Inbot Data Protection Policy

May 2018

Introduction

We store personal data about our employees, clients, vendors and other individuals for a variety of business purposes. This policy explains how we protect personal data and ensure that our employees and contractors understand the rules governing their use of personal data to which they have access in the course of their work.

Definitions

Inbot. Inbot or “we” means, separately or together, Inbot, Inc., a Delaware corporation; Inbot GmbH, a German corporation; Inbot Oy, a Finnish corporation; and Inbot OÜ, an Estonian corporation.

Data subject. The individual Inbot is holding information about. This includes our vendors, vendor prospects, community members, employees and contractors.

Personal data. Information relating to identifiable individuals, including vendors, vendor prospects and their employees, community members, wallet users, current and former employees, contractors and possible other parties.

Personal data we gather may include: a person’s contact details, addresses, online profiles, IP addresses, job titles, nationality, country of residence, and required KYC (Know Your Customer) information such as photos of the individual, passport or other official identifying documents, and proof-of-address documents such as utility bills. Our systems may enhance this personal data with additional metadata such as tags and categories. In addition, we store any other data you may voluntarily upload to your account, including, but not limited to, personal address books or metadata of emails, calls and calendars.

Sensitive personal data. Personal data about an individual's racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health or condition, criminal offences, or related proceedings.

We do not collect or store any sensitive personal data.

Scope

This policy applies to all employees and contractors of Inbot. Our employees and contractors must be familiar with this policy and comply with its terms. We may supplement or amend this policy by additional policies and guidelines from time to time.

Responsible parties

Inbot is a startup company and is therefore not required to appoint a separate DPO (Data Protection Officer). All of our team members and the leadership will take all reasonable steps to protect the data that is entrusted to us.

We will also periodically audit our systems and processes to find possible gaps in our security policies. We will also require our suppliers to comply with data protection regulations such as GDPR.

Our customers and members can inquire about our data protection policies at any time by emailing us at team@inbot.io.

Our procedures

Fair and lawful processing. We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.

The processing of all data must be:

  • Necessary to provide our educational environment
  • In our legitimate interests and not unduly prejudice the individual's privacy

In most cases this provision will apply to routine data processing activities.

Justification for personal data. We will process personal data in compliance with all eight data protection principles:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for specified and lawful purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose(s) shall not be kept for longer than is necessary for the purpose(s).
  6. Personal data shall be processed in accordance with the rights of data subjects.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

We will document any additional justification for the processing of sensitive data that might be conceived in the future.

Data accuracy and relevance

We will ensure that any personal data we process for our data subjects is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Data subjects may ask that we correct inaccurate personal data relating to them. If you believe that your information is inaccurate, you should inform us at team@inbot.io.

Data audit and register

We will conduct regular data audits to manage and mitigate risks. These audits include information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

Some data that we collect is subject to active consent by the data subject. This consent can be revoked at any time. We only use data that is necessary for the purposes of legitimate interests pursued by us, except where such interests are overridden by the interests, rights or freedoms of the data subject. This includes the performance of a contract with the data subject or taking the steps to enter into a contract, as well as to protect the vital interests of a data subject or another person.

Exemptions. Certain data may be exempted from the provisions of the GDPR or legally required from us without the explicit consent of the data subject. This includes, but is not limited to:

  • Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Processing is necessary to exercise a right or obligation conferred or imposed by law upon us.