Privacy Policy

General

Introduction

This Privacy Policy describes how Crisp Thinking Group Limited (trading as Crisp) (Company number: 05636614) with our registered offices located at Suite 1, Central Square, 29 Wellington Street, Leeds, LS1 4DL (“Crisp”, “we” or “our”) collects and processes personally identifiable information (“data”) in connection with: (1) this website (the “Site”) and; (2) the provision of services to our customers involving data contained in publicly available user generated content (“UGC”)(“you” or “your”).

This Privacy Policy has been drafted in order to document Crisp’s compliance with the European General Data Protection Regulations 2016/679) (“GDPR”) and provide you with information on how we use your data and what rights are available to you in relation to your data

Except where otherwise stated, for the purposes of this policy Crisp is the data controller and is responsible for your data.

The Crisp group consists of Crisp Thinking Group Limited, Crisp Thinking (UK) Limited and Crisp Thinking (US) Inc., and data may be shared with these companies for our business purposes; however, Crisp Thinking Group Limited will remain the data controller.

Changes to This Privacy Policy

Crisp has the discretion to update this Privacy Policy at any time. When we do, we will revise the updated date at the bottom of this page. We encourage you to frequently check this page for any changes to stay informed about how we use your data and how we keep it safe. You acknowledge and agree that it is your responsibility to review this Privacy Policy periodically and become aware of modifications. Please inform us if any data we may hold becomes incorrect or if any change to this policy means you wish to withdraw your consent to any processing.

Your Acceptance of These Terms

By using this website, you signify your acceptance of this policy. If you do not agree to this policy, please do not use the Site or contact us via the details below. Your continued use of the Site will be deemed your acceptance of these terms, as updated from time to time.

Supervisory Authority

You may lodge a complaint with the supervisory authority about our processing of your data under this Privacy Policy. The appropriate supervisory authority is the data protection regulator in your territory. If you live in the United Kingdom this is the Information Commissioner’s Office and you can report a concern at ico.org.uk/concerns.

Data Protection Officer

We have appointed a Data Protection Officer who is responsible for overseeing our data processing activities in accordance with this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the Data Protection Officer using the details set out below.

Contacting Us

If you have any questions about this Privacy Policy, our services, the practices of the Site, or your dealings with the Site, please contact us at:

Crisp Thinking Group Ltd
Central Square, Suite 1, Floor 1, Whitehall Road, Leeds, LS1 4DL, UK
T: +44 (0) 203 870 3338
E: Email us

Your Rights

You have various rights under applicable law to how we use your data. In addition to any other rights you may have under applicable law you may:

• Request access to your data (more commonly referred to as a subject access request (“SAR” or “DSAR”)) - this allows you to receive a copy of the data we hold about you and to check how we process such data;
• Request the correction of any errors or omissions in your data – this allows you to correct any incomplete or inaccurate data we hold about you;
• Object to processing of your data - where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your rights and freedoms.
• Request the restriction of further processing of your data – this allows you to suspend the processing of your data in the following scenarios:
  1. If you want to establish the data’s accuracy;
  2. Where our use of the data is unlawful, but you do not want us to erase it;
  3. Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims;
  4. You have objected to our use but we need to verify whether we have an overriding legitimate interest to continue using it.
• Request the erasure of any of your data we may hold - this enables you to ask us to delete or remove data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have successfully exercised your right to object to processing, where we may have processed your data unlawfully or where we are required to erase your data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request;
• Request the transfer of your data – we will provide you or a third party nominated by you, your data in a structured, commonly used, machine-readable format. This right only applies to data processed with your explicit consent or for the performance of a contract that is carried out by automated means; and
• Withdraw your consent to the processing – where we rely on consent to process your data, you may withdraw this at any time by providing us with notice. In some situations, we may not be able to provide you with certain services where consent has been withdrawn.

Storage and security

We may transfer your data to, and store it in, a country other than your own including countries outside of the European Economic Area (“EEA”). That country may not provide the same level of data protection as your own country. However, we will ensure that where such a transfer is made there are technical and operational security measures in place to protect your data to an equivalent standard as what would be expected in your country of residence. Whenever we transfer your data outside of the EEA, we will take steps which are reasonably necessary to ensure that adequate safeguards are in place to protect your data and to make sure it is treated securely. If you are located in the EEA, you may contact us for additional information on the safeguards which we have put in place to protect your data and privacy rights in these circumstances.

The servers in which we hold your data have appropriate administrative, technical, organisational and physical controls that are designed to safeguard your data, including industry-standard encryption technology. We may also store some data in the cloud. We only use recognised cloud storage providers with appropriate levels of security, but due to the nature of cloud storage your data may not be stored in your country of residence and may be split between multiple locations.

Please note that we cannot always delete all records of all historical data. For example, we are required to retain certain records for financial reporting, legal and compliance reasons, or in certain circumstances it may be necessary to retain limited records to prevent further processing of your data. We will however endeavour to delete the maximum amount of your data possible.

Governing law and jurisdiction

English law governs this Privacy Policy and any dispute or claim related to it. Each party agrees that the English courts will have exclusive jurisdiction over this Privacy Policy and any dispute or claim arising in connection with it, whether contractual or otherwise.

Our Websites

Data

We may collect data from you in a variety of ways, including, but not limited to, when you visit our site, fill out a form, and in connection with other activities, services, features or resources we make available on our Site. We will collect data from you only if you voluntarily submit such data to us or as otherwise may be collected by Cookies. Data collected by Cookies may include, a device id, IP address or location settings provided by your browser. You can always refuse to supply data but it may affect the functionality of the Site.

Cookies

Our Site may use "cookies" to enhance your experience. Your web browser places cookies on your hard drive for record-keeping purposes and sometimes to track information. We will never place a Cookie on your device without your explicit consent, unless it is strictly necessary e.g. cookies designed to balance the load on the website. You may choose to set your web browser to refuse cookies, or to alert you when cookies are being sent. You can change preference to our use of Cookies at any time by accessing your cookie preferences via their browser. If you choose not to accept cookies please, note that some parts of the Site may not function properly.

How We Use Your Data

Crisp may collect and use your data for the following purposes:

• To improve customer service:
  Data you provide helps us respond to your customer service requests and support needs more efficiently.
• To personalize user experience:
  We may use data in the aggregate to understand how our users as a group use the services and resources provided on our Site.
• To improve our Site:
  We may use feedback you provide to improve our products and services.
• To send periodic emails:
  We may use the email address to respond to their inquiries, questions, and/or other requests. If you decide to opt-in to our mailing list, you will receive emails that may include company news, updates, related product or service information, etc. If at any time you would like to unsubscribe from receiving future emails, we include detailed unsubscribe instructions at the bottom of each email or you may contact us via our Site.
• To respond to enquiries:
  Our sales team may use the contact details provided in the enquiry form to respond to your enquiry about our services.
• To process your application for a role at Crisp:
  We will use the information you provide as part of our application process for a role at Crisp. We may use information provided anonymised and in aggregate as part of our internal reporting on our hiring process and to improve the experience for users. We may contact you about future vacancies at Crisp, and you may withdraw your consent for the use of your data in this way at any time by email or using the contact us section on our Site.

How We Protect Your Data

We have put in place appropriate security measures to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures cover the collection, storage and use of the data. In addition, we limit access to your data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your data in accordance with our instructions and are under contractual duties to keep your data secure and confidential.

We have put in place procedures to deal with any suspected data breach and where permitted by applicable laws we will notify you and an applicable regulator promptly in accordance with any time limits that may be imposed by applicable data protection laws.

Sharing Your Data

We do not sell your data to others. We may share generic aggregated and anonymised demographic information not linked to any data regarding visitors with our business partners, trusted affiliates and advertisers for the purposes outlined above.

We may use third party service providers to help us operate our business and the Site or administer activities on our behalf, such as sending out newsletters or surveys, or to provide server hosting or cloud storage for data etc. We may share your data with these third parties for those limited purposes. We enter into contracts with all third parties who process data on our behalf that impose strict requirements in relation to the expected levels of security, as well as a requirement to respect the confidentiality of your data and comply with all applicable data protection laws. We do not allow third parties to use your data for their own purposes and any processing must be in accordance with our instructions.

We may also share your data with our subsidiaries or other group companies. We ensure that each company in our group complies with an equivalent standard of data protection and will comply with the terms of this Privacy Policy.

We may transfer your data outside of the European Economic Area (“EEA”). Where we do so, we shall ensure that your data is subject to technical, organisational and contractual requirements to provide an equivalent level of protection as required under applicable law in the jurisdiction in which you reside.

Data Retention

We will only retain your data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your data in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you. The exercise of certain rights may mean we are still required to retain some data, for example if you exercise both your right to erasure and your right to object to any future processing, we may need to retain some basic data despite you exercising your right to erasure in order to prevent any further processing, but shall not use the data for any other purpose.

Third Party Websites

You may find content on our Site that links to the sites and services of our partners, suppliers, advertisers, sponsors, licensors and other third parties. We do not control the content or links that appear on these sites and are not responsible for the practices employed by websites linked to or from our Site. In addition, these sites or services, including their content and links, may be constantly changing. These sites and services will have their own privacy policies and customer service policies and we are not responsible for the content of such Privacy Policy or how they might use your data. Browsing and interaction on any other website, including websites which have a link to our Site, is subject to that website's own terms and policies. If you click on any such link we would encourage you to review and familiarise yourself with such policies and terms and conditions.

Accessing Data

We may need specific information or documentation to assist us in confirming your identity and to ensure that your data is adequately protected against unauthorised access, this may include you providing proof of identity. This is purely in place as a method to protect your data against third parties who may try to access it. In addition, we may contact you to request further information on what data you require. This is intended to speed to up the process for you and to assist you where you have a specific enquiry you are trying to address.

We will aim to respond to all legitimate DSARs within one month. Occasionally, if the request is particularly complex or you have a number of requests, or large amounts of data is concerned it may take longer than one month. However, we will notify you of this once it becomes clear that it will take longer than one month and will provide you with updates on expected timescales.

You are not required to pay a fee to access your data or exercise your other rights. However, we may charge a reasonable fee in the event you make repeated, excessive or clearly unfounded requests. Additionally, where permitted we may refuse to comply with your request in these circumstances.

Our Services

General

We search and index publicly available information (including data) from the social media platforms, applications and wider web sources (each a “Sources”). We also contract directly with third party providers to gain access to their data. The details of how these third-party providers may use and share such data will be contained in their own Privacy Policy. In each case, the data that we have access to is published or made publicly available by you. This data is then collated and stored in our database to enable us to detect harmful online content, moderate our customers’ social media channels or identify potential concerns relevant to our customers e.g. potential product safety concerns (our “Services”). Where we provide certain moderation services on customer owned Sources, we act as a data processor on behalf of the customer. Where we search and index Sources for crisis detection, we act as a data controller of the data we collect.

All of the content that we access as data controller is publicly available but, depending on the nature of the content submitted or posted on the publicly available location, may contain data about you, such as names or other identifiers used in connection with social media profiles, or any other data that may be posted in the form of a comment or post e.g. any emails, addresses etc.

In addition to any direct rights that you may have via your relationship with the Sources, you also have certain rights relating to your data that we process, as set out in this Privacy Policy or any legislation on privacy and data protection that provides additional rights in the jurisdiction in which you reside.

Data we collect about you

The data we collect varies between Sources and depends on what data you choose to make publicly available, whether through the content of your post or by using the Source’s privacy settings to reduce the publicly available data. It may include but is not limited to the following:

1. your name, username, handle, or other unique identifier;
2. the content of the data you have published on a Source including comments, images, videos, posts etc.;
3. your profile picture or other images or videos that you post or interact with;
4. your age or date of birth;
5. your job title or profession or employer;
6. your education (including level of education and/or schools attended);
7. your interests;
8. your location;
9. your gender; and
10. any other data you publish on a Source that we search or on a third-party provider’s databases or platforms that provide data to us.

In addition to the data you make available about yourself, we may also use that data to draw inferences about you.

We analyse the content of the data you publish in order to detect online harmful content and moderate such content on those Sources. In addition, we also analyse data published to identify potential issues for our customers and their businesses.

Using your data

The legal basis for the data that we process is pursuant to our legitimate interests. Our legitimate interests are in providing our Services to our customers, which includes the detection and prevention of online harm.

We also use the data in ways related to, but ancillary, to the Services that we offer. For example, we may use the data to comply with our legal obligations or enforce our rights, including the legal obligations or enforcement of rights of third parties. We may also use the data to improve our Services or to develop new products.

Although it is the responsibility of our customers to use our Services properly, we do put in place safeguards to protect your data, both contractually and through organisation and technical measures. We require our customers to comply with applicable law, including data protection laws (in particular the requirements of GDPR), when using our Services. We also prohibit our customers from using our Services, including your data, in a way that does not comply with our instructions or is in a way you would not reasonably expect your data to be used.

When we infer data about you, some of this may be done automatically. The inferences are based on algorithms that analyse the data that you have published. We do not make any decisions about you based on the data that we process about you (inferred or not), other than the automated removal of Source content. In addition to the algorithms we combine this with human experts to review content.

Where your content constitutes a breach of a Source’s terms and conditions, we may report this to the Source owner. Additionally, if your content constitutes a criminal offence e.g. distributing terrorist propaganda, we reserve the right to process the data for the purpose of reporting this to the relevant authorities in the jurisdiction you are based.

Sharing your data

We may share your data with selected third parties, including our business partners, customers, suppliers, and sub-contractors, for the performance of any contract we enter into with them. We may also share your data with analytics providers, and research institutes that assist us with improving our services. From time to time we also contribute to educational journals, research projects and consultations on online safety, and may share data in order to further the aims of these projects. Where practical, we shall take steps to anonymise and aggregate the data.

We may also disclose your data to third parties in other limited circumstances, for example, in a merger scenario, we may disclose your data to the prospective acquirer. If we, or substantially all of our assets or business, are acquired by any third party, your data may be part of the transferred assets.

If any third-party processes any of your data, we ensure there are sufficient contractual, technical and operational safeguards protecting your data, including strict requirements on data protection and the confidentiality of the data. For any transfer under paragraph 2 of this clause 3.4, the third party shall have no rights to use the data other than for the assessment of the transaction.

We do not under any circumstances sell your data to others.

We will not use the data collected by us to provide targeted direct marketing or any other type of marketing aimed at you and we do not permit any third parties we do business with to use the data to send unsolicited marketing to you.

Accuracy and retention

Most of the data we hold about you comes directly from the content that you have published on the Sources. If it is inaccurate or incorrect, we advise you to fix it on the original Source in which you published that data. Where we infer data about you, it is our aim to ensure that any of this additional data is accurate and kept up to date. You may inform us by email about any inaccuracies you may be aware of and request that our records be amended or updated.

We will retain any data about you for as long as it is reasonably necessary for us to provide the Services. However, if you request that we delete your data, we will also delete your data from our Services. Please note that where we act as a data processor for our customers, we are only able to delete data in our direct possession, we will be unable to delete any data held by the social media platform or by our customer and you should contact them directly as the data controllers to exercise your rights. If you wish to request the deletion of any content, please email us.

Profiling & Automated Decision Making

We may use the data we gather and analyse on you to build profiles to detect online harmful content. We use such profiles to make the Sources safer by identifying online harms and always weigh any action taken against an individual’s rights. You have the right to object to your data being used for profiling and can contact us via email to request we refrain from further processing.

Crisp may use your data to make automated decisions in accordance with our customer’s specifications. For example, if we were to moderate social media pages aimed at children, we may automatically remove any posts containing swear words or sexual imagery that are not deemed suitable for children. For anything that may have a more significant impact on an individual than the deletion of a post our algorithms will escalate the post to a human for review. If you believe the deletion of any post was in error or wish to challenge such deletion you can do so directly via the Sources tools or by contacting by email and we will review the decision.

Privacy practices of third parties

This Privacy Policy only addresses our collection, processing, and use (including disclosure) of your data. Our customers and other third parties that may have access to your data where they are the controller of that data can use it in other ways in accordance with their own privacy practices and applicable law. For the avoidance of doubt any data we share with third parties where we are the data controller can only be used as part of our provision of the Services. Please consult the privacy policies of any online Sources you may use for more information about how they may use and share data you publish.