Privacy and Security Policy

Last updated: May 25, 2018

Who we are

We are a Danish company Flagit ApS (“us”, “we”, or “our”) and have our registered office at Frederiksgade 7, 4th floor, 1265 Copenhagen K, Denmark. Company registration number (VAT) DK35868089. We operate the Flagit mobile application, website and connected services (jointly the “Flagit Services” or “Service”).

We are the data controller responsible for the processing of personal data through Flagit Services. By using Flagit Services you are entering into a binding contract with us (“Flagit”). The agreement (“Agreement”) includes this Privacy and Security Policy and Flagit’s User Terms of Service.

If you disagree with any part of the Agreement then you may not access Flagit Services.

Introduction

Thank you for taking the time to study Flagit’s Privacy and Security Policy.

This Privacy and Security Policy is designed to be open and transparent to people (“you”, “user”, “your”).

At Flagit, we take the protection of data extremely seriously. This Privacy and Security Policy describes the organizational and technical measures we implement to prevent unauthorized access, use, alteration or disclosure of all and any data. We also tell you about the data we collect and process.

Our Privacy and Security Policy has been reviewed and rewritten in accordance with the European General Data Protection Regulation. If you would like to find out more about our Privacy and Security Policy, security or submit a request regarding your personal data, please contact us at [email protected].

Statement

This document informs you of our policies regarding the collection, use and disclosure of Personal Information when you use our Service.

We will not use or share your information with anyone except as described in this Privacy and Security Policy.

We use your Personal Information for providing and improving the Service. By using the Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy and Security Policy, terms used in this Privacy and Security Policy have the same meanings as in our Terms of Service.

How and what information may we obtain

While using our Service, you may provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information (“Personal Information”) may include, but is not limited to:

  • Account details (phone number, which we use to identify you as a user)
  • Profile information (such as, but not limited to, name, birthdate, gender, photo)
  • Location information (such as your position on the map)
  • Personal data included in content uploaded by you to our Service
  • Personal data included in your assignment responses posted by you to our Service
  • Contact information (such as phone number, email or postal address)
  • Information about your usage of our Service
  • Log data (such as your device information, see more under Log data)
  • Any other information that you have provided us voluntarily (such as comments on social media, comments in AppStore, the information you wrote us via email or through other communication channels)

We may collect other types of personal data if required under applicable law or if necessary for the purposes listed below. We will then inform you and ensure that there is a valid legal basis for doing so.

How may we use this information

The purpose of collecting the above-mentioned information is (1) to identify you as the user, (2) to optimize the Service, (3) to better serve you as a user, (4) to be able to pay you for your service, (5) to abide by applicable law and regulations, (6) to enforce the agreement between you and Flagit, (7) to protect the rights, safety and property of Flagit, the users and others, and (8) to create anonymized statistics, reports and conduct generic data mining.

You should be aware that the main purpose of Flagit is to use information collected through Flagit Services to help companies and organisations (“Clients”) to observe, get inspiration, get answers to their most pressing questions, to get feedback, and to co-create with their audience, you and other Flagit users.

Flagit makes the best possible effort to anonymise your Personal Information, so our Clients only get to know the audience by demographic information (such as age and gender). No Account details, Profile information or Contact information (see above) are shared.

Flagit generates anonymised reports and statistics for commercial purposes, selling such reports and statistics to Clients, and also to show and promote the success of the Service and thereby recruit more merchants and more users and expand the benefits and offerings made available via the Service to you and other users. Flagit believes that being upfront about this is just good business.

Please read the “Assignment responses and feedback” section to learn more about how you can make sure that your Personal Information stays anonymised.

How may we share personal data

We may share the personal information we collect and receive on a need to know basis with the following third parties:

  1. Service providers
  2. Competent public authorities or other third parties, if required by law or reasonably necessary to protect the rights, property and safety of ourselves or others.
  3. We may also transfer your personal data in the event that we sell or transfer all or a portion of our business or assets on a need to know basis. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use personal data you have provided to us in a manner that is consistent with applicable law and this Privacy Statement.

We do not sell, rent or trade your Personal Information.

Assignment responses and feedback

We store information that you voluntarily post through our Service as assignment responses and feedback:

  • Textual responses
  • Image responses
  • Smiley responses
  • Poll responses

We use assignment responses and feedback in combination with anonymised demographical data and location information to provide Flagit’s Clients with:

  • Anonymised answers to their questions
  • Aggregated and anonymised insights and reports

We advise you not to post any Personal Information that might reveal your identity to the third party (such as name, contact information, personal image etc.) through assignment responses and feedback. This is for your own safety and wellbeing.

It is Flagit’s primary concern to keep you anonymous and disguised, but it is also your own responsibility to make sure that your responses can’t be traced back to you.

Please contact us if you have any questions, suggestions or concerns on that matter.

Location information

Our Service doesn’t record your position continuously and doesn’t track your movement.

We use and store only limited information about your location if you permit us to do so, and only when such information is required for our Service to function. We use this information to provide the most essential features of our Service, and to improve and customise our Service to your personal needs.

We use the following technologies built into your mobile device to achieve the needed level of position accuracy to be able to provide you with the most relevant information in Flagit:

  • GPS (Global Positioning System)
  • Bluetooth
  • WiFi
  • QR codes

You can enable or disable location services when you use our Service at any time, through your mobile device settings. However, if you do not allow Flagit to use location services, you will not be able to use most of our Service, as our Service is strongly dependent on Location information.

You can also partially disable location services by switching WiFi or Bluetooth off on your device. In that case, you might miss out on some Services that can be relevant to you.

We use location information to be able to:

  • Provide you with relevant assignments. Most types of assignments in our Service are based on geographical position and can only be shown to the audience present at that location. For that purpose we
  • Notify you about new assignments in the area of your last seen location or the area of hidden assignments, accessible only through iBeacons (Bluetooth devices).
  • Position your assignment responses and feedback on the map. All posts from you have their own position.

GPS position (precision by WiFi) is only read while the Flagit app is in an active state, meaning you have the Flagit app open on your device. We only read this information when it is required. The last position obtained this way is saved as your last seen location.

Bluetooth is used so your mobile device can watch for other devices, such as iBeacons. These devices are placed in hidden locations and allow you to see hidden assignments that you might discover while using our Services. Only if you choose to respond to such assignments do we gather metadata that identifies where such a device was placed.

QR codes can also be placed at physical locations and can contain information identifying that location. Scanning a QR code will reveal hidden assignments or feedback options which you can respond to. Only if you choose to respond to such assignments do we gather metadata that identifies where such a QR code was placed.

Cookies

Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer’s hard drive.

We use “cookies” to be able to:

  • Identify if you previously installed the Flagit app, so we don’t repeatedly show you our welcome screen
  • Improve your user experience and transition from the physical marker (such as a QR code) to our website and then into a specific part of our mobile app
  • Collect relevant metadata from the physical location
  • Collect anonymised statistical data to be able to improve your user experience of our Service

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service.

Log data

There is specific technical information (“Log data”) about devices accessing our service that needs to be collected, for us to be able to:

  • Keep our Service safe and secured
  • Identify suspicious behaviour and prevent exploitation of our Service
  • Target functionality to the needed device
  • Understand user behaviour and provide better Service

We collect information that your browser sends whenever you visit our Service. This Log Data may include information such as your computer’s Internet Protocol (“IP”) address, browser type, browser version, the pages of our Service that you visit, the time and date of your visit, the time spent on those pages and other statistics.

Also, we may use third-party services such as Google Analytics that collect, monitor and analyse this type of information to increase our Service’s functionality. These third-party service providers are listed in the Service providers section.

When you access the Service by or through a mobile device, we may collect certain information automatically, including, but not limited to, the type of mobile device you use, your mobile device token, the IP address of your mobile device, your mobile operating system, the kind of mobile Internet browser you use and other statistics.

Security

To help protect the privacy of the data and personally identifiable information you provide to us and that we learn from you, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. Also, we will take reasonable steps to assure that third parties to whom we transfer any data will provide sufficient protection of personal information. We restrict access to our databases to a few key employees and only so that we can improve the Services we provide. Also, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.

How is my data safe?

We take the needed measures to keep your data secure:

  • SSL/TLS is used to secure data flow between server and client (mobile and web)
  • All services on the server side are hardened by customising their security configurations
  • Security tools (firewall, fail2ban, ssh) are used and configured
  • API uses special techniques to prevent XSS, SQL injection, and other known attacks
  • Servers are regularly updated and tested
  • Servers are monitored

How do we protect personal data?

We maintain appropriate technical and organisational security safeguards designed to protect your personal data against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use. However, due to the inherent open nature of the Internet, we cannot guarantee that communications between you and us or the personal information stored are entirely secure. We will notify you of any data breach that is likely to have unfavourable consequences for your privacy in accordance with applicable law.

Where is my data stored?

All Flagit information is securely stored on Linode servers in EU (more on Linode security https://www.linode.com/compliance). All images are securely stored on AWS S3 in EU (more on AWS security https://aws.amazon.com/security/).

Service providers

We may employ third party companies and individuals to facilitate our Service, to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.

These third parties have access to your Personal Information only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Our current list of service providers, whose services we depend on to provide you with our Service:

  • We use Linode (for Hosting) to host our databases and web services (see policy).
  • We use CloudFlare (for CDN) to distribute our resources for our marketing website, including downloads of the app itself (see policy)
  • We use PayPal (for Payouts) to be able to transfer money to the users (see policy).
  • We use AWS S3 (for Image storage) to store images published through our Service (see policy).
  • We use Google Analytics (for Analytics) to track page views and mobile app events to improve the usability of our mobile app and website (see policy).
  • We use Google Maps (for Maps) to show you your location on the map and to show you the distance to the closest assignments (see policy).
  • We use Nexmo (for SMS) to send you single-use activation codes and service messages (see policy).
  • We use Google Android and Apple iOS (for Mobile apps) to provide you with mobile experience of our Service
  • We use Facebook (for Advertisement) to promote our Service on social media (see policy)

International transfer

Your information, including Personal Information, may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the data protection laws may differ from those in your jurisdiction.

If you are located outside of EU and choose to provide information to us, please note that we transfer the data, including Personal Information, to EU and process it there.

Your consent to this Privacy and Security Policy followed by your submission of such information represents your agreement to that transfer.

Links to other sites

Our Service may contain links to other sites that are not operated by us. If you click on a third party link, you will be directed to that third party’s website. We strongly advise you to review the Privacy and Security Policy of every website you visit.

We have no control over and assume no responsibility for the content, privacy policies or practices of any third party sites or services.

Compliance with laws

We reserve the right to disclose your personal data based on the request of public authorities, including tax authorities, police and justice, and in cases where Flagit under applicable law is obliged to do so. In such cases, we may require additional Personal Information from you, which you will be asked to provide at the next use of the Service. You will not be able to continue your use of the Service until the necessary information is delivered to us.

Children’s privacy

Our Service does not address anyone under the age of 18 (“Children”).

We do not knowingly collect personally identifiable information from children under 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Information, please contact us. If we discover that a child under 18 has provided us with Personal Information, we will delete such information from our servers.

If you know of minors that are using our mobile app, please let us know.

Your personal rights

You have all the rights afforded to you under General Data Protection Regulation, including:

  1. Right of access which means that you have the right to know whether data concerning you is being processed and access it
  2. Right to rectification means that your personal data must be correct and corrected upon your request
  3. Right to erasure or right to be forgotten means right to have your personal data deleted in most cases
  4. Right to the restriction of processing means essentially being informed about the processing of your data and objecting to parts or all of it
  5. The right to be informed about a variety of items, but most importantly, about your processed data being a subject of a data breach
  6. The right to data portability means that you have a right to receive portions of your data for your own use in a readable format or, if possible, transferred to another data processor
  7. The right to object means that you may object to processing your data on any grounds and this has to be both acknowledged and properly assessed
  8. The right to opt out of automatic profiling means that you can demand to have a human involved in automated decisions about you, taken based on personal data

You can make use of your rights by writing to Flagit at the below address. However, use of the Service and provision of information to Flagit is voluntary; if you object to Flagit gathering information on you or demand deletion of all or substantially all information on you, Flagit might not be able to, or might refuse to, continue providing the Service to you.

Complaints

Please let us know if you would like to find out more about your rights when using Flagit by contacting us on [email protected].

Apart from complaining directly to Flagit at the above address, you are also entitled to complain to the Danish Data Protection Agency (“Datatilsynet”). You can do so here:

http://www.datatilsynet.dk/om-datatilsynet/kontakt/

or you can write to the agency at:

Datatilsynet

Borgergade 28, 5.

1300 Copenhagen K

Denmark

Changes To This Privacy and Security Policy

We may update our Privacy and Security Policy from time to time. We will notify you of any changes by posting the new Privacy and Security Policy on this page.

You are advised to review this Privacy and Security Policy periodically for any changes. Changes to this Privacy and Security Policy are effective when they are posted on this page.

Deletion of your Flagit account

You may at any time delete your Flagit account, and if so, delete personal information that is registered by Flagit about you. However, for accounting and tax purposes we reserve the right to retain certain personal information for a period of up to 5 years from deletion. During that period of time your profile and your Personal Information is not available and not accessible to you, or anyone.

To delete your account please contact us by writing to [email protected], and specify your phone number, for which you wish your profile to be deleted.

Updates to this Privacy and Security Policy

We may update this Privacy Statement from time to time. We will notify you of any significant changes to this Privacy Statement on the website or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided in the notification.

How to contact us

If you have any questions about this Privacy and Security Policy, please contact us by email: [email protected].