USER PRIVACY STATEMENT

Privacy Policy

Terms and Objectives

This Privacy Policy presents the ways that Mentionlytics Ltd protects and processes personal data. It is in effect from 25^th of May 2018. The following terms are defined:

Data Controller: Mentionlytics Ltd, 20-22 Wenlock Road, London, N1 7GU, UK
Data Processor: Mentionlytics Ltd, 20-22 Wenlock Road, London, N1 7GU, UK
Website – https://www.mentionlytics.com/
User: A person that uses the Website. This person can be a registered user of the application or a website visitor without logging in.
User Account: The account used by a User to have access to the services provided by the Data Controller through the Website.

The Data Controller has the right to change this Privacy Policy for several reasons, such as: changes in the EU legislation regarding the protection of the User’s personal data or changes of the Website and the provided services of the Data Controller. The User is able to contact the Data Controller via the e-mail address, or the postal address below for issues related to the processing, as well as the protection of his/her personal data. E-mail address: privacy@mentionlytics.com, postal address: Mentionlytics Ltd, 20-22 Wenlock Road, London, N1 7GU, UK.

The General Data Protection Regulation (GDPR) is a European Union (EU) privacy law that affects businesses around the world when it becomes into effect on 25^th of May 2018. It regulates how any organization that is subject to the Regulation treats or uses the personal data of a User located in the EU. Personal data is any piece of data that is used alone or with other data, identifying a person. If an organization collects, changes, transmits, erases, or otherwise uses or stores the personal data of EU citizens, it needs to comply with the GDPR. The GDPR replaces an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Data Controller Users. The GDPR also outlines the rights of a User around his/her personal data. An EU User has the right to ask for details about the way his/her personal data is used. A User has the right to request his/her personal data be corrected, provided to him/her, prohibited for certain uses, or removed completely from the database of the Data Controller.

1. General

The User’s personal data is processed by the Data Controller from 25^th of May 2018, based on the Regulation (EU) 2016 of the European Parliament and of the Council on the protection of natural persons, in respect to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). The User agrees to this Privacy Policy when creating a User Account and providing his/her personal data for processing by the Data Controller. The Data Controller is not liable for the User providing false personal data. The Data Controller processes the following personal data: Name, Surname, e-mail address, postal address, TAX ID, phone number, and social media IDs. The User’s personal data can be submitted to Chargify Llc., Stripe Inc., Xero Ltd., for accounting and processing online payments, and after user’s approval to Intercom Inc., fullstory, HubSpot Inc., ProfitWell, G2, and Mailchimp for support and best customer assistance. The Data Controller submits the User’s personal data to the aforementioned connected platforms (referred as “connected platforms”), in respect to the User’s rights consistent with applicable laws. The Data Controller deletes personal data of the trial User, who does not continue using User Account after a period of 3 months. The Data Controller also deletes personal data of the demo accounts after 10 days. The same rules stands also for the “connected platforms”.

The User’s personal data is processed by the Data Controller creating a User Account and verifying the User via e-mail. Furthermore, the User’s personal data is processed for marketing actions, to which the User agrees while creating a User Account. Such marketing actions include sending e-mails for new features, services or commercial information about the Data Controller. While creating a User Account, the User agrees to the processing of his/her personal data by the “connected platforms” for purposes connected with the processing of electronic payments and support.

2. Data Encryption

Data Controller encrypts User’s personal data both at rest and in transit via Google Cloud, Amazon AWS, and Microsoft Azure. All these top cloud service providers are designed, built, and are operating with security top of mind both at rest and in transit by default. VPC Service Controls keeps sensitive data private while using GCP’s fully managed storage and data processing capabilities. It constructs an invisible border around everything in the application that prevents its data from escaping and having the power to set up, reconfigure and tear down these virtual perimeters at will. Well-defined VPC service controls can give admins a greater level of control to prevent data exfiltration from cloud services as a result of breaches or insider threats. With this managed service, Data Controller configures private communication between cloud resources and hybrid VPC networks. By expanding perimeter security from on-premise networks to data stored in GCP services, Data Controller feels confident running sensitive data workloads in the cloud. VPC service gives Data controller precise control over which a User can access GCP resources with Access Context Manager. These policies help ensure the appropriate level of protection is in place when allowing access to data in cloud resources from the Internet. Google Cloud is the first cloud provider to offer virtual security perimeters for API-based services with simplicity, speed, and flexibility that far exceeds what organizations can achieve in a physical, on-premises environment.

Data controller encrypts data at rest and transit between the communication among the database and the application. Access to the database is achieved only by using a VPN service from a specific IP address. All post forms with personal data of a User are available via an Https service. Profile images or any other image is Https enabled. The entire application of the Data Controller is available under an Https service.

We would like to highlight that no local/in-house servers have been used or utilised for any purpose related to customer support or platform usage.

3. Vulnerability Management

Data controller has a solid vulnerability management process in place, across the entire ecosystem. The vulnerability management program of the Data Controller includes the adaptation to modern networks by implementing three key principles: Complete Ecosystem Visibility, Remediation Workflow Automation, and SecOps Agility.

4. Backups

Data Controller makes daily backups. Backups are useful in case of storage failure, asset loss, or other disasters. Data Controller uses server and database options available from the top cloud service providers today, that of Google, Amazon AWS, and Microsoft. Disaster recovery is always high on the list regardless of which regulations that need to be met. Backup of the database data is done in the cloud, avoiding local backups.

5. Penetration tests

Data Controller uses penetration tests to understand weak spots that need to be focused. It goes through as real scenarios, flowing a process to regularly test, assess and evaluate the effectiveness of security measures. Penetration tests and injection attacks are performed between every 1^st and 5^th day of each month.

6. Attackers Detection

Data Controller exploits Users access logs to detect anomalous User account activity within its environment, for further investigation.

7. Right to be forgotten

A User is allowed to delete his/her User Account whenever desired. That option is available inside the Data Controller application with the press of a button. After the User deletes his/her User Account, his/her personal data is automatically deleted as long as from the “connected platforms” unless he/she was a paying user in which case we keep just the necessary information for taxing purposes as the law obliges.

8. Incident Response Team

An incident response team acts in case of an incident in the midst of an attack. This team is in charge of protecting User’s personal data against unauthorized access by third parties. The team also provides the legal measures consistent with applicable laws to guarantee that the User’s data remains confidential and is processed in a manner to prevent unauthorized access. The Data Controller adopts the requested technical solutions, towards protecting the User’s personal data.

9. Data Retention Policy

Personal data is only kept for as long as it is necessary. Then the data is securely destroyed or anonymized. Personal data of the User is retained as long as he/she exploits the provided services by the Data Controller, maintaining a User Account. If the User Account is deleted by the User, the personal data is retained by the Data Controller up to three months from the date of the termination of the services. After the expiration of the personal data retention duration, the data will be deleted by the Data Controller, except for the personal data that is provided to the Data Controller for advertising actions. Such data will be deleted after the User withdraws the consent, in respect to the processing of such data.

10. Data Protection Officer

Data Controller has appointed a Data Protection Officer, who is in charge of this privacy policy and GDPR compliance issues.

11. Breach Notification

Any breaches of personal data of the User will be reported to the authorities and affected individuals without delay, according to the GDPR requirements.

12. Personal Data Processing

The Data Controller processes User’s personal data according to the GDPR requirements after the User’s consent and registration on the Website. The creation of a User Account and the use of the provided services of the Data Controller by the User requires giving the consent for the personal data processing. The user also gives the consent to the provision of the personal data to the “connected platforms”. If the User does not agree to give the consent, the creation of a User Account is not possible by the Data Controller for the provision of the available services. The User is allowed to withdraw his consent, with respect to the processing of his/her personal data by the Data Controller.

13. Cookies policy

The Data Controller uses cookies for the Website. A User is able to change cookie settings or prevent cookies support from his/her browser settings. The most of the cookies are session ones that are automatically deleted from User’s PC after the User closes the browser. For other cases, some cookies allow the identification of the User when he/she revisits the Website in case that they are not deleted automatically. The Data Controller exploits cookies for making the Website more efficient and User-friendly. The Data Controller also collects anonymous statistics about the User’s use of the Website, towards improving its services.

14. Privacy practices of third parties

This Privacy Policy reports collection, processing and use of personal data by Data Controller and Data Processor. Our users may have access to data and use it in other ways in accordance with their own privacy policies. Data Controller encourages users to familiarize themselves with the privacy policies provided by any platform they use to publish or process any data. Please note that Data Controller services may use the YouTube API. YouTube’s API Services – Developer Policies require us to notify users that our services exploit YouTube API Services (i.e.data from YouTube) and to link to the YouTube privacy statement: http://www.google.com/policies/privacy.

Data Processor accesses, collects, stores and processes data from YouTube’s API in respect to: Video Snippet (thumbnail, title, description, statistics, comments), Channel settings (cover), Channel statistics and Channel snippet (thumbnail, title). Such data is processed by the Data Controller as per the requirements of YouTube’s API Services – Developer Policies: https://developers.google.com/youtube/terms/developer-policies#a.-api-client-terms-of-use-and-privacy-policies

This data will not be used in any manner that is incompatible with the purposes for which it was collected. Data Processor processes such data to provide users our social media monitoring services. This includes providing users access to our different features and insights. Our processing for the purpose of providing our services is based on our legitimate interest to do so or on users’ consent (where applicable, such as when the user signs up for an account).

Last updated 25 Nov, 2019.