This Privacy Policy is outlined to demonstrate our commitment to compliance with the principles of “accountability” in accordance with Article 5(2) of the General Data Protection Regulation (GDPR). If you have any questions about your rights with regard to data protection, you can contact our Data Protection Officer at dpo@scanem.io or through the contact form on our website.
Datawash Inc or Scanem.io, a California-based Corporation (the “Data Controller” of your personal data), as outlined in our Terms of Service, provides users with the Site and Services. Therefore, terms such as “We”, “Us”, and “Ours” refer to the Data Controller.
By using the website scanem.io, you acknowledge that you are aware of our collection and usage of cookies, the purposes and methods of obtaining and processing of personal data (personal information), and the profiling of such data when processed. You also hereby provide your consent to the processing of personal data (personal information) and its disclosure to third parties, in compliance with applicable data privacy legislation.
In order to register and use the services provided by Scanem.io, you must provide all of the requested data, which is a pre-requisite for concluding a Terms of Service agreement. Your data will be treated in full compliance with applicable data privacy laws.
When it comes to the processing of personal information (“personal data”) of the customers of our Site or Services (“Customers”) and to the Services where we determine the purposes and means of the processing of personal data of social networks users (“Influencers”), we are the “Data Controller” or “Controller” of Customers’ and Influencers' personal data.
When it comes to the Services (e.g. Outreach, Marketing Campaign management, etc.) where a Customer determines the purposes and essential means of the processing of personal data of Influencers (e.g. which and whose personal data to process, how long to store them, etc.), but where we still may determine technical means of the processing of such data (e.g. where and how to search, collect, store the personal data), and we process personal data on Customers’ behalf or on Customers’ orders and in Customers’ interests (e.g. when our Services are used to provide a tool to Customers to reach their goals), the Customer must be considered the Controller, and we are the Processor (or Data Processor or Service Provider).
This Privacy Policy outlines how we handle personal data of Customers and Influencers.
We adhere to and strictly follow all regulations concerning personal data, both the European and US laws pertaining to personal data (“Applicable Law”).
This Privacy Policy has been drafted in accordance with European legislation in the area of personal data compliance (Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”)) and has been designed to be consistent with, adhere to and not conflict with the requirements of US legislation regarding personal data protection (specifically, this Privacy Notice has been posted on this website to fulfill the requirements of the California Consumer Privacy Act (“CCPA”)).
Through this Privacy Policy, we meet our legal requirement under Articles 13 and 14 of the GDPR to provide information on data processing to the individuals concerned.
However, in some cases (e.g. when we collect personal data not from the data subjects, e.g. from the social networks), it is not feasible to inform each data subject (especially Influencers) individually, other than through this Privacy Policy.
Recital 62 and Article 14(5)(b) of the GDPR permit us to refrain from doing so in cases where providing such information would be impossible or involve a disproportionate effort (particularly for processing for statistical purposes) due to a large number of Influencers. However, we pledge to take appropriate measures to protect the rights, freedoms, and legitimate interests of data subjects.
We may collect various types of information, whether directly during your sign up (Article 13 GDPR), or automatically through your device (e.g. personal computer, laptop, mobile phone) (Articles 13-14 GDPR) when you access our Site. In keeping with the “data minimization” principle outlined in Article 5(1)(c) GDPR, we only collect and process the information necessary to offer you our Services, no more and no less.
Personal data we collect directly from you: | Legal basis for processing (Art. 13(1)(c) GDPR) | Purposes for processing (Art. 13(1)(c) GDPR): Reason for collection |
---|---|---|
Full name | Performance of the contract with you (Art. 6(1)(b) GDPR). We will store just limited information to respect your opt-out preference. | You know our name, we require yours for the contractual relationship between the parties |
Email | 1) Performance of contract with you (Art. 6(1)(b) GDPR) and 2) Our legitimate interests, if related to marketing (Art. 6(1)(f) and Recital 47 GDPR). | 1) We require your email to log you into the system and to provide you with the Service, reports, Service-related updates, communications and other important information. 2) If we use your email to contact you for marketing purposes, it will be in our legitimate interests to do so, but you will always have a chance to opt out of such marketing communications for similar products and/or services prior to first (and any subsequent) communication. You may opt out at any time by emailing support@scanem.io or using the "Unsubscribe" option if it is provided at the bottom of an email. |
The rest is the technical information that must be collected and processed in order to provide you with our services.
Personal Data collected/accessed by us automatically | Legal basis for processing (Art. 14(1)(c) GDPR) |
---|---|
Internet Protocol (IP) address | Performance of the contract (Art. 6(1)(b) GDPR). You need this to connect to the Internet. |
We set and access various cookies* on your device | Contract performance for the “strictly necessary” cookies. Legitimate interest for the first-party analytics cookies (Art. 6(1)(f) GDPR). Your consent prior to the placement of all the other types of cookies (Art. 6(1)(a) GDPR). |
* This piece of data is sent automatically from your electronic device when you use your browser. Further details about the type of information transmitted by your browser can be located on the websites of the browser companies (e.g. Chrome). You can choose to turn off the transmission of cookies at any time in the browser settings.
Essentially, we only process information which you have already made publicly available through open accounts on social networks such as Instagram, YouTube, TikTok, Twitch, and Twitter. We process Your personal data and ensure that it is done in compliance with Applicable Law and specifically in accordance with the principle of “lawfulness, fairness, transparency” (Art. 5(1)(a)), and we respect Your rights (see section below).
Information about Influencer (categories of personal data): | Legal basis for processing (Art. 14(1)(c) GDPR) | Purposes for processing (Art. 14(1)(c) GDPR): Reason for collection |
---|---|---|
A link to Influencer profile, full name, avatar, language, biography, country/city/state, brand and common interests, notable engaged users, sponsored posts. | Influencers provide their data to social networks, thereby making it public. We handle anonymous data that we receive from public sources (e.g. Instagram, YouTube, TikTok, Twitch, Twitter, etc). | To allow Customers to choose an Influencer for their business goals and assess the effectiveness of each Influencer’s reach. |
Email and social network profile. | We have a legitimate interest in using the data made available by Influencers via social networks for direct marketing purposes (Recital 47 GDPR) without affecting Influencer’s fundamental rights and freedoms. | To allow Customers to choose an Influencer for their business goals and assess the effectiveness of each Influencer’s reach. |
Images, graphics, photos, profiles, snapshots of video clips, liaisons with audience, texts of the comments, works of authorship, links and other content or materials from Influencer's social network profile. | We have a legitimate interest in using the data made available by Influencers via social networks for direct marketing purposes (Recital 47 GDPR) without affecting Influencer’s fundamental rights and freedoms. | To allow Customers to evaluate an Influencer's content performance and quality for their business goals and assess the effectiveness of each Influencer’s activity. |
The purpose of collecting this data is to enable Customers to select an Influencer for their business purposes and evaluate the extent of each Influencer's impact.
We have conducted a review in accordance with Article 35(7)(a) GDPR to determine and validate our legitimate interests and to guarantee that these interests do not supersede the fundamental rights and freedoms of the Audience or any individuals (Art. 6(1)(f) GDPR). We determined that our processing for statistical purposes is compliant with the Applicable Law and does not transgress the fundamental rights and freedoms of individuals. In order to give Customers statistics, we analyze a great deal of data, specifically gender, age group, and ethnicity in relation to the Influencer audience (the “Audience”). Although these items may be somewhat delicate, we are committed to keeping our processing in line with the law.
In order to legally process data on the ethnic origin of the Audience, we require a relevant legal basis. One of the bases is processing for statistical purposes (in accordance with Art. 9(2)(j) GDPR, while safeguarding the fundamental rights and interests of the Audience) and the fact that such data (Art. 9(2)(e) GDPR) is made publicly available by its data subject through disclosure in social media. This processing should not result in any discriminatory effects on natural persons involved nor lead to measures having such effect. Additionally, there should be no automated decision-making or profiling based on ethnic origin of the Audience (Art. 14(2)(g) GDPR).
Our processing of personal data is driven by our legitimate interest of using it for direct marketing and statistical purposes as described in Recital 47 GDPR (EU GDPR) and Recitals 113 and 162 GDPR accordingly. Nevertheless, under the US law, such as the California Consumer Privacy Act, there is no concept of Legitimate Interest. The CCPA does not enumerate specific bases for processing, though the sale of consumer information is not allowed if the consumer has opted out. Thus, we strongly recommend that all of our Influencers use the opt-out feature.
We do not sell, share or disclose Customers’ data except as provided herein. We never treat your personal data in any way that would surprise you (unless we told you about it and you provided us with an informed and unambiguous consent to such usage).
We use Customer contact details and payment information to establish, support and conduct customer relationships as necessary for the performance of Services. Should the Customer fail to provide the personal data we need, we may be unable to complete the transaction. We only contact Customers with service-related information. Where marketing is involved, Customers have an option to opt out at any time before first (and any subsequent) contact.
Notification of the processing of Influencer's personal data is provided through our website and this Policy. Given the considerable volume of data being processed, it is technically and financially impossible to directly notify each Influencer. Additionally, per the Terms of Service and Contracts with Customers, the responsibility to inform the Influencer about the processing of their personal data is transferred to the Customer.
We provide a statistical service and, thus, share data about Influencers with Customers, both during trial periods and upon payment of fees.
Under our Terms of Service, our Customers are strictly prohibited from assigning, syndicating, reselling or otherwise transferring or making available information obtained via Scanem to third parties.
However, we have no control over our Customers and therefore it is impossible for us to know whether any of our Customers intend to sell or share the Influencers’ personal data mentioned below that they receive via our Site or Services.
If you do not want your personal information to be shared with or sold to Customers, please follow the link “Do not sell my personal information” at the bottom of our home page or send us an email with “Do not sell my personal information” to our DPO at dpo@scanem.io.
Influencers' data that we process is divided into two categories:
Raw Data - All publicly available information collected from social networks. Information is collected only from publicly available and open profiles of Influencers on Instagram, YouTube, TikTok, Twitch, Twitter. This Raw Data is not structured, so the Influencer's identity cannot be determined based on this information.
Processed Data - the data formed from Raw Data, which is later used to generate analytical Reports.
The Processed Data is divided into two groups:
Influencers have the right, at any stage of data collection, to send a request to our DPO at dpo@scanem.io to change or delete their data, or not share their data with our Customers.
Audience data for each Influencer is aggregated for statistical purposes and shared with Customers whether on a trial basis or upon payment of fees.
The Data Controller may use the collected data for its own marketing purposes, creating reports that are identical to those it provides to customers. All such reports must comply with any laws or regulations that apply to the Data Controller's activities.
When it comes to the Campaign Management Services we offer, we are a Data Processor acting on behalf of and in the interests of our Customers (who are the Data Controllers). Data Controllers use their personal accounts on the Site as a tool to process data related to companies' databases in the form of Excel tables. We do not store such databases (they are stored directly on the secured servers). We have no access to our Customers’ personal accounts and do not know their content, including the content of the databases and any personal data (if any) therein. We just determine, or provide, to some extent, technical means of the processing of personal data (e.g. account maintenance).
In accordance with Articles 5(1)(b), (c), and (e) of the GDPR, we uphold the principles of "purpose limitation", "data minimization", and "storage limitation". We only collect, retain, store, and process information that is necessary in order to meet our legitimate interests or to comply with a legal obligation, and only for the duration that is needed to satisfy our legitimate interests.
We store your data while your account is active. Whether your subscription expires or you fail to use the provided balance on time, we will delete your personal data from our systems within 1 (one) month after expiration of your subscription or when you request such deletion/deactivation as part of exercising your rights (as listed below).
As stated above, we process personal data obtained from public sources, such as public accounts on Instagram, YouTube, TikTok, Twitch, and Twitter. It may take up to 30 days for the information to be updated. If an Influencer deletes their account, we will delete their personal data from our systems and make it unavailable to Customers. This process of synchronization may take up to one month from the date the Influencer deleted their account on the relevant social networks.
Audience data is solely pertinent to the Influencer and is stored in a collective format, in conjunction with information concerning the Influencer. As soon as the Influencer's data is deleted, their Audience data is also deleted.
The databases are located on the secure servers of Hetzner and Digital Ocean in Germany.
These data collection and storage procedures are performed on the basis of a Data Processing Agreement.
All data are stored in encoded form. It is impossible to access the personal data of any Influencer without its attributed storage ID-code.
In compliance with Article 5(1)(d), (e), (f) GDPR, we commit to the principles of “accuracy”, “storage limitation”, and “integrity and confidentiality”.
All personal data is kept with our third-party (sub)processors (service providers) on secure servers (Digital Ocean, and Hetzner), in full compliance with international information security requirements. Secure servers are all in possession of the ISO 27001 Information Security Management System certificates. We use the recommended industry practices to keep access to such data secure (mixture of common sense and best practices).
We have taken the necessary technical and organizational measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, but are not limited to:
We secure access to the premises via ID readers, so that only authorised persons have access. The ID cards can be blocked individually; access is also logged. Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorised persons. The alarm system is linked to a locking mechanism for the doors.
Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
We regulate access to our own systems via password procedures and the use of SSH keys of at least 1024 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet the following requirements: At least 8 characters long
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the close proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed in writing and is practised.
The handling of local data storage devices, e.g. USB sticks, is regulated via agreements.
Access to the systems from outside the company network is possible only via secure VPN access.
Our employees do not work directly at database level, but instead use applications to access the data.
IT employees access the system via individual access and use a common login, as there are very few employees and these sit in close proximity to each other and monitor each other by agreements and visual inspections.
We ensure the availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail. Critical services are operated redundantly in multiple data centres and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.
To separate data, we use logically separate databases so that no accidental reading of data by unauthorised persons can occur.
Access to the data itself is also restricted by the fact that employees use services (applications) which control access.
Our IT devices are equipped with passwords and encryption by default. In case of loss or theft of a device, the affected employee follows his/her duty of internal notification and we block all access, deactivate keys and change passwords.
In case of data breach (e.g. leakage), we commit to investigate the case, to timely notify the competent data protection authority, to evaluate damages and to communicate the investigation results to all customers whose personal data were impacted.
We take our responsibility seriously and have implemented a variety of technical and organizational measures to protect and secure personal data to the best of our ability in accordance with GDPR regulations (Articles 24, 25 and 32).
We do not rent, sell, or share Customer personal data with any third parties outside our organization, unless we are legally obligated to do so. In addition, we may use service providers to store and process such data, as stated in this Privacy Policy; however, these service providers are not allowed to access or use the data for any purpose other than providing the requested services.
We do provide a fee-based statistical service in relation to Influencer and Audience data. The recipients of such data are Customers of our Service.
We take the utmost care when handling Customer data and do not simply comply with disclosure orders until each request is rigorously assessed to ensure it is compliant with the relevant safety regulations, supported by a court order, or mandated by a legal procedure for the detection, prosecution, investigation or prevention of criminal activities.
If we utilize a (sub)processor to act on our behalf, we will ensure that appropriate contractual measures are in place to ensure that the (sub)processor provides a level of responsibility, security, and liability that is equivalent to that which is expected of us.
In any instance where a third party accesses your data on our behalf or according to our instructions (be it inside or outside the EEA), we use the applicable legal basis in order to remain in compliance with data protection laws. Where there has not been a decision by the European Commission confirming an adequate level of protection (Art. 45(1) GDPR), we rely on the standard data protection clauses adopted by the European Commission (Art. 46(2)(c) GDPR) to guarantee the necessary safeguards for your rights and personal data in case of third-party access or other data transfers outside the EEA.
In compliance with Article 5(1)(a), (d) GDPR, we commit to the principles of “lawfulness, fairness and transparency”, and “accuracy”.
Among those, you have the right to:
If we decide to process your personal information for any purpose that you do not approve of, we will notify you of the intended use and provide you with the relevant information. You will have the option of either consenting or not consenting to the use of your data, or we will take the necessary steps to fulfill our obligations under the law. You are not obligated to give your consent, and you have the right to refuse.
If you have provided your consent for the processing of your personal data, you can choose to withdraw your consent at any time by contacting our DPO (Data Protection Officer) and requesting to be removed from the mailing list at the following email address dpo@scanem.io. However, any processing of your personal data that has already taken place prior to your withdrawal of consent shall remain valid.
If your personal data was processed without your given consent (based on the legitimate interest), you have the right to request that we stop processing your personal data, and remove you from any mailing lists. This can be done by contacting our Data Protection Officer at dpo@scanem.io. However, any processing of your personal data that has already occurred will not be affected by this request. If you request that we rectify, erase, or restrict the processing of your data (by withdrawing your consent, for example), we will notify you as soon as your request has been fulfilled, in accordance with Articles 13(2)(c), 14(2)(d), and 19 of the General Data Protection Regulation (GDPR).
If your question is not resolved or is not resolved satisfactorily, you have the right to contact your local data protection authority (Art. 13(2)(d), 14(2)(e), 15(1)(f)). You can find the contact details of your local data protection authority here: https://edpb.europa.eu/about-edpb/board/members_en
You have the right to request information regarding the Customer that received the personal data from your social media profile, and Scanem is committed to providing this information to you. Within 72 hours of receiving your request, Scanem shall provide you with all information about the Customer.
You are entitled to request the removal of any data or content collected from our Service, which must be carried out within 72 hours of receiving your notification. Furthermore, all persons, companies, and auditors to whom such information has been shared must also delete the detailed information. You are permitted to log into your account and make any changes to your information that the system permits. Moreover, you can send a request to the support service to alter your personal information.
You have the right to request that your personal information not be sold to third parties. To exercise this right, please follow the link “Do not sell my personal information” at the bottom of our home page or send us an email with “Do not sell my personal information” to our DPO at dpo@scanem.io.
We utilize aggregated, anonymized electronic data collected from the use of our Sites and Services to manage, analyze, refine and develop our Sites and Services. This data is not used to make decisions about individual people; instead, it is processed to gain insight into how different types of users interact with our Sites and Services, so that we can continually improve them for our customers.
We collaborate with analytics providers like Google Analytics, who employ cookies and related technologies to gather and assess data surrounding the utilization of the Services and report on activities and trends. Google Analytics may additionally collect information related to the use of other sites, apps, and online resources. To learn about Google's practices, you can check out www.google.com/policies/privacy/partners, and to opt out of them, you can download the Google Analytics opt-out browser add-on.
In order to meet our legitimate interests and enhance the quality of our services, we may transfer personal data that is publicly accessible on social media to the following third-party providers:
Service providers such as HubSpot, Inc. and Google Inc. are located in the USA. We contracted with them via purchase of their software and maintenance services (to be used for marketing, payments processing, and communication with our customers) and via accepting their customer terms and conditions and privacy policies published on their websites:
Regarding the transfer of personal data under the scope of the GDPR, HubSpot and Google utilize the EU model contractual clauses.
We never knowingly collect, process or solicit any information from anyone aged 16 or younger. Our services are not intended to be used by or appeal to individuals of this age. Parents or guardians who believe that we are offering services to and processing personal data of children aged 16 and under may contact our DPO at dpo@scanem.io.
When we collect open data from social networks, it may be impossible to determine the real age of users. Our verification of the age of users is limited to the information openly provided by the social networks we collect from. In cases of incorrect, wrong or missing age data, the social networks are solely responsible for any violation of the applicable law regarding the personal data of children.
To keep you up to date, we will always notify you via email should we update this privacy policy.
Last updated and in effect as of: 25 February, 2023