GDPR Privacy and Personal Data Protection Policy (“GDPR Policy”)

Introduction

Peep Inc. (“Peeple”, “we”, “us” or “our”) is committed to protecting the privacy of personal data of identifiable individuals who use the services, websites, and applications offered by Peeple (the “Service”). This GDPR Policy describes Peeple’s policies and procedures on the collection, use, disclosure, and sharing of your information when data subjects within the European Union (“EU”) use the Service, via our website at www.forthepeeple.com, Peeple content embedded on another site, your mobile phone, or one of Peeple’s applications for mobile devices and/or any other platform or media through which we make such services available from time to time.

This GDPR Policy informs you of Peeple’s policies and practices regarding the collection and use of information you submit to us or which we collect about you through the Services and to inform you of options that you have to control or restrict the availability and use of your information. Wherever you reside or from whichever country you submit your information, you consent to our use of your information, consistent with this GDPR Policy, in Canada and in other territories where Peeple provides the Service.

Peeple reserves the right to change this GDPR Policy from time to time. Amendments to this GDPR Policy will be posted to the Service and will be effective when posted. In the event that such changes are made, your explicit and informed consent will be sought as a condition to Peeple’s continued collection and processing of your personal data.

In this GDPR Policy, “personal data” means any information about an identified or identifiable individual.

In collecting and using this data, Peeple is subject to a variety of legislation controlling how such activities may be carried out and the safeguards that must be put in place to protect it. It has been determined that Peeple, as an organization that not only operates within the EU but also collects and processes personal data of EU citizens, is subject to GDPR legislation.

Purpose

The purpose of this GDPR Policy is to set out the relevant GDPR legislation and to describe the steps Peeple is taking to ensure that it complies with it.

Scope

This GDPR Policy applies to:

  • all Personnel; and
  • all IT Resources, regardless of their physical location, which are used to store, process, and/or transmit Peeple electronic information in any form. This includes, but is not limited to, networks, computer hardware, mobile devices, software, applications, and associated information used in the support of Peeple business.

General Data Protection Regulation 2016 (“GDPR”)

There are a total of 26 definitions listed within the GDPR and it is not appropriate to reproduce them all here. The most fundamental definitions with respect to this policy are captured in the Definitions section below.

1. Principles Relating to Processing of Personal Data

There are a number of fundamental principles upon which the GDPR is based.

1.1 Personal data shall be:

  • (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
  • (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
  • (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
  • (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
  • (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
  • (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

1.2 The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1.1 (‘accountability’).

Peeple must ensure that it complies with all of these principles both in the processing it currently carries out and as part of the introduction of new methods of processing such as new IT systems.

2. Rights of the Individual

The data subject also has rights under the GDPR. These consist of:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object; and
  • rights in relation to automated decision making and profiling.

Each of these rights must be supported by appropriate procedures within Peeple that allow the required action to be taken within the timescales stated in the GDPR. These timescales are shown in Table 1.

Data Subject Request                                            Timescale
The right to be informed                                        When data is collected (if supplied by data subject) or within one month (if not supplied by data subject)
The right of access                                             One month
The right to rectification                                      One month
The right to erasure                                            Without undue delay
The right to restrict processing                                Without undue delay
The right to data portability                                   One month
The right to object                                             On receipt of objection
Rights in relation to automated decision making and profiling   Not specified

Table 1 - Timescales for data subject requests

3. Consent

Unless it is necessary for a reason allowable under the GDPR, explicit consent must be obtained from a data subject to collect and process their data. In the case of children below the age of 16, parental consent must be obtained. Transparent information about our usage of their personal data must be provided to data subjects at the time that consent is obtained, and their rights with regard to their data explained, such as the right to withdraw consent. This information must be provided in an accessible form, written in clear language and free of charge.

If the personal data are not obtained directly from the data subject then this information must be provided within a reasonable period after the data are obtained and definitely within one month.

When you register as a user of our Service, we ask for personal data that will be used to activate your account, create a user profile, provide the Service to you, communicate with you about the status of your account, and for other purposes set out in this GDPR Policy. Your name, company name, address, gender, birth date, telephone number, email address, specific or general location, and certain other information about you may be required by us to provide the Service or be disclosed by you, directly or indirectly, during your use of the Service. If you use your Facebook or any other social media networking site (“SMN”) account information to sign in to the Service, or link your Peeple account with such SMN, we will collect and store such account information (such as your name, profile picture, and email address) and we may receive information about you from such SMN, depending on the privacy settings you have with that SMN.

By providing personal data to us and by retaining us to provide you with the Service, you voluntarily consent to the collection, use and disclosure of such personal data as specified in this GDPR Policy. Without limiting the foregoing, we may on occasion ask you to consent when we collect, use, or disclose your personal data in specific circumstances.

Your name, likeness, and other personal data you submit to your user profile through the registration process will be available for public viewing on the Service. You also provide us information in any Content (as defined in the Terms and Conditions of Service) you post to the Service, including any comments, questions, recommendations, ratings, reviews, and other contributions on the Service, as well as metadata about them, all of which is intended for public consumption and will be publicly viewable on the Service. We may display this information through the Service, share it with third parties, and further distribute it to a wider audience through third party sites and services. This information may also be “crawled” by third party search engines so that personal data in your user profile may be accessible through search engines in search results.

In addition, we may use your personal or account information for the following purposes (the “Purposes”):

  • To provide the Service to you and to other users of the Service;
  • To improve the quality of the Service through polls, surveys and other similar feedback gathering activities conducted by Peeple and/or third parties;
  • To create, manage and control your account information, and to verify access rights to the Service;
  • To bill your account, if applicable;
  • Subject to applicable legislation, to communicate with you, including without limitation for the purpose of providing you with information about the Service, or informing you of changes or additions to the Service or of the availability of any other services or features we provide;
  • To assess service levels, monitor traffic patterns and gauge popularity of different features and service options of the Service;
  • To enforce this GDPR Policy or our Terms and Conditions of Service;
  • To protect against fraud or error, and to respond to claims of any violation of our rights or those of any third parties;
  • To respond to your requests for customer service;
  • To protect the rights, property or personal safety of you, us, our users and the public; and
  • As required to comply with applicable laws or as authorized by applicable laws.

In addition, from time to time we may disclose or allow access to your personal data outside Canada where it may be subject to the lawful access requirements of the jurisdiction in which it is stored or able to be accessed. If you have any questions about our use of service providers outside of Canada, you may contact Peeple’s Privacy Officer by email at privacy@forthepeeple.com.

Subject to applicable legislation, we may occasionally communicate with you regarding our products, services, news and events. You have the option to not receive this information. We provide an opt-out function within all email communications of this nature, or will cease to communicate with you for this purpose if you contact us and tell us not to communicate this information to you. The only communications of this kind that you may not opt out of are those required to communicate announcements related to the Service, including information specific to your user account, planned Service suspensions and outages. We will attempt to minimize this type of communication to you.

For the purposes of billing your account, Peeple may share your credit card and other payment information with banks or other third parties, such as PayPal or Stripe, in order to process payments. In addition, while Peeple has in place up-to-date technology and internal procedures to guard such payment information against unauthorized access or intruders, there is no guarantee that such technology or procedure can eliminate all of the risks of theft, loss or misuse. Peeple shall not be liable to you or any other person for any damages that might result from unauthorized use, publication, disclosure or any other misuse of such payment information, including credit card information.

4. Age of Consent

We do not knowingly provide the Service to, and will not knowingly collect personal data from, anyone under the age of consent.

5. Rights to Your Information

You have the right to access and edit your information that is in the custody or under the control of Peeple at any time through the interface provided as part of the Service. In the event an access request is refused, you will be advised in writing of the reasons for the refusal and other applicable information.

6. Disclosure

We may disclose personal data to third parties for legitimate business purposes or for the Purposes and will obtain assurances from such third parties that they will safeguard personal data in a manner consistent with this GDPR Policy. To the extent such personal data is disclosed to third parties in other countries, those countries to which personal data will be transferred may or may not have laws that seek to preserve the privacy of personal data.

Peeple uses services hosted by third parties in the course of providing the Service, including Stripe, Google Maps, email providers, and social networking sites including, but not limited to, Facebook, Twitter and LinkedIn (the “Third Party Hosts”). To the extent any Third Party Host collects the personal data of users, such collection will be subject to the applicable privacy policies of the Third Party Hosts and shall not fall under the scope of this GDPR Policy.

7. Retention and Destruction

Subject to the terms of this GDPR Policy, your personal data is only retained as long as is reasonable to fulfill the purpose for which it was collected or for legal or business purposes (such as backup, archival, or audit purposes, or to improve the Service) or as otherwise required under applicable law. Notwithstanding the foregoing, and subject to applicable laws and regulations, Peeple will retain all personal data generated by users with respect to user intercommunications, and all personal data which is posted by users to areas of the Service which are accessible to the public or other users, indefinitely.

Personal data which is used to make a decision that directly affects a specific user will be retained for at least one year after the date of that decision.

8. Aggregated Data

We may also use your personal data to generate Aggregated Data for internal use and for sharing with others on a selective basis. “Aggregated Data” means records which have been stripped of information potentially identifying users, and which have been manipulated or combined to provide generalized, anonymous information. Your identity and personal data will be kept anonymous in Aggregated Data.

9. Cookies and Log Files

We use cookies and log files to track user information. Cookies are small amounts of data that are transferred to your web browser by a web server and are stored on your computer’s hard drive. We use cookies to track which page variant a visitor has seen, to track if a visitor has clicked on a page variant, to monitor traffic patterns and to gauge popularity of service options. We will use this information to deliver relevant content and services to you.

10. Change of Ownership or Business Transition

In the event of a change of ownership or other business transition, such as a merger, acquisition or sale of our assets, your information may be transferred in accordance with applicable privacy laws.

11. Security

We will strive to prevent unauthorized access to your personal data; however, no data transmission over the Internet, by wireless device or over the air is guaranteed to be 100% secure. We will continue to enhance security procedures as new technologies and procedures become available.

Please remember that you control what personal data you provide while using the Service, and what personal data you choose to make available to the public through the Service. Ultimately, you are responsible for maintaining the secrecy of your identification, passwords and/or any personal data in your possession for the use of the Service. Always be careful and responsible regarding your personal data. We are not responsible for, and cannot control, the use by others of any information which you provide to them and you should use caution in selecting the personal data you provide to others through the Service. Similarly, we cannot assume any responsibility for the content of any personal data or other information which you receive from other users through the Service, and you release us from any and all liability in connection with the contents of any personal data or other information which you may receive using the Service. We cannot guarantee, or assume any responsibility for verifying, the accuracy of the personal data or other information provided by any third party. You release us from any and all liability in connection with the use of such personal data or other information of others.

12. Privacy by Design

Peeple has adopted the principle of privacy by design and will ensure that the definition and planning of all new or significantly changed systems that collect or process personal data will be subject to due consideration of privacy issues, including the completion of one or more privacy impact assessments.

The privacy impact assessment will include:

  • (a) consideration of how personal data will be processed and for what purposes;
  • (b) assessment of whether the proposed processing of personal data is both necessary and proportionate to the purpose(s);
  • (c) assessment of the risks to individuals in processing the personal data; and
  • (d) what controls are necessary to address the identified risks and demonstrate compliance with legislation.

Use of techniques such as data minimization and pseudonymisation will be considered where applicable and appropriate.

13. Transfer of Personal Data

Transfers of personal data outside the European Union must be carefully reviewed prior to the transfer taking place to ensure that they fall within the limits imposed by the GDPR. This depends partly on the European Commission’s judgement as to the adequacy of the safeguards for personal data applicable in the receiving country and this may change over time.

14. Data Protection Officer

A defined role of Data Protection Officer (DPO) is required under the GDPR if an organization is a public authority, if it performs large-scale monitoring or if it processes particularly sensitive types of data on a large scale. The DPO is required to have an appropriate level of knowledge and can either be an in-house resource or outsourced to an appropriate service provider.

Based on these criteria, Peeple has not appointed a Data Protection Officer.

15. Breach Notification

It is Peeple’s policy to be fair and proportionate when considering the actions to be taken to inform affected parties regarding breaches of personal data. In line with the GDPR, where a breach is known to have occurred which is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority will be informed within 72 hours.

16. Addressing Compliance to the GDPR

The following actions are undertaken to ensure that Peeple complies at all times with the accountability principle of the GDPR:

  • the legal basis for processing personal data is clear and unambiguous;
  • all staff involved in handling personal data understand their responsibilities for following good data protection practice;
  • training in data protection has been provided to all Personnel;
  • rules regarding consent are followed;
  • routes are available to data subjects wishing to exercise their rights regarding personal data and such enquiries are handled effectively;
  • regular reviews of procedures involving personal data are carried out;
  • privacy by design is adopted for all new or changed systems and processes;
  • the following documentation of processing activities is recorded:
      • organization name and relevant details;
      • purposes of the personal data processing;
      • categories of individuals and personal data processed;
      • categories of personal data recipients;
      • agreements and mechanisms for transfers of personal data to non-EU countries including details of controls in place;
      • personal data retention schedules; and
      • relevant technical and organisational controls in place.

These actions will be reviewed on a regular basis as part of the management review process.

Policy Infringement

Personnel who infringe this Policy may be subject to disciplinary action, among other actions, including dismissal, termination of contract and possible legal proceedings following such termination. Reports of infringement may be forwarded to privacy@forthepeeple.com. In cases where local or international law is violated, Peeple has a responsibility to involve the relevant law enforcement agencies.

If Peeple believes that a breach of a third party’s confidential information, contract, or regulations has taken place, Peeple may have a duty to report the matter to that organization.

Definitions

Terms of particular importance for this document include:

  • controller - The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • Personnel - All Peeple employees, students, trainees, contractors, consultants working under contract, and in limited circumstances, may include third party service providers, who have access to, use or possess any information assets or IT Resources.
  • information assets - All information created and received in the course of business of Peeple, and which may be deemed a record. This refers to all information created in any media format, throughout the entire information lifecycle, including creation, use, maintenance and disposition. Information assets do not include information or records created by other persons outside Peeple, except where they form part of a business or regulatory transaction of Peeple. Information assets have recognizable and manageable value, risk, context and lifecycle.
  • Information Technology (IT) Resource(s) - Any digital/electronic devices, and all digital infrastructure, operating systems, applications, IT-related support services, and externalized digital information processing, infrastructure or storage services, including cloud based, used to store or process Peeple information assets. IT Resources are not limited to infrastructure systems and services maintained or procured by Peeple Information Services. IT Resources include information assets.
  • “must” versus “should” - The words “must”, “shall”, “will” and “required” indicate that the item is mandatory. The words “should” or “may” indicate the item is a security control whose application is strongly recommended, but which is not mandatory in all circumstances. They provide guidance and represent best practice.
  • personal data - Defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • processing - Means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;