms on your behalf represents and warrants that he/she has the authority to represent and bind You to the Terms.

1.4 You can accept the Terms by clicking to accept or agree to the Terms where available or by purchasing, accessing, using or installing the Service (free trials included). By performing one of these options, You represent and accept that You have read, understood and agreed to be bound by the Terms.

2. Payment Terms

2.1 You must pay the whole amount applicable to the parts of the Service You chose and subscribed for. The prices applicable to the Service and the payment methods are published on our web site available at https://sociality.io/pricing.

2.2 You agree that if You change your subscription plan, You will be liable for the amount applicable to the new plan.

2.3 You agree that You are liable to pay any taxes applicable to your obligations under the Terms and in relation to the Service.

2.4 If You purchase a monthly subscription, You can add new services or remove some of them from your subscription plan during your subscription month. When You do that, We will inform You that such a transaction will affect your next invoice amount. You will also be able to see your invoice details in a separate page on your account. You agree that if You alter the content of your subscription, your invoice amount will be updated in accordance with your modified subscription plan and the updated amount will apply to your next invoice.

2.5 If You purchase a yearly subscription, You can remove some of the services from your subscription plan but there will be no reimbursement of the fee. If You wish to expand the content of your yearly subscription plan, You must contact us by sending an email to [email protected]. You accept that the additional content will be invoiced separately.

2.6 You will enter your credit card details only once, when You make your first payment and You will give your approval that the following payments can and will be collected automatically from your credit card on the renewal dates of your subscription. We use Stripe Inc. for payment processing. We do not save or keep your credit card details and We do not accept responsibility for the payment processing.

3. Use of the Service

3.1 You represent that the information (such as identification or contact details) You provide to access and use the Service and to register your account is accurate and complete.

3.2 You agree that You should keep your passwords in strict confidentiality. You shall not communicate your password and your login details to any third parties. If You suspect any unauthorized use of your login details, You must immediately notify us by sending an email to [email protected].

3.3 Your rights arising from your subscription belong only to You and You shall not assign or transfer them to third parties. If We notice that You act in violation of this Term, We can immediately suspend or cancel your subscription at our discretion.

3.4 You agree that You will not reproduce, duplicate, copy, sell, resell, assign, and lease the Service for any purpose.

3.5 You agree that You will use the Service in a lawful manner and You will not violate, or permit any other party (including other users) to violate, personal rights, privacy rights, intellectual property rights, confidentiality rights and any other legally protected rights of any other person or entity.

3.6 You agree that You will not (i) attempt to reverse engineer or decompile or otherwise acquire the origin code of any software in the Service, (ii) use the Service to upload, link to or send any content that is false, misleading, defamatory, violates any third party right or contractual restriction or contains unlawful, racist, or discriminatory material, (iii) use the Service in a way that interferes with or disrupts the Service.

3.7 You agree that all the contents (such as text, photographs, etc.) that You download or post through the Service are accurate and don’t violate the intellectual property of any third party. You agree that You will indemnify and hold us harmless from all claims, costs, damages and expenses awarded against or incurred or paid by us in connection with your breach of any third party’s intellectual property or similar rights.

3.8 You agree that You must take all kinds of precautions (including using appropriate anti-virus software) to ensure that the information, content, material or data that You upload, post or share otherwise through the Service, are free from any virus, spyware, malware, trojan horses etc. or any other material that would harm the Service and the software.

3.9 You agree that You will not access, purchase and use the Service in order to create a competitive product or services.

3.10 You agree that We are not responsible to control and monitor your content, third parties’ content or the use of the Service by You or other users. You also agree that we may from time to time monitor the information transmitted or received through the Service for operational and other purposes. You also acknowledge that if at any time we decide to monitor the content, We still do not accept any liability for content or any loss or damage incurred as a result of the use of content. If We decide to monitor the content, We will treat any information in accordance with our Privacy Policy.

3.11 Any breach of the above mentioned terms under Article 3 should be considered as a material breach of the Terms.

3.12 You accept that You will defend and indemnify us together with our directors, employees, consultants and affiliates from and against every claim brought by a third party, and any related direct and direct liability, damage, loss and expense arising out of or connected with (i) your use of, or misuse of the Service; (ii) your violation of any provision of the Terms, any representation or warranty referenced in these Terms, or any applicable law or regulation; (iii) your violation of any third party right, including any intellectual property right or publicity, confidentiality, other property, or privacy right; or (iv) any dispute or issue between You and any third party. You also agree to cooperate with our defense of the said claims.

4. Adding Users to Your Account

4.1 You can add users to your account in accordance with your subscription plan provided that these users accept and approve to be bound by the Terms. The number of additional users shall not exceed the number of users permitted in your subscription plan.

4.2 Each user, including the users under the same subscription plan, must use his/her personal username and password to access the Service. Users shall not let others use their usernames and passwords to access the Service. If We notice that any user under your subscription plan shares his/her access credentials with others, let others access and use the Service with his/her access credentials or act in violation of this Term, We can immediately suspend or cancel your subscription at our discretion.

4.3 You will be liable for actions and omissions of the users under your subscription plan in relation to the use of the Service.

5. Security and Privacy of Your Personal Data

5.1 We treat the privacy of your personal data with the utmost importance.

5.2 When You register an account with the Service and login to your account, You agree that We collect the personal data You provide to us. When You register an account with us (including for a free trial), We will ask You to provide your name, your email address, the name of your company, the country where your company is located and your phone number.

5.3 We collect and store the following data in accordance with the Terms and our Privacy Policy, in connection with the Service: (i) E-mail addresses, addresses and contact information, (ii) IP addresses, (iii) information that You (or your users) allow us to access in your social media accounts.

5.4 We may also automatically collect and store the information regarding your device and the browser via third parties’ software. In such a case, the software will be in compliance with the applicable law and such third parties that are in a contractual relationship with us will take the appropriate technical and organizational safeguard measures.

5.5 We provide You a social media management service; therefore, We may obtain personal data from the social media platforms via these platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms.

5.6 The Data Processing Agreement annexed to the Terms (Annex 1) must apply where You are the data controller and instruct us to process personal data in connection with the Services.

5.7 We process your personal data to the extent allowed by the applicable law (i) to provide You with better Service, (ii) to inform You of new services, features or subscription plans, (iii) to gather commercial statistics and analyses regarding the use of the Service, (iv) to communicate with You, (v) to conduct market research, (vi) to fulfil our legal duties and/or governmental authorities’ requests in accordance with the applicable law.

5.8 You agree that We can from time to time access your account with our user login details or external software in order to do the necessary investigations to provide you better Service.

5.9 Please read our Privacy Policy available at https://sociality.io/privacy for further details.

6. Limitation of Liability

6.1 YOU AGREE THAT THE SERVICES AND ALL MATERIALS AND CONTENT ARE PROVIDED ON “AS IS” BASIS, WITHOUT ANY WARRANTY. WE DISCLAIM ANY WARRANTY WHETHER EXPRESS OR IMPLIED (INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY AS TO THE QUALITY OR FITNESS FOR A PARTICULAR PURPOSE).

6.2 WE DO NOT REPRESENT OR WARRANT THAT (I) THE SERVICE IS ACCURATE, COMPLETE OR RELIABLE, OR (II) YOU WILL HAVE AN UNINTERRUPTED USE OF THE SERVICE, OR (III) THE WEBSITE OR THE SERVICE IS FREE OF ANY ERROR OR VIRUSES, OR (IV) YOU WILL OBTAIN A SPECIFIC RESULT FROM THE SERVICE.

6.3 YOU MAY HAVE ACCESS TO LINKS TO OTHER WEBSITES, PORTALS, FILES OR CONTENTS THROUGH THE SERVICE AND THE WEBSITE. YOU ACKNOWLEDGE AND ACCEPT THAT WE DO NOT VERIFY THESE AND WE DON’T HAVE ANY CONTROL OVER THEM. YOU AGREE THAT WE DO NOT ACCEPT ANY LIABILITY REGARDING THESE WEBSITES, PORTALS, FILES, CONTENTS, SERVICES OR PRODUCTS THAT ARE REACHED THROUGH THE LINKS ON THE SERVICE OR THE WEBSITE. THESE LINKS SHALL NOT BE CONSTRUED AS AN ENDORSEMENT REGARDING THE LINKED WEBSITES, THEIR CONTENTS OR OWNERS.

6.4 EXCEPT FOR THE REPRESENTATIONS AND WARRANTIES EXPRESSLY STATED IN THE TERMS, WE DO NOT MAKE ANY REPRESENTATIONS OR WARRANTIES AND WE HEREBY DISCLAIM ANY OTHER REPRESENTATIONS OR WARRANTIES, WHETHER ORAL OR WRITTEN, OBTAINED BY YOU FROM THE SERVICE OR MADE BY ANY OF OUR OFFICERS, DIRECTORS, EMPLOYEES OR ADVISORS.

6.5 YOU AGREE THAT WE SHALL NOT BE LIABLE FOR ANY DAMAGE, DIRECT OR INDIRECT OR CONSEQUENTIAL OR PUNITIVE DAMAGES (INCLUDING ANY DAMAGE TO YOUR COMPUTER SYSTEM OR MOBILE DEVICE OR ANY LOSS OF DATA OR LOSS OF PROFITS) WHICH MAY BE INCURRED BY YOU RELATED WITH THE SERVICES.

6.6 TO THE FULLEST EXTENT PERMITTED BY LAW, OUR TOTAL LIABILITY FOR ANY CLAIMS BROUGHT BY YOU IN CONNECTION WITH THE SERVICE OR OTHERWISE UNDER THE TERMS, WHETHER IN CONTRACT, TORT OR OTHERWISE, SHALL BE LIMITED TO THE AMOUNT CORRESPONDING TO THE SUBSCRIPTION FEE YOU HAVE PAID US FOR THE LAST THREE (3) MONTHS PRIOR TO THE EVENT OR CIRCUMSTANCE GIVING RISE TO YOUR CLAIM.

7. Intellectual Property Rights

7.1 All legal rights, title and interest attached to the Service, patents, copyrights, trademarks, knowhow and the Website including all kinds of intellectual property rights (whether registered or not) (“Intellectual Property Rights”) are owned by us or our licensors. Your subscription to the Service shall not be considered as an assignment or otherwise transfer of any Intellectual Property Rights.

7.2 You acknowledge and agree that the Service is a SaaS (software as a Service), which means that by subscribing to the Service, You are not purchasing the software and You will not be delivered copies of the software.

7.3 By subscribing to the Service, You will be granted a limited, non-exclusive, non-assignable, non-sublicensable, revocable license to access and use the Service included in your subscription plan. You agree that this license is strictly subject to the Terms and your compliance with the Terms.

7.4 You agree and represent that all elements of text, images or other content that You provide to us related with or via the Service are either owned by You or You have legal and binding rights to use them and that their usage related with or via the Service will not infringe intellectual property rights of any third party. Otherwise You accept to be responsible for any kind of claims made by such third parties to us regarding infringement of their intellectual property rights.

7.5 If You provide feedback regarding the Service then You hereby grant us an unrestricted, perpetual, irrevocable, non-exclusive, fully paid, royalty-free right to exploit the relevant feedback in any manner and for any purpose, including to improve the Service and create other products and services.

8. Suspension and Termination of Your Subscription

8.1 The Terms will apply during the term of your original and renewed subscription beginning when You accept the Terms or first install, access or use the Service, unless and until terminated by You or us in accordance with the Terms.

8.2 You agree that the subscription to the Service is on either monthly or yearly basis. You can terminate your subscription by unsubscribing from the Service within your registered account or by contacting customer service at [email protected] before the renewal date of your subscription. You also agree that there will be no reimbursement of the fee if You terminate your subscription before its expiry date and You will still be able to use the Service until such date.

8.3 You agree that We can suspend your subscription at any time if You fail to fulfil your payment obligations or You breach the Terms otherwise. In such a case, We will inform You by sending You an email regarding the reason for suspension and request You to remedy the breach in order to reactivate your subscription. If You fail to remedy the breach until the end of the period mentioned in the email, We will be entitled to terminate our agreement with you and end your subscription.

8.4 You agree that We are entitled to terminate our agreement with You and your account on the Service and end your subscription immediately at our sole discretion in case We believe that there is a material breach of the Terms by You (any breach of Section 3-Use of the Services will be considered a material breach). You also agree that We can terminate our agreement with You and your account or suspend your access to the Service at any time at our sole discretion without reason and without notice.

8.5 You agree that We are entitled to terminate our agreement with You and your account on the Service immediately if provision of the Service to You becomes illegal for any reason.

8.6 In the event of termination of the Terms, these Terms will forthwith become void, provided, however, all payment obligations accrued prior to termination and the provisions of Section 3.7, 6, 7.4 and 17 should survive after termination.

9. Amendment to the Terms

We reserve our right to change the Terms from time to time. When we make changes to the Terms, the updated version will be available at our website. You agree that if You continue to use the Service after the date on which the Terms have changed, this will be deemed as an acceptance of the updated Terms.

10. Modification of the Service

We reserve our right to modify or cease certain features of the Service, temporarily or permanently. In such cases, We will notify You by sending an e-mail or with an announcement on our Website. You accept that We will have no liability for any modification, suspension or termination of any of the features of the Service and that there will be no refund of the subscription fees.

11. Entire Agreement

These Terms constitute and contain the entire agreement between You and us and supersede any and all prior agreements, arrangements and understandings between You and us relating to the Service.

12. Use of English Language

The Terms are executed in the English language and the English version of the Terms shall govern in any conflict with any non-English version. The communications between You and us shall be in English.

13. No Waiver

No failure or delay in exercising any right, power or privilege under these Terms shall operate as a waiver thereof. No waiver of any term of these Terms shall be deemed to be or construed as a further or continuous waiver of such term.

14. Severability

The unenforceability or invalidity of any provision of the Terms shall not affect the enforceability or validity of the rest of it.

15. Independent Parties

Our relationship with You is that of independent contractors dealing at arm's length. Nothing in these Terms shall constitute us as partners, joint ventures or co-owners, or constitute either of us as the agent, employee or representative of the other.

16. Effective Date and Duration

16.1 These Terms shall become effective when You accept the Terms by clicking to accept or agree to the Terms where available or You purchase the Service or You start using it (free trials included).

16.2 The Terms shall remain effective during your original subscription as well as any renewed subscription until terminated by You or us in accordance with Section 8 of the Terms.

17. Governing Law and Dispute Resolution

17.1 These Terms shall be governed by and construed in accordance with the laws of the United Kingdom.

17.2 Any dispute arising from the Terms shall be referred to the jurisdiction of the courts of the UK.

Annex 1 - Data Processing Agreement

This Data Processing Agreement applies when You, as the data controller, instruct us to process certain personal data, which you give us access to, on behalf of You within the Services.

“We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

“You” are the individual or the entity (represented by an individual) that enters into this agreement with us, in order to use the Services.

The Services refer to the Services mentioned and described in our website available at https://sociality.io/ provided by us.

Terms not otherwise defined herein shall have the meaning as set forth in the Terms.

This agreement is an integral part of the Terms and any matters which are not regulated here shall be governed by the Terms.

Details of the Processing

The scope of the personal data processed under this agreement is determined and controlled by You in your sole discretion, which may include, but is not limited to the personal data of your end users submitted to You through your social media pages, such as contact details, identification data and other information regarding their activities.

The subject matter of the processing is the provision of the Services to You in accordance with the Terms. Purposes of the processing are described within the Terms.

Our Obligations

We will not process the personal data except on instructions from You as the data controller, unless We are required to do so by the applicable law.

Taking into account the nature of the processing, We will assist You by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights laid down in the GDPR.

We will process the personal data only on documented instructions from You, including with regard to transfers of the personal data to a third country or an international organisation, unless We are required to do so by the applicable law. In such a case, We will inform You of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

We will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

We will, at your choice, delete or return all the personal data to You after the end of the provision of the Services relating to processing, and delete existing copies unless the applicable law requires storage of the personal data.

We will make available to You all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by You.

We will make available to You all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You.

We will assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights, taking into account the nature of the processing.

We will take all measures required pursuant to Article 32 of the GDPR.

We will assist You in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to us.

In case of a personal data breach We will notify You without undue delay after becoming aware of the breach.

Your Responsibilities as the Data Controller

Under this Data Processing Agreement, You shall be solely responsible for complying with the legal requirements relating to data protection and privacy. Your instructions to us for the processing of personal data shall comply with the applicable law and the GDPR.

You shall inform us without undue delay and comprehensively about any errors or irregularities related to the processing of personal data.

Sub-processing

We shall not subcontract any of our processing operations performed on behalf of You without your written authorization. You agree that this clause shall be considered a general written authorization in the meaning of Article 28.2 of the GDPR.

The sub-processors that are currently engaged by us are as follows:

Agile CRM Inc., First Floor, Plot No. 8 & 9, Jubilee Enclave, Opp. HITEX Entrance, Hyderabad, Telangana 500084, India; used for customer relations management processes;

Amazon Web Services, Inc., 410 Terry Avenue, Seattle, WA 98109 (“AWS”); AWS cloud is used to host our platform and Services;

DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor New York, NY 10013; Digital Ocean is used to host our platform and Services;

Google Inc., headquartered at 1600 Amphitheatre Parkway Mountain View CA 94043, United States; Google Cloud Platform is used to host our platform and Services;

Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta; used for collecting customer feedback and understanding user behaviors;

Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland; used for outbound messaging and messages measurement, optimization and integrations;

Leadfeeder by Liidio Oy, Mikonkatu 17, 00100 Helsinki, Finland; used for identifying prospects and customers on our website;

Microsoft Corporation Inc., One Microsoft Way, Redmond, WA 98052-6399, United States; Azure Cognitive Services API is used in gathering news;

Sentry.io by Functional Software, Inc., 1 Baker Street Suite 5B San Francisco, CA 94117 United States; used for tracking errors on our website;

Stripe, Inc., headquartered at 510 Townsend St, San Francisco, CA 94103, used for card payment processing;

The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA; used to manage e-mail campaigns;

Webhose Ltd, 7 Metsada St. B.S.R Tower 4, POB 195 Bnei Brak 5126112 ISRAEL; Webhose.io API is used in gathering news, blogs and online discussions;

Mixpanel, One Front Street, 28th Floor, San Francisco, CA 94111; used to analyze and report user behaviours.

Where We engage another processor We shall have a written contract that imposes the same obligations on the sub-processor as are imposed on us in this Data Processing Agreement.

If We intend to change the current sub-processors or engage other sub-processors, We will inform You and give You the opportunity to object to such changes in writing within 5 days after being notified. You hereby agree that, to object to sub-processors, You must have reasonable grounds that the engagement of the relevant sub-contractor poses a risk to the protection of personal data.

Audit Rights

We shall, in accordance with the applicable law, and in response to a reasonable written request by You, make available to You such information in our possession or control related to our compliance with the obligations of data processors in connection with this agreement.

You may carry out or have an auditor carry out audits in order to review our compliance with technical and organizational security measures and our obligations pursuant to this agreement, upon written request and at least 30 days’ notice, during regular business hours and without interrupting our daily operations.

We shall, upon your written request and on at least 30 days’ notice, provide You with all information necessary for such audit, to the extent that such information is within our control and We are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

Duration

This Data Processing Agreement shall remain effective as long as the Terms are effective.


Privacy Policy

Last updated: December 12, 2020

Preamble

This Privacy Policy describes what kind of personal data we may collect, store and process when you visit our Website and subscribe to our Service, what are the legal reasons to process such data, and how we will use and protect it. This Privacy Policy has been developed in compliance with the GDPR (General Data Protection Regulation) and any matter that isn’t described here shall be subject to the terms of the GDPR.

We may change the Privacy Policy from time to time due to changes on our Website or the Service or any other reason which requires us to do so; therefore, we recommend you check the Privacy Policy on a regular basis. In case of material changes, we will notify you (if you are already a customer and provided us your contact details) by sending you an email.

“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083. The Service refers to the services mentioned and described in our Website.

We implement appropriate technical and organisational measures to safeguard your rights, freedoms and legitimate interests regarding processing of your personal data and ensure that processing of your personal data is performed in accordance with the GDPR. Please also see our Data Retention Policy, Records Retention Schedule and our Information Security Policy for further details on safety and protection of your data.

We will process your personal data in accordance with the principle of lawfulness, fairness and transparency under Article 5 of the GDPR. It means that we will process your personal data only if:

(i) you have given your consent to the processing of your personal data for one or more specific purposes; or
(ii) processing is necessary for the performance of a contract with you (when you subscribe to the Service), or
(iii) processing is necessary for compliance with a legal obligation, or
(iv) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

2. What type of personal data do we process?

As the data controller, we collect certain data of the visitors of the Website, our customers (usually corporate entities), who subscribed to the Service and individuals who are appointed by the customers to use and manage the Service on behalf of them.

We may collect your personal data when you visit the Website, subscribe for the Service, register an account with us, complete forms on the Website and contact us on a customer service issue.

We may process, among others, (i) your email address, (ii) invoices, (iii) information with respect to your browser and IP address, (iv) information that you and/or your employees or representatives allow us to access in your social media pages.

We may automatically collect and store information regarding your device and browser via third parties’ software such as cookies. In such cases, the software will be in compliance with the applicable law, and such third parties that are in a contractual relationship with us will take the appropriate technical and organizational safeguard measures. Please see our Cookie Notice for further information regarding these technologies and how you can manage your cookie preferences.

The Service is a social media management service; therefore, we may obtain certain data from social media platforms via these platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. We will have access to such data only with your prior authorisation.

Please see Table No.1 and Table No.2 below for detailed information on which data we process.

The Data Processing Agreement annexed to the Terms, which is available at https://sociality.io/tr/terms, must apply where you are the data controller and instruct us to process personal data in connection with the Service.

3. How do we use your personal data?

We may use your personal data (i) to operate our Website and to protect it against attacks, (ii) to provide you with the Service, (iii) to develop our business and customer relations, (iv) to provide technical support regarding the Service, (v) to send you updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the Website and (vii) to fulfil our legal obligations.

You may find further details on which data we may process, why we may process such data and the legal reason of such processing in Table No.1 and Table No.2 below.

Table No.1 – Visitors of the Website

VISITORS OF THE WEBSITE
Relevant Data | Why do we process? | Legal reason of processing
E-mail address | Visitors to the Website can choose to provide us their email address in order for us to communicate with them and further explain our services and subscription terms. | Art 6(1)(a) of the GDPR: Consent of the data subject.
Location (City) | We process this information to learn about the local time zone and language of the operating system of the visitor so that we can send our automated messages in their language. | Art 6(1)(f) of the GDPR: Our legitimate interest to send automated messages to the visitors who provided us their e-mail address for receiving further explanation regarding the Service and subscription terms in the appropriate language.
Information regarding the browser and operating system | We process this information (i) to understand the origin of the problem when a visitor is experiencing a technical problem with the Website, (ii) to detect unauthorized interference with the Website and exercise our legal rights regarding such unauthorized interference. | Art. 6(1)(f) of the GDPR: Our legitimate interest to ensure that the Website is functioning as it should be and to protect it against attacks and unauthorized interferences.
IP | We process this information to determine the IP addresses of persons who attempt to breach our security and use the Website for unlawful purposes and to prevent them from re-entering the Website. | Art 6(1)(f) of the GDPR: Our legitimate interest to ensure IT and information security of our website and the Service.

Table No.2 – Subscribers of the Service

SUBSCRIBERS OF THE SERVICE
Relevant Data | Why do we process? | Legal reason of processing
E-mail address | We process the e-mail address of the users of the Service to enable them to create a user account with the Service, to verify that they are existing customers or users appointed by corporate customers and to communicate with them regarding the Service and pursuant to the customer contract (to send invoices or notices etc.) | Art 6(1)(b): processing is necessary for the performance of the contract between us and the customer.
Location (City) | We process this information to learn about the local time zone and language of the operating system of the user so that we can send our automated messages in their language. | Art 6(1)(f) of the GDPR: Our legitimate interest to send automated messages to our customers in the appropriate language.
Information regarding the browser and operating system | We process this information (i) to understand the origin of the problem when a visitor is experiencing a technical problem with the Website, (ii) to detect unauthorized interference with the Website and exercise our legal rights regarding such unauthorized interference. | Art. 6(1)(f) of the GDPR: Our legitimate interest to ensure that the Website is functioning as it should be and to protect it against attacks and unauthorized interference.
IP | We process this information to determine the IP addresses of persons who attempt to breach our security and use the Website for unlawful purposes and to prevent them from re-entering the Website. | Art 6(1)(f) of the GDPR: Our legitimate interest to ensure IT and information security of our website and the Service.
Username of the users appointed by the customers | Users need to choose a username, which can be different than their real name and last name, in order (i) to sign up to their accounts and create a password and (ii) to log in to the Service. The users are identified with their usernames within the Service. | Art 6(1)(b): processing is necessary for the performance of the contract between us and the customer.
Profile picture of users / Logo of corporate customers | The users can choose to upload a profile picture as part of their user's profile. It is optional to upload a profile picture. | Art 6(1)(a) of the GDPR: Data subject's consent. When uploading the profile picture, the data subject must approve the processing of their profile picture to be used within the Service for description purposes and that the other users will have access to it.
Telephone number | We process this information only if the user wants us to communicate with them regarding their subscription by phone. It is optional. | Art 6(1)(a) of the GDPR: Consent of the data subject.
Social media profiles and information regarding pages linked to the social media profiles | We provide a social media management platform and social media profiles and accounts of our users are the core of our business; therefore, we need to process such information. We have access to social media pages (Facebook, Instagram, Twitter, LinkedIn and YouTube) of our users, who act as the data controller and give us access to social media pages they choose to receive the Service for. | Art 6(1)(b): processing is necessary for the performance of the contract between us and the customer.
Contracts | We keep our customer contracts in order to verify they are existing customers, to fulfil our obligations and to defend us from future legal claims. | Art 6(1)(b): processing is necessary for the performance of the contract between us and the customer. Art.6(1)(f) of the GDPR: Our legitimate interest to defend us from future legal claims.
Invoices | We keep our customers’ invoices. | Art 6(1)(c): processing is necessary for compliance with a legal obligation to which we are subject: tax and financial laws.

4. Transfer of Personal Data to Third Party Organisations and Countries

We may transfer your personal data to a third country or to an international organization, provided that the conditions laid down in the GDPR are complied with and that there will be an adequate level of protection and safeguard measures for the privacy of your personal data.

If your personal data is transferred to a third country or to an international organisation, you will have the right to be informed of the appropriate safeguards relating to the transfer.

You may see below in Table 3 and Table 4 detailed information about the third party organisations that we share data with. When such third party organisations process personal data on behalf of us, we sign a data processing agreement with them, as required by the GDPR.

Table 3- Third Party Organisations Located in EU (your data is not transferred outside of EU)

RECIPIENT | WHICH DATA DO WE TRANSFER? | WHY DO WE TRANSFER DATA?
Hotjar Limited, Level 2, St Julian’s Business Centre, 3, Elia Zammit Street, St Julian’s STJ 1000, Malta | Users’ mouse movements when they use our Website. Please see Hotjar’s Commitment to GDPR: https://www.hotjar.com/legal/compliance/gdpr-commitment/ | We use Hotjar’s services to collect customer feedback and understand user behaviours.
Sqreen SAS, 24, rue du Sentier 75002 Paris, France | E-mail addresses and IPs. Please see Sqreen’s Privacy Policy for further details: https://www.sqreen.com/privacy | Art.6(1)(f) - Legitimate interest to ensure IT and information security for our website and the service.

Table 4- Third Party Organisations Located outside of EEA (your data may be transferred outside of EEA)

We have concluded data processing agreements and standard contractual clauses with the third-party organisations, which may transfer your data outside of the EU.

RECIPIENT | WHICH DATA DO WE TRANSFER? | WHY DO WE TRANSFER DATA?
Intercom, Inc. Intercom R&D Unlimited Company, 55 2nd Street, 4th Floor San Francisco, California 94105 | Information on the user’s profile in the Service and information provided by users when they send us messages on the Website. Please see Intercom’s Privacy Policy for further details: https://www.intercom.com/legal/privacy | We use Intercom to communicate with the users of our Service for customer services and information requests from our users.
ProfitWell, 200 OK, LLC 109 Kingston Street, Fourth Floor, Left Boston, Massachusetts 02111 | Billing information and e-mail addresses of our customers. Please see ProfitWell’s Privacy Policy for further details: https://www.profitwell.com/privacypolicy | We use ProfitWell to prepare our financial reports.
Announcekit Restpack Inc, 2035 Sunset Lake Road Suite B-2 Newark, Delaware 19702 | IP and browser information. Please see Restpack’s Privacy Policy for further details: https://restpack.io/restpack/privacy | Announcekit customizes our announcements within the system for different countries.
Amazon Web Services Inc., 410 Terry Avenue, Seattle, WA 98109 | Please see AWS’s Privacy Policy: https://aws.amazon.com/privacy/ | AWS cloud is used to host our platform and Service.
Google LLC, 1600 Amphitheatre Parkway Mountain View CA 94043, U.S.A. | Google Analytics: We transfer the usage habits of the users in an anonymous way, to track user behaviour anonymously. Google Cloud Platform: All customers’ and visitors’ data, which are processed. Please see Google’s Privacy Policy for further details: https://policies.google.com/privacy | Google Cloud Platform: Our platform and Service is hosted by GCP. Google Analytics: We use Google Analytics to understand the performance of our website and to improve our website.
DigitalOcean LLC, 101 Avenue of the Americas, 10th Floor New York, NY 10013 | Please see DigitalOcean’s Privacy Policy for further details: https://www.digitalocean.com/legal/privacyshield/ | Digital Ocean is hosting our platform and Services.
Cloudflare, Inc., 101 Townsend Street San Francisco, California 94107 | Internet traffic logs (e.g. IP addresses) of visitors of our Website. Please see Cloudflare’s Privacy Policy for further details: https://www.cloudflare.com/privacypolicy/ | We use Cloudflare for internet security services to protect our Website and the Service.
Stripe, Inc., 510 Townsend St, San Francisco, CA 94103 | E-mail addresses and invoice details. Please see Stripe’s Privacy Policy for further details: https://stripe.com/privacy-shield-policy | We use Stripe services for our customers’ credit card payment processing. We do not process or store credit card details of the customers.
Mailchimp platform created by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA | E-mail addresses. Please see Mailchimp’s Privacy Policy for further details: https://mailchimp.com/legal/privacy/ | We use the Mailchimp platform to send information or updates about the Service.
Zapier, Inc., 548 Market St #62411 San Francisco, California 94104 | E-mail addresses and the monthly fee paid by the user. Please see Mixpanel’s Privacy Policy for further details: https://zapier.com/privacy | Zapier automates processes between online software applications. It does not collect personal data, but it passes through their systems. We use Zapier to transfer data to ProfitWell.
Functional Software, Inc. (Sentry), 132 Hawthorne Street San Francisco, California 94107 | Username, e-mail addresses and click gestures of the users. Please see Sentry’s Privacy Policy for further details: https://sentry.io/privacy/#eu-us-privacy-shield | Sentry informs us if and when a user had a difficulty using the Service, by pointing out the username, e-mail address and the relevant button that caused such difficulty.
Slack Technologies, Inc., Slack Legal Department, 500 Howard Street San Francisco, California 94105 | Slack collects and processes e-mail addresses of our customers. Please see Slack’s Privacy Policy for further details: https://slack.com/intl/en-tr/privacy-policy | We use Slack for communication of any trouble our customers encounter while using the Service. We receive notices of troubles through Slack platform.

5. Data Retention

We will not retain your personal data longer than is necessary for the purposes for which it was processed. Where it is no longer necessary to retain your personal data, we will either delete it or make it anonymous. Please see our Data Retention Policy for further details.

6. Your rights in connection with your privacy and your personal data

a. Automated individual decision making

You have the right not to be subject to a decision based solely on automated processing, including profiling, except when it is necessary for entering into, or performance of our agreement (the Terms) or the Services or is authorised by the applicable law to which We are subject.

b. Your right of access

You have the right to request confirmation from us as to whether or not your personal data is being processed. If your personal data is processed, You will have access to your personal data and the following information: (i) the purposes of the processing, (ii) the categories of your personal data, (iii) the recipients or categories of recipient to whom your personal data have been or will be disclosed, (iv) where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period, (v) the existence of the right to request us rectification or erasure of your personal data, (vi) your right to lodge a complaint with a supervisory authority, (vii) where your personal data is not collected from the data subject, any available information as to their source, (viii) the existence of automated decision-making, including profiling.

c. Your right to rectification

You have the right to obtain the rectification of your personal data that is inaccurate. You also have the right to have your incomplete personal data completed.

d. Your right to data portability

You have the right to receive your personal data You shared with us in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted directly to another data controller, where it’s technically feasible and it does not adversely affect the rights and freedoms of others.

e. Your right to object to processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on (i) the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) the necessity for the purposes of our or a third party’s legitimate interests. In such a case, we will cease to process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

f. Your right to object to direct marketing

You have the right to object at any time to processing of your personal data for direct marketing,

g. Your right to restriction of processing

You have the right to request us to restrict processing of your personal data if you contest the accuracy of your personal data or lawfulness of the processing. Upon your request, we will restrict the processing of your personal data, with the exception of storage and/or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform You immediately if and when the restriction is lifted.

h. Your right to be forgotten

You have the right to request us to erase your personal data without undue delay where your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or you withdraw your consent and there is no other legal ground for the processing. In such case we will immediately delete your personal data except when the processing of your personal data is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the establishment, exercise or defence of legal claims.

i. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you think that the processing of your personal data infringes the applicable law.

7. Notification of a personal data breach

In the case of a personal data breach, we will notify the breach to the competent supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to you without undue delay, unless:

(i) appropriate technical and organisational protection measures have been implemented, and those measures were applied to the personal data affected by the personal data breach, or
(ii) the subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize, have been implemented, or
(iii) it would involve disproportionate effort. In such a case, we will make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

8. Contact us

You can contact us through our email address [email protected] with respect to your questions or concerns regarding this Privacy Policy.


Information Security

Last updated: December 12, 2020

“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 278 Langham Road, N15 3NP, London, United Kingdom, registered with the Company Registration Number: 11158083.

The Service refers to the services mentioned and described in our Website.

Overview

This Policy describes the technical and organisational measures we implement to keep personal data that we process safe and secure. Keeping personal data of our customers and visitors protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected]

Purpose

The purpose of this Policy is to make sure that we are in compliance with the following requirements and principles under the GDPR and provide adequate safety and protection to personal data.

According to the principle of integrity and confidentiality (Article 5(1)(f)) under the GDPR, “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

Furthermore, article 32(1) of the GDPR stipulates that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

In this scope, we must ensure that personal data can only be accessed by authorized personnel, data we retain is accurate and complete and data remains accessible and usable.

Dedicated Security Team

Our security team is comprised of security experts dedicated to improving the security of our organization. Our employees are trained on security incident response and are on call 24/7.

Technical Security Measures

A. INFRASTRUCTURE

a. Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Amazon Web Services and Google Cloud Platform. They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here:

AWS and Google Cloud Platform. They have both been certified for EU-US Privacy Shield.

b. Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network against unauthorized access using:

  • Virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  • Firewall that monitors and controls incoming and outgoing network traffic.
  • Intrusion Detection and/or Prevention technologies (IDS/IPS) that monitor and block potentially malicious packets.
  • IP address filtering

c. DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

d. Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit via industry best practices using Transport Layer Security (TLS).

Encryption at rest: All our user data (including passwords) is encrypted using battle-tested encryption algorithms in the database.

e. Business continuity, back-ups and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

All text and statistics data pertaining to the whole system are automatically backed up and saved every day at 01:00 in Google Cloud hosts located in London. Back-ups of each day are kept for 30 days and then automatically deleted. Multimedia data (visuals, video, excel files, presentation files) are not backed-up.

Every Saturday, at 5 am, teams and accounts which were marked as “to be deleted” in the previous week, and all subdata of such teams and accounts, are permanently deleted from the database.

f. Application security monitoring

We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.

We use technologies to monitor exceptions, logs and detect anomalies in our applications.

We collect and store logs to provide an audit trail of our applications activity.

We use monitoring such as open tracing in our microservices.

g. Application security protection

We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.

We use security headers to protect our users from attacks.

We use security automation capabilities that automatically detect and respond to threats targeting our apps.

h. Secure development

We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).

We use the following best practices to ensure the highest level of security in our software:

  • Developers participate in regular security training to learn about common vulnerabilities and threats
  • We review our code for security vulnerabilities
  • We regularly update our dependencies and make sure none of them has known vulnerabilities
  • We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
  • We use Dynamic Application Security Testing (DAST) to scan our applications
  • We rely on yearly third-party security experts to perform penetration tests of our applications.

i. Payment information

All payment instrument processing is safely outsourced to Stripe which is certified as a PCI Level 1 Service Provider. Stripe has also been certified for EU-US Privacy Shield.

We don’t collect any payment information and are therefore not subject to PCI obligations.

j. Responsible disclosure

We encourage everyone who practises responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion depending on the criticality of the vulnerability reported.

B. USER PROTECTION

  • 2-factor authentication: We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
  • Account takeover protection: We protect our users against data breaches by monitoring and blocking brute force attacks.
  • Single sign-on: Single sign-on (SSO) is offered for our enterprise customers. Single sign-on (SSO) is available using your Google account.
  • Role-based access control: Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions.

Organisational Security Measures

We believe that to establish efficient security and protection of personal data within our organisation, it is crucial to adopt a “culture of security awareness”. For this reason, we ask all our employees to be familiar with this Information Security Policy as well as our Privacy Policy, Data Retention and Erasure Policy and any other policies related to information security.

Our employees sign an employment agreement, which contains a confidentiality undertaking, when joining the company to protect our customers' sensitive information. Our employees have access to personal data of the users of our Service and visitors of our Website on a need-to-know basis. Access to personal data is always limited to the extent necessary for the duties of such employees and administrators.

Our employees do not have access to our users’ accounts except when a user encounters a technical problem regarding the Service. In the event of a technical problem, users can allow our technical team to have access to their account for 72 hours, to fix the problem. At the expiry of 72 hours, the access is automatically denied to our technical team and they no longer have access to the relevant user’s account.

Our employees can use their own devices (mobile phones, tablets and computers) to access business e-mail and applications we use for communication. All the employees are obliged to set strong passwords for the access to their devices, keep the passwords strictly confidential and change them on a regular basis. Employees must not leave their devices unlocked when unattended. At the end of employment of an employee, we restrict their access to their business e-mail, our Slack account and all the other software that we use for internal communication and work.

Bug Bounty Program: You can report vulnerabilities regarding our system by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.


Data Retention And Erasure Policy

Last updated: December 12, 2020

INTRODUCTION

We need to collect personal information of our employees and other people that we work with or have a business relationship with, to effectively carry out our business activities and to provide the services and products we offer to our customers.

We are subject to the General Data Protection Regulation (“GDPR”) and the UK’s Data Protection Act and we need to have efficient data and records management accordingly. This policy aims to inform our employees, sub-contractors and other staff as well as our customers and visitors of our website on how we intend to comply with the data retention and erasure in accordance with the applicable legislation.

This policy puts in place the rules for an efficient data and records management, which meets the legislative and regulatory requirements as well as the business requirements. The data and records management will ensure that our business activities are conducted in a structured, efficient and accountable manner while delivering services to our customers and protecting the interests of our employees. It will also facilitate and manage protection, retention and erasure of personal data that we process and enforcement of individuals’ rights regarding their data.

KEY TERMS

“We”, “us”, “our”, “Company” refers to Sociality.io Limited.

“GDPR” means the Regulation (EU) 2016/679.

“records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

WHAT IS THE PURPOSE OF THIS POLICY?

The purpose of this Data Retention and Erasure Policy is to set forth our policy on how to provide a structured and compliant data and records management system.

Our data and records management system shall ensure that it provides an efficient and systematic management and control over the creation, receipt, maintenance, use, distribution, retention and erasure of such records.

This policy is also to clarify the processes we use to store and destroy the information and what information we retain for legal/regulatory reasons and for business reasons and their retention periods.

Our objectives are (i) to retain personal data for as long as is necessary, (ii) to ensure safe and secure disposal of confidential and personal data, (iii) to ensure that records are retained for the legal, contractual and regulatory period, and (iv) to comply with the relevant data protection legislation and the contractual obligations.

WHO IS SUBJECT TO THIS POLICY?

This policy applies to all our employees, sub-contractors, third party representatives and any other staff within the Company. Compliance with this policy is mandatory for such persons and non-compliance may lead to disciplinary sanctions.

PERSONAL DATA AND THE STORAGE LIMITATION PRINCIPLE

This Policy and our processing activities comply fully with GDPR’s principle set forth in Article 5(1)(e) called “storage limitation”, which stipulates that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.

DATA RETENTION AND STANDARD RETENTION PERIODS

We will not keep personal data longer than we need to or are required by law. When determining our need to keep personal data, we will balance our needs with the impact of retention on individuals’ privacy.

Our standard retention periods are shown in our Records Retention Schedule. We periodically review our standard records retention periods to ensure that they are not longer than we actually need.

We may need to keep personal data longer than the standard retention periods to defend possible future legal claims or when we are served with a legal request for records or notified of the commencement of any litigation against us or an employee. In such case, we will only keep the information which could possibly be relevant to such a claim and delete the rest. We may need to keep personal financial and tax data to comply with tax regulations for the period specified by applicable tax laws.

EXPIRATION OF RETENTION PERIOD

At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

HOW WILL THE DATA BE ERASED?

A. Paper Records

We retain limited paper-based personal information and when we do, we ensure that we retain it in a confidential and compliant manner. We use on-site shredding to dispose of all paper materials.

B. Electronic & IT Records and Systems

We store our data in the cloud. We do not use external disc or USB devices to store data. We make sure that all unnecessary data is removed from the cloud in a way to ensure that it cannot be reconstructed.

ERASURE OF THE PERSONAL DATA

Inactive users: All data related to the inactive customers (users) shall be automatically deleted every ninety days unless there is a legal ground to keep such information.

Right to be forgotten: According to Article 17 of the GDPR, individuals have a “right to be forgotten”, which means they are entitled to request erasure of their personal data, verbally or in writing. This right only applies in the presence of one of the following conditions:

(i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
(iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes,
(iv) the personal data have been unlawfully processed;
(v) the personal data have to be erased for compliance with an applicable legal obligation;
(vi) the personal data have been collected in relation to the offer of information society services to a child

The Company has the necessary procedures and measures to ensure that a request for erasure of personal data is duly responded to within the legal time limit, and appropriate methods to erase such data, when the request complies with one of the abovementioned conditions. If we need an extension of time due to complexity or the volume of the request, we will inform the individual within one month of receipt of the request. If such personal data was disclosed to other recipients, the Company shall contact each recipient and inform them of the erasure.

If such personal data was shared with third parties in accordance with our Privacy Policy, the Company will take every reasonable step taking into account available technology and cost of implementation, to inform other controllers who are processing such data to erase links to, copies or replication of such data.

Users: Our customers (users) who subscribed to our services can also request erasure of their personal data via their user dashboard on our Website, as follows:

(i) For the users of our Service, we provide a button of “delete my data and close my account” within their account with the Service. They may request erasure of their data by clicking that button.
(ii) When we receive such a request through the software which we use for custom support communication, we will ask for confirmation from such users regarding their request.
(iii) Once the user confirms their request, data of such user is marked as “to be erased” within our internal management panel (KIOSK) accessed only by authorized persons.
(iv) Our system then sends an informative e-mail to the managers regarding erasure of such user’s data, who verify whether the request complies with the abovementioned conditions and whether no other legal obligation or legitimate interest applies.
(v) If the request complies with the abovementioned conditions, erasure of all data (text data, statistic data, multimedia data) starts on the following Saturday at UTC 05:00 to be completed on the same day.

REFUSAL TO COMPLY WITH A REQUEST FOR ERASURE

We may refuse to comply with a request for erasure when an individual’s right to erasure does not apply or when the request is manifestly unfounded or excessive. In such cases, we will inform the individual immediately about the refusal and the reasons for the refusal, reminding the individual of their right to make a complaint to the supervisory authority and to seek a judicial remedy, in any case at the latest within one month of the receipt of the request.

An individual’s right to erasure does not apply if processing of the relevant personal data is necessary:

(i) to exercise the right of freedom of expression and information; or
(ii) to comply with a legal obligation;
(iii) to perform a task carried out in the public interest or in the exercise of official authority; or
(iv) for archiving purposes in the public interest, scientific or historical research or statistical purposes; or
(v) to establish, exercise or defend a legal claim.


Record Retention Schedule

Last updated: December 12, 2020

KEY TERMS

“We”, “us”, “our”, “Company” refers to Sociality.io Limited.

“records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

INTRODUCTION

The purpose of this record retention schedule (RRS) is to ensure that our records management system functions properly and efficiently and no record is retained longer than needed. This RRS also serves as a guide for our employees with respect to their responsibility regarding record retention.

This RRS is to be reviewed regularly to ensure that it complies with our Data Retention Policy.

Records relating to a specific customer or user may need to be retained beyond the retention period mentioned below, in the following cases:

(i) Legal proceedings or an official investigation,
(ii) A crime is suspected or detected.

At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

We categorize the records based on their content such as contracts, employee records etc. The RRS shows how long each category of record is retained based on business and legal requirements.

Our RRS is organised as follows:

I- Corporate Records
II- Contracts
III- Customer Information
IV- Correspondence, E-mail and Other Communications
V- Legal files and papers
VI- Employee files and records
VII- Tax Records

I. Corporate Records

| Record Type | Retention Period |
| --- | --- |
| Corporate records | Life of the company |
| Licenses and permits | Life of the company |
| Intellectual property documents | Life of the company |
| Annual audit reports and financial statements | Life of the company |
| Annual plans and budget | Life of the company |
| Bank statements and cancelled cheques | Life of the company |
| Interim financial statements | Life of the company |

II. Contracts

| Record Type | Retention Period |
| --- | --- |
| Contracts (including customer contracts) and correspondence and notices related to contracts and the services | 7 years following the termination of the contracts. The legal limitation period is 6 years for breach of contracts. We retain such records for 7 years to be able to defend possible future legal actions. |
| Information relating to customers’ subscriptions | Same retention period applied to relevant customer contract. |
| Information contained in or relating to any communications sent through the Website regarding the Service under a customer contract | Same retention period applied to relevant customer contract. |

III. Customer Information

| Record Type | Retention Period |
| --- | --- |
| Information about a computer, including visits to and use of our Website (including an IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths) | 90 days following the termination of the customer contract or trial period. |
| Information provided when completing a profile on our website | 90 days following the termination of the customer contract or trial period. We may retain such information longer if requested by the customer for future subscriptions. |
| Information provided for the purpose of subscribing to email notifications and/or newsletters | Until the customer chooses to “unsubscribe”. |
| Information contained in or relating to any communications sent through the Website | 90 days following the termination of the customer contract or trial period. |
| Customer invoices and payment details | 7 years. Companies Act and VAT Act |

IV. Correspondence, E-mails and Other Communications

| Record Type | Retention Period |
| --- | --- |
| Correspondence that is material to a particular contract or relates to a significant project | 7 years after expiration or termination of the relevant project and/or the contract. |

V. Legal Files and Papers

| Record Type | Retention Period |
| --- | --- |
| Legal memoranda and opinions | Permanent |
| Litigation files | 3 years following expiry of appeals or time for filing appeals |
| Court orders | Permanent |

VI. Employee Files and Records

The Company keeps employee files and records, if any, for as long as required by relevant employment and social security laws.

| Record Type | Retention Period |
| --- | --- |
| Job applications / interviews of unsuccessful candidates | During the evaluation of the application and until the final decision |
| Employee personnel records (annual leave, performance evaluations, notices, training) | 6 years + 6 months following the termination of the contracts. The limitation period to bring a civil legal action is 6 years. |
| Employment contracts | 6 years + 6 months following the termination of the contracts. The limitation period to bring a civil legal action is 6 years. |
| Bank details of employees | During the employment term |
| Employee earning records (including details of overtime, bonuses, sick pay, and all other records and documents relating to the calculation and payment of employee pay) | 7 years (or to end of any tax enquiry, if longer). Limitation period on potential claims |
| Employee related/payroll tax records (including annual returns of taxable pay and tax paid) | 7 years. Companies Act, Finance Act 1998. Limitation period on potential claims |

VII. Tax Records

| Record Type | Retention Period |
| --- | --- |
| Tax-exemption documents and related correspondence | Permanent |
| Tax bills, receipts, statements | Permanent |
| Tax returns | Permanent |
| Sales/use of tax records | Permanent |
| Annual information returns | Permanent |