Legal

Sociality.io is built from the ground up with users' rights to privacy and information security in mind. To keep our services on the highest standards, we invest continuously in our infrastructure and processes. We are grateful for your trust in our platform and, the following resources represent our commitment to being transparent about our practices.


Terms of Service

Last updated: October 7, 2022
THESE TERMS OF SERVICE CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND SOCIALITY. PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE ACCESSING, INSTALLING, USING AND/OR PURCHASING ANY OF THE SERVICES PROVIDED BY SOCIALITY, INCLUDING A FREE TRIAL.
BY ACCESSING, INSTALLING, USING OR PURCHASING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU ARE OF LEGAL AGE TO ENTER INTO AN AGREEMENT AND YOU HAVE READ AND ACCEPTED THESE TERMS OF SERVICE AS WELL AS THE PRIVACY POLICY AND ANY ADDITIONAL TERMS AND POLICIES SOCIALITY MAY PROVIDE FROM TIME TO TIME.
These Terms of Service are the general terms of our agreement with You to govern your access, purchase and use of the Service. Our agreement will also include special terms, such as subscription rates and payment terms depending on the subscription plan You purchased. If there are special terms applicable to the subscription plan chosen by You, these special terms will be made available to You and be an integral part of these ToS.

These Terms of Service, our Privacy Policy (https://sociality.io/privacy) and the special terms form the entire agreement (referred to below as the “ToS”) between You and Sociality.

“Sociality”, “We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
“You” are the individual or the entity (represented by an authorized individual) that enters into this agreement with us, in order to access, use and purchase the Service.

The “Service” provides a social media management platform that enables users, among others, to publish posts on social platforms at a scheduled time, reply to user messages on social media channels, monitor brand keywords on the public web results, analyse the performance of their social media pages and benchmark these pages with other pages' public data. You may find detailed information about the Service in our website available at https://sociality.io (the “Website”).

We advise you to print and keep the ToS in your files.

1. Acceptance of the ToS

1.1 You must first agree to the ToS in order to access, purchase and/or use the Service, including any free trial.

1.2 If You have any question or doubt regarding any provision of the ToS, please don’t purchase or use any part of the Service and send us an email at [email protected] regarding your concerns.

1.3 In order to accept the ToS, You must be of legal age to enter into an agreement. If You are a legal entity (organization, company, etc.) the person who accepts the ToS on your behalf represents and warrants that they have the authority to represent and bind You to the ToS.
1.4 You can accept the ToS by clicking to accept or agree to the ToS where available or by purchasing, accessing, using or installing the Service (free trials included). By performing one of these options, You represent and accept that You have read, understood and agreed to be bound by the ToS, like any written agreement signed by you.

2. Payment terms

2.1 The Service is provided on a subscription basis. You must pay the whole amount applicable to the subscription plan You chose and subscribed for. The prices applicable to the different subscription plans and the payment methods are published on our Website available at https://sociality.io/pricing. Our plans are billed in advance on a monthly or yearly basis and are not refundable. You agree that You are liable to pay any taxes applicable to your obligations under the ToS and in relation to the Service.

2.2 You agree that if You change your subscription plan, You will be liable for the amount applicable to the new plan.
2.3 If You purchase a monthly subscription, You can upgrade or downgrade your subscription plan before the end of your existing plan, and the change will be reflected in the next billing cycle. You will also be able to see your invoice details in a separate page on your account. You agree that if You change your subscription plan or alter the content of your existing subscription plan, your next invoice amount will be updated in accordance with your altered subscription plan and the updated amount will apply to your next invoice.

2.4 If You purchase a yearly subscription, You can downgrade your subscription plan but there will be no reimbursement of the fee. If You wish to upgrade your yearly subscription plan, You must contact us by sending an email to [email protected]. You accept that the additional content will be invoiced separately.

2.5 You will enter your credit card details only once, when You make your first payment and You will give your approval that the following payments can and will be collected automatically from your credit card on the renewal dates of your subscription. We use Stripe Inc. for payment processing. We do not have access to your credit card information. We do not save or keep your credit card details and We do not accept responsibility for the payment processing.

3. Use of the Service

3.1 You represent that the information (such as identification or contact details) You provide to access and use the Service and to register your account is accurate and complete.

3.2 You agree that You should keep your passwords in strict confidentiality. You shall not communicate your password and your login details to any third parties. You are responsible for all the activities that occur under your password or account. We will not be liable for any loss or damage arising from your failure to properly safeguard your account or password. If You suspect any unauthorized use of your login details, You must immediately notify us by sending an email to [email protected].

3.3 Your rights arising from your subscription belong only to You and You shall not assign or transfer them to third parties. If We notice that You act in violation of these ToS or your subscription plan, We can immediately suspend or cancel your subscription at our discretion.
3.4 If we detect suspicious behaviour or activity on your account, your account will be blocked for 24 hours for security purposes. This usually happens if You frequently try to delete and re-add pages to avoid renewing or upgrading your subscription plan. If the suspicious behaviour or the activity continues, your account will be blocked for longer periods and possibly for a permanent period.
3.5 You agree that You will not reproduce, duplicate, copy, sell, resell, assign, and lease the Service for any purpose.
3.6 You agree that You will use the Service in a lawful manner and that You will not, and will not permit any other party (including other users) to, violate personal rights, privacy rights, intellectual property rights, confidentiality rights or any other legally protected rights of any other person or entity.
3.7 You agree that You will not (i) attempt to reverse engineer or decompile or otherwise acquire the source code of any software in the Service, (ii) use the Service to upload, link to or send any content that is false, misleading, defamatory, violates any third party right or contractual restriction or contains unlawful, racist, or discriminatory material, (iii) use the Service in a way that interferes with or disrupts the Service.
3.8 You agree that all the contents (such as text, photographs, etc.) that You download or post through the Service are accurate and don’t violate the intellectual property or confidential information of any third party. You agree that You will indemnify and hold us harmless from all claims, costs, damages and expenses awarded against or incurred or paid by us in connection with your breach of any third party’s intellectual property or similar rights.
3.9 You agree that You must take all kind of precautions (including using appropriate anti-virus software) to ensure that the information, content, material or data that You upload, post or share otherwise through the Service, are free from any virus, spyware, malware, trojan horses etc. or any other material that would harm the Service and the software.
3.10 You agree that You will not access, purchase and use the Service in order to create a competitive product or services.
3.11 You agree that We are not responsible to control and monitor your content, third parties’ content or the use of the Service by You or other users. You also agree that we may from time to time monitor the information transmitted or received through the Service for operational and other purposes. You also acknowledge that if at any time we decide to monitor the content, We still do not accept any liability for content or any loss or damage incurred as a result of the use of content. If We decide to monitor the content, We will treat any information in accordance with our Privacy Policy.
3.12 Any breach of the above mentioned terms under Article 3 should be considered as a material breach of the ToS.
3.13 You accept that You will defend and indemnify us together with our directors, employees, consultants and affiliates from and against every claim brought by a third party, and any related direct and indirect liability, damage, loss and expense arising out of or connected with (i) your use of, or misuse of the Service; (ii) your violation of any provision of the ToS, any representation or warranty referenced in these ToS, or any applicable law or regulation; (iii) your violation of any third party right, including any intellectual property right or publicity, confidentiality, other property, or privacy right; or (iv) any dispute or issue between You and any third party. You also agree to cooperate with our defense of the said claims.

4. Adding users to your account

4.1 In accordance with your subscription plan, You can authorize individuals within your entity to access and use the Service (“Authorized User(s)”). You will ensure that all Authorized Users keep their login details and passwords strictly confidential. The Authorized Users will abide by the ToS and You will be liable for actions and omissions of the Authorized Users.

4.2 Each Authorized User must use their personal username and password to access the Service. The Authorized Users shall not let others use their usernames and passwords to access the Service. If We notice that any Authorized User under your subscription plan shares their access credentials with others, lets others access and use the Service with their access credentials or acts in violation of these ToS, We can immediately suspend or cancel your subscription at our discretion.

5. Security and privacy of your personal data

5.1 We treat the privacy of your personal data with the utmost importance. It is important that You are aware of how and why We may collect and process any personal data shared through the Service, the legal basis of the processing activities and your rights in connection with your personal data. Therefore, We advise You to read our Privacy Policy carefully, before purchasing a subscription and starting to use the Service. Please be aware that our Privacy Policy is an integral part of these ToS.
5.2 When You register an account with the Service and log in to your account, You agree that We collect the personal data You provide to us. When You register an account with us (including for a free trial), We will ask You to provide your name, your email address, the name of your company, the country where your company is located and your phone number.
5.3 We collect and store the following data in accordance with the ToS and our Privacy Policy, in connection with the Service: (i) E-mail addresses, addresses and contact information, (ii) IP addresses, (iii) geographical location of the devices (country and city) and (iv) information that You (or your Authorized Users) allow us to access in your social media accounts.
5.4 We may also automatically collect and store information regarding your device and the browser via third parties’ software. In such a case, the software will be in compliance with the applicable law and such third parties that are in a contractual relationship with us will take the appropriate technical and organizational safeguard measures.
5.5 Our Data Processing Addendum must apply where You are the data controller and instruct us to process personal data in connection with the Service.
5.6 We process your personal data to the extent allowed by the applicable law (i) to provide You with better Service and comply with our obligations under these ToS, (ii) to inform You of new services, features or subscription plans, (iii) to gather commercial statistics and analyses regarding the use of the Service, (iv) to communicate with You, (v) to conduct market research, (vi) to fulfil our legal duties and/or governmental authorities’ requests in accordance with the applicable law.
5.7 You agree that We can from time to time access your account with our user login details or external software in order to do the necessary investigations to provide you better Service.

5.8 Integration with third party social media platforms

The Service offers You a social media management tool that You may connect with your social media accounts, and the Service uses these social media platforms' APIs, such as the Facebook API, Instagram API, Twitter API, LinkedIn API and YouTube API services. You can use the Service to manage your social media, for example by posting, liking or sharing content or comments or sending messages on social media platforms such as Facebook, Instagram or Twitter. Once You send content to a social media platform by using the Service, We will no longer be responsible for such content and the content will be subject to the terms and policies of the relevant social media platform.
When You connect your social media accounts to the Service, You also agree that We will have access to certain information such as your profile information in your social media accounts via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read carefully the privacy policies of the social media platforms you access via our Service. You accept that We are not liable for, and make no representations as to the third party social media platforms and their processing of your data and use of your content.
You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:
5.9 Please read our Privacy Policy for further details.

6. Limitation of liability

6.1 You agree that the Service and all materials and content are provided on an “as is” basis, without any warranty. We disclaim any warranty whether express or implied (including but not limited to any implied warranty as to the quality or fitness for a particular purpose).
6.2 We do not represent or warrant that (i) the Service is accurate, complete or reliable, or (ii) You will have an uninterrupted use of the Service, or (iii) the website or the Service is free of any error or viruses, or (iv) You will obtain a specific result from the Service.
6.3 You may have access to links to other websites, portals, files or contents through the Service and the website. You acknowledge and accept that We do not verify these and We don’t have any control over them. You agree that We do not accept any liability regarding these websites, portals, files, contents, services or products that are reached through the links on the Service or the website. These links shall not be construed as an endorsement regarding the linked websites, their contents or owners.
6.4 Except for the representations and warranties expressly stated in the terms of Service, we do not make any representations or warranties and we hereby disclaim any other representations or warranties, whether oral or written, obtained by you from the Service or made by any of our officers, directors, employees or advisors.
6.5 You agree that We shall not be liable for any damage, direct or indirect or consequential or punitive damages (including any damage to your computer system or mobile device or any loss of data or loss of profits) which may be incurred by you related with the Service and our website.
6.6 To the fullest extent permitted by law, our total liability for any claims brought by You in connection with the Service or otherwise under the ToS, whether in contract, tort or otherwise, shall be limited to the amount corresponding to the subscription fee You have paid us for the last three (3) months prior to the event or circumstance giving rise to your claim.

7. Intellectual property rights

7.1 All legal rights, title and interest attached to the Service, patents, copyrights, trademarks, knowhow and the Website including all kinds of intellectual property rights (whether registered or not) (“Intellectual Property Rights”) are owned by us or our licensors. Your subscription to the Service shall not be considered as an assignment or otherwise transfer of any Intellectual Property Rights.

7.2 You acknowledge and agree that the Service is a SaaS (software as a Service), which means that by subscribing to the Service, You are not purchasing the software and You will not be delivered copies of the software.
7.3 By subscribing to the Service, You will be granted a limited, non-exclusive, non-assignable, non-sublicensable, revocable license to access and use the Service included in your subscription plan. You agree that this license is strictly subject to the ToS and your compliance with the ToS.
7.4 You agree and represent that all elements of text, images or other content that You provide to us related with or via the Service are either owned by You or You have legal and binding rights to use them and that their usage related with or via the Service will not infringe intellectual property rights of any third party. Otherwise You accept to be responsible for any kind of claims made by such third parties to us regarding infringement of their intellectual property rights.
7.5 If You provide feedback regarding the Service then You hereby grant us an unrestricted, perpetual, irrevocable, non-exclusive, fully paid, royalty-free right to exploit the relevant feedback in any manner and for any purpose, including to improve the Service and create other products and services.

8. Audit rights

You agree that We have the right to monitor your use of the Service in order to verify that You use the Service in compliance with these ToS and your subscription plan. If We find out that You have used or permitted access to the Service in a manner that is not permitted under these ToS, We may terminate your subscription, in addition to any other damages We may be entitled to under the ToS and applicable law.

9. Suspension and termination of your subscription

9.1 The ToS will apply during the term of your original and renewed subscription beginning when You accept the ToS or first install, access or use the Service, unless and until terminated by You or us in accordance with the ToS.

9.2 You can terminate your subscription by unsubscribing to the Service within your registered account or by contacting customer service at [email protected] before the renewal date of your subscription. You also agree that there will be no reimbursement of the fee if You terminate your Subscription before the end of your existing plan and You will still be able to use the Service until such date.

9.3 You agree that We can suspend your subscription at any time if You fail to fulfil your payment obligations or You breach the ToS otherwise. In such a case, We will inform You by sending You an email regarding the reason for suspension and request You to remedy the breach in order to reactivate your subscription. If You fail to remedy the breach until the end of the period mentioned in the email, We will be entitled to terminate our agreement with you and end your subscription.
9.4 You agree that We are entitled to terminate our agreement with You and your account on the Service and end your subscription immediately at our sole discretion in case We believe that there is a material breach of the ToS by You (any breach of Section 3-Use of the Services will be considered a material breach). You also agree that We can terminate our agreement with You and your account or suspend your access to the Service at any time at our sole discretion without reason and without notice.
9.5 You agree that We are entitled to terminate our agreement with You and your account on the Service immediately if provision of the Service to You becomes illegal for any reason.
9.6 In the event of termination of the ToS, these ToS will forthwith become void, provided, however, all payment obligations accrued prior to termination and the provisions of Section 3.7, 6, 7.4 and 18 should survive after termination.

10. Amendment to the ToS

We reserve our right to change the ToS from time to time. When we make changes to the ToS, the updated version will be available at our website. You agree that if You continue to use the Service after the date on which the ToS have changed, this will be deemed as an acceptance of the updated ToS.

11. Modification of the Service

We reserve our right to modify, suspend or cease any features, functions, tools or other aspects of the Service, temporarily or permanently, at any time, without prior notice to you. In such cases, We will inform You by sending an e-mail or with an announcement on our Website. You accept that We will have no liability for any modification, suspension or termination of any of the features, functions, tools or other aspects of the Service and that there will be no refund of the subscription fees.

12. Entire Agreement

These ToS constitute and contain the entire agreement between You and us and supersede any and all prior agreements, arrangements and understandings between You and us relating to the Service.

13. Use of English language

These ToS are executed in the English language and the English version of the ToS shall govern in any conflict with any non-English version. The communications between You and us shall be in English.

14. No waiver

No failure or delay in exercising any right, power or privilege under these ToS shall operate as a waiver thereof. No waiver of any term of these ToS shall be deemed to be or construed as a further or continuous waiver of such term.

15. Severability

The unenforceability or invalidity of any provision of the ToS shall not affect the enforceability or validity of the rest of it.

16. Independent parties

Our relationship with You is that of independent contractors dealing at arm's length. Nothing in these ToS shall constitute us as partners, joint venturers or co-owners, or constitute either of us as the agent, employee or representative of the other.

17. Effective date and duration

17.1 These ToS shall become effective when You accept them by clicking to accept or agree to the ToS where available or when You purchase the Service or when You start using it (free trials included).
17.2 The ToS shall remain effective during your original subscription as well as any renewed subscription until terminated by You or us in accordance with Section 8 of the ToS.

18. Governing law and dispute resolution

18.1 These ToS shall be governed by and construed in accordance with the laws of England and Wales.
18.2 Any dispute arising from the ToS or your use of the Service shall be referred to the jurisdiction of the courts of England.

Data Processing Agreement

Last updated: October 7, 2022
This Data Processing Agreement applies when You, as the data controller, instruct us to process certain personal data, which You give us access to, on your behalf within the Services.
“We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
“You” are the individual or the entity (represented by an individual) that enters into this agreement with us, in order to use the Services.

The Services refer to the Services mentioned and described in our website available at https://sociality.io/ provided by us.

Terms not otherwise defined herein shall have the meaning as set forth in the Terms.
This agreement is an integral part of the Terms and any matters which are not regulated here shall be governed by the Terms.

Details of the processing

The scope of the personal data processed under this agreement is determined and controlled by You in your sole discretion, which may include, but is not limited to the personal data of your end users submitted to You through your social media pages, such as contact details, identification data and other information regarding their activities.
The subject matter of the processing is the provision of the Services to You in accordance with the Terms. Purposes of the processing are described within the Terms.

Our obligations

We will not process the personal data except on instructions from You as the data controller, unless We are required to do so by the applicable law.
We will process the personal data only on documented instructions from You, including with regard to transfers of the personal data to a third country or an international organisation, unless We are required to do so by the applicable law. In such a case, We will inform You of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
We will ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
We will at your choice, delete or return all the personal data to You after the end of the provision of the Services relating to processing, and delete existing copies unless the applicable law requires storage of the personal data.
We will make available to You all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by You or another auditor mandated by You.
We will assist You by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the data subject’s rights, taking into account the nature of the processing.

We will take all measures required pursuant to Article 32 of the GDPR.

We will assist You in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to us.

In case of a personal data breach We will notify You without undue delay after becoming aware of the breach.

Your responsibilities as the data controller

Under this Data Processing Agreement, You shall be solely responsible for complying with the legal requirements relating to data protection and privacy. Your instructions to us for the processing of personal data shall comply with the applicable law and the GDPR.
You shall inform us without undue delay and comprehensively about any errors or irregularities related to the processing of personal data.

Sub-processing

We shall not subcontract any of our processing operations performed on behalf of You without your written authorization. You agree that this clause shall be considered a general written authorization in the meaning of Article 28.2 of the GDPR.
The sub-processors that are currently engaged by us are as follows:
Amazon Web Services, Inc., 410 Terry Avenue, Seattle, WA 98109 (“AWS”); AWS cloud is used to host our platform and Services;
DigitalOcean, LLC, 101 Avenue of the Americas, 10th Floor, New York, NY 10013; DigitalOcean is used to host our platform and Services;
Google Inc., headquartered at 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States; Google Cloud Platform is used to host our platform and Services;
Intercom R&D Unlimited Company, 2nd Floor, Stephen Court, 18-21 St. Stephen's Green, Dublin 2, Republic of Ireland; used for outbound messaging and messages measurement, optimization and integrations;
Microsoft Corporation Inc., One Microsoft Way, Redmond, WA 98052-6399, United States; Azure Cognitive Services API is used in gathering news;
Sentry.io by Functional Software, Inc., 1 Baker Street Suite 5B San Francisco, CA 94117 United States; used for tracking errors on our website;
Stripe, Inc., headquartered at 510 Townsend St, San Francisco, CA 94103, used for card payment processing;
The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA; used to manage e-mail campaigns;
Webhose Ltd, 7 Metsada St. B.S.R Tower 4, POB 195 Bnei Brak 5126112 ISRAEL; Webhose.io API is used in gathering news, blogs and online discussions;
Where We engage another processor We shall have a written contract that imposes the same obligations on the sub-processor as are imposed on us in this Data Processing Agreement.
If We intend to change the current sub-processors or engage other sub-processors, We will inform You and give You the opportunity to object to such changes in writing within 5 days after being notified. You hereby agree that, in order to object to a sub-processor, You must have reasonable grounds to believe that the engagement of the relevant sub-processor poses a risk to the protection of personal data.

Audit rights

We shall, in accordance with the applicable law, and in response to a reasonable written request by You, make available to You such information in our possession or control related to our compliance with the obligations of data processors in connection with this agreement.
You may carry out or have an auditor carry out audits in order to review our compliance with technical and organizational security measures and our obligations pursuant to this agreement, upon written request and at least 30 days’ notice, during regular business hours and without interrupting our daily operations.
We shall, upon your written request and on at least 30 days’ notice, provide You with all information necessary for such audit, to the extent that such information is within our control and We are not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

Duration

This Data Processing Agreement shall remain effective as long as the Terms are effective.

Privacy Policy

Last updated: October 7, 2022

Preamble

This Privacy Policy describes what kind of personal data we may collect, store and process when you visit our Website and subscribe to our Service, what are the legal reasons to process such data, and how we will use and protect it.
As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK has implemented the GDPR into its national law with the UK General Data Protection Regulation which came into effect on 1 January 2021 (“UK GDPR”).
This Privacy Policy has been developed in compliance with the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and any matter that isn’t described here shall be subject to the applicable rules of the UK Data Protection Regime.
We may change the Privacy Policy from time to time due to changes on our Website or the Service or any other reason which requires us to do so; therefore, we recommend you check the Privacy Policy on a regular basis. In case of material changes, we will notify you (if you are already a customer and you have provided us your contact details) by sending you an email.
“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
The Service refers to the services mentioned and described on our Website.
We implement appropriate technical and organisational measures to safeguard your rights, freedoms and legitimate interests regarding processing of your personal data and ensure that processing of your personal data is performed in accordance with the UK Data Protection Regime. Please also see our Data Retention Policy, Records Retention Schedule and our Information Security Policy for further details on safety and protection of your data.
We will process your personal data in accordance with the principles of lawfulness, fairness and transparency under Article 5(1)(a) of the UK GDPR, and only on one of the lawful bases set out in Article 6. This means that we will process your personal data only if:

(i) you have given your consent to the processing of your personal data for one or more specific purposes; or

(ii) processing is necessary for the performance of a contract with you (when you subscribe to the Service), or

(iii) processing is necessary for compliance with a legal obligation, or

(iv) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

2. What type of personal data do we process?

As the data controller, we collect certain data from (i) the visitors of the Website, (ii) our customers (usually corporate entities) who subscribed to the Service and (iii) individuals who are appointed and authorised by the customers to use and manage the Service on their behalf.
We may collect your personal data when you visit the Website, subscribe for the Service, register an account with us, complete forms on the Website and contact us on a customer service issue.
We may process, among others, (i) your email address, (ii) invoices, (iii) information with respect to your browser and IP address, (iv) geographic location of the device (country and city only) and (v) information that you and/or your employees or representatives allow us to access in your social media pages.
We may automatically collect and store information regarding your device and browser via third parties' software such as cookies. In such cases, the software will comply with the applicable law, and the third parties that are in a contractual relationship with us will take appropriate technical and organisational safeguard measures. Please see our Cookie Notice for further information regarding these technologies and how you can manage your cookie preferences.
The Service is a social media management service; therefore, we may obtain certain data from social media platforms via these platforms’ APIs. The scope of the data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. We will have access to such data only with your prior authorisation. Please see below the section on the “Integration with Third Party Social Media Platforms” for further details.
Please see below the table No. 1 and No.2 for detailed information on which data we process.

3. How do we use your personal data?

We may use your personal data (i) to operate our Website and to protect it against attacks, (ii) to provide you with the Service, (iii) to develop our business and customer relations, (iv) to provide technical support regarding the Service, (v) to send you updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the Website and (vii) to fulfil our legal obligations.
Our third party partners may collect information using cookies in our services to deliver targeted ads displayed to you on third-party websites and applications. Please see our Cookie Policy to learn how to set your cookie preferences.
You may find further details on which data we may process, why we may process such data and the legal reason for such processing in Table No.1 and Table No.2 below.

Table No.1 - Visitors of the Website

Table No.2 - Subscribers of the Service

4. Transfer of personal data to third party organisations and countries


Compliance with law

We may share your personal data where we are under a legal obligation to disclose such data. This could be based on an applicable law, a governmental request or a court order. We may also share your personal data with authorised bodies if we suspect illegal activities, violation of our Terms of Service and policies, or fraud, in order to protect our Website and the Service.

Third party service providers

We may transfer your personal data to a third country or to an international organisation, provided that the conditions laid down in the UK GDPR are complied with and that there is an adequate level of protection and safeguard measures for the privacy of your personal data.

5. International data transfers

If your personal data is transferred to a third country or to an international organisation, you will have the right to be informed of the appropriate safeguards relating to the transfer.
Transfers of Personal Data from the European Union countries to the United Kingdom: According to the Trade and Cooperation Agreement (Art. FINPROV.10A), transfer of personal data from the E.U. countries to the UK was not considered a transfer to a third country until the end of April 2021, which was extended by two further months or until the date when an adequacy decision in relation to the UK was adopted by the European Commission. On 19 February 2021, the European Commission published its draft decisions on the UK's adequacy under the GDPR and found the UK to be adequate. On 14 April 2021, the European Data Protection Board announced that it had adopted its opinion on the European Commission's adequacy decisions. The European Commission adopted the adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between the EU and the UK. The adequacy decision includes a 'sunset clause', which means that the decision will automatically expire four years after its entry into force. A new decision may follow if the UK continues to ensure an adequate level of data protection.
Transfers of Personal Data from the UK to EU countries: It is permitted according to the UK Data Protection Regime.
You may see below in Table 3 and Table 4 detailed information about the third party organisations that we share data with. When such third party organisations process personal data on behalf of us, we sign a data processing agreement with them, as required by the UK GDPR.

Table 3- Transfer of Personal Data within the EU (your data is not transferred outside of the EU)

Transfer of Personal Data outside of the UK and the EU (your data may be transferred outside of EU)

Pursuant to the GDPR, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses ("EU SCCs") adopted by the European Commission.
The European Commission adopted Decision (EU) 2021/914 on 4 June 2021, which provides for modernised EU SCCs. On their own, these new EU SCCs are not valid for restricted international transfers under the UK GDPR. We were allowed to enter into new contracts on the basis of the old EU SCCs until 21 September 2022, and contracts concluded on the basis of the old EU SCCs continue to provide appropriate safeguards for the purposes of the UK GDPR until 21 March 2024.
From 21 March 2024, to transfer personal data outside of the UK and the EU (except to countries covered by an adequacy decision), we will enter into a contract on the basis of the international data transfer agreement (IDTA) or the international data transfer addendum to the EU SCCs (together, "UK SCCs"). We have already concluded data processing agreements and EU SCCs and/or UK SCCs with all the third-party organisations/sub-processors that may transfer your data outside of the EU.

Table 4- Transfer of Personal Data outside of the UK and the EU (your data may be transferred outside of EU)

Integrations with third party social media platforms

The Service offers You a social media management tool that you may connect with your social media accounts, and the Service uses these social media platforms' APIs, such as the Facebook API, Instagram API, Twitter API, LinkedIn API and YouTube API services. You can use the Service to manage your social media, for example by posting, liking or sharing content or comments, or sending messages on social media platforms such as Facebook, Instagram or Twitter. Once you send content to a social media platform by using the Service, we will no longer be responsible for such content and the content will be subject to the terms and policies of the relevant social media platform.
When you connect your social media accounts to the Service, you also agree that We will have access to certain information such as your profile information in your social media accounts via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read carefully the privacy policies of the social media platforms you access via our Service. You accept that we are not liable for, and make no representations as to the third party social media platforms and their processing of your data and use of your content.
You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:

6. Data retention

We will not retain your personal data longer than is necessary for the purposes for which it was processed. Where it is no longer necessary to retain your personal data, we will either delete it or make it anonymous. Please see our Data Retention Policy for further details.

7. Your rights in connection with your privacy and your personal data

a. Automated individual decision making

You have the right not to be subject to a decision based solely on automated processing, including profiling, except when it is necessary for entering into, or performance of our agreement (the Terms) or the Services or is authorised by the applicable law to which We are subject.

b. Your right of access

You have the right to request confirmation from us as to whether or not your personal data is being processed. If your personal data is processed, You will have access to your personal data and the following information: (i) the purposes of the processing, (ii) the categories of your personal data, (iii) the recipients or categories of recipient to whom your personal data have been or will be disclosed, (iv) where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period, (v) the existence of the right to request rectification or erasure of your personal data from us, (vi) your right to lodge a complaint with a supervisory authority, (vii) where your personal data is not collected from the data subject, any available information as to its source, (viii) the existence of automated decision-making, including profiling.

c. Your right to rectification

You have the right to obtain the rectification of your inaccurate personal data. You also have the right to have your incomplete personal data completed.

d. Your right to data portability

You have the right to receive your personal data You shared with us in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted directly to another data controller, where it’s technically feasible and it does not adversely affect the rights and freedoms of others.

e. Your right to object to processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on (i) the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) the necessity for the purposes of our or a third party’s legitimate interests. In such case, we will cease to process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

f. Your right to object to direct marketing

You have the right to object at any time to processing of your personal data for direct marketing.

g. Your right to restriction of processing

You have the right to request us to restrict processing of your personal data if you contest the accuracy of your personal data or the lawfulness of the processing. Upon your request, we will restrict the processing of your personal data, with the exception of storage, or processing for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest. We will inform You immediately if and when the restriction is lifted.

h. Your right to be forgotten

You have the right to request us to erase your personal data without undue delay where your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or you withdraw your consent and there is no other legal ground for the processing. In such case we will immediately delete your personal data except when the processing of your personal data is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the establishment, exercise or defence of legal claims.

i. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you think that the processing of your personal data infringes the applicable law.

8. Notification of a personal data breach

In the case of a personal data breach, we will notify the breach to the competent supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to you without undue delay, unless:

(i) we had implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the breach (in particular measures, such as encryption, that render the data unintelligible to anyone not authorised to access it), or

(ii) we have taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise, or

(iii) it would involve disproportionate effort. In such a case, we will instead make a public communication or take a similar measure whereby the data subjects are informed in an equally effective manner.

9. Contact us

Please send us an email at [email protected] if you have any questions or concerns regarding this Privacy Policy and personal data processing.

Information Security

Last updated: October 7, 2022
“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
The Service refers to the services mentioned and described in our Website.

Overview

This Policy describes the technical and organisational measures we implement to keep personal data that we process safe and secure. Keeping personal data of our customers and visitors protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected]

Purpose

The purpose of this Policy is to make sure that we are in compliance with the following requirements and principles under the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and provide adequate safety and protection to personal data.
According to the principle of integrity and confidentiality (Article 5(1)(f)) under the UK GDPR, “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Furthermore, article 32(1) of the UK GDPR stipulates that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
In this scope, we must ensure that personal data can only be accessed by authorized personnel, data we retain is accurate and complete and data remains accessible and usable.

Dedicated security team

Our security team is composed of security experts dedicated to improving the security of our organization. Our employees are trained on security incident response and are on call 24/7.

Technical security measures

A. Infrastructure

a. Cloud infrastructure

All of our services run in the cloud. We don't host or run our own routers, load balancers, DNS servers or physical servers. Our Service is built on Amazon Web Services (AWS) and Google Cloud Platform (GCP), which provide strong security measures to protect our infrastructure and hold a broad set of industry security certifications. Our Service is hosted on AWS servers in its European data centre in Ireland and on Google Cloud Platform servers in London, UK.
You can read more about their practices here:

b. Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorised access is performed, using:
  •  Virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  •  Firewall that monitors and controls incoming and outgoing network traffic.
  •  Intrusion Detection and/or Prevention (IDS/IPS) solution that monitors and blocks potentially malicious packets.
  •  IP address filtering.

    c. DDoS protection

    We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

    d. Data encryption

    Encryption in transit: All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), following industry best practices. Encryption at rest: All our user data (including password credentials) is protected in the database using well-established, battle-proven encryption algorithms.

    e. Business continuity, back-ups and disaster recovery

    We back up all our critical assets and regularly test restoring from backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
    All text and statistics data pertaining to the whole system are automatically backed up and saved every day at 01:00 on Google Cloud hosts located in London. Each day's backup is kept for 30 days and then automatically deleted. Multimedia data (visuals, video, Excel files, presentation files) are not backed up.
    Every Saturday at 5 am, teams and accounts which were marked as "to be deleted" during the previous week, together with all sub-data of such teams and accounts, are permanently deleted from the database.

    f. Application security monitoring

    We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
    We use technologies to monitor exceptions, logs and detect anomalies in our applications.
    We collect and store logs to provide an audit trail of our applications activity.
    We use distributed tracing (OpenTracing) across our microservices.

    g. Application security protection

    We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
    We use security headers to protect our users from attacks.
    We use security automation capabilities that automatically detect and respond to threats targeting our apps.

    h. Secure development

    We follow established security frameworks (OWASP Top 10, SANS/CWE Top 25) and use the following practices to ensure the highest level of security in our software:
  •  Developers participate in regular security training to learn about common vulnerabilities and threats.
  •  We review our code for security vulnerabilities.
  •  We regularly update our dependencies and make sure none of them has known vulnerabilities.
  •  We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase.
  •  We use Dynamic Application Security Testing (DAST) to scan our applications.
  •  We rely on third-party security experts to perform yearly penetration tests of our applications.

    i. Payment information

    All payment instrument processing is outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We never receive or store card data ourselves, which reduces our own PCI DSS scope to the minimum that applies to merchants who fully outsource payment processing.

    j. Responsible disclosure

    We encourage everyone who practises responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing against your own data. Please do not disclose any information regarding a vulnerability until we have fixed it. Rewards are granted at our discretion depending on the criticality of the vulnerability reported.

    B. User protection

  •  2-factor authentication: We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
  •  Account takeover protection: We protect our users against account takeover by monitoring and blocking brute force login attacks.
  •  Single sign-on: Single sign-on (SSO) is offered for our enterprise customers and is available using your Google account.
  •  Role-based access control: Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions.

    Organisational security measures

    We believe that to establish efficient security and protection of personal data within our organisation, it is crucial to adopt a “culture of security awareness”. For this reason, we ask all our employees to be familiar with this Information Security Policy as well as our Privacy Policy, Data Retention and Erasure Policy and any other policies related to information security.
    Our employees sign an employment agreement, which contains a confidentiality undertaking, when joining the company to protect our customers' sensitive information.
    Our employees have access to personal data of the users of our Service and visitors of our Website on a need-to-know basis. Access to personal data is always limited to the extent necessary for the duties of such employees and administrators.
    Our employees do not have access to our users' accounts except when a user encounters a technical problem regarding the Service. In that case, the user can grant our technical team access to their account for 72 hours to fix the problem. At the expiry of the 72 hours, the access is automatically revoked and our technical team can no longer access the relevant user's account.
    Our employees may use their own devices (mobile phones, tablets and computers) to access business email and the applications we use for communication. All employees are obliged to set strong passwords for access to their devices, keep those passwords strictly confidential and change them on a regular basis. Employees must not leave their devices unlocked when unattended. When an employee's employment ends, we revoke their access to their business email, our Slack account and all other software that we use for internal communication and work.
    Bug Bounty Program: You can report vulnerabilities regarding our system by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal actions if you follow the rules.

    Data Retention and Erasure

    Last updated: October 7, 2022

    Introduction

    We need to collect personal information of our employees and other people that we work with or have a business relationship with, to effectively carry out our business activities and to provide the services and products we offer to our customers.
    We are subject to the UK GDPR and the Data Protection Act 2018 (together "UK Data Protection Regime") and need efficient data and records management accordingly. This policy aims to inform our employees, sub-contractors and other staff, as well as our customers and visitors of our website, how we intend to comply with data retention and erasure requirements under the applicable legislation.
    This policy puts in place the rules for efficient data and records management, which meets the legislative and regulatory requirements as well as the business requirements. The data and records management will ensure that our business activities are conducted in a structured, efficient and accountable manner while delivering services to our customers and protecting the interests of our employees. It will also facilitate and manage protection, retention and erasure of personal data that we process and enforcement of individuals’ rights regarding their data.

    Key terms

    “We”, “us”, “our”, “Company” refers to Sociality.io Limited.
    “UK GDPR” means the Regulation (EU) 2016/679 as incorporated in the UK legislation.
    “records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

    What is the purpose of this policy?

    The purpose of this Data Retention and Erasure Policy is to set forth our policy on how to provide a structured and compliant data and records management system.
    Our data and records management system shall ensure that it provides an efficient and systematic management and control over the creation, receipt, maintenance, use, distribution, retention and erasure of such records.
    This policy is also to clarify the processes we use to store and destroy information and what information we retain for legal/regulatory reasons and for business reasons and their retention periods.
    Our objectives are (i) to retain personal data for as long as is necessary, (ii) to ensure safe and secure disposal of confidential and personal data, (iii) to ensure that records are retained for the legal, contractual and regulatory period, and (iv) to comply with the relevant data protection legislation and the contractual obligations.

    Who is subject to this policy?

    This policy applies to all our employees, sub-contractors, third party representatives and any other staff within the Company. Compliance with this policy is mandatory for such persons and non-compliance may lead to disciplinary sanctions.

    Personal data and the storage limitation principle

    This Policy and our processing activities comply fully with the UK GDPR’s principle set forth in Article 5(1)(e) called “storage limitation”, which stipulates that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.

    Data retention and standard retention periods

    We will not keep personal data longer than we need to or are required by law. When determining our need to keep personal data, we will balance our needs with the impact of retention on individuals’ privacy.
    Our standard retention periods are shown in our Records Retention Schedule. We periodically review our standard records retention periods to ensure that they are not longer than we actually need.
    We may need to keep personal data longer than the standard retention periods to defend possible future legal claims or when we are served with a legal request for records or notified of the commencement of any litigation against us or an employee. In such a case, we will only keep the information which could possibly be relevant to such a claim and delete the rest.
    We may need to keep personal financial and tax data to comply with tax regulations for the period specified by applicable tax laws.

    Expiration of retention period

    At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

    How will the data be erased?

    A. Paper records

    We retain limited paper-based personal information and, when we do, we ensure that we retain it in a confidential and compliant manner. We use onsite shredding to dispose of all paper materials.

    B. Electronic & IT records and systems

    We store our data in the cloud. We do not use external discs or USB devices to store data. We make sure that all unnecessary data is removed from the cloud in a way that ensures it cannot be reconstructed.

    Erasure of the personal data

    Inactive users: All data related to the inactive customers (users) shall be automatically deleted every ninety days unless there is a legal ground to keep such information.
    Right to be forgotten: According to Article 17 of the UK GDPR, individuals have a “right to be forgotten”, which means they are entitled to request erasure of their personal data, verbally or in writing. This right only applies in the presence of one of the following conditions:

    (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

    (iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes;

    (iv) the personal data have been unlawfully processed;

    (v) the personal data have to be erased for compliance with an applicable legal obligation;

    (vi) the personal data have been collected in relation to the offer of information society services to a child.

    The Company has the necessary procedures and measures to ensure that a request for erasure of personal data is duly responded to within the legal time limit, and appropriate methods to erase such data, when the request complies with one of the above-mentioned conditions. If we need an extension of time due to the complexity or the volume of the request, we will inform the individual within one month of receipt of the request. If such personal data was disclosed to other recipients, the Company shall contact each recipient and inform them of the erasure.
    If such personal data was shared with third parties in accordance with our Privacy Policy, the Company will take every reasonable step, taking into account available technology and the cost of implementation, to inform other controllers who are processing such data to erase links to, copies of or replications of such data.
    Users: Our customers (users) who have subscribed to our services can also request erasure of their personal data via their user dashboard on our Website, as follows:

    (i) For the users of our Service, we provide a “delete my data and close my account” button within their account with the Service. They may request erasure of their data by clicking that button.

    (ii) When we receive such a request through the software which we use for customer support communication, we will ask for confirmation from such users regarding their request.

    (iii) Once the user confirms their request, data of such user is marked as “to be erased” within our internal management panel (KIOSK) accessed only by authorized persons.

    (iv) Our system then sends an informative email regarding erasure of such user’s data to the managers, who verify whether the request complies with the above-mentioned conditions and whether any other legal obligation or legitimate interest applies.

    (v) If the request complies with the above-mentioned conditions, erasure of all data (text data, statistical data, multimedia data) starts on the following Saturday at 05:00 UTC and is completed on the same day.

    Refusal to comply with a request for erasure

    We may refuse to comply with a request for erasure when an individual’s right to erasure does not apply or when the request is manifestly unfounded or excessive. In such cases, we will inform the individual immediately about the refusal and the reasons for the refusal, reminding the individual of their right to make a complaint to the supervisory authority and to seek a judicial remedy, in any case at the latest within one month of the receipt of the request.

    An individual’s right to erasure does not apply if processing of the relevant personal data is necessary:

    (i) to exercise the right of freedom of expression and information; or

    (ii) to comply with a legal obligation; or

    (iii) to perform a task carried out in the public interest or in the exercise of official authority; or

    (iv) for archiving purposes in the public interest, scientific or historical research or statistical purposes; or

    (v) to establish, exercise or defend a legal claim.


    Record Retention Schedule

    Last updated: October 7, 2022

    Key terms

    “We”, “us”, “our”, “Company” refers to Sociality.io Limited.
    “records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

    Introduction

    The purpose of this record retention schedule (RRS) is to ensure that our records management system functions properly and efficiently and that no record is retained longer than needed. This RRS also serves as a guide for our employees with respect to their responsibility regarding record retention.
    This RRS is to be reviewed regularly to ensure that it complies with our Data Retention Policy.
    Records relating to a specific customer or user may need to be retained beyond the retention period mentioned below, in the following cases:

    (i) Legal proceedings or an official investigation,

    (ii) A crime is suspected or detected.

    At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.
    We categorize the records based on their content such as contracts, employee records etc. The RSS shows how long each category of record is retained based on business and legal requirements.
    Our RRS is organised as follows:

    I- Corporate Records

    II- Contracts

    III- Customer Information

    IV- Correspondence, E-mail and Other Communications

    V- Legal files and papers

    VI- Employee files and records

    VII- Tax Records

    I. Corporate records

    II. Contracts

    III. Customer information

    IV. Correspondence, e-mails and other communications

    VI. Employee files and records

    The Company keeps employee files and records, if any, for as long as required by relevant employment and social security laws.

    VII. Tax records


    Compliance

    Last updated: October 7, 2022

    GDPR Compliance

    The General Data Protection Regulation (“GDPR”) is the data privacy and protection legislation of the European Union. Its purpose is to protect fundamental rights and freedoms of natural persons and their rights to protection of their personal data.
    The GDPR has an extra-territorial scope. It applies to the processing of personal data by a controller or processor not established in the European Union, when the processing activities are related to (i) the offering of goods or services to data subjects who are in the European Union or (ii) the monitoring of their behaviour as far as their behaviour takes place within the European Union.
    As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK has implemented the GDPR into its national law with the UK General Data Protection Regulation which came into effect on 1 January 2021. We are now compliant both with the GDPR and the UK GDPR.
    We have prepared the following data protection policies and documents:
    • Privacy Policy
    • Cookie Policy
    • Information Security Technical and Organisational Measures
    • Data Retention and Erasure Policy
    • Record Retention Schedule

    Please read the above-mentioned documents to learn more about our data processing activities and the protection of your personal data.

    Transfer of personal data from the EU to the UK:

    According to the Trade and Cooperation Agreement (Art. FINPROV.10A), transfer of personal data from the EU countries to the UK was not considered a transfer to a third country until the end of April 2021, which period was extended by two further months or until the date when an adequacy decision in relation to the UK is adopted by the European Commission. On 19 February 2021, the European Commission published its draft decisions on the UK’s adequacy under the GDPR and found the UK to be adequate. On 14 April 2021, the European Data Protection Board announced that it had adopted its opinion on the European Commission’s adequacy decisions. The European Commission announced that it had adopted the adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between Europe and the UK. The adequacy decision includes a ‘sunset clause’, which means that the decision will automatically expire four years after its entry into force. There will be a new decision if the UK continues to ensure an adequate level of data protection.
    Pursuant to the GDPR, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the European Commission (“EU SCCs”).
    The European Commission has adopted the decision 2021/914/EU on 4 June 2021, which provides for modernized standard contractual clauses. These new EU SCCs are not valid for restricted international transfers under UK GDPR.
    We are allowed to enter into new contracts on the basis of the old EU SCCs until 21 September 2022. It is accepted that all contracts on the basis of the old EU SCCs will continue to provide appropriate safeguards for the purpose of the UK GDPR until 21 March 2024. From 21 March 2024, to transfer personal data outside of the UK and EU (except to countries which are granted an adequacy decision), we will enter into a contract on the basis of the international data transfer agreement (IDTA) or the international data transfer addendum to the EU SCCs for international data transfers (UK SCCs). We have already concluded data processing agreements and EU SCCs and/or UK SCCs with all the third-party organisations/sub-processors which may transfer your data outside of the EU.

    CCPA Compliance

    The California Consumer Privacy Act (CCPA), effective since 1 January 2020, is a data protection law that protects the residents of California and governs their rights regarding their personal data.
    According to the CCPA, data subjects have a right:

    (i) to access all the data that a company has processed regarding them and receive a copy of such data,

    (ii) to receive a list of all the third parties that their personal data is transferred to,

    (iii) to know what personal data is being collected.

    We will always be transparent about the data we collect, why we collect it and how we use it, as well as third parties’ access to such data. Our Privacy Policy provides a detailed explanation regarding these matters.
    We will never sell your information.
    If you have any questions or concerns regarding the processing of your personal data by Sociality.io, please send us an email at [email protected].io and we will do our best to help you.

    PCI Compliance

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), which is an independent body that was created by the major payment card brands.
    We do not store credit card information, but since we accept credit cards as a form of payment, we must be in compliance with PCI DSS. Our check-out process is handled by Stripe, a company certified to PCI Service Provider Level 1. Please see Stripe’s Security Page for more details.

    Data Processing Addendum

    This Data Processing Addendum (“DPA”) is made by and between:

    • Data processor: Sociality.io Limited, a limited liability company registered in England and Wales.
      Company No: 11158083
      Address: 565 Green Lanes, Haringey, N8 0RL, London, England
      E-mail: [email protected]
      Tel: +44 7400 482759
      (“Processor”)

    and

    • Data controller: The individual or the entity (represented by an authorized individual) that enters into the Terms of Service with us, in order to access, use and purchase the Service.
      (“Controller”)

    (each a “party”; together the “parties”)
    WHEREAS:
    (A) Controller and Processor signed the Terms of Service of Sociality.io Limited available at https://sociality.io/legal- terms, as updated from time to time, which govern the Controller’s use of the Service (“ToS”).
    (B) This DPA is an integral part of the ToS between Controller and Processor and regulates the processing of personal data in line with the Data Protection Laws.
    (C) This DPA governs each party’s rights and obligations, in order to ensure that all processing of personal data is conducted in compliance with Data Protection Laws.
    NOW, IT IS AGREED AS FOLLOWS:

    1. Definitions

    1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
    “Data Protection Laws” means the UK General Data Protection Regulation which came into effect on 1 January 2021 (“UK GDPR”) and the Data Protection Act 2018.
    “DPA” means this Data Processing Addendum and all Annexes;
    “Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    “Sociality’s Privacy Policy” means the privacy policy, as amended from time to time, published at https://sociality.io/legal - privacy-policy
    “Services” means the software as a service offered by Sociality.io Limited in compliance with the ToS.

    2. Processing of personal data

    2.1 The Processor shall:

    (i) only process personal data in line with the instructions from the Controller, unless the Processor is required to do so by statutory law to which it is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that statutory law prohibits such information on important grounds of public interest.

    (ii) comply with all applicable Data Protection Laws in Processing of Personal Data. The Processor shall immediately notify the Controller if it is of the opinion that an instruction from the Controller is in violation of Data Protection Laws.

    2.2 The subject-matter, nature and purpose of the processing, the types of personal data and the categories of data subjects involved are specified in Annex 1.

    3. Duty of confidence

    The Processor shall obtain a commitment of confidentiality from its employees as well as any temporary workers who may have access to or whom it will allow to process Personal Data, unless that person is already under such a duty by statute. The Processor must also ensure that access to Personal Data is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Controller’s instructions.

    4. Technical and organisational measures

    4.1 The Processor shall, in relation to Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

    5. Sub-processors

    5.1 The Processor shall not engage any sub-processor without the Controller’s specific or general written authorisation. If the Processor engages a sub-processor under the Controller’s general written authorisation, the Processor should let the Controller know of any intended changes and give the Controller a chance to object to them.
    5.2 The Controller agrees that the Processor uses the sub-processors listed in Annex 2. This clause shall be considered a general written authorization regarding the listed sub-processors.
    5.3 If the Processor engages a sub-processor, it must put a contract in place which should include that the sub-processor will provide sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the Data Protection Laws’ requirements and the sub-processor should offer an equivalent level of protection for the Personal Data.
    5.4 The Processor shall be liable to the Controller for a sub-processor’s compliance with its data protection obligations.

    6. Data subject rights

    6.1 The Processor shall take appropriate technical and organisational measures to help the Controller respond to requests from Data Subjects to exercise their rights in line with the Data Protection Laws.
    6.2 Taking into account the nature of the processing and the information available, the Processor must assist the Controller in meeting its obligations to:

    (i) keep Personal Data secure;

    (ii) notify Personal Data breaches to the relevant supervisory Authority;

    (iii) notify Personal Data breaches to Data Subjects;

    (iv) carry out data protection impact assessments (DPIAs) when required;

    (v) consult the relevant supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.

    6.3 The Processor shall:

    (i) promptly notify the Controller if it receives a request from a Data Subject under Data Protection Laws in respect of Personal Data; and

    (ii) ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before responding to the request.

    6.4 The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Personal Data, with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. The Processor shall co-operate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

    7. Deletion or return of personal data

    At the end of this Agreement, the Processor must:

    (i) at the Controller’s choice, delete or return to the Controller all the Personal Data it has been processing for it; and

    (ii) delete existing copies of the Personal Data unless Data Protection Laws require it to be stored.

    Any deletion of Personal Data must be done in a secure manner.

    8. Audit rights

    The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits and inspections carried out by the Controller or by an auditor appointed by the Controller in relation to the Processing of Personal Data.

    9. Effective date and termination

    9.1 This Agreement shall be effective from the date it is signed by both Parties and until the Processor’s obligations in relation to the delivery of services are otherwise terminated, except for those provisions in this Agreement that shall continue to apply after termination.
    9.2 At the end of this Agreement,

    (i) The Processor (and its sub-processors) shall immediately stop the processing of Personal Data.

    (ii) The Processor shall, at the Controller’s choice, delete or return to the Controller all the Personal Data it has been processing for it unless Data Protection Laws require it to be stored; and

    (iii) The Processor shall delete existing copies of the Personal Data unless Data Protection Laws require it to be stored.

    9.3 Any deletion of Personal Data must be done in a secure manner.
    9.4 The obligations under Article 9 shall survive termination of the Agreement.

    10. Notices

    All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by a Party changing its address.

    11. Governing Law and Jurisdiction

    (i) This Agreement is governed by the laws of England and Wales.

    (ii) Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales.

    ANNEX 1 - Specifications

    Data Processor

    Sociality.io Limited, a limited liability company registered in England and Wales.

    Company No: 11158083

    Address: 565 Green Lanes, Haringey, N8 0RL, London, England

    E-mail: [email protected]

    Tel: +44 7400 482759

    Data Controller

    Customer who has subscribed to the Service by signing the ToS.

    Data Subjects

    Customers and clients (including their staff):

    Users who are authorised by the Controller to use the services of the Processor

    Categories of Personal Data

    Personal details of the data subjects: User information including name and e-mail address.

    IP information of the device used to connect to the service.

    Geographic location (country and city only) of the device used to connect to the service.

    Special categories of data

    None.

    Processing Operations

    The processing activities will include the performance of the services pursuant to the Terms of Service entered into by the Data Exporter and the Privacy Policy of the Data Importer.

    Purpose of Processing

    Personal Data is processed (i) to perform the services pursuant to the Terms of Service and to protect the Data Processor’s website against attacks, (ii) to provide the customers with the service available on the website, (iii) to develop business and customer relations, (iv) to provide technical support regarding the service, (v) to send customers updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the website and (vii) to fulfil legal obligations.

    ANNEX 2 - SUB-PROCESSORS

    A- Sub-processors within EU
    B- Sub-processors outside of the UK and EU