Loco's compliance with the EU General Data Protection Regulation
The purpose of this document is to demonstrate along with our Privacy Notice that we are meeting our legal obligations with respect to the processing of personal data. Specifically this means complying with EU Regulation 2016/679, commonly known as the General Data Protection Regulation, or GDPR. All references to regulations and articles in this document are references to GDPR unless otherwise specified. We've generally used the terminology "you" and "your" to mean the data subject whose information we are processing.
Under GDPR terminology we are a Data Controller for all our customers and website visitors. This means we determine how and why we process personal data, which in our case is entirely for the purpose of providing our software service and running our core business. We are not involved in selling, sharing or otherwise trading personal data, but we understand that our obligation to safeguard your information remains equally important.
The data controller for Loco (the "service") is White Interactive Ltd ("we", "us", "the company"). If you have any questions about our data protection policies or legal compliance, you can reach our data protection officer (Tim Whitlock) via the contact form or by emailing support at this domain.
We are a UK company and so our GDPR compliance is governed by the Information Commissioner's Office who are the supervisory authority for GDPR in the UK. The ICO provide information for the public regarding data protection and you can lodge a concern with them if you feel we are in breach of our legal obligations.
Please note that we only process personal data belonging to our users and website visitors. We do not engage in the processing of personal data on behalf of other data controllers.
Information we hold
We regularly conduct information audits to map data flows within our company. As a small business this is quite limited. Most data exists only on our main servers (not on personal computers) but we use a handful of third party service providers for technical functions.
None of the information we process is of a sensitive nature under the GDPR definition of "special categories of personal data" listed in Article 9(1). Primarily we process contact details and billing information of our customers, plus common types of Internet connection data such as IP addresses.
We've documented precisely what personal data we hold, where it has come from, who we share it with and what we do with it in our Privacy Notice which we present to all customers and visitors to our website.
Our lawful basis for processing personal data
We've identified that our lawful bases for processing personal data are a mixture of your consent, our contractual obligations to provide a service, and our own legitimate interests and legal obligations.
- Example of consent: You give us your email address so we can send you an account activation link.
- Example of contractual obligation: We store your translations on our servers, because that's the service you've asked us to provide and in some cases paid for.
- Example of legitimate interests: We contact you by email because you haven't paid an invoice, or we log your IP address in order to monitor the security of our site.
- Example of legal obligations: We retain your billing address to comply with European tax regulations.
Any processing of data that is not explicitly for the operation of the service is for the functioning of our core business in ways that you can reasonably expect and which have minimal impact on your privacy. In our Privacy Notice we've justified in plain English why specific types of personal data are processed.
Consent and data retention
We don't assume or record any type of consent for individuals that haven't signed up explicitly for a Loco account. If someone registered (or was invited), but never activated their account, we are not storing their data and have no means to contact them.
Account holders may manage their consent for specific actions within the Loco dashboard. For example, you may wish us to display your email address to fellow team members. Once granted, this type of consent continues until you revoke it via the same interface or delete your account.
When you log into your Loco account we take this to mean you wish to continue receiving our service and as such, any consent you've granted should continue. If you stop logging into your account we'll eventually assume you no longer require the service and may no longer wish for us to store your personal data. We routinely delete abandoned accounts so as to avoid storing personal data longer than necessary.
How we protect your rights
The protection of natural persons in relation to the processing of personal data is a fundamental right under the EU charter. We believe all people should enjoy these rights, so the following applies to all our users and website visitors regardless of their location.
Your right to be informed
We've made privacy information available to all website visitors and email recipients via links to our Privacy Notice. This link is easily accessible from various places on our website where personal data is being obtained or used. As a general rule we will always explain why we're asking for particular information and provide links to help and further information prior to collecting it.
Your right of access
We have processes to recognise and respond to individuals' requests to access their personal data. The majority of such data is clearly accessible in the Loco dashboard via the same interface in which it was entered. Any inaccessible data (such as login records) can be downloaded from the Loco dashboard's privacy interface. (See the right to data portability below.)
Your right to rectification and data quality
We have processes to ensure that the personal data we hold remains accurate and up to date.
- The majority of personal data can be altered at any time by the same means it was entered by its owner.
- When email addresses bounce or appear to belong to another person, they are marked for removal and the account owner prompted via the Loco interface to correct the information.
- Any data that can't be modified by account holders can be corrected on request, as long as it's the type of data that can reasonably be corrected (e.g. we could correct details on an invoice, but we can't correct an IP address you connected from).
Your right to erasure including retention and disposal
We have processes to securely dispose of personal data that is no longer required or when you've asked us to erase it. All data is destroyed when you close your account and we routinely delete abandoned accounts automatically. Most data you enter yourself can be deleted by the same interface. Any inaccessible data held in your account is for the purpose of providing the account, so the only way to delete that data would be to delete your account.
Your right to restrict processing
We have processes to respond to individuals' requests to restrict the processing of their personal data:
- Most practical restrictions take the form of user preferences available in the Loco Dashboard, e.g. disabling email notifications.
- Restrictions that would prevent the functioning of the service (such as not storing your translations) can be applied instead through deletion.
- If you're concerned that we're processing data in a way you dislike but are unable to control, please contact our data protection officer for help.
Your right to data portability
We have processes to allow individuals to transfer their personal data from one IT environment to another in a safe and secure way. Your (non-personal) translation data can be exported from Loco into many industry standard file formats. Personal data (such as your user profile) has no standard, interoperable file format, but you can download a JSON export directly from the Loco dashboard's privacy interface.
Your right to object
We have processes to handle individuals' objections to the processing of their personal data. Individuals can contact the data protection officer at any time to discuss their particular grievance. See contact details above.
Your rights related to automated decision making including profiling
We don't believe any of our automated processes constitute decision making that would put any individual at risk. For example, we may guess your preferred time-zone based on your location, or we may decide to delete an account that has not been accessed in over a year. No such automated decision making is designed to profile individuals in any way that would have an impact on their privacy or personal freedoms.
Accountability and governance
This document and our Privacy Notice have been derived from our internal data protection policies. Everyone at the company understands the importance of data protection and we place these issues at the centre of all our software development.
As general rules:
- We consider the data protection aspects of every new feature we add from the start. Privacy is never an afterthought, but we're always reviewing our system to improve it.
- We don't collect data we don't need, e.g. we collect your time-zone so we can format local times correctly, but we don't ask for your phone number because it's irrelevant to our service.
- We anonymise or pseudonymise data whenever possible, e.g. if you ask us to block your email address, we'll store an irreversible hash of your address, and not your actual address.
- We evaluate all software we use for potential information risks, e.g. this might include researching industry best practices for securing a database.
- We have an appointed data protection officer, see contact details above. This person is also responsible for completing impact assessments.
- Every member of staff is involved with data protection awareness, design and implementation. (We are a small company).
We take appropriate security measures at every stage to ensure that personal data can't be accessed by anyone outside of the company and is securely processed by our service providers. See our security disclosures for more information on how we secure your data, and also refer to the security information provided by each of our service providers.
We have methods to identify data breaches and shall notify the relevant supervisory authority immediately upon discovery of such an event. Given the type of data we process it's unlikely that such a breach would result in a risk to the rights and freedoms of any natural persons, but we would not like to second-guess our customers' freedoms and would contact the Information Commissioner's Office in any case.
Regardless of our obligations with respect to Article 33, we would inform all our customers if we had been subject to a breach, as this is how we would like to be treated ourselves.
Our Data Processors
We use a handful of third parties for outsourcing technical functions and have legally binding agreements with all of them.
With respect to Article 28 (3) we've ensured all our data processors are contractually obliged to safeguard any personal data that comes into contact with their systems as a result of our processing. As these companies are all Internet-based providers, our "contracts" with them are written agreements that we have "signed" via their websites or by email.
Linode is our primary web hosting provider. All data we process will pass through or be stored via their services. Although Linode are a US-based company all the hardware we use is physically located in the UK. Pursuant to Article 28(3) we have agreed to Linode's "EU Model Contract" which is available to view by request to our data protection officer.
Customers may also wish to view Linode's extensive security information in particular the numerous certifications of their London data centre.
Stripe Payments Europe Ltd:
Stripe is our credit card payment provider. All card payment processing is performed via their service, which is physically located in the USA, although they have a company entity based in Ireland. To safeguard personal data under the GDPR, Stripe are a member of the EU-US and Swiss-US Privacy Shield frameworks. You can view their certification here. Pursuant to Article 28(3) we have agreed to Stripe's "Data Processing Addendum" which is available to view by request to our data protection officer.
Amazon Web Services, Inc.
We use AWS for auxiliary technical functions outside of our main servers. This includes storage of static files and the sending of emails, either of which could contain personal data at any time. We may use other AWS functions from time to time, but they are all GDPR compliant.
Where at all possible we process personal data via AWS hardware that is physically located in the EU (usually Ireland) although it's possible that from time to time some services will only be available in US regions. However, AWS is a member of the EU-US Privacy Shield framework so any data passed into a US region is protected similarly. You can view their certification here.
Pursuant to Article 28(3) our contract with Amazon includes the AWS GDPR Data Processing Addendum which contains standard contractual clauses approved by the Article 29 Working Party. You can read more about AWS data protection here.
The Rocket Science Group LLC (MailChimp):
We stopped using MailChimp before GDPR came into effect. All personal data that was stored with MailChimp has been deleted from their service prior to May 25 2018. If we choose to use this provider again in future we'll update this document. As a precaution, we've already signed their "EU Data Processing Addendum" and ensured they are certified under the EU-US and Swiss-US Privacy Shield frameworks.
We ensure an adequate level of protection for any personal data processed by others on our behalf that is transferred outside the European Economic Area. The only non-EEA country to which we currently transfer personal data is the USA, where personal data is protected under the EU-US and Swiss-US Privacy Shield frameworks provided that the data processor is certified. As listed above, all our non-EEA service providers offer us this assurance and have entered into further contractual obligations pursuant to Article 28(3).
Processing on behalf of other controllers
Under Article 28 of the GDPR, Data Controllers must have specific contracts with all their Data Processors in order that any third-party processing adheres to the same regulation. If you're reading this because you think you need such a contract with Loco, you will probably find that you don't.
If your company is routinely asking all service providers to sign data processing contracts, we would ask you to evaluate why you think it's necessary with respect to the particular service we offer:
- If your translations don't contain personal data then a contract is not required as we would not be processing personal data on your behalf.
- If your translations do contain personal data then you can't have instructed us to process it and would be in breach of our terms of service.
Clarifications and suggestions:
- Company contact details are not personal data under GDPR because a company is not a "natural person". See paragraph (14) in the preamble of the regulation. We see no problem if your translations contain this kind of data.
- If you invite other users to Loco we do not store or display the email address you provide until the data subject has approved your invitation. We have a legitimate interest in providing this function and methods in place to prevent it being abused.
- Ownership and copyright of your content are separate issues. It's unlikely in the vast majority of cases that your translations constitute personal data under the relevant EU definition.
- If you're worried about personal data getting into your translations, consider using placeholders like "My phone number is %s". This would allow personal data to exist in your software without being unwittingly processed by ours.