GDPR Statement
Depending on your geographic location, some parts of this statement may not apply to you. Except as described below, we are the data controller of personal data collected from our website or the NinjaCat platform. Our physical address is 2810 N Church St. #57506, Wilmington, DE 19802-4447, and you may reach us by emailing [email protected].
Our EU Representative is Osano International Compliance Services Limited and can be contacted by writing to:
EU Representative
Osano International Compliance Services Limited
ATTN: V7NR
3 Dublin Landings
North Wall Quay
Dublin 1
D01C4E0
UK Representative
Osano UK Compliance LTD
ATTN: V7NR
42-46 Fountain Street
Belfast
Antrim
BT1 - 5EF
GDPR Principles
The GDPR principles exist to help companies remain within the boundaries of the regulation; they also help to understand its main objectives. Therefore, we comply with the principles at the core of GDPR compliance, which are:
- Lawfulness, fairness, and transparency. These first principles express the need to comply with the GDPR when required under this regulation due to our activities, as expressed in this Statement. We are to keep you as informed as possible regarding our GDPR compliance.
- Purpose Limitation. As is determined in the text of the GDPR, all purposes for data processing and collection must remain specific, explicit, and legitimate. The controller must use such collected personal data for the particular purposes for which you have consented to its collection and processing.
- Data minimization. We only collect the data which is necessary and relevant for our activities. The less personal information we collect or process, the better for every party involved.
- Accuracy. We keep data as up-to-date as possible and try to ensure we erase data that is inaccurate or that we believe is outdated.
- Storage limitations. We keep personal information only as long as necessary for the purposes stated in our Privacy Policy.
- Integrity and confidentiality. We protect and secure all personal data we store and process and have methods to anonymize personal data.
- Accountability. We remain committed to recording our activities and strategies, proving compliance with the GDPR, and constantly reviewing and improving the management of personal data.
Sources of Data Collection
We may collect information about you during your visit and when you use our website, app, and services. To give you more information on the sources of the data we collect from you, we collect it:
- When you directly share it with us. We directly collect data from you when you voluntarily give it to us, such as when you register on the website or app, when you contact us, when you sign up for our services or our newsletter or promotional emails, or even when you give us information about yourself in person, by phone or text, or by email.
- Automatically through your use of our services, website, or other similar activities. Your personal information is collected automatically when you browse our site or app, even when you are not a registered user. For example, we gather information such as your IP address, which webpages you stay on and how long, and other user data and information about the device you use when on the website or app.
- From third-party sources. We may also gather personal information about you from third parties. We may receive personal information about you or your contacts if you register for our services or access our website through a social media account. The types of personal information we may receive from social media accounts will depend on your privacy settings in those accounts. We may also receive personal information about you from our partners and processors or from other third parties to whom you have given permission to share your information.
Categories of Personal Data
We may collect the following categories of personal data:
- First and last name
- Phone Number
- Mailing Address
- Email Address
- Employer
- Job Title
- Usernames or handles
- Internet Protocol (IP) Address
- Geographic location data
Remember that you have the right at all times not to disclose any personal information to us. However, this may impact and possibly limit your use of the Website and App, and we may not be able to provide you with any Services to the extent that your personal data is required to enable us to provide such data.
How We Use Your Personal Information
We may use your personal information for various purposes.
- To provide you with our products and services.
- To contact you.
- To improve and optimize our products and services to make them better and easier to use by you and by our clients.
- To better understand your preferences and use that information to develop further and update our products and services.
- To market our solutions.
- To detect and avoid fraud.
- To prevent fraud.
- To comply with applicable legal obligations.
- For various security purposes.
- For a different specific purpose to which you have specifically consented.
We follow the directives of the GDPR in informing you about our uses, basis, and purposes for the collection and processing of your personal data. In the event that any such purpose changes, we will make sure to inform you about any changes to what data we collect and process and why.
Sharing of Your Personal Information
Under no circumstance will we sell, trade, or rent any of your personal information, regardless of its source or purpose. However, with your previous consent, we may share personal data with recipients under certain circumstances and with the following parties:
- With service providers, agents, subcontractors, and vendors to perform certain activities and functions on our behalf, and only to the extent they need such data to perform such activities and functions. Contractual boundaries are determined and agreed upon with these parties to protect and responsibly use your data.
- Within our company group, to better provide you with information and services.
- With our professional advisors, whom we consult on different niche areas, such as legal, accounting, and banking.
- With public and government authorities and law enforcement, pursuant to legal obligations or when we are compelled under law and authority to disclose personal data.
Data Protection Officer
We have appointed a Data Protection Officer. You may contact them at: [email protected]
If you think the DPO is not the correct party to address for any questions or inquiries about this Statement, contact us using the contact details provided above.
Data Protection
All personal data requires a legal basis for processing, and will be accessible on a strict need-to-know basis. Personal data is to be kept confidential and must be protected and safeguarded from unauthorized access, modification and disclosure.
- Storage and Transmission: Personal data must be encrypted, with strong cryptography, whenever stored on or transmitted by NinjaCat, Inc. systems.
- Disposal: Paper records must be securely shredded prior to disposal. Electronic media must be securely wiped, sanitized or physically destroyed prior to disposal or reuse.
- Awareness Training: Relevant personnel will receive appropriate training on their information security and data privacy responsibilities with regard to GDPR and the handling of personal data as well as the Data Subject Access Request (DSAR) procedure.
- NinjaCat, Inc. will not transmit EU or UK PII to any third-party or vendor until an appropriate Data Protection Addendum has been fully executed by NinjaCat, Inc. and the third-party.
- The company shall retain a Record of Processing Activity in accordance with Article 30 of the GDPR. Records shall include:
  - the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
  - the purposes of the processing;
  - a description of the categories of data subjects and of the categories of personal data;
  - the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
  - where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
  - where possible, the envisaged time limits for erasure of the different categories of data;
  - where possible, a general description of the technical and organisational security measures referred to in Article 32.
Legal Basis of Processing
Under the GDPR, all companies must have a legal basis for processing personal information. We rely on the following legal bases for collecting and processing personal data:
- Processing is made based on your consent to the collection or processing of your personal data.
- Processing is necessary to perform a contract with you.
- Processing is required to comply with a legal obligation that applies to us.
- Processing is needed to protect the vital interests of you or another person.
- Processing is based on the performance of a task carried out in the public interest or based on the public authority.
- Processing is based on our legitimate interests or the legitimate interests of a third party, provided that your interests or fundamental rights do not outweigh them.
Breach Notification
Notification of any reportable unauthorized use or disclosure of personal data will be sent to affected parties in accordance with the GDPR notification requirements.
Your Data Subject Rights
The GDPR has granted data subjects specific rights respecting their personal data. Their applicability may depend on your nationality and geographic location. These are your rights:
- Right of knowledge or confirmation. You have the right to obtain a confirmation of whether your personal data is being processed.
- Right of access. You may require from the controller free information about the storage of your personal information and also obtain a copy of this information. Additionally, you have a right to know the purposes of the processing of any personal information, the categories of personal information collected or processed and stored, and the recipients of the personal information, if any.
- Right of rectification. You have the right to correct or request the correction of your personal information.
- Right to be forgotten (erasure). You shall have the right to have your personal data erased without delay, provided that processing is unnecessary. The controller shall consider if such information is no longer necessary for the purposes it was collected for and that there are no overriding legitimate grounds for processing.
- Right of restriction of processing. You have the right to request that processing of your personal data be restricted when:
  - The accuracy of personal data is contested;
  - The processing of personal information is unlawful, and you do not require its deletion;
  - The controller does not need the personal data any longer, but is required to keep it to fulfill a legal obligation or to pursue or defend a legal claim;
  - You have objected to processing your personal data during the time of verification by the controller.
- Right of Data Portability. You have the right to receive your personal information in a structured and machine-readable format. You shall have the right to transmit the data to another controller without further observation by the original controller. You may also request that personal data be transferred directly from one controller to another.
- Right to object. You have the right to object to the processing of your personal information, at any time.
- Right not to be subject to automatic decision-making, including profiling. We currently do not use or base any data collection or processing on automated decision-making, nor do we use profiling.
- Right to withdraw consent. If you have consented to the collection or use of your personal information, you have the right to withdraw your consent at any time.
Additionally, if you feel we have failed to address any of your requests regarding your personal data, you may have the right to lodge a complaint with a Data Protection Authority. Here is a list of the contacts for them: https://edpb.europa.eu/about-edpb/about-edpb/members
To exercise your aforementioned rights, please contact us at the physical or email address provided in our Privacy Policy. Before we grant or process any requests for your rights, we may require verification of your identity.
Data Subject Access Requests (DSAR/SAR)
Subject to the exceptions noted below in this policy, NinjaCat, Inc. will comply with any SAR concerning the following rights of the data subject:
SAR when NinjaCat, Inc. is the data controller:
- A SAR must be made using any Customer Support Channel. This includes emailing [email protected], or using the chat widget on our application.
- Where required, the data subject must provide reasonable evidence of their identity in the form of valid identification, for example, email verification.
- When submitting the SAR via the interface, the data subject must identify the SAR type that is being requested, e.g., erasure.
- If a SAR is submitted by an agent, the submission must include the identification of the data subject.
SAR when NinjaCat, Inc. is the data processor:
- The SAR must be submitted via the user interface in the NinjaCat platform.
- The controller must identify the SAR that is being requested.
SAR requirements:
- The date by which the SAR is submitted, identification is verified, and the specification of the SAR request type must be recorded; NinjaCat, Inc. will acknowledge any manual requests within 3 business days.
- NinjaCat, Inc. has one month from the initial request date to complete the request. There are very limited circumstances in which an extension to that one month will be provided.
- The SAR application will be documented and can be audited using NinjaCat, Inc.'s internal processes.
SAR Exemptions
NinjaCat, Inc. may withhold information requested under SAR in accordance with Article 23 of the GDPR or any similar exemption under applicable law. Any such exemption must be reviewed and approved by the Data Protection Officer.
SAR Limits
Where permitted by law, such as Article 15 of the GDPR, for any further copies of personal data collected by NinjaCat, Inc. that are requested by the data subject, NinjaCat, Inc. may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic format.
Subprocessors
For the purposes determined within this statement and to provide complete and compliant services to you, we engage and use data processors with which we may share some categories of your collected data. These subprocessors are under an agreement with us and may use your data for the specific purposes we require and in compatibility with this statement and our privacy policy.
Entity Name | Purpose for Processing | Location |
---|---|---|
Amazon Web Services, Inc. | Cloud Hosting Provider | U.S.A. |
DataDog | Analytics and Monitoring | U.S.A. |
OpenAI | Optional AI Services | U.S.A. |
Google Analytics | Analytics | U.S.A. |
Snowflake Inc. | Data Warehousing | U.S.A. |
Twilio, Inc. | Email communications and Optional Telephony | U.S.A. |
Intercom | Customer Support | U.S.A. |