Introduction and our details
The Site and Services, as described in our Terms of Service, are provided to you by Tensor Social Incorporated with registered office at 819 Santee St., Los Angeles, CA 90018 (the “Data Controller” of your personal data). Consequently, “We”, “Us” and “Ours” refer to the Data Controller. Feel free to send any of your data protection queries to us at [email protected]
We are based outside the European Economic Area and have nominated the following representative to promptly respond to any requests by our customers and relevant authorities:
Name: Mr. P. Maurus (Tensor Social)
Address: PO Box 75028, London, SW1P 9QZ
Email: [email protected]
2. What personal data is processed and the legal basis for processing
2.1. CUSTOMERS
There are different types of information we obtain, whether directly from you at sign up or automatically via your device (for instance, personal computer, laptop, mobile phone) when you use our Sites. Essentially, we only obtain what is strictly necessary to provide you with our Services, no more, no less.
Information you provide Us with:

1. Full name, company address, company name
Legal basis for processing: Performance of the contract with you.
Reason for collection: We will store just enough information to honour your opt-out preference. You know our name, We require yours for the contractual relationship between the parties.

2. Email and social network profile
Legal basis for processing: 1) Performance of contract with you and 2) Our legitimate interests, if related to marketing.
Reason for collection: 1) We require your email and/or social network information to log you into the system and to provide you with the Service, reports, Service related updates, communications and other important information. 2) If We do use your email to contact you for marketing purposes, it will be in Our legitimate interests to do so, but you will always have a chance to opt out of such marketing communications for similar products and/or services prior to first (and any subsequent) communication. You may opt out at any time by emailing [email protected]

The rest is the technical stuff that must be processed in order to provide you with our services.

Information collected/accessed automatically:

1. Internet Protocol (IP) address
Legal basis for processing: Performance of the contract. You need this to connect to the Internet.

2. We set and access various cookies on your device
Legal basis for processing: Contract performance for the “strictly necessary” cookies. Legitimate interest for the first-party analytics cookies. Your consent prior to the placement of all the other types of cookies.
2.2. INFLUENCERS
Before April 2018 we obtained relevant data from Instagram via its API, which is subject to Instagram Platform Policy (https://www.instagram.com/about/legal/terms/api/). Since April 2018 we have not been using Instagram API. In essence, We only process information which you already shared with the world via Instagram. We ensure We have a legal basis for processing your personal data. We treat it in accordance with relevant legislation and respect Your Rights (see section below).

Information Influencer provides Instagram with: A link to Influencer profile, full name, avatar, language, biography, gender, country/city/state, brand and common interests, notable engaged users, sponsored posts. Email and social network profile. Images, graphics, photos, profiles, audio and video clips, sounds, musical works, works of authorship, applications, links and other content or materials (“Content”, as defined by s.8 of Instagram terms of service).

Legal basis for processing: Influencers provide their personal data to Instagram as part of performance of contract by Instagram (there is no other way to provide such a photo sharing service) and Influencer’s affirmative consent by uploading Content (as defined in Instagram). https://help.instagram.com/478745558852511 We have a legitimate interest in using the data made available by Influencers via Instagram for commercial purposes without affecting Influencer’s fundamental rights and freedoms.

Reason for collection: To allow Customers to choose an Influencer for their business purposes and assess the effectiveness of each Influencer’s reach.
2.3. Audience data and statistics
We analyze a vast amount of information in order to provide Customers with statistics. In relation to Influencer audience (the “Audience”), this includes, in particular: gender, age group and ethnicity. While these items may represent a somewhat sensitive issue, We have undertaken a review of our legitimate interests and the risks to the rights and freedoms of individuals. We concluded that our processing for statistical purposes is in line with legislation and does not affect the rights and freedoms of individuals. In order to legally process data on the ethnic origin of the Audience, We require a relevant legal basis. One of the bases is processing for statistical purposes (while safeguarding fundamental rights and interests of the Audience). Such processing does not have discriminatory effects on the natural persons involved, nor does it result in measures having such effect. Finally, there is no automated decision-making and profiling based on ethnic origin of the Audience.
3. What we do with personal data
3.1. CUSTOMERS
We do not sell, share or disclose Customer data except as provided herein. We never treat your personal data in any way that would surprise you (unless We told you about it and you provided us with an informed and unambiguous consent to such usage). We use Customer contact details and payment information to establish, support and conduct customer relationships as necessary for the performance of Services. Should the Customer fail to provide the personal data we need, we may be unable to complete the transaction. We only contact Customers with service-related information. Where marketing is involved, Customers have an option to opt out at any time before first (and any subsequent) contact.
3.2. INFLUENCERS
We provide a statistical service and so, the data about Influencers identified above is shared with Customers whether on a trial basis or upon payment of fees.
3.3. AUDIENCE DATA
Audience data for each Influencer is aggregated for statistical purposes and shared with Customers whether on a trial basis or upon payment of fees.
4. How long personal data is stored for
4.1. CUSTOMERS
We store your data while your account is active. Whether your annual subscription expires or you fail to use the credits on time, we will delete your personal data from our systems 1 month from expiration of your annual subscription or when you exercise your rights (as listed below).
4.2. INFLUENCERS
As stated above, We process information that Instagram provides us with. The updates may take up to 20 days. If an Influencer deletes their account, We would also delete such information from our systems and make it unavailable to Customers. This synchronisation may take up to a month from when the deletion happens on Instagram.
4.3. AUDIENCE DATA
Audience data is only relevant to the Influencer and is kept in an aggregated form together with information about Influencer. Once Influencer data is deleted, Audience data of the Influencer is also removed.
5. Security measures used by Us
All personal data is kept with our third-party processors on secure servers, in full compliance with international information security requirements. Hetzner Online, Google and Amazon are all in possession of the ISO 27001 Information Security Management System certificates. We use the recommended industry practices to keep access to such data secure (mixture of common sense and best practices). We use an appropriate level of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. Those include the following:

(1) Protective measures for physical access control: We secure access to the premises via ID readers, so that only authorised persons have access. The ID cards can be blocked individually; access is also logged. Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorised persons. The alarm system is linked to a locking mechanism for the doors.

(2) Protective measures for system access control: Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team. We regulate access to our own systems via password procedures and the use of SSH keys of at least 1024 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled. We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access. Passwords must meet the following requirements:
At least 8 characters long
At least 1 letter in upper-case
At least 1 letter in lower-case
At least 1 number
At least 1 non-alphanumeric character
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

(3) Protective measures for data access control: All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface. Due to the close proximity of the employees, a visual inspection is possible at any time. Locking and/or logging off when leaving work is prescribed in writing and is practised.

(4) Protective measures for transfer control: The handling of local data storage devices, e.g. USB sticks, is regulated via agreements. Access to the systems from outside the company network is possible only via secure VPN access.

(5) Protective measures for input control: Our employees do not work directly at database level, but instead use applications to access the data. IT employees access the system via individual access and use a common login, as there are very few employees and these sit in close proximity of each other and monitor each other by agreements and visual inspections.

(6) Protective measures for availability control: We ensure the availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail. Critical services are operated redundantly in multiple data centres and controlled by a high-availability system. Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.

(7) Protective measures for separation control: To separate data, We use logically separate databases so that no accidental reading of data by unauthorised persons can occur. Access to the data itself is also restricted by the fact that employees use services (applications) which control access.
6. Categories of recipients of personal data
We do not rent, sell or share Customer personal data with any third parties, except where We have to comply with Our legal obligation. We do provide a fee-based statistical service in relation to Influencer and Audience data. The recipients of such data are Customers of Our Service. In relation to Customer data, We do not blindly follow disclosure orders. We will check each request to ensure it satisfies the relevant safeguards, contains a court order or is issued under a legislative measure for the prevention, investigation, detection or prosecution of criminal offences. If We employ a processor to act on our behalf, We ensure that there are adequate contractual measures to ensure responsibility, security and liability to the same level as expected of Us. In any case where a third party accesses your data on Our behalf or upon Our instructions (be it inside or outside the EEA), We use the relevant legal basis to comply with the data protection legislation. In cases where there is no finding of an adequacy decision by the European Commission, we use model contracts approved by the European Commission to safeguard your rights and data.
7. Your rights
You are entitled to the full spectrum of the rights under the General Data Protection Regulation and We will go out of our way to accommodate any valid request. You can exercise your rights by emailing us at [email protected]. You have a wide array of rights that we respect. Among those, the right to:
Require access to your personal data;
Require rectification of your personal data;
Require erasure of your personal data;
Withdraw consent to processing of your personal data, where applicable;
Lodge a complaint with your national supervisory authority (in the EEA) if you believe that your privacy rights have been breached.
We only retain such information that is necessary to protect our legitimate interests or to comply with a legal obligation.
8. Cookies and similar technologies
We use aggregated, non-identifying, electronic data collected from use of our Sites and Services to operate, analyze, improve, and develop our Sites and Services. This information is not used to inform decisions about specific individuals; rather, it is processed to understand how different categories of users interact with our Sites and Services so that we can consistently improve the same for Customers.
9. Children’s privacy
We never knowingly collect or solicit any information from anyone of 13 years and younger. The Sites and Services are not directed at, nor made to appeal to, such persons. Parents or guardians that believe that We hold information about their children aged 13 and under may contact Us at [email protected].
Our commitment
We will only collect and use your data where We have a legal basis to do so;
We will always be transparent and tell you about how we use your information;
When We collect your data for a particular purpose, We will not use it for anything else without your consent, unless other legal basis applies;
We will not ask for more data than needed for the purposes of providing our services;
We will adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
We will observe and respect Your rights by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
We will keep our staff trained in privacy and security obligations;
We will ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
We will also ensure that all of our data processors have appropriate security measures in place with contractual provisions requiring them to comply with Our commitment.