Legal

Sociality.io is built from the ground up with users' rights to privacy and information security in mind. To keep our services to the highest standards, we invest continuously in our infrastructure and processes. We are grateful for your trust in our platform, and the following resources represent our commitment to being transparent about our practices.

Terms of Service

Last updated: October 27, 2023
THESE TERMS OF SERVICE CONSTITUTE A LEGAL AGREEMENT BETWEEN YOU AND SOCIALITY. PLEASE READ THESE TERMS OF SERVICE CAREFULLY BEFORE ACCESSING, INSTALLING, USING AND/OR PURCHASING ANY OF THE SERVICES PROVIDED BY SOCIALITY, INCLUDING A FREE TRIAL.
BY ACCESSING, INSTALLING, USING OR PURCHASING OUR SERVICES (INCLUDING FREE TRIAL), WHICHEVER IS EARLIER, YOU ACKNOWLEDGE THAT YOU ARE OF LEGAL AGE TO ENTER INTO AN AGREEMENT AND YOU HAVE READ, UNDERSTOOD AND ACCEPTED TO BE BOUND BY THESE TERMS OF SERVICE, LIKE ANY WRITTEN AGREEMENT SIGNED BY YOU. IF YOU ARE ACCEPTING THE TERMS ON BEHALF OF A LEGAL ENTITY (ORGANISATION, COMPANY, ASSOCIATION, ETC.), YOU REPRESENT AND WARRANT THAT YOU HAVE THE FULL AUTHORITY TO REPRESENT AND BIND SUCH LEGAL ENTITY.
These Terms of Service are the general terms of our agreement with You to govern your access, purchase and use of the Service. Our agreement will also include special terms, such as subscription rates and payment terms depending on the subscription plan You purchased. If there are special terms applicable to the subscription plan chosen by You, these special terms will be made available to You and be an integral part of these Terms of Service.
These Terms of Service, and the special terms form the entire agreement (referred to below as the “ToS”) between You and Sociality.
“Sociality”, “We” and “us” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
Remember that our product is for commercial and company use only and you will need to provide your company details such as address and VAT number to complete your registration.

The “Service” is a social media management platform that enables users, among other things, to publish posts on social platforms at a scheduled time, reply to user messages on social media channels, monitor brand keywords in public web results, analyse the performance of their social media pages and benchmark these pages against other pages' public data. You may find detailed information about the Service on our website available at https://sociality.io (the “Website”).

We advise you to print and keep the ToS in your files.

1. Acceptance of the ToS

1.1 You must first agree to the ToS in order to access, purchase and/or use the Service, including any free trial.

1.2 If You have any question or doubt regarding any provision of the ToS, please don’t purchase or use any part of the Service and send us an email at [email protected] regarding your concerns.

1.3 In order to accept the ToS, You must be of legal age to enter into an agreement. If You are a legal entity (organisation, company, etc.) the person who accepts the ToS on your behalf represents and warrants that they have the full authority to represent and bind You.
1.4 You can accept the ToS by clicking to accept or agree to the ToS where available or by purchasing, accessing, using or installing the Service (free trials included). By performing one of these options, You represent and accept that You have read, understood and agreed to be bound by the ToS, like any written agreement signed by you.

2. Payment terms

2.1 The Service is provided on a subscription basis. You must pay the whole amount applicable to the subscription plan You chose and subscribed for. The prices applicable to different subscription plans and the payment methods are published on our Website available at https://sociality.io/pricing. Our plans are billed in advance on a monthly or yearly basis and are not refundable. You agree that You are liable to pay any taxes applicable to your obligations under the ToS and in relation to the Service.

2.2 You agree that if You change your subscription plan, You will be liable for the amount applicable to the new plan.
2.3 If You purchase a monthly subscription, You can upgrade or downgrade your subscription plan before the end of your existing plan, and the change will be reflected in the next billing cycle. You will also be able to see your invoice details on a separate page in your account. You agree that if You change your subscription plan or alter the content of your existing subscription plan, your next invoice amount will be updated in accordance with your altered subscription plan and the updated amount will apply to your next invoice.

2.4 If You purchase a yearly subscription, You can downgrade your subscription plan but there will be no reimbursement of the fee. If You wish to upgrade your yearly subscription plan, You must contact us by sending an email to [email protected]. You accept that the additional content will be invoiced separately.

2.5 You will enter your credit card details only once, when You make your first payment and You will give your approval that the following payments can and will be collected automatically from your credit card on the renewal dates of your subscription. We use Stripe Inc. for payment processing. We do not have access to your credit card information. We do not save or keep your credit card details and We do not accept responsibility for the payment processing.
2.6 Without liability to You or prejudice to our other rights and remedies, We may disable your account or suspend your access to all or any portion of the Service, if you fail to pay any sums due to us within 15 days after the due date for payment.
2.7 If You are late in paying sums due to us, We may charge interest on the outstanding amount at a rate of four per cent (4%) over the Bank of England base lending rate, accruing daily until the full payment of the outstanding amount.

3. Use of the Service

3.1 Subject to the ToS, and payment of the subscription fee, You will be granted only a limited, non-exclusive, non-assignable, non-sublicensable, revocable right to access and use the Service included in your subscription plan during the subscription term, solely for your internal use and to permit the Authorised Users to use the Service, strictly in accordance with this ToS. You do not acquire any software and do not receive any copies of software. You agree that this licence is strictly subject to the ToS and your compliance with the ToS.
3.2 You represent that the information (such as identification or contact details) You provide to access and use the Service and to register your account is accurate and complete.

3.3 You agree that You should keep your login details (username and password) in strict confidentiality. You shall not communicate your login details to any third parties. You are solely responsible for all the activities that occur under your account or using your login details. We will not be liable for any loss or damage arising from your failure to properly safeguard your account or login details. If You suspect or become aware of any unauthorised access or use of your login details, You must immediately notify us by sending an email to [email protected].

3.4 If we detect suspicious behaviour or activity on your account, your account will be blocked for 24 hours for security purposes. This usually happens if You frequently try to delete and re-add pages to avoid renewing or upgrading your subscription plan. If the suspicious behaviour or the activity continues, your account will be blocked for longer periods and possibly for a permanent period.
3.5 In particular and without limitation, You agree that You will not (i) reproduce, modify, duplicate, create derivative works from or copy all or any portion of the Service, by any means, or (ii) sell, resell, assign, lease, distribute or display the Service to third parties, create public links to the Service, or frame or mirror all or a portion of the Service on any other server or device or otherwise commercially exploit or make the Service available to third parties, or (iii) attempt to reverse engineer, decompile, reverse compile or hack all or any part of the Service or use any other means to acquire the source code of any software in the Service or attempt to gain unauthorised access to the Service or its systems or networks, or (iv) use the Service to upload, link to or send any content that is false, misleading, defamatory, violates any third party right or contractual restriction or contains unlawful, racist, or discriminatory material, or (v) access, subscribe to or use the Service in any way in order to create a competitive product or service or for the purpose of competitive analysis, or (vi) use the Service in a way that interferes with or disrupts the Service.
3.6 You agree that You will use the Service in a lawful manner, in compliance with the ToS and the applicable laws and regulations. You will not, and will not permit any other party (including other users) to, violate personal rights, privacy rights, intellectual property rights, confidentiality rights or any other legally protected rights of any other person or entity.
3.7 You agree that all the content (such as text, photographs, etc.) that You download or post through the Service is accurate and does not violate the intellectual property rights or confidential information of any third party. You agree that You will indemnify and hold us harmless from all claims, costs, damages and expenses awarded against or incurred or paid by us in connection with your breach of any third party's intellectual property or similar rights.
3.8 You agree that You must take all kinds of precautions (including using appropriate anti-virus software) to ensure that the information, content, material or data that You upload, post or otherwise share through the Service are free from any virus, spyware, malware, trojan horse or any other material that would harm the Service and the software.
3.9 You agree that We are not obliged to control or monitor your content, third parties' content or the use of the Service by You or other users. You also agree that We may from time to time monitor the information transmitted or received through the Service for operational and other purposes. You also acknowledge that if at any time We decide to monitor the content, We still do not accept any liability for content or any loss or damage incurred as a result of the use of content. If We decide to monitor the content, We will treat any information in accordance with our Privacy Policy.
3.10 You shall not directly or indirectly export, re-export or transfer the Service to any countries or individuals prohibited under any export laws.
3.11 Any breach of the above mentioned terms under this Section 3 shall be considered a material breach of the ToS and We reserve the right, without liability or prejudice to our other rights, to disable your account or suspend your access to all or any portion of the Service in the event of a breach of any provision of this Section 3.
3.12 You accept that You will defend and indemnify us together with our directors, employees, consultants and affiliates from and against every claim brought by a third party, and any related direct and indirect liability, damage, loss and expense arising out of or connected with (i) your use of, or misuse of the Service; (ii) your violation of any provision of the ToS, any representation or warranty referenced in the ToS, or any applicable law or regulation; (iii) your violation of any third party right, including any intellectual property right or publicity, confidentiality, other property, or privacy right; or (iv) any dispute or issue between You and any third party. You also agree to cooperate with our defence of the said claims.

4. Adding users to your account

4.1 In accordance with your subscription plan, You can authorise individuals within your entity to access and use the Service (“Authorised User(s)”). You will ensure that all Authorised Users keep their login details strictly confidential. The Authorised Users will abide by the ToS and You will be liable for the actions and omissions of the Authorised Users as if they were your own.

4.2 Each Authorised User must use their personal username and password to access the Service. The Authorised Users shall not let others use their login details to access the Service. If We notice that any Authorised User under your subscription plan shares their login details with others, lets others access and use the Service with their login details or acts in violation of the ToS, We can immediately suspend or cancel your subscription at our discretion.

5. Security and privacy of your personal data

5.1 We treat the privacy of your personal data with the utmost importance. It is important that You are aware of how and why We may collect and process any personal data shared through the Service, the legal basis of the processing activities and your rights in connection with your personal data. Therefore, We advise You to read our Privacy Policy carefully, before purchasing a subscription and starting to use the Service.
5.2 When You register an account with the Service and log in to your account, You agree that We collect the personal data You provide to us. When You register an account with us (including for a free trial), We will ask You to provide your name, your email address, the name of your company, the country where your company is located and your phone number.
5.3 We collect and store the following data in accordance with the ToS and our Privacy Policy, in connection with the Service: (i) E-mail addresses, addresses and contact information, (ii) IP addresses, (iii) geographical location of the devices (country and city) and (iv) information that You (or your Authorised Users) allow us to access in your social media accounts.
5.4 We may also automatically collect and store information regarding your device and browser via third parties' software. In such a case, the software will be in compliance with the applicable law and such third parties that are in a contractual relationship with us will take appropriate technical and organisational safeguard measures.
5.5 Our Data Processing Addendum applies where You are the data controller and instruct us to process personal data in connection with the Service.
5.6 We process your personal data to the extent allowed by the applicable law (i) to provide You with a better Service and comply with our obligations under these ToS, (ii) to inform You of new services, features or subscription plans, (iii) to gather commercial statistics and analyses regarding the use of the Service, (iv) to communicate with You, (v) to carry out market research, and (vi) to fulfil our legal duties and/or governmental authorities' requests in accordance with the applicable law.
5.7 You agree that We can from time to time access your account, using our own login details or external software, in order to carry out the investigations necessary to provide You with a better Service.

5.8 Integration with third party social media platforms

The Service offers You a social media management tool that You may connect with your social media accounts, and the Service uses these social media platforms' APIs, such as the Facebook API, Instagram API, Twitter API, LinkedIn API and YouTube API services. You can use the Service to manage your social media, for example by posting, liking or sharing content or comments or sending messages on social media platforms such as Facebook, Instagram or Twitter. Once You send content to a social media platform by using the Service, We will no longer be responsible for such content and the content will be subject to the terms and policies of the relevant social media platform.
When You connect your social media accounts to the Service, You also agree that We will have access to certain information such as your profile information in your social media accounts via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read carefully the privacy policies of the social media platforms you access via our Service. You accept that We are not liable for, and make no representations as to the third party social media platforms and their processing of your data and use of your content.
You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:
5.9 Please read our Privacy Policy for further details.

6. Limitation of liability

6.1 You agree that the Service and all materials and content are provided on “as is” and “as available” basis, without any warranty. We disclaim any warranty, representation, condition, and all other terms of any kind whatsoever (including but not limited to any implied warranty as to the merchantability, quality or fitness for a particular purpose), whether express or implied by statute or common law, to the extent permitted by any applicable law.
6.2 We do not represent or warrant that (i) the Service is accurate, complete or reliable, or (ii) You will have uninterrupted use of the Service, or (iii) the Website or the Service is free of errors or viruses, or (iv) You will obtain a specific result from the Service.
6.3 You may have access to links to other websites, portals, files or contents through the Service and the website. You acknowledge and accept that We do not verify these links and We don’t have any control over them. You agree that We do not accept any liability regarding these websites, portals, files, contents, services or products that are reached through the links on the Service or the website. These links shall not be construed as an endorsement regarding the linked websites, their contents or owners.
6.4 We shall not be liable whether in tort (including for negligence or breach of statutory duty), contract, misrepresentation or otherwise for (i) any special, consequential, punitive or indirect damages, loss, charges, costs or expenses (including any damage to your computer system or mobile device), (ii) loss or corruption of data or information, or (iii) loss of profits, business, revenue, or anticipated savings or wasted expenditure, or (iv) damages to reputation.
6.5 To the fullest extent permitted by law, our total liability to You, whether in contract, tort, misrepresentation, under statute or otherwise, arising from or related to this ToS and the Service, shall be limited to the amount corresponding to the subscription fee You have paid us for the three (3) months prior to the event or circumstance giving rise to your claim. The existence of more than one claim will not enlarge this limit.

7. Intellectual property rights

7.1 All legal rights, title and interest attached to the Service, patents, copyrights, trademarks, knowhow and the Website including all kinds of intellectual property rights (whether registered or not) (“Intellectual Property Rights”) are owned and retained by us or our licensors. Except as expressly stated herein, this ToS shall not be construed as creating, conveying, transferring, or granting upon You or the Authorised Users, any rights, licence, or authority in or to the Service. No licences or rights under any patent, copyright, trademark, trade name, trade secret or other intellectual property (whether registered or unregistered) are granted to You or are to be implied by reason of this Agreement.

7.2 The results of any Service provided under this ToS and any deliverables do not constitute “works for hire”, “works made in the course of duty” or similar terms under the applicable law where the transfer of the intellectual property occurs on the performance of services.
7.3 By subscribing to the Service, You will be granted a limited, non-exclusive, non-assignable, non-sublicensable, revocable licence to access and use the Service included in your subscription plan. You agree that this licence is strictly subject to the ToS and your compliance with the ToS.
7.4 You agree and represent that all elements of text, images or other content that You provide to us related with or via the Service are either owned by You or You have legal rights to use them and that their usage related with or via the Service will not infringe intellectual property rights of any third party. Otherwise You accept to be responsible for any kind of claims made by such third parties to us regarding infringement of their intellectual property rights.
7.5 If You or the Authorised Users provide feedback or suggestions regarding the Service then You hereby grant us an unrestricted, perpetual, irrevocable, non-exclusive, fully paid, royalty-free, worldwide right to exploit them in any manner and for any purpose, including to improve the Service and create other products and services, without any acknowledgment or compensation.

8. Audit rights

You agree that We have the right to monitor your use of the Service in order to verify that You use the Service in compliance with these ToS and your subscription plan. If We find that You have used or permitted access to the Service in a manner that is not permitted under these ToS, We may terminate your subscription, disable your account or suspend your access to all or any portion of the Service, without liability or prejudice to our other rights.

9. Suspension and termination of your subscription

9.1 The ToS will apply during the term of your original and renewed subscription beginning when You accept the ToS or first install, access or use the Service, unless and until terminated by You or us in accordance with the ToS.

9.2 You can terminate your subscription by unsubscribing from the Service within your registered account or by contacting customer service at [email protected] before the renewal date of your subscription. You also agree that there will be no reimbursement of the subscription fee if You terminate your subscription before the end of your existing plan, and You will still be able to use the Service until such date.

9.3 You agree that We can suspend your subscription at any time if You fail to fulfil your payment obligations or otherwise breach the ToS. In such a case, We will inform You by sending You an email regarding the reason for suspension and request You to remedy the breach in order to reactivate your subscription. If You fail to remedy the breach by the end of the period mentioned in the email, We will be entitled to terminate our agreement with You and end your subscription.
9.4 You agree that We are entitled to terminate our agreement with You and your account on the Service and end your subscription immediately at our sole discretion in case We believe that there is a material breach of the ToS by You (any breach of Section 3 (Use of the Service) will be considered a material breach). You also agree that We can terminate our agreement with You and your account or suspend your access to the Service at any time at our sole discretion without reason and without notice.
9.5 You agree that We are entitled to terminate our agreement with You and your account on the Service immediately if provision of the Service to You becomes illegal for any reason.
9.6 In the event of termination of the ToS, these ToS will forthwith become void, provided, however, that all payment obligations accrued prior to termination and the provisions of Sections 3.7, 6, 7.4, 18 and 19 shall survive termination.

10. Amendment to the ToS

We reserve our right to change the ToS from time to time. When we make changes to the ToS, the updated version will be available at our website. You agree that if You continue to use the Service after the date on which the ToS have changed, this will be deemed as an acceptance of the updated ToS.

11. Modification of the Service

We reserve our right to modify, suspend or cease any features, functions, tools or other aspects of the Service, temporarily or permanently, at any time, without prior notice to you. In such cases, We will inform You by sending an e-mail or with an announcement on our Website. You accept that We will have no liability for any modification, suspension or termination of any of the features, functions, tools or other aspects of the Service and that there will be no refund of the subscription fees.

12. No Assignment

Your rights arising from your subscription to the Services belong only to You and You shall not assign or transfer such rights to any third party, except to the extent specified in this ToS.

13. Entire Agreement

These ToS constitute and contain the entire agreement between You and us and supersede any and all prior agreements, arrangements and understandings between You and us relating to the Service. No terms or conditions in your general conditions of purchase (including the terms in your purchase order) shall apply in connection with this agreement or the Service.

14. No waiver

No failure or delay in exercising any right, power or privilege under these ToS shall operate as a waiver thereof. No waiver of any term of these ToS shall be deemed to be or construed as a further or continuous waiver of such term.

15. Severability

The unenforceability or invalidity of any provision of the ToS shall not affect the enforceability or validity of the rest of it.

16. Independent parties

Our relationship with You is that of independent contractors dealing at arm's length. Nothing in these ToS shall constitute us as partners, joint ventures or co-owners, or constitute either of us as the agent, employee or representative of the other.

17. Effective date and duration

17.1 These ToS shall become effective when You accept them by clicking to accept or agree to the ToS where available or when You purchase the Service or when You start using it (free trials included).
17.2 The ToS shall remain effective during your original subscription as well as any renewed subscription until terminated by You or us in accordance with Section 9 of the ToS.

18. No Third Party Rights

The Contracts (Rights of Third Parties) Act 1999 shall not apply to the ToS and no person other than the parties to this ToS shall have any rights under it. The terms of this ToS may be varied, amended, or modified or may be suspended, cancelled, or terminated by agreement in writing between the parties without the consent of any third party.

19. Governing law and dispute resolution

19.1 These ToS shall be governed by and construed in accordance with the laws of England and Wales.
19.2 Any dispute arising from the ToS or your use of the Service shall be referred to the exclusive jurisdiction of the courts of England (including non-contractual disputes or claims).

Privacy Policy

Last updated: October 27, 2023

Preamble

This Privacy Policy describes what kind of personal data we may collect, store and process when you visit our Website and subscribe to our Service, what the legal bases for processing such data are, and how we will use and protect it.
As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK has implemented the GDPR into its national law with the UK General Data Protection Regulation which came into effect on 1 January 2021 (“UK GDPR”).
This Privacy Policy has been developed in compliance with the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and any matter that isn’t described here shall be subject to the applicable rules of the UK Data Protection Regime.
We may change the Privacy Policy from time to time due to changes on our Website or the Service or any other reason which requires us to do so; therefore, we recommend you check the Privacy Policy on a regular basis. In case of material changes, we will notify you (if you are already a customer and you have provided us your contact details) by sending you an email.
“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
The Service refers to the services mentioned and described on our Website.
We implement appropriate technical and organisational measures to safeguard your rights, freedoms and legitimate interests regarding processing of your personal data and ensure that processing of your personal data is performed in accordance with the UK Data Protection Regime. Please also see our Data Retention Policy, Records Retention Schedule and our Information Security Policy for further details on safety and protection of your data.
1. Legal Basis of Data Processing

We will process your personal data in accordance with the principles of lawfulness, fairness and transparency under Article 5 of the UK GDPR. This means that we will process your personal data only if:

(i) you have given your consent to the processing of your personal data for one or more specific purposes; or

(ii) processing is necessary for the performance of a contract with you (when you subscribe to the Service), or

(iii) processing is necessary for compliance with a legal obligation, or

(iv) processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms.

2. What types of personal data do we process?

As the data controller, we collect certain data from (i) visitors to the Website, (ii) our customers (usually corporate entities) who have subscribed to the Service and (iii) individuals who are appointed and authorised by the customers to use and manage the Service on their behalf.
We may collect your personal data when you visit the Website, subscribe for the Service, register an account with us, complete forms on the Website and contact us on a customer service issue.
We may process, among other things, (i) your email address, (ii) invoices, (iii) information with respect to your browser and IP address, (iv) the geographic location of the device (only country and city) and (v) information that you and/or your employees or representatives allow us to access in your social media pages.
We may automatically collect and store information regarding your device and browser via third parties' software such as cookies. In such cases, the software will be in compliance with the applicable law and such third parties that are in a contractual relationship with us will take appropriate technical and organisational safeguard measures. Please see our Cookie Notice for further information regarding these technologies and how you can manage your cookie preferences.
The Service is a social media management service; therefore, we may obtain certain data from social media platforms via these platforms’ APIs. The scope of the data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. We will have access to such data only with your prior authorisation. Please see below the section on the “Integration with Third Party Social Media Platforms” for further details.
Please see below the table No. 1 and No.2 for detailed information on which data we process.

3. How do we use your personal data?

We may use your personal data (i) to operate our Website and to protect it against attacks, (ii) to provide you with the Service, (iii) to develop our business and customer relations, (iv) to provide technical support regarding the Service, (v) to send you updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the Website and (vii) to fulfil our legal obligations.
Our third party partners may collect information using cookies in our services to deliver targeted ads displayed to you on third-party websites and applications. Please see our Cookie Policy to learn how to set your cookie preferences.
You may find further details on which data we may process, why we may process such data and the legal reason for such processing in Table No.1 and Table No.2 below.

Table No.1 - Visitors of the Website

Table No.2 - Subscribers of the Service

4. Transfer of personal data to third party organisations and countries


Compliance with law

We may share your personal data where we are under a legal obligation to disclose such data. This could be based on an applicable law, a governmental request or a court order. Please see Section 5 Sharing Personal Data with Law Enforcement Authorities below for further information. We may also share your personal data with authorised bodies if we suspect illegal activities, violation of our Terms of Use and policies or fraud in order to protect our Website and the Service.

Third party service providers

We may transfer your personal data to a third country or to an international organisation, provided that the conditions laid down in the UK GDPR are complied with and that there is an adequate level of protection and safeguards measures for the privacy of your personal data.

5. Sharing Personal Data with Law Enforcement Authorities

We may share personal data with law enforcement authorities to comply with court orders, or other legislation and legal requirements.
We will only share personal data with a law enforcement authority if we can identify a lawful basis under Article 6 of the UK GDPR before sharing the personal data. For example, we may rely on compliance with a legal obligation as a lawful basis in certain circumstances where we are required by law to disclose personal data to law enforcement authorities or on the lawful basis of legitimate interest to enable law enforcement authorities to conduct a proper investigation of a suspect. Please refer to Section 1 Legal Basis of Data Processing above for further details on a lawful basis.
If the data requested is a special category data, we will also identify a condition for processing special category data under Article 9 of the UK GDPR and any relevant condition in Schedule 1 of the DPA 2018 before sharing special category data.
We will consider the circumstances of each request to determine whether there is a lawful basis for sharing the personal data.
Under the UK Data Protection Regime, we are also required to comply with the data minimisation principle, which means that the personal data we share must be adequate, relevant and limited to what is necessary for the purpose of sharing it with a law enforcement authority. We will apply this principle for each data request.
We will always ensure that the personal data is shared in compliance with our other data protection duties and obligations, including fairness, accuracy and security.
We will always carefully consider all requests from law enforcement authorities before we disclose the personal data requested to them and we will not share any personal data unless we are satisfied that the disclosure of personal data to the law enforcement authority is lawful.

6. International data transfers

If your personal data is transferred to a third country or to an international organisation, you will have the right to be informed of the appropriate safeguards relating to the transfer.
Transfers of Personal Data from the European Union countries to the United Kingdom: The European Commission announced that it adopted the adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between Europe and the UK. The adequacy decision includes a ‘sunset clause’, which means that the decision will automatically expire four years after its entry into force. There will be a new decision if the UK continues to ensure an adequate level of data protection.
Transfers of Personal Data from the UK to EU countries: It is permitted according to the UK Data Protection Regime.
Transfer of Personal Data from the UK to non-EU countries: Adequacy Decisions: The UK’s adequacy rules include the EEA and all countries, territories and international organisations covered by European Commission’s adequacy decisions valid as of 31 December 2020.
The UK-US Data Bridge was approved by the UK Parliament on 21 September 2023 and it will come into force on 12 October 2023. From thereon, organisations in the UK will be able to transfer personal data to organisations in the US that extend their certification under the Data Privacy Framework to the UK extension.
Standard Contractual Clauses: All contracts on the basis of the old EU SCCs will continue to provide appropriate safeguards for the purpose of the UK GDPR, until 21 March 2024. From 21 March 2024, to transfer personal data outside of the UK and EU (except for countries which are granted an adequacy decision), we will enter into a contract on the basis of the international data transfer agreement (IDTA) or the international data transfer addendum to the EU SCCs for international data transfers (UK SCCs or UK Addendum). We have already concluded data processing agreements and EU SCCs and/or UK SCCs with all the third-party organisations/sub-processors, which may transfer your data outside of the EU.
You may see below in Table 3 and Table 4 detailed information about the third party organisations that we share data with. When such third party organisations process personal data on behalf of us, we sign a data processing agreement with them, as required by the UK GDPR.

Table 3 - Transfer of Personal Data within the EU (your data is not transferred outside of the EU)

Table 4 - Transfer of Personal Data outside of the UK and the EU (your data may be transferred outside of the EU)

Integrations with third party social media platforms

The Service offers You a social media management tool that you may connect with your social media accounts and the Service uses these social media platforms' APIs, such as Facebook API, Instagram API, Twitter API, LinkedIn API and YouTube API services. You can use the Service to manage your social media including for example by posting, liking or sharing contents or comments or sending messages on social media platforms such as Facebook, Instagram or Twitter. Once you send a content to a social media platform by using the Service, we will no longer be responsible for such content and the content will be subject to the terms and policies of the relevant social media platform.
When you connect your social media accounts to the Service, you also agree that We will have access to certain information such as your profile information in your social media accounts via these third party social media platforms’ APIs. The scope of data obtained from these platforms is subject to the type of APIs and the authorizations granted by the social media platforms. Please read carefully the privacy policies of the social media platforms you access via our Service. You accept that we are not liable for, and make no representations as to the third party social media platforms and their processing of your data and use of your content.
You can learn how to disconnect the Service from your social media accounts or manage your permissions granted to the Service from the following pages of the relevant social media platforms:

6. Data retention

We will not retain your personal data longer than is necessary for the purposes for which it was processed. Where it is no longer necessary to retain your personal data, we will either delete it or make it anonymous. Please see our Data Retention Policy for further details.

7. Your rights in connection with your privacy and your personal data

a. Automated individual decision making

You have the right not to be subject to a decision based solely on automated processing, including profiling, except when it is necessary for entering into, or performance of our agreement (the ToS) or the Services or is authorised by the applicable law to which We are subject.

b. Your right of access

You have the right to request from us confirmation as to whether or not your personal data is being processed. If your personal data is processed, You will have access to your personal data and the following information: (i) the purposes of the processing, (ii) the categories of your personal data, (iii) the recipients or categories of recipient to whom your personal data have been or will be disclosed, (iv) where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period, (v) the existence of the right to request from us rectification or erasure of your personal data, (vi) your right to lodge a complaint with a supervisory authority, (vii) where your personal data is not collected from the data subject, any available information as to their source, (viii) the existence of automated decision-making, including profiling.

c. Your right to rectification

You have the right to obtain the rectification of your inaccurate personal data. You also have the right to have your incomplete personal data completed.

d. Your right to data portability

You have the right to receive your personal data You shared with us in a structured, commonly used and machine-readable format. You also have the right to have your personal data transmitted directly to another data controller, where it’s technically feasible and it does not adversely affect the rights and freedoms of others.

e. Your right to object to processing

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on (i) the necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or (ii) the necessity for the purposes of our or a third party’s legitimate interests. In such case, we will cease to process your personal data unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

f. Your right to object to direct marketing

You have the right to object at any time to processing of your personal data for direct marketing.

g. Your right to restriction of processing

You have the right to request us to restrict processing of your personal data if you contest the accuracy of your personal data or the lawfulness of the processing. Upon your request, we will restrict the processing of your personal data, with the exception of storage, or processing for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform You immediately if and when the restriction is lifted.

h. Your right to be forgotten

You have the right to request us to erase your personal data without undue delay where your personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed or you withdraw your consent and there is no other legal ground for the processing. In such case we will immediately delete your personal data except when the processing of your personal data is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or for the establishment, exercise or defence of legal claims.

i. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you think that the processing of your personal data infringes the applicable law.

8. Notification of a personal data breach

In the case of a personal data breach, we will notify the breach to the competent supervisory authority not later than 72 hours after having become aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
If the breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the personal data breach to you without undue delay, unless:

(i) appropriate technical and organisational protection measures have been implemented, and those measures were applied to the personal data affected by the personal data breach, or

(ii) the subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise, have been implemented, or

(iii) it would involve disproportionate effort. In such a case, we will make a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

9. Contact us

Please send us an email at [email protected] if you have any questions or concerns regarding this Privacy Policy and personal data processing.

Information Security

Last updated: October 27, 2023
“We”, “us” and “ours” refer to our company “SOCIALTY.IO LIMITED”, with its registered office at 565 Green Lanes, Haringey, N8 0RL, London, England, registered with the Company Registration Number: 11158083.
The Service refers to the services mentioned and described in our Website.

Overview

This Policy describes the technical and organisational measures we implement to keep personal data that we process safe and secure. Keeping personal data of our customers and visitors protected at all times is our highest priority. This security overview provides a high-level overview of the security practices put in place to achieve that objective. Have questions or feedback? Feel free to reach out to us at [email protected]

Purpose

The purpose of this Policy is to make sure that we are in compliance with the following requirements and principles under the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and provide adequate safety and protection to personal data.
According to the principle of integrity and confidentiality (Article 5(1)(f)) under the UK GDPR, “personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
Furthermore, article 32(1) of the UK GDPR stipulates that “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
In this scope, we must ensure that personal data can only be accessed by authorised personnel, data we retain is accurate and complete and data remains accessible and usable.

Dedicated security team

Our security team is composed of security experts dedicated to improving the security of our organisation. Our employees are trained on security incident response and are on call 24/7.

Technical security measures

A. Infrastructure

a. Cloud infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Amazon Web Services and Google Cloud Platform. They provide strong security measures to protect our infrastructure and are compliant with most certifications. Our Service is hosted on AWS’s servers in its European data centre in Ireland and Google Cloud Platform’s servers in London, UK.
You can read more about their practices here:

b. Network level security monitoring and protection

Our network security architecture consists of multiple security zones. We monitor and protect our network, to make sure no unauthorised access is performed, using:
  •  Virtual private cloud (VPC), bastion host or VPN with network access control lists (ACLs) and no public IP addresses.
  •  Firewall that monitors and controls incoming and outgoing network traffic.
  •  Intrusion Detection and/or Prevention technologies solution (IDS/IPS) that monitors and blocks potential malicious packets.
  •  IP address filtering

c. DDoS protection

We use Distributed Denial of Service (DDoS) mitigation services powered by an industry-leading solution.

d. Data encryption

Encryption in transit: All data sent to or from our infrastructure is encrypted in transit following industry best practices, using Transport Layer Security (TLS). Encryption at rest: All our user data (including passwords) is encrypted in the database using battle-proven encryption algorithms.

e. Business continuity, back-ups and disaster recovery

We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
All text and statistics data pertaining to the whole system are automatically backed up and saved every day at 01:00 in Google Cloud hosts located in London. Back-ups of each day are kept for 30 days and then automatically deleted. Multimedia data (visuals, video, excel files, presentation files) are not backed up.
Every Saturday, at 5 am, teams and accounts which have been marked as “to be deleted” during the previous week, and all sub-data of such teams and accounts, are permanently deleted from the database.

f. Application security monitoring

We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
We use technologies to monitor exceptions and logs and to detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications’ activity.
We use monitoring such as open tracing in our microservices.

g. Application security protection

We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real time.
We use security headers to protect our users from attacks.
We use security automation capabilities that automatically detect and respond to threats targeting our apps.

h. Secure development

We follow established security best practices and frameworks (OWASP Top 10, SANS Top 25). We use the following practices to ensure the highest level of security in our software:
  •  Developers participate in regular security training to learn about common vulnerabilities and threats
  •  We review our code for security vulnerabilities
  •  We regularly update our dependencies and make sure none of them has known vulnerabilities
  •  We use Static Application Security Testing (SAST) to detect basic security vulnerabilities in our codebase
  •  We use Dynamic Application Security Testing (DAST) to scan our applications
  •  We rely on yearly third-party security experts to perform penetration tests of our applications.

i. Payment information

All payment instrument processing is safely outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

j. Responsible disclosure

We encourage everyone who practises responsible disclosure and complies with our policies and terms of service to participate in our bug bounty program. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them. Rewards are granted at our discretion depending on the criticality of the vulnerability reported.

B. User protection

  •  2-factor authentication: We provide a 2-factor authentication mechanism to protect our users from account takeover attacks. Setting up this extra security measure is optional but highly recommended to increase the security of sensitive data.
  •  Account takeover protection: We protect our users against data breaches by monitoring and blocking brute force attacks.
  •  Single sign-on: Single sign-on (SSO) is offered for our enterprise customers. Single sign-on (SSO) is available using your Google account.
  •  Role-based access control: Role-based access control (RBAC) is offered on all our accounts and allows our users to define roles and permissions.

Organisational security measures

We believe that to establish efficient security and protection of personal data within our organisation, it is crucial to adopt a “culture of security awareness”. For this reason, we ask all our employees to be familiar with this Information Security Policy as well as our Privacy Policy, Data Retention and Erasure Policy and any other policies related to information security.
Our employees sign an employment agreement, which contains a confidentiality undertaking, when joining the company to protect our customers' sensitive information.
Our employees have access to personal data of the users of our Service and visitors of our Website on a need-to-know basis. Access to personal data is always limited to the extent necessary for the duties of such employees and administrators.
Our employees do not have access to our users’ accounts except when a user encounters a technical problem regarding the Service. In the event of a technical problem, users can allow our technical team to have access to their account for 72 hours, to fix the problem. At the expiry of 72 hours, the access is automatically denied to our technical team and they no longer have access to the relevant user’s account.
Our employees can use their own devices (mobile phones, tablets and computers) to access business email and applications we use for communication. All the employees are obliged to set strong passwords for access to their devices, keep the passwords strictly confidential and change them on a regular basis. Employees must not leave their devices unlocked when unattended. At the end of employment of an employee, we restrict their access to their business email, our Slack account and all the other software that we use for internal communication and work.
Bug Bounty Program: You can report vulnerabilities regarding our system by contacting [email protected]. Please include a proof of concept. We will respond as quickly as possible to your submission and won’t take legal action if you follow the rules.

Data Retention and Erasure

Last updated: October 27, 2023

Introduction

We need to collect personal information of our employees and other people that we work with or have a business relationship with, to effectively carry out our business activities and to provide the services and products we offer to our customers.
We are subject to the UK GDPR and the Data Protection Act 2018 (together “UK Data Protection Regime”) and we need to have efficient data and records management accordingly. This policy aims to inform our employees, sub-contractors and other staff as well as our customers and visitors of our website on how we intend to comply with the data retention and erasure requirements of the applicable legislation.
This policy puts in place the rules for efficient data and records management, which meets the legislative and regulatory requirements as well as the business requirements. The data and records management will ensure that our business activities are conducted in a structured, efficient and accountable manner while delivering services to our customers and protecting the interests of our employees. It will also facilitate and manage protection, retention and erasure of personal data that we process and enforcement of individuals’ rights regarding their data.

Key terms

“We”, “us”, “our”, “Company” refers to Sociality.io Limited.
“UK GDPR” means the Regulation (EU) 2016/679 as incorporated in the UK legislation.
“records” means all documents, regardless of the formats, which facilitate business activities, and are thereafter retained to provide evidence of transactions and functions. A record can be represented in paper, computer, photograph, slides, hard drives, servers, disks, PDF documents, etc.

What is the purpose of this policy?

The purpose of this Data Retention and Erasure Policy is to set forth our policy on how to provide a structured and compliant data and records management system.
Our data and records management system shall ensure that it provides efficient and systematic management and control over the creation, receipt, maintenance, use, distribution, retention and erasure of such records.
This policy also clarifies the processes we use to store and destroy information, what information we retain for legal/regulatory reasons and for business reasons, and their retention periods.
Our objectives are (i) to retain personal data for as long as is necessary, (ii) to ensure safe and secure disposal of confidential and personal data, (iii) to ensure that records are retained for the legal, contractual and regulatory period, and (iv) to comply with the relevant data protection legislation and the contractual obligations.

Who is subject to this policy?

This policy applies to all our employees, sub-contractors, third party representatives and any other staff within the Company. Compliance with this policy is mandatory for such persons and non-compliance may lead to disciplinary sanctions.

Personal data and the storage limitation principle

This Policy and our processing activities comply fully with the UK GDPR’s principle set forth in Article 5(1)(e) called “storage limitation”, which stipulates that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”.

Data retention and standard retention periods

We will not keep personal data longer than we need to or are required by law. When determining our need to keep personal data, we will balance our needs with the impact of retention on individuals’ privacy.
Our standard retention periods are shown in our Records Retention Schedule. We periodically review our standard records retention periods to ensure that they are not longer than we actually need.
We may need to keep personal data longer than the standard retention periods to defend possible future legal claims or when we are served with a legal request for records or notified of the commencement of any litigation against us or an employee. In such a case, we will only keep the information which could possibly be relevant to such a claim and delete the rest.
We may need to keep personal financial and tax data to comply with tax regulations for the period specified by applicable tax laws.

Expiration of retention period

At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.

How will the data be erased?

A. Paper records

We retain limited paper-based personal information and when we do, we ensure that we retain it in a confidential and compliant manner. We use onsite shredding to dispose of all paper materials.

B. Electronic & IT records and systems

We store our data in the cloud. We do not use external discs or USB devices to store data. We make sure that all unnecessary data is removed from the cloud in a way that ensures it cannot be reconstructed.

    Erasure of the personal data

    Inactive users: All data related to the inactive customers (users) shall be automatically deleted every ninety days unless there is a legal ground to keep such information.
    Right to be forgotten: According to Article 17 of the UK GDPR, individuals have a “right to be forgotten”, which means they are entitled to request erasure of their personal data, verbally or in writing. This right only applies in the presence of one of the following conditions:

    (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

    (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

    (iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes,

    (iv) the personal data have been unlawfully processed;

    (v) the personal data have to be erased for compliance with an applicable legal obligation;

    (vi) the personal data have been collected in relation to the offer of information society services to a child

    The Company has the necessary procedures and measures to ensure that a request for erasure of a personal data is duly responded within the legal time limit and appropriate methods to erase such data, when the request complies with one of the above mentioned conditions. If we need an extension of time due to complexity or the volume of the request, we will inform the individual within one month of receipt of the request. If such personal data was disclosed to other recipients, the Company shall contact each recipient and inform them of the erasure.
    If such personal data was shared with third parties in accordance with our Privacy Policy, the Company will take every reasonable step taking into account available technology and cost of implementation, to inform other controllers who are processing such data to erase links to, copies or replication of such data.
    Users: Our customers (users) who subscribed to our services can also request erasure of their personal data via their user dashboard on our Website, as follows:

    (i) For the users of our Service, we provide a button of “delete my data and close my account” within their account with the Service. They may request erasure of their data by clicking that button.

    (ii) When we receive such a request through the software which we use for custom support communication, we will ask for confirmation from such users regarding their request.

    (iii) Once the user confirms their request, data of such user is marked as “to be erased” within our internal management panel (KIOSK) accessed only by authorised persons.

    (iv) Our system then sends an informative email to the managers regarding erasure of such user’s data, who verify whether the request complies with the above mentioned conditions and whether no other legal obligation or legitimate interest applies.

    (v) If the request complies with the above-mentioned conditions, erasure of all data (text data, statistical data, multimedia data) starts on the following Saturday at 05:00 UTC and is completed on the same day.

    Refusal to comply with a request for erasure

    We may refuse to comply with a request for erasure when an individual’s right to erasure does not apply or when the request is manifestly unfounded or excessive. In such cases, we will inform the individual of the refusal and the reasons for it without delay, and in any case within one month of receipt of the request, reminding the individual of their right to lodge a complaint with the supervisory authority and to seek a judicial remedy.

    An individual’s right to erasure does not apply if processing of the relevant personal data is necessary:

    (i) to exercise the right of freedom of expression and information; or

    (ii) to comply with a legal obligation; or

    (iii) to perform a task carried out in the public interest or in the exercise of official authority; or

    (iv) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or

    (v) to establish, exercise or defend a legal claim.


    Record Retention Schedule

    Last updated: October 27, 2023

    Key terms

    “We”, “us”, “our”, “Company” refers to Sociality.io Limited.
    “records” means all documents, regardless of format, which facilitate business activities and are thereafter retained to provide evidence of transactions and functions. A record may be held on paper or as a computer file, photograph, slide, PDF document, or on a hard drive, server, disk, etc.

    Introduction

    The purpose of this record retention schedule (RRS) is to ensure that our records management system functions properly and efficiently and that no record is retained longer than needed. This RRS also serves as a guide for our employees with respect to their responsibilities regarding record retention.
    This RRS is to be reviewed regularly to ensure that it complies with our Data Retention Policy.
    Records relating to a specific customer or user may need to be retained beyond the retention period mentioned below, in the following cases:

    (i) Legal proceedings or an official investigation;

    (ii) A crime is suspected or detected.

    At the end of any standard retention period, we will review whether we still need such personal data and if we don’t need it, we will either erase it or anonymise it. To anonymise means that such personal data will no longer be “in a form which permits identification of data subjects”.
    We categorise records based on their content, such as contracts, employee records, etc. The RRS shows how long each category of record is retained based on business and legal requirements.
    Our RRS is organised as follows:

    I- Corporate Records

    II- Contracts

    III- Customer Information

    IV- Correspondence, E-mail and Other Communications

    V- Legal files and papers

    VI- Employee files and records

    VII- Tax Records

    I. Corporate records

    II. Contracts

    III. Customer information

    IV. Correspondence, e-mails and other communications

    VI. Employee files and records

    The Company keeps employee files and records, if any, for as long as required by the relevant employment and social security laws.

    VII. Tax records


    Compliance

    Last updated: October 27, 2023

    GDPR Compliance

    The General Data Protection Regulation (“GDPR”) is the data privacy and protection legislation of the European Union. Its purpose is to protect fundamental rights and freedoms of natural persons and their rights to protection of their personal data.
    The GDPR has an extra-territorial scope. It applies to the processing of personal data by a controller or processor not established in the European Union when the processing activities are related to (i) the offering of goods or services to data subjects who are in the European Union, or (ii) the monitoring of their behaviour, as far as their behaviour takes place within the European Union.
    As a company incorporated in the UK, we were subject to the GDPR (General Data Protection Regulation (EU) 2016/679) until the end of the Brexit transition period on 31 December 2020. Therefore, our practices and documentation with respect to data protection have always been in line with the GDPR. Following Brexit, the UK retained the GDPR in its national law as the UK General Data Protection Regulation (“UK GDPR”), which came into effect on 1 January 2021. We are now compliant with both the GDPR and the UK GDPR.
    We have prepared the following data protection policies and documents:
    • Privacy Policy
    • Cookie Policy
    • Information Security Technical and Organisational Measures
    • Data Retention and Erasure Policy
    • Record Retention Schedule
    Please read the above-mentioned documents to learn more about our data processing activities and the protection of your personal data.

    Transfer of personal data from the EU to the UK:

    The European Commission adopted its adequacy decision for the UK on 28 June 2021, which allows personal data to flow freely between the EU and the UK. The adequacy decision includes a ‘sunset clause’, which means that the decision automatically expires four years after its entry into force. A new decision will be adopted if the UK continues to ensure an adequate level of data protection.
    Pursuant to the GDPR, in the absence of an adequacy decision, a controller or processor may transfer personal data to a third country only if it has provided appropriate safeguards, and on condition that enforceable rights and effective legal remedies for data subjects are available. Such safeguards may be provided for by standard data protection clauses adopted by the European Commission (“EU SCCs”).
    On 4 June 2021, the European Commission adopted Implementing Decision (EU) 2021/914, which provides for modernised standard contractual clauses.
    All contracts concluded on the basis of the old EU SCCs will continue to provide appropriate safeguards for the purposes of the UK GDPR until 21 March 2024. From 21 March 2024, to transfer personal data outside of the UK and the EU (except to countries that have been granted an adequacy decision), we will enter into a contract on the basis of the international data transfer agreement (IDTA) or the international data transfer addendum to the EU SCCs (“UK SCCs”). We have already concluded data processing agreements and EU SCCs and/or UK SCCs with all third-party organisations/sub-processors that may transfer your data outside of the EU.

    CCPA Compliance

    The California Consumer Privacy Act (CCPA), effective since 1 January 2020, is a data protection law that protects the residents of California and governs their rights regarding their personal data.
    According to the CCPA, data subjects have the right:

    (i) to access all the personal data that a company has processed about them and to receive a copy of such data,

    (ii) to receive a list of all the third parties to which their personal data is transferred,

    (iii) to know what personal data is being collected.

    We will always be transparent about the data we collect, why we collect it and how we use it, as well as the access third parties have to such data. Our Privacy Policy provides a detailed explanation of these matters.
    We will never sell your information.
    If you have any questions or concerns regarding the processing of your personal data by Sociality.io, please send us an email at [email protected].io and we will do our best to help you.

    PCI Compliance

    The Payment Card Industry Data Security Standard (PCI DSS) is a set of technical and operational security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. PCI DSS is administered by the Payment Card Industry Security Standards Council (PCI SSC), which is an independent body that was created by the major payment card brands.
    We do not store credit card information, but since we accept credit cards as a form of payment, we must comply with PCI DSS. Our check-out process is handled by Stripe, which is certified as a PCI Service Provider Level 1. Please see Stripe’s Security Page for more details.

    Data Processing Addendum

    This Data Processing Addendum (“DPA”) is made by and between:
    • Data processor: Sociality.io Limited, a limited liability company registered in England and Wales.
      Company No: 11158083
      Address: 565 Green Lanes, Haringey, N8 0RL, London, England
      E-mail: [email protected]
      Tel: +44 7400 482759
      (“Processor”)

    and

    • Data controller: The individual or the entity (represented by an authorised individual) that enters into the Terms of Service with us in order to access, use and purchase the Service.
      (“Controller”)

    (each a ‘party’; together the ‘parties’)
    WHEREAS:
    (A) Controller and Processor signed the Terms of Service of Sociality.io Limited available at https://sociality.io/legal- terms, as updated from time to time, which govern the Controller’s use of the Service (“ToS”).
    (B) This DPA is an integral part of the ToS between Controller and Processor and regulates the processing of personal data in line with the Data Protection Laws.
    (C) This DPA governs each party’s rights and obligations, in order to ensure that all processing of personal data is conducted in compliance with Data Protection Laws.
    NOW, IT IS AGREED AS FOLLOWS:

    1. Definitions

    1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:
    “Data Protection Laws” means the UK General Data Protection Regulation which came into effect on 1 January 2021 (“UK GDPR”) and the Data Protection Act 2018.
    “DPA” means this Data Processing Addendum and all Annexes;
    “Personal Data” means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    “Sociality’s Privacy Policy” means the privacy policy, as amended from time to time, published at https://sociality.io/legal - privacy-policy
    “Services” means the software as a service offered by Sociality.io Limited in compliance with the ToS.

    2. Processing of personal data

    2.1 The Processor shall:

    (i) only process personal data in line with the instructions from the Controller, unless the Processor is required to do so by statutory law to which it is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that statutory law prohibits such information on important grounds of public interest.

    (ii) comply with all applicable Data Protection Laws in Processing of Personal Data. The Processor shall immediately notify the Controller if it is of the opinion that an instruction from the Controller is in violation of Data Protection Laws.

    2.2 The subject-matter, nature and purpose of the processing, the types of personal data and the categories of data subjects involved are specified in Annex 1.

    3. Duty of confidence

    The Processor shall obtain a commitment to confidentiality from its employees, as well as from any temporary workers who may have access to or whom it will allow to process Personal Data, unless that person is already under such a duty by statute. The Processor must also ensure that access to Personal Data is strictly limited to those individuals who need to know or access the relevant Personal Data, as strictly necessary for the purposes of the Controller’s instructions.

    4. Technical and organisational measures

    4.1 The Processor shall, in relation to Personal Data, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk presented by the processing.

    5. Sub-processors

    5.1 The Processor shall not engage any sub-processor without the Controller’s specific or general written authorisation. If the Processor engages a sub-processor under the Controller’s general written authorisation, the Processor should let the Controller know of any intended changes and give the Controller a chance to object to them.
    5.2 The Controller agrees that the Processor uses the sub-processors listed in Annex 2. This clause shall be considered a general written authorisation regarding the listed sub-processors.
    5.3 If the Processor engages a sub-processor, it must put in place a contract under which the sub-processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a way that the processing will meet the requirements of the Data Protection Laws, and offers a level of protection for the Personal Data equivalent to that provided under this DPA.
    5.4 The Processor shall be liable to the Controller for a sub-processor’s compliance with its data protection obligations.

    6. Data subject rights

    6.1 The Processor shall take appropriate technical and organisational measures to help the Controller respond to requests from Data Subjects to exercise their rights in line with the Data Protection Laws.
    6.2 Taking into account the nature of the processing and the information available, the Processor must assist the Controller in meeting its obligations to:

    (i) keep Personal Data secure;

    (ii) notify Personal Data breaches to the relevant supervisory Authority;

    (iii) notify Personal Data breaches to Data Subjects;

    (iv) carry out data protection impact assessments (DPIAs) when required;

    (v) consult the relevant supervisory authority where a DPIA indicates there is a high risk that cannot be mitigated.

    6.3 The Processor shall:

    (i) promptly notify the Controller if it receives a request from a Data Subject under Data Protection Laws in respect of Personal Data; and

    (ii) ensure that it does not respond to that request except on the documented instructions of the Controller or as required by applicable laws to which the Processor is subject, in which case the Processor shall to the extent permitted by applicable laws inform the Controller of that legal requirement before responding to the request.

    6.4 The Processor shall notify the Controller without undue delay upon the Processor becoming aware of a Personal Data Breach affecting Personal Data, with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. The Processor shall cooperate with the Controller and take reasonable commercial steps as are directed by the Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

    7. Deletion or return of personal data

    At the end of this Agreement, the Processor must:

    (i) at the Controller’s choice, delete or return to the Controller all the Personal Data it has been processing for it; and

    (ii) delete existing copies of the Personal Data unless Data Protection Laws require it to be stored.

    Any deletion of Personal Data must be done in a secure manner.

    8. Audit rights

    The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits and inspections carried out by the Controller or by an auditor appointed by the Controller in relation to the Processing of Personal Data.

    9. Effective date and termination

    9.1 This Agreement shall be effective from the date it is signed by both Parties and until the Processor’s obligations in relation to the delivery of services are otherwise terminated, except for those provisions in this Agreement that shall continue to apply after termination.
    9.2 At the end of this Agreement,

    (i) The Processor (and its sub-processors) shall immediately stop the processing of Personal Data.

    (ii) The Processor shall, at the Controller’s choice, delete or return to the Controller all the Personal Data it has been processing for it, unless Data Protection Laws require it to be stored; and

    (iii) The Processor shall delete existing copies of the Personal Data unless Data Protection Laws require it to be stored.

    9.3 Any deletion of Personal Data must be done in a secure manner.
    9.4 The obligations under Article 9 shall survive termination of the Agreement.

    10. Notices

    All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as notified from time to time by the Party changing its address.

    11. Governing Law and Jurisdiction

    (i) This Agreement is governed by the laws of England and Wales.

    (ii) Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of England and Wales.

    ANNEX 1 - SPECIFICATIONS

    Data Processor

    Sociality.io Limited, a limited liability company registered in England and Wales.

    Company No: 11158083

    Address: 565 Green Lanes, Haringey, N8 0RL, London, England

    E-mail: [email protected]

    Tel: +44 7400 482759

    Data Controller

    Customer who has subscribed to the Service by signing the ToS.

    Data Subjects

    Customers and clients (including their staff):

    Users who are authorised by the Controller to use the services of the Processor

    Categories of Personal Data

    Personal details of the data subjects: User information including name and e-mail address.

    IP information of the device used to connect to the service.

    Geographic location (country and city only) of the device used to connect to the service.

    Special categories of data

    None.

    Processing Operations

    The processing activities will include the performance of the services pursuant to the Terms of Service entered into by the Controller (Data Exporter) and the Privacy Policy of the Processor (Data Importer).

    Purpose of Processing

    Personal Data is processed to perform the services pursuant to the Terms of Service, namely: (i) to protect the Processor’s website against attacks, (ii) to provide customers with the service available on the website, (iii) to develop business and customer relations, (iv) to provide technical support regarding the service, (v) to send customers updates, security alerts and other administrative messages, (vi) to gather commercial statistics and analyses regarding the usage of the website, and (vii) to fulfil legal obligations.

    ANNEX 2 - SUB-PROCESSORS

    A- Sub-processors within EU
    B- Sub-processors outside of the UK and EU