USER PRIVACY STATEMENT
Terms and Objectives
Data Controller: Mentionlytics Ltd, 20-22 Wenlock Road, London, N1 7GU, UK
Data Processor: Mentionlytics Ltd, 20-22 Wenlock Road, London, N1 7GU, UK
Website – https://www.mentionlytics.com/
User: A person that uses the Website. This person can be a registered user of the application or a website visitor without logging in.
User Account: The account used by a User to have access to the services provided by the Data Controller through the Website.
The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that affects businesses around the world when it comes into effect on 25 May 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of a User located in the EU. Personal data is any piece of data that, used alone or with other data, identifies a person. If an organization collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens, it needs to comply with the GDPR. The GDPR replaces an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Data Controller Users. The GDPR also outlines the rights of a User around his/her personal data. An EU User has the right to ask for details about the way his/her personal data is used. A User has the right to request that his/her personal data be corrected, provided to him/her, prohibited for certain uses, or removed completely from the database of the Data Controller.
The User’s personal data is processed by the Data Controller when creating a User Account and verifying the User via e-mail. Furthermore, the User’s personal data is processed for marketing actions, to which the User agrees while creating a User Account. Such marketing actions include sending e-mails about new features, services or commercial information about the Data Controller. While creating a User Account, the User agrees to the processing of his/her personal data by the “connected platforms” for purposes connected with the processing of electronic payments and support.
2. Data Encryption
The Data Controller encrypts the User’s personal data both at rest and in transit via Google Cloud, Amazon AWS, and Microsoft Azure. All these top cloud service providers are designed, built, and operated with security top of mind, both at rest and in transit, by default. VPC Service Controls keeps sensitive data private while using GCP’s fully managed storage and data processing capabilities. It constructs an invisible border around everything in the application that prevents its data from escaping, with the power to set up, reconfigure and tear down these virtual perimeters at will. Well-defined VPC service controls can give admins a greater level of control to prevent data exfiltration from cloud services as a result of breaches or insider threats. With this managed service, the Data Controller configures private communication between cloud resources and hybrid VPC networks. By expanding perimeter security from on-premise networks to data stored in GCP services, the Data Controller feels confident running sensitive data workloads in the cloud. The VPC service gives the Data Controller precise control over which Users can access GCP resources with Access Context Manager. These policies help ensure the appropriate level of protection is in place when allowing access to data in cloud resources from the Internet. Google Cloud is the first cloud provider to offer virtual security perimeters for API-based services with simplicity, speed, and flexibility that far exceeds what organizations can achieve in a physical, on-premises environment.
The Data Controller encrypts data at rest and in transit in the communication between the database and the application. Access to the database is achieved only by using a VPN service from a specific IP address. All POST forms with personal data of a User are available via an HTTPS service. Profile images and any other images are HTTPS-enabled. The entire application of the Data Controller is available under an HTTPS service.
We would like to highlight that no local/in-house servers have been used or utilised for any purpose related to customer support or platform usage.
3. Vulnerability Management
The Data Controller has a solid vulnerability management process in place across the entire ecosystem. The vulnerability management program of the Data Controller includes the adaptation to modern networks by implementing three key principles: Complete Ecosystem Visibility, Remediation Workflow Automation, and SecOps Agility.
The Data Controller makes daily backups. Backups are useful in case of storage failure, asset loss, or other disasters. The Data Controller uses server and database options available from the top cloud service providers today, that of Google, Amazon AWS, and Microsoft. Disaster recovery is always high on the list regardless of which regulations need to be met. Backup of the database data is done in the cloud, avoiding local backups.
5. Penetration tests
The Data Controller uses penetration tests to understand weak spots that need focus. It goes through real scenarios, following a process to regularly test, assess and evaluate the effectiveness of security measures. Penetration tests and injection attacks are performed between the 1st and 5th day of each month.
6. Attackers Detection
The Data Controller uses Users’ access logs to detect anomalous User account activity within its environment, for further investigation.
7. Right to be forgotten
A User is allowed to delete his/her User Account whenever desired. That option is available inside the Data Controller application with the press of a button. After the User deletes his/her User Account, his/her personal data is automatically deleted, as well as from the “connected platforms”, unless he/she was a paying user, in which case we keep just the necessary information for tax purposes as the law obliges.
8. Incident Response Team
An incident response team acts in case of an incident in the midst of an attack. This team is in charge of protecting the User’s personal data against unauthorized access by third parties. The team also provides the legal measures consistent with applicable laws to guarantee that the User’s data remains confidential and is processed in a manner that prevents unauthorized access. The Data Controller adopts the requested technical solutions towards protecting the User’s personal data.
9. Data Retention Policy
Personal data is only kept for as long as it is necessary. Then the data is securely destroyed or anonymized. Personal data of the User is retained as long as he/she uses the services provided by the Data Controller, maintaining a User Account. If the User Account is deleted by the User, the personal data is retained by the Data Controller up to three months from the date of the termination of the services. After the expiration of the personal data retention duration, the data will be deleted by the Data Controller, except for the personal data that is provided to the Data Controller for advertising actions. Such data will be deleted after the User withdraws the consent with respect to the processing of such data.
10. Data Protection Officer
11. Breach Notification
Any breaches of personal data of the User will be reported to the authorities and affected individuals without delay, according to the GDPR requirements.
12. Personal Data Processing
The Data Controller processes the User’s personal data according to the GDPR requirements after the User’s consent and registration on the Website. The creation of a User Account and the use of the provided services of the Data Controller by the User require giving consent for the personal data processing. The User also gives consent to the provision of the personal data to the “connected platforms”. If the User does not agree to give consent, the creation of a User Account by the Data Controller for the provision of the available services is not possible. The User is allowed to withdraw his/her consent with respect to the processing of his/her personal data by the Data Controller.
13. Cookies policy
Last updated 24 May, 2018.