Except where otherwise stated, for the purposes of this policy Crisp is the data controller and is responsible for your data.
The Crisp group consists of Crisp Thinking Group Limited, Crisp Thinking (UK) Limited and Crisp Thinking (US) Inc., and data may be shared with these companies for our business purposes; however, Crisp Thinking Group Limited will remain the data controller.
Your Acceptance of These Terms
By using this website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use the Site or contact us via the details below. Your continued use of the Site will be deemed your acceptance of these terms, as updated from time to time.
Data Protection Officer
Crisp Thinking Group Ltd
Central Square, Suite 1, Floor 1, Whitehall Road, Leeds, LS1 4DL, UK
T: +44 (0) 203 870 3338
E: Email us
You have various rights under applicable law in relation to how we use your data. In addition to any other rights you may have under applicable law you may:
- Request access to your data (more commonly referred to as a subject access request (“SAR” or “DSAR”)) - this allows you to receive a copy of the data we hold about you and to check how we process such data;
- Request the correction of any errors or omissions in your data – this allows you to correct any incomplete or inaccurate data we hold about you;
- Object to processing of your data - where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
- Request the restriction of further processing of your data – this allows you to suspend the processing of your data in the following scenarios:
  - If you want to establish the data’s accuracy;
  - Where our use of the data is unlawful, but you do not want us to erase it;
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;
  - You have objected to our use but we need to verify whether we have an overriding legitimate interest to continue using it.
- Request the erasure of any of your data we may hold - this enables you to ask us to delete or remove data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have successfully exercised your right to object to processing, where we may have processed your data unlawfully or where we are required to erase your data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
- Request the transfer of your data – we will provide you or a third party nominated by you, your data in a structured, commonly used, machine-readable format. This right only applies to data processed with your explicit consent or for the performance of a contract that is carried out by automated means; and
- Withdraw your consent to the processing – where we rely on consent to process your data, you may withdraw this at any time by providing us with notice. In some situations, we may not be able to provide you with certain services where consent has been withdrawn.
Storage and security
We may transfer your data to, and store it in, a country other than your own, including countries outside of the European Economic Area (“EEA”). That country may not provide the same level of data protection as your own country. However, we will ensure that where such a transfer is made there are technical and operational security measures in place to protect your data to a standard equivalent to what would be expected in your country of residence. Whenever we transfer your data outside of the EEA, we will take steps which are reasonably necessary to ensure that adequate safeguards are in place to protect your data and to make sure it is treated securely. If you are located in the EEA, you may contact us for additional information on the safeguards which we have put in place to protect your data and privacy rights in these circumstances.
The servers in which we hold your data have appropriate administrative, technical, organisational and physical controls that are designed to safeguard your data, including industry-standard encryption technology. We may also store some data in the cloud. We only use recognised cloud storage providers with appropriate levels of security, but due to the nature of cloud storage your data may not be stored in your country of residence and may be split between multiple locations.
Please note that we cannot always delete all records of all historical data. For example, we are required to retain certain records for financial reporting, legal and compliance reasons, or in certain circumstances it may be necessary to retain limited records to prevent further processing of your data. We will however endeavour to delete the maximum amount of your data possible.
Governing law and jurisdiction
We may collect data from you in a variety of ways, including, but not limited to, when you visit our site, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. We will collect data from you only if you voluntarily submit such data to us or as otherwise may be collected by Cookies. Data collected by Cookies may include a device ID, IP address or location settings provided by your browser. You can always refuse to supply data but it may affect the functionality of the Site.
How We Use Your Data
Crisp may collect and use your data for the following purposes:
- To improve customer service:
Data you provide helps us respond to your customer service requests and support needs more efficiently.
- To personalize user experience:
We may use data in the aggregate to understand how our users as a group use the services and resources provided on our Site.
- To improve our Site:
We may use feedback you provide to improve our products and services.
- To send periodic emails:
We may use your email address to respond to your inquiries, questions, and/or other requests. If you decide to opt in to our mailing list, you will receive emails that may include company news, updates, related product or service information, etc. If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or you may contact us via our Site.
- To respond to enquiries:
Our sales team may use the contact details provided in the enquiry form to respond to your enquiry about our services.
How We Protect Your Data
We have put in place appropriate security measures to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures cover the collection, storage and use of the data. In addition, we limit access to your data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your data in accordance with our instructions and are under contractual duties to keep your data secure and confidential.
We have put in place procedures to deal with any suspected data breach and where permitted by applicable laws we will notify you and an applicable regulator promptly in accordance with any time limits that may be imposed by applicable data protection laws.
Sharing Your Data
We do not sell your data to others. We may share generic aggregated and anonymised demographic information not linked to any data regarding visitors with our business partners, trusted affiliates and advertisers for the purposes outlined above.
We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys, or to provide server hosting or cloud storage for data etc. We may share your data with these third parties for those limited purposes. We enter into contracts with all third parties who process data on our behalf that impose strict requirements in relation to the expected levels of security, as well as a requirement to respect the confidentiality of your data and comply with all applicable data protection laws. We do not allow third parties to use your data for their own purposes and any processing must be in accordance with our instructions.
We may transfer your data outside of the European Economic Area (“EEA”). Where we do so, we shall ensure that your data is subject to technical, organisational and contractual requirements to provide an equivalent level of protection as required under applicable law in the jurisdiction in which you reside.
We will only retain your data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your data in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. The exercise of certain rights may mean we are still required to retain some data, for example if you exercise both your right to erasure and your right to object to any future processing, we may need to retain some basic data despite you exercising your right to erasure in order to prevent any further processing, but shall not use the data for any other purpose.
Third Party Websites
We may need specific information or documentation to assist us in confirming your identity and to ensure that your data is adequately protected against unauthorised access; this may include you providing proof of identity. This is purely in place as a method to protect your data against third parties who may try to access it. In addition, we may contact you to request further information on what data you require. This is intended to speed up the process for you and to assist you where you have a specific enquiry you are trying to address.
We will aim to respond to all legitimate DSARs within one month. Occasionally, if the request is particularly complex, you have a number of requests, or large amounts of data are concerned, it may take longer than one month. However, we will notify you of this once it becomes clear that it will take longer than one month and will provide you with updates on expected timescales.
You are not required to pay a fee to access your data or exercise your other rights. However, we may charge a reasonable fee in the event you make repeated, excessive or clearly unfounded requests. Additionally, where permitted we may refuse to comply with your request in these circumstances.
All of the content that we access as data controller is publicly available but, depending on the nature of the content submitted or posted on the publicly available location, may contain data about you, such as names or other identifiers used in connection with social media profiles, or any other data that may be posted in the form of a comment or post e.g. any emails, addresses etc.
Data we collect about you
The data we collect varies between Sources and depends on what data you choose to make publicly available, whether through the content of your post or by using the Source’s privacy settings to reduce the publicly available data. It may include but is not limited to the following:
- your name, username, handle, or other unique identifier;
- the content of the data you have published on a Source including comments, images, videos, posts etc.;
- your profile picture or other images or videos that you post or interact with;
- your age or date of birth;
- your job title or profession or employer;
- your education (including level of education and/or schools attended);
- your interests;
- your location;
- your gender; and
- any other data you publish on a Source that we search or on a third-party provider’s databases or platforms that provide data to us.
In addition to the data you make available about yourself, we may also use that data to draw inferences about you.
We analyse the content of the data you publish in order to detect online harmful content and moderate such content on those Sources. In addition, we also analyse data published to identify potential issues for our customers and their businesses.
Using your data
The legal basis for the data that we process is pursuant to our legitimate interests. Our legitimate interests are in providing our Services to our customers, which includes the detection and prevention of online harm.
We also use the data in ways related, but ancillary, to the Services that we offer. For example, we may use the data to comply with our legal obligations or enforce our rights, including the legal obligations or enforcement of rights of third parties. We may also use the data to improve our Services or to develop new products.
Although it is the responsibility of our customers to use our Services properly, we do put in place safeguards to protect your data, both contractually and through organisational and technical measures. We require our customers to comply with applicable law, including data protection laws (in particular the requirements of GDPR), when using our Services. We also prohibit our customers from using our Services, including your data, in a way that does not comply with our instructions or in a way you would not reasonably expect your data to be used.
When we infer data about you, some of this may be done automatically. The inferences are based on algorithms that analyse the data that you have published. We do not make any decisions about you based on the data that we process about you (inferred or not), other than the automated removal of Source content. We combine these algorithms with human experts who review content.
Where your content constitutes a breach of a Source’s terms and conditions, we may report this to the Source owner. Additionally, if your content constitutes a criminal offence, e.g. distributing terrorist propaganda, we reserve the right to process the data for the purpose of reporting this to the relevant authorities in the jurisdiction in which you are based.
Sharing your data
We may share your data with selected third parties, including our business partners, customers, suppliers, and sub-contractors, for the performance of any contract we enter into with them. We may also share your data with analytics providers, and research institutes that assist us with improving our services. From time to time we also contribute to educational journals, research projects and consultations on online safety, and may share data in order to further the aims of these projects. Where practical, we shall take steps to anonymise and aggregate the data.
We may also disclose your data to third parties in other limited circumstances, for example, in a merger scenario, we may disclose your data to the prospective acquirer. If we, or substantially all of our assets or business, are acquired by any third party, your data may be part of the transferred assets.
If any third party processes any of your data, we ensure there are sufficient contractual, technical and operational safeguards protecting your data, including strict requirements on data protection and the confidentiality of the data. For any transfer under paragraph 2 of this clause 3.4, the third party shall have no rights to use the data other than for the assessment of the transaction.
We do not under any circumstances sell your data to others.
We will not use the data collected by us to provide targeted direct marketing or any other type of marketing aimed at you and we do not permit any third parties we do business with to use the data to send unsolicited marketing to you.
Accuracy and retention
Most of the data we hold about you comes directly from the content that you have published on the Sources. If it is inaccurate or incorrect, we advise you to fix it on the original Source in which you published that data. Where we infer data about you, it is our aim to ensure that any of this additional data is accurate and kept up to date. You may inform us by email about any inaccuracies you may be aware of and request that our records be amended or updated.
We will retain any data about you for as long as it is reasonably necessary for us to provide the Services. However, if you request that we delete your data, we will also delete your data from our Services. Please note that where we act as a data processor for our customers, we are only able to delete data in our direct possession; we will be unable to delete any data held by the social media platform or by our customer, and you should contact them directly as the data controllers to exercise your rights. If you wish to request the deletion of any content, please email us.
Profiling & Automated Decision Making
We may use the data we gather and analyse on you to build profiles to detect online harmful content. We use such profiles to make the Sources safer by identifying online harms and always weigh any action taken against an individual’s rights. You have the right to object to your data being used for profiling and can contact us via email to request we refrain from further processing.
Crisp may use your data to make automated decisions in accordance with our customer’s specifications. For example, if we were to moderate social media pages aimed at children, we may automatically remove any posts containing swear words or sexual imagery that are not deemed suitable for children. For anything that may have a more significant impact on an individual than the deletion of a post, our algorithms will escalate the post to a human for review. If you believe the deletion of any post was in error or wish to challenge such deletion, you can do so directly via the Source’s tools or by contacting us by email, and we will review the decision.
Privacy practices of third parties