GDPR & Privacy Policy

Introduction

In order to operate the Brand Fibres service, Brand Fibres collects and provides various information from the Customer for a variety of business purposes. This policy sets out how Brand Fibres seeks to protect Customer data according to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on General Data Protection Regulation (GDPR). “Customer” means any visitor of our websites, user or tester of our free services or subscribers of our paid services. While we collect more data from those who decide to be more involved with us, all Customers benefit from the same measures that we put in place to protect their data. Being transparent and providing accessible information to Customers about how we will use their data is important for Brand Fibres.

Controller of data
Brand Fibres Sp. z o.o.

North Gate
Ul. Bonifraterska 17
00-203 Warszawa
email: contact@brandfibres.com

Data Protection Officer

The Data Protection Officer (DPO) is responsible for overseeing data protection strategy and implementation to ensure compliance of Brand Fibres with GDPR requirements. He is also responsible for awareness-raising and training of staff involved in processing operations. He reports directly to Brand Fibres top management. Any Customer may contact the Data Protection Officer about all issues related to processing of their data and to exert their rights. Data Protection Officer responsibility is to reply to all Customer questions and queries. In order to do so, he maintains a set of formal procedures to handle consultation, modification, consent revocation and erasure of Customer data.
Email: dpo@brandfibres.com

Brand Fibres Business purposes

The purposes for which Customer data may be used by Brand Fibres include the following:

Identification and authentication of the Customer in order to access its account;
Providing the Brand Fibres service:
- a SaaS media monitoring service which integrates externally crawled website and metrics data, social media results, proprietary data and Customer specific metrics into one single 360 degree view platform. This platform offers a real time search and monitoring of specific topics allowing Customers to analyze and optimize their company communication and brand protection.
- an access to the platform via an API allowing Customers to integrate results into their own BI solutions, configure reports which are sent by email, create dashboards, integrate computation results into external services, and visualize results in a command center solution which is shown at Customer premises.
- training, advice and consulting offers, including the creation of Brand Fibres reports for Customers and the development and maintenance of Customer specific applications and program code.
Compliance with legal and corporate governance obligations and good practice;
Improving the quality of the services provided;
Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information;
Investigating complaints;
Market research and marketing communications.

Data collected by Brand Fibres

Visitors:

Visitor settings

Type of data: IP address, cookies
Purpose of use: visitor statistics

Users of paid services:

Service settings:

Type of data: first and last name of user, e-mail address, role in the system, OAuth credentials, user ID in connected external services (Facebook only – if specified by user)
Purpose of use: authentication and security of user’s account, used as an alternative for e-mail login
Non-personal data: time zone, access rights level, language of the system, login, password (coded)

Alerts and reports:

Type of data: e-mail address
Purpose of use: necessary to establish communication, system notifications
Non-personal data: Brand Fibres stores history of alerts and reports sent to User of paid services

Server log files:

Type of data: IP address, username
Purpose of use: incident and breakdown investigation, verification of unusual activity
Non-personal data: server resources accessed by user

Fair and lawful processing

Brand Fibres processes Customer data fairly and lawfully in accordance with individuals’ rights. This generally means the following:

processing is necessary for the performance of the contract between Brand Fibres and Customer or in order to take the steps prior to entering into a contract;
as Customer data is captured following a notification to the Customer (Visitor settings) or provided directly by the Customer (any other data), it is fair to assume that Customer agrees with the processing for the above-mentioned purposes. This agreement is maintained by the continuous use of the services;
Customer data is retained for no longer than it is necessary to provide an optimal service.

Brand Fibres does not use any element of collected Customer data to profile its Customers as per GDPR Article 4 (evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements) and does not process sensitive personal data as per GDPR Article 9 (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation).

Customer data rights

Consent - whenever Customer data exceeds the minimum required for the performance of the contract, i.e. the optional elements in the table above, the data that we process is subject to active consent by the Customer.
Data portability - upon request, the Costumer has the right to receive a copy of its data in a text or comma-separated value file, which is structured, commonly used and machine-readable format. These requests are processed within one month, provided there is no undue burden. Customer may also request that its personal data is transferred directly to another system, where technically feasible. Such requests are free of charge and should be made during a valid subscription via request to the DPO. Search results constitute Brand Fibres’s intellectual property. Its transmission is subject to copyright and contractual limitations.
Right of access and right to rectification - Customer has the right to access and rectify its data at any time. Customer shall take reasonable steps to ensure that the data we hold about it is accurate and updated as required. If data is outdated or inaccurate, the Customer is invited to change it or to send a request to Brand Fibres so that we can update Customer records.
Right to erasure - Billing and accounting information will be kept as long as required by law. Customers may request that any information held on them is deleted or removed. Brand Fibres is responsible for handling such requests with any third parties who process or use that data. An erasure request of Customer data might limit the usability of the Brand Fibres service or make it unusable. This does not release Customers from respecting the contract. Upon request, Brand Fibres may provide the Customer with a signed certificate of erasure/destruction clearly stating the elements that have not been erased/destroyed (in order to comply with the law), if any.
Accuracy and relevance - we will ensure that any Customer data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process Customer data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Data protection and storage

Brand Fibres conducts regular data protection impact assessments on the Brand Fibres service and ensures that the developments take into account security and data protection aspects. Customers’ data protection settings are set to private by default. Brand Fibres has a set of internal information security policies and procedures such as Access control, Supplier relationships, Incident Management, Business continuity, Disaster Recovery, Human Resources, Risk Management, etc., which are maintained/tested regularly in order to be able to keep the confidentiality, integrity and availability of Customer data. Particularly for IT teams, dedicated security measures are in place like development guidelines, secure development, developer talks, awareness training. The security level of the application is regularly assessed by expert and independent penetration testing. Our production network is firewalled and not reachable by our public blog and website which are not connected through our production network. All our servers are firewalled. Access to our production cluster is restricted to a limited amount of specific employees through SSH with key-based authentication, and from dedicated PCs with restricted Internet access in a separate office VLAN, only used for this specific purpose. Where other organizations process Customer data as a service on Brand Fibres’s behalf, Brand Fibres establishes what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organizations. All Customer specific data and information in Brand Fibres is stored in separate accounts for each Customer. Each Customer has its own access and set of data, completely separated from the other Customers. The database containing all Brand Fibres Service settings (project settings, user settings, collected and processed data) are stored on encrypted hard disk partitions which are mounted by our monitoring system after server start. All Backups are transferred via encrypted channels and backups are automatically deleted after a period of 6 months after contract termination.

Availability

Our service is hosted on dedicated servers (servers partial-virtualized and only accessible by us and clients in case of issues) in Poland. The hosting provider is connected to the internet with DDOS protection. Only our hosting provider and its personnel are allowed to physically access the data centers where our servers are stored. Brand Fibres infrastructure is built so that we can tolerate individual errors with automatic failover. Data is generally saved redundantly. Automated monitoring observes various metrics on our servers and alerts us on critical errors. Brand Fibres services are monitored 24 hours a day with automatic SMS service to developers in case of a fatal error. In case there is no response, a second developer will be contacted as well.
Checks are divided into different categories and services. We check that:

the software is correctly deployed (potential version conflicts)
the hardware is working correctly
that our software runs correctly (e.g. volume checks, errors in log files)
that our services are available
that backups are made correctly and regularly

Subcontractors and data access

In order to provide the Brand Fibres service to its Customers, Brand Fibres utilizes two subcontractors (processors):

Hosting of data: 3S Katowice, Poland;
Email sending (in order to ensure deliverability): nazwa.pl (nazwa.pl Sp. z o.o.), Poland and Microsoft (Microsoft Corporation), USA. Customers can specify also their own SMTP servers in our Branding options if they wish to send all emails through their own servers.

Brand Fibres has Data Processing Agreements in place with its subcontractors according to European data protection legislation:

Privacy Shield for nazwa.pl Sp. Z o.o.
Privacy Shield for 3S Data Center SA.

For the supporting activities, Brand Fibres utilizes the following subcontractors according to their general terms for business use.

More information on the security and data protection aspects of these subcontractors can be found in:

Google:
https://gsuite.google.com/terms/dpa_terms.html
https://gsuite.google.com/intl/en/security/

Nazwa.pl:
https://www.nazwa.pl/fileadmin/nazwa/Regulaminy/Pl_prywatnosci.pdf

3S:
https://panelklienta.3s.pl/policy

Brand Fibres remains fully liable to its Customers for the performance of its subcontractors.

Cookies

Cookies are small amounts of information that may be stored by Brand Fibres websites on Customer’s devices. Cookies may not allow identification of the party receiving the cookies, unless such party has already provided Brand Fibres with personal information allowing such identification – login or sign up. Brand Fibres use cookies to provide an enhanced support for Customers using Brand Fibres services.
Brand Fibres uses:

Session cookies that enable Brand Fibres to process and memorize Customers’ requests during a given session on its account (i.e. after login). These cookies are necessary in order to use the Brand Fibres service.
Persistent cookies that enable Brand Fibres to remember Customer’s information in order to provide easier and more convenient access to the services, tailored information, web content and promotional messages to the Customer, and that are used for market research purposes.
Cross-site cookies: Provide anonymous information about visitors, such as the websites they visit before and/or after visiting a Brand Fibres website. They are set by the following third party services according to their own policies: Pinterest Ads, Facebook Ads, Google Adwords.

Customers may set their browser parameters in order to select the types of cookies they wish to receive or not receive from Brand Fibres.

Reporting breaches

In the case of a breach of Customer data, Brand Fibres will inform the affected Customer, where feasible, not later than 72 hours after having become aware of it. If the breach includes personal data, Brand Fibres will cooperate with the Customer to assess the need or obligation to inform the data protection supervisory authority of the jurisdiction where the Customer is established. For Customers based in the European Union, Brand Fibres shall report the breach to the Polish data protection authority as per GDPR Article 33.

Biuro Generalnego Inspektora Ochrony Danych Osobowych (GIODO)
ul. Stawki 2
00-193 Warszawa