This briefing statement has been prepared by Something Inc Limited (referred to in this statement as the “Something™”, “we”, “us”, or “our”), to outline the steps that we are taking to try to ensure that any processing of personal data we undertake in the course of our business is secure, lawful and in compliance with the EU General Data Protection Regulation (“GDPR”) when this comes into force on 25 May 2018.
What is the GDPR?
The GDPR is the European Union’s new legislative framework to protect the personal data and privacy of EU citizens in the digital age.
The core purpose and emphasis of this legislation is entirely centred upon the rights of individuals to prevent the unlawful misuse, accidental loss, damage or destruction of their personal data.
The GDPR aims to put control of personal data into the hands of individuals (data subjects), who will be able to request access to their data, ask for their data to be erased, and require their data to be ported to another organisation.
Our policies and commitment to data protection
Something™'s policy is to comply with local laws that apply to our business related to the use of personal data and to ensure that we meet the applicable standards set out in such laws.
We have existing processes and procedures in place to meet the requirements of the current privacy regulatory regime, and we are in the process of developing these to attain GDPR compliance.
Our plans for GDPR compliance
Core to our strategy are the GDPR’s six data processing principles, which set out that personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and, where necessary, kept up to date;
- retained only for as long as necessary; and
- processed in an appropriate manner to maintain security.
Our compliance strategy consists of various separate and overlapping parts that we have summarised below:
Internal audit, data mapping and gap analysis
We have carried out an audit of personal data processed by Something™ mapping the route from acquisition through aspects of its processing to verify where data is located, why we gather it, and how we process it.
We will record instances where data is transferred, or stored outside of the European Economic Area, and are committed to undertaking Data Privacy Impacts Assessments (DPIAs) of core business functions if a high risk to the rights of data subjects is identified during this process.
Governance, documentation and accountability
In order for Something™ to demonstrate our compliance with GDPR, the following action points have been or will be implemented:
- We are in the process of adopting internal policies and measures which embrace data protection by design and data protection by default.
- Prior to 25 May 2018, we will publish a privacy statement that will clearly and transparently set out the purpose/s for which we intend to process personal data, and the information that we may need to provide to enable us to process personal data fairly and in accordance with the GDPR.
- Amendments to our existing contracts will be issued in respect of the Something™'s services in order to ensure that appropriate contractual arrangements are in place between us governing the flow of personal data as required under the GDPR.
- Technical and organisational measures are being implemented to protect personal data that we process from unauthorised or unlawful processing and against accidental loss, destruction or damage including.
- In the coming months, we will also be maintaining the process and make sure everything we do moving forward is GDPR compliant. Dependant on the phases and the required additional development of the GDPR law. this will be reviewed on a 6-month basis and the relevant amends and activity will be undertaken to mitigate.
- Consent notices will be forwarded where appropriate, to ensure that personal information is processed fairly and lawfully by Something™.
- We are committed to the education and training of our employees, officers and other individuals who work for us, about GDPR.
- We will be establishing clear communication channels to allow our personnel, clients and other relevant third parties to report breaches or violations of the GDPR.
The GDPR is not a process that ends on 25 May 2018, and Something™ will continue to implement and improve our data protection practices on an ongoing and evolving basis.
What you should be doing for your own GDPR compliance
It is important to remember that you, as a business entity and data controller or processor in your own right, will have legal obligations under the GDPR.
You should be confident that any providers (data processors) which you work with have a suitably robust approach to data protection; that you understand the obligations of the GDPR; and that you are well prepared to meet them through the adoption of strategies like those set out above.
What to do if you have further questions
If you would like any additional information regarding our procedures and commitment to becoming GDPR compliant, please contact us by email at [email protected] in the first instance.
Information collection and use
Something™ is the only owner of the information collected on its websites. The information we collect about visitors to our website includes the visitor’s browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.
The aim of Something™ activity is not collecting, selling or lending the information to the others. We collect this information to better understand how our website visitors use Something™, and to monitor and protect the security of the website. We do not share, sell, rent, or trade personal information with third parties for their commercial purposes.
We do not intentionally collect sensitive personal information, such as social security numbers, genetic data, health information, or religious information. Although Something™ does not request or intentionally collect any sensitive personal information, we realise that you might store this kind of information in your account, such as in a repository. If you store any sensitive personal information on our servers, you are consenting to our storage of that information on our servers, which are in the United Kingdom.
We do not host advertising on Something™. We may occasionally embed content from third-party sites, such as YouTube and Vimeo, and that content may include ads. While we try to minimise the number of ads our embedded content contains, we can't always control what third parties show.
We may share User Personal Information with a limited number of third-party vendors who process it on our behalf to provide or improve our service, and who have agreed to privacy restrictions similar to our own Privacy Statement. Our vendors perform services such as network data transmission, and other similar services. When we transfer your data to our vendors under Privacy Shield, we remain responsible for it.
Cookies are series of data stored on the hard disk of the user which for example include the anonymous identifier of the user. The cookies are set up to remember the fact of being logged in the Service if the user wished so as well as for statistical aims. By using our website, you agree that we can place these types of cookies on your computer or device. If you disable your browser or device’s ability to accept cookies, you will not be able to log in or use Something™’s services.
Certain pages on our site may set other third-party cookies. For example, we may embed content, such as videos, from another site that sets a cookie. While we try to minimise these third-party cookies, we can’t always control what cookies this third-party content sets.
Find out more about cookies and how to manage them.
We use Google Analytics as a third-party tracking service, but we don’t use it to track you individually or collect personal user information. We use Google Analytics to collect information about how our website performs and how our users, in general, navigate through and use Something™. This helps us evaluate our users' use of Something™, compile statistical reports on activity, and improve our content and website performance.
Google Analytics gathers certain simple, non-personally identifying information over time, such as your IP address, browser type, internet service provider, referring and exit pages, timestamp, and similar data about your use of Something™. We do not link this information to any of your personal information such as your username.
Something™ will not, nor will we allow any third-party to, use the Google Analytics tool to track our users individually, collect any personal information other than IP address; or correlate your IP address with your identity. Google provides further information about its own privacy practices and offers a browser add-on to opt out of Google Analytics tracking.
If you do not want online services to collect and share certain kinds of information about your online activity from third-party tracking services, you can set the Do Not Track privacy preference in your browser.
We do not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site with the exception of basic Google Analytics tracking and occasional user behaviour tracking performed with Hotjar and Full Story analytics tool. The tracking data is collected exclusively to improve the UX and performance of the Service and website. Something™ does not record any personal data with Hotjar as all text entered to the Service during tracking is suppressed before the data is sent back to Hotjar servers.
Because we do not share this kind of data with third-party services or permit this kind of third-party data collection on Something™ for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser's Do Not Track setting. If you wish, you can opt out from Google Analytics tracking here, from Hotjar here, and from Full Story here.
Something™ uses certain vendors in providing its Services. All services either fully comply with GDPR regulations or are to implement it shortly.
- Amazon Web Services – hosting infrastructure for the Service (United Kingdom and United States)
- Google Cloud – hosting infrastructure for Something™'s website (United Kingdom)
- Imgix - Image asset hosting (United States and Global)
- Google G Suite – email communication with clients (United States)
- Hotjar – UX analytics (EU/Malta)
- Full Story – UX analytics (United States)
Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.
Something™ uses AWS and Google Cloud for hosting infrastructure and to store client data for the Service's website. Physical servers for both services are located in the United Kingdom and United States.
All data uploaded by the Users belong to the Users. Something™ does not claim any rights to intellectual property uploaded by the Users.
Despite that Something™ hosts all data entered by the user, the ones all the time belong to the user. Something™ will never sell or by purpose make accessible the data entered by the user to the third-party as well as will never use them for the benefit of his own business. Our procedures obey the privacy of our users and their data.
Information rights and publicity
Unless you notify Something™ otherwise in writing, You hereby grant to Something™ and its wholly owned subsidiaries a limited license to use Your trade names, trademarks, service marks, logos, domain names and other distinctive brand features in presentations, marketing materials, websites, customer lists, and financial reports.
Access to Personally Identifying Information
If your personal information changes, or if you no longer desire to access or use the Service, you may correct, update, amend or delete it by contacting our customer support team at [email protected].
Global Privacy Practices
Information that we collect will be stored and processed in the United Kingdom in accordance with this Privacy Statement. However, we understand that we have users from different countries and regions with different privacy expectations, and we try to meet those needs.
We provide the same standard of privacy protection to all our users around the world with the same levels of notice, choice, accountability, security, data integrity, access, and recourse, regardless of their country of origin or location. We work hard to comply with the applicable data privacy laws wherever we do business. Additionally, we require that if our vendors or affiliates have access to personal information, they must comply with our privacy policies and with applicable data privacy laws, including signing data transfer agreements.
- Something™ provides clear methods of unambiguous, informed consent at the time of data collection, when we do collect your personal data.
- We collect only the minimum amount of personal data necessary unless you choose to provide more. We do not encourage you to give us more data than you are comfortable sharing.
- We offer you simple methods of accessing, correcting or deleting the data we have collected.
Protection of Certain Personal Information
Something™ discloses potentially personal information only to those of its employees, contractors, and affiliated organisations that (1) need to know that information in order to process it on Something™’s behalf or to provide services available in connection with the Service and (2) have agreed not to disclose it to others. Some of those employees, contractors and affiliated organisations may be located outside of your home country; by using Something™’s Website, you consent to the transfer of information to such individuals and organisations in order to support our provision to you of the Website. These supporting partners may be authorised to, for example, process payments on our behalf or provide customer support. Transfers to subsequent third parties are covered by the provisions in this Policy regarding notice and choice and the service agreements with our customers. However, in each case, these partners are authorised to use your personally identifying information only as necessary to provide the services we request.
Something™ takes all measures reasonably necessary to protect against the unauthorised access, use, alteration, or destruction of potentially personally identifying and personally identifying information.
Right of access and Right to be Forgotten
Something™ doesn’t ask for more personal data from our users than we need to provide our services to you. If you want to erase all personal information that we have about you, please send a request to [email protected]. We have gone through our Privacy Statement to provide more context and transparency, though, so our users understand exactly why we ask for information and what we’ll do with it.