A guide to our GDPR policy
1. About this page
With the 2018 introduction of the General Data Protection Regulation (GDPR) across Europe it is our obligation to make clear, in plain English, how we manage the data that our customers and users provide to us.
This document aims to give a clear, simple, breakdown of our role, the data we and our clients collect, and your rights. If any of this doesn’t make sense, or you have concerns, please contact us via email@example.com.
For the purposes of this document, we need to make a few definitions to ensure clarity.
We, Twine or other references to ourselves means Twine Limited – UK Company number 09199373 or the software we provide.
Platform refers explicitly to the Twine software that we provide access to.
Clients refers to our direct clients who have either signed up to use Twine via signup.twinehr.com or who otherwise have a contract with us to provide access to the Twine services.
Users refers to individuals who log into Twine, having been onboarded or invited by a Client.
Tenant refers to a Client’s isolated Twine environment, supplied for their users to log in to.
1.2 About Twine
Twine is a Software as a Service (SaaS) provider that supplies the Twine intranet. Our clients are normally businesses or organisations who wish to use the Twine platform to help their users collaborate more effectively.
Twine has a relationship with both Clients and Users, and the data collected can vary depending on these relationships. Clients can decide how to control access to their Twine tenant, from open registration to invitation only.
3. What information we collect
In order to provide our service we collect and hold information that broadly falls into three categories as described in this section. This information may come from the client or directly from the users themselves.
3.1 Information about clients
We hold information about our clients in order that we can supply a service, and where relevant manage any contractual relationship. This information includes:
- Client name and contact details
- Contractual information
- Background information (e.g. number of users)
- Any information you communicate during the process of us supporting you (such as support tickets)
Administrator user information is classed the same way as any other user information and is covered by section 3.2 below.
3.2 Information about users
We collect and store a standard set of information about each user in order to provide the service. This information includes:
- Email address
- First and last name
- Password details
- Data about user actions in the system (e.g. login history, IP addresses etc)
- Any content posted or otherwise entered into the platform, including chat messages
3.3 Additional information about users, defined by Clients
In addition to the basic minimum data described in section 3.2 above, clients may configure the system to collect additional information. We do provide some common default options such as:
- Business department
- Telephone numbers
It is important, however, to understand that our Clients may request, and even require, that you supply additional information onto the Twine platform in order to participate. Twine considers that you are providing this information to our Client, and that we are simply holding it on their behalf. Twine provides default terms of service for end users; however, many of our Clients will instead provide their own specific terms, and you should refer to them in the first instance regarding any concerns you may have.
4. How we handle your personal data
We have systems and processes in place to protect the data we receive from you, and we take this commitment very seriously. We can provide, upon request, our detailed data protection, data handling, and privacy policies. Otherwise, we’re happy to talk through any concerns or questions you have directly.
4.1 Handling and storage
Broadly speaking, we follow best practices and store your data in an environment hosted by Amazon Web Services, based in Dublin, Ireland. Amazon has extensive documentation on their security and legal compliance available on their website at https://aws.amazon.com/compliance/.
In handling your data we follow best practices such as:
- Using encryption to communicate between users and ourselves.
- Restricting and logging those who have access to the data we hold.
- Not moving data from production to test environments.
- Having outside security companies perform penetration tests on the platform.
4.2 Providing your personal data to others
In order to operate both the platform and our business as a whole, we need to involve some third party suppliers and platforms. We have detailed each, and the reason we use them, below. We may use more third parties than this; however, these are the ones that would potentially see personal information.
4.2.1 In order to provide the platform
- Amazon Web Services, for hosting of the platform and storage of the data
- Pusher, to provide chat services
- Sendgrid, to send emails
- Google Analytics and Hotjar, to track user behaviour
- BugSnag, to monitor bugs in our software
4.2.2 In order to operate our business
- Xero, for accounting and billing
- Nutshell, for Customer Relationship Management
- Google, for email, and contractual or planning information
- Slack, for internal communications
- Freshdesk and Intercom, for Customer Support
- Hiscox insurance
4.3 Retaining your data
We will need to keep hold of your data while you as a User are active (not deleted). The primary reason for this is that Twine is a community built from your contributions made on the Twine platform. For example, your contributions to Polls, Comments, and the Forum all need to persist while the Tenant and your User are active.
There are two conditions where your data will be deleted:
- You or the Tenant administrator elect to delete your User account on the Twine platform, by contacting us via firstname.lastname@example.org.
- The Tenant administrator or Client requests to close down the Tenant, by contacting us via email@example.com.
After we process your request to delete data, the data will almost immediately be made inactive, meaning it will not be visible to any other User within Twine. Then, within 30 days, the Twine platform will automatically delete your data entirely from our platform, including backups.
5. Your rights
GDPR provides for several rights for individuals. If you wish to exercise any of these rights, we request that you contact us via firstname.lastname@example.org, where we will arrange for the required work to be undertaken.
5.1 Data formats
In order to service rights requests in the timeframe required by the law, we may not be able to provide data in a specific format defined by the user making the request. We will, however, aim to provide the data in a machine-readable format (such as CSVs) to enable portability.
5.2 Complex requests
If your request is excessively complex to fulfil we may need to charge a fee to cover the extra time required, as permitted by the law.