GDPR Compliance

Loco's compliance with the EU General Data Protection Regulation

The purpose of this document is to demonstrate along with our Privacy Notice that we are meeting our legal obligations with respect to the processing of personal data. Specifically this means complying with EU Regulation 2016/679, commonly known as the General Data Protection Regulation, or GDPR. All references to regulations and articles in this document are references to GDPR unless otherwise specified. We've generally used the terminology "you" and "your" to mean the data subject whose information we are processing.

Data Controller

Under GDPR terminology we are a Data Controller for all our customers and website visitors. This means we determine how and why we process personal data, which in our case is entirely for the purpose of providing our software service and running our core business. We are not involved in selling, sharing or otherwise trading personal data, but we understand that our obligation to safeguard your information remains equally important.

The data controller for Loco (the "service") is White Interactive Ltd ("we", "us", "the company"). If you have any questions about our data protection policies or legal compliance, you can reach our data protection officer (Tim Whitlock) via the contact form or by emailing support at this domain.

We are a UK company and so our GDPR compliance is governed by the Information Commissioner's Office who are the supervisory authority for GDPR in the UK. The ICO provide information for the public regarding data protection and you can lodge a concern with them if you feel we are in breach of our legal obligations.

Please note that we only process personal data belonging to our users and website visitors. We do not engage in the processing of personal data on behalf of other data controllers.

Information we hold

We regularly conduct information audits to map data flows within our company. As a small business this is quite limited. Most data exists only on our main servers (not on personal computers) but we use a handful of third party service providers for technical functions.

None of the information we process is of a sensitive nature under the GDPR definition of "special categories of personal data" listed in Article 9(1). Primarily we process contact details and billing information of our customers, plus common types of Internet connection data such as IP addresses.

We've documented precisely what personal data we hold, where it has come from, who we share it with and what we do with it in our Privacy Notice which we present to all customers and visitors to our website.

Our lawful basis for processing personal data

We've identified that our lawful bases for processing personal data are a mixture of your consent, our contractual obligations to provide a service, and our own legitimate interests and legal obligations.

  • Example of consent: You give us your email address so we can send you an account activation link.
  • Example of contractual obligation: We store your translations on our servers, because that's the service you've asked us to provide and in some cases paid for.
  • Example of legitimate interests: We contact you by email because you haven't paid an invoice, or we log your IP address in order to monitor the security of our site.
  • Example of legal obligations: We retain your billing address to comply with European tax regulations.

Any processing of data that is not explicitly for the operation of the service is for the functioning of our core business in ways that you can reasonably expect and which have minimal impact on your privacy. In our Privacy Notice we've justified in plain English why specific types of personal data are processed.

We don't assume or record any type of consent for individuals that haven't signed up explicitly for a Loco account. If someone registered (or was invited), but never activated their account, we are not storing their data and have no means to contact them.

Account holders may manage their consent for specific actions within the Loco dashboard. For example, you may wish us to display your email address to fellow team members. Once granted, this type of consent continues until you revoke it via the same interface or delete your account.

When you log into your Loco account we take this to mean you wish to continue receiving our service and as such, any consent you've granted should continue. If you stop logging into your account we'll eventually assume you no longer require the service and may no longer wish for us to store your personal data. We routinely delete abandoned accounts so as to avoid storing personal data longer than necessary.

Note about processing children's personal data: We do not offer our service directly to children, nor process children's data on behalf of other controllers. The minimum age for holding a Loco account is 13. See the Service Provision section of our Terms of Use.

How we protect your rights

The protection of natural persons in relation to the processing of personal data is a fundamental right under the EU charter. We believe all people should enjoy these rights, so the following applies to all our users and website visitors regardless of their location.

Your right to be informed

We've made privacy information available to all website visitors and email recipients via links to our Privacy Notice. This link is easily accessible from various places on our website where personal data is being obtained or used. As a general rule we will always explain why we're asking for particular information and provide links to help and further information prior to collecting it.

Your right of access

We have processes to recognise and respond to individuals' requests to access their personal data. The majority of such data is clearly accessible in the Loco dashboard via the same interface in which it was entered. Any inaccessible data (such as login records) can be downloaded from the Loco dashboard's privacy interface. (See right to portability).

Your right to rectification and data quality

We have processes to ensure that the personal data we hold remains accurate and up to date.

  • The majority of personal data can be altered at any time by the same means it was entered by its owner.
  • When email addresses bounce or appear to belong to another person, they are marked for removal and the account owner prompted via the Loco interface to correct the information.
  • Any data that can't be modified by account holders can be corrected on request, as long as it's the type of data that can reasonably be corrected (e.g. we could correct details on an invoice, but we can't correct an IP address you connected from).

Your right to erasure including retention and disposal

We have processes to securely dispose of personal data that is no longer required or when you've asked us to erase it. All data is destroyed when you close your account and we routinely delete abandoned accounts automatically. Most data you enter yourself can be deleted by the same interface. Any inaccessible data held in your account is for the purpose of providing the account, so the only way to delete that data would be to delete your account.

Your right to restrict processing

We have processes to respond to individuals' requests to restrict the processing of their personal data:

  • Most practical restrictions take the form of user preferences available in the Loco Dashboard. e.g. disabling email notifications.
  • Restrictions that would prevent the functioning of the service (such as not storing your translations) can be applied instead through deletion.
  • If you're concerned that we're processing data in a way you dislike but are unable to control, please contact our data protection officer for help.

Your right to data portability

We have processes to allow individuals to transfer their personal data from one IT environment to another in a safe and secure way. Your (non-personal) translation data can be exported from Loco into many industry standard file formats. Personal data (such as your user profile) has no standard, interoperable file format, but you can download a JSON export directly from the Loco dashboard's privacy interface.

Your right to object

We have processes to handle individuals' objections to the processing of their personal data. Individuals can contact the data protection officer at any time to discuss their particular grievance. See contact details above.

Your rights related to automated decision making including profiling

We don't believe any of our automated processes constitute decision making that would put any individual at risk. For example, we may guess your preferred time-zone based on your location, or we may decide to delete an account that has not been accessed in over a year. No such automated decision making is designed to profile individuals in any way that would have an impact on their privacy or personal freedoms.

Accountability and governance

This document and our Privacy Notice have been derived from our internal data protection policies. Everyone at the company understands the importance of data protection and we place these issues at the centre of all our software development.

As general rules:

  • We consider the data protection aspects of every new feature we add from the start. Privacy is never an after-thought, but we're always reviewing our system to improve it.
  • We don't collect data we don't need. e.g. We collect your time-zone so we can format local times correctly. We don't ask your phone number because it's irrelevant to our service.
  • We anonymise or pseudonymise data whenever possible. e.g. if you ask us to block your email address, we'll store an irreversible hash of your address, and not your actual address.
  • We evaluate all software we use for potential information risks. e.g. This might include researching industry best practices for securing a database.
  • We have an appointed data protection officer, see contact details above. This person is also responsible for completing impact assessments.
  • Every member of staff is involved with data protection awareness, design and implementation. (We are a small company).

Security policy

We take appropriate security measures at every stage to ensure that personal data can't be accessed by anyone outside of the company and is securely processed by our service providers. See our security disclosures for more information on how we secure your data, and also refer to the security information provided by each of our service providers.

Breach notification

We have methods to identify data breaches and shall notify the relevant supervisory authority immediately upon discovery of such an event. Given the type of data we process it's unlikely that such a breach would result in a risk to the rights and freedoms of any natural persons, but we would not like to second-guess our customers' freedoms and would contact the Information Commissioner's Office in any case.

Regardless of our obligations with respect to Article 33, we would inform all our customers if we had been subject to a breach, as this is how we would like to be treated ourselves.

Data Transfers

We ensure an adequate level of protection for any personal data processed by third parties on our behalf, and in particular when that data is transferred outside the European Economic Area. The only non-EEA country to which we currently transfer personal data is the USA, where we do our best to ensure your rights are transferred along with your data.

As detailed below, all our data processors provide legal assurances to protect your data pursuant to Article 28(3). Further pursuant to Article 46, we have entered into additional contractual obligations where data transfers must be subject to appropriate safeguards outside the EEA.

Third party Processors

We use a handful of third parties for outsourcing technical functions and have legally binding agreements with all of them. With respect to Article 28(3) and Article 46, we have ensured all our data processors are contractually obliged to safeguard any personal data that comes into contact with their systems as a result of our processing, and we make sure to transfer your data to them securely as prescribed by those agreements.

Since the European Court of Justice annulled the US/EEA Privacy Shield programme, our US-based processors have updated their customer agreements with Standard Contractual Clauses approved by the European authorities. As their customers we are bound to these conditions and play our part in safeguarding any transfers of your data accordingly.

Linode LLC:

Linode is our primary web hosting provider. Most of the data we process will pass through or be stored via their services. Linode are a US-based company, although all the hardware we use is physically located in the UK.

We have agreed to Linode's "EU Model Contract", which is available to view by request to our data protection officer. Customers may also wish to view Linode's extensive security information, in particular the numerous certifications of their London data centre.

Stripe Payments Europe Ltd:

Stripe is our card payment provider. Despite having a company entity based in Ireland, all payment processing is performed via their servers, which are physically located in the USA. Personal information transferred by Loco to Stripe includes only that required for card processing (name and address of card holder), but it should be noted that some data transfer occurs directly from the customer's browser and so additional data such as IP address will also be visible to Stripe.

We have agreed to Stripe's "Data Processing Addendum" which forms part of our Stripe Services Agreement (UK) and includes the Standard Contractual Clauses adopted as the Data Transfer Mechanism for Stripe's processing of our customers' data.

Amazon Web Services, Inc.

We use AWS for auxiliary technical functions outside of our main servers. This includes storage of static files and the sending of emails, either of which could contain personal data at any time.

Our contract with Amazon incorporates the AWS GDPR Data Processing Addendum which contains Standard Contractual Clauses applicable between controller (Loco) and processor (Amazon).

Twilio

We use Twilio for performing two-factor authentication which may involve sending text messages to user-provided phone numbers. We don't send any other data about the message recipient along with phone numbers, but it should be noted that Twilio store all numbers that we've asked them to process as part of our "Customer Usage Data". They do not sell it or share it in any way. It is used only to provide Loco with the messaging services we need to provide authentication services to our customers.

Loco's customer agreement with Twilio includes a Data Processing Addendum. Under this agreement data transferred from the UK to Twilio will rely on Standard Contractual Clauses for the initial cross-border transfer, at which point the data will be covered by their Binding Corporate Rules thereafter.

Processing on behalf of other controllers

Under Article 28 of the GDPR, Data Controllers must have specific contracts with all their Data Processors in order that any third-party processing adheres to the same regulation. If you're reading this because you think you need such a contract with Loco, you will probably find that you don't.

Loco is not a Data Processor because we don't take instructions to process personal data on behalf of other controllers. As outlined in this document, we process personal data purely for the purpose of providing our customers with an account and running our business. This processing is clearly defined by us because it is for a fixed purpose. It would be against our terms of use to re-appropriate the services we offer in order to process personal data belonging to other people.

If your company is routinely asking all service providers to sign data processing contracts, we would ask you to evaluate why you think this is necessary with respect to the particular service we offer:

  • If your translations don't contain personal data then a contract is not required as we would not be processing personal data on your behalf.
  • If your translations do contain personal data then you can't have instructed us to process it and would be in breach of our terms of service.

Clarifications and suggestions:

  • Company contact details are not personal data under GDPR because a company is not a "natural person". See paragraph (14) in the preamble of the regulation. We see no problem if your translations contain this kind of data.
  • If you invite other users to Loco we do not store or display the email address you provide until the data subject has approved your invitation. We have a legitimate interest in providing this function and methods in place to prevent it being abused.
  • Ownership and copyright of your content are separate issues. It's unlikely in the vast majority of cases that your translations constitute personal data under the relevant EU definition.
  • If you're worried about personal data getting into your translations, consider using placeholders like "My phone number is %s". This would allow personal data to exist in your software without being unwittingly processed by ours.