(Last Updated October 14, 2021)
The websites at https://grin.co and https://app.grin.co, as well as any present or future affiliated or related mobile application (together, our “Services”), are operated by Grin Technologies, Inc., whose principal place of business is at 400 Capitol Mall, Floor 9, Sacramento, CA 95814, United States of America (“we”, “us”, or “our”).
As a controller of your personal data (i.e. any information about an individual from which that individual can be identified), we are committed to protecting and respecting your privacy.
Our Services include links to third-party websites and applications. We do not control these third-party websites and are not responsible for their privacy statements, notices, or policies. When you leave our Services, we encourage you to read the privacy information of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to such third-party websites.
If you are in the EEA, you can also contact our appointed EEA data representative at datarep.com.
Similarly, if you are in the UK, you can contact our appointed UK data representative at datarep.com.
We provide our Services to two types of customers:
– creators who sign up directly with us on the basis of our Creator Terms of Service (“Creator Customers”); and
– agency and brand customers who have chosen to sign up to our Terms of Service (“Brand Customers”).
Depending on the Services we provide to you and how you interact with us, we collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Special category (sensitive) personal data
We do not knowingly act as the controller of any ‘special category’ personal data, i.e. information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership(s), genetic or biometric data, or information about your sexual orientation or sex life. If you believe that we hold any such ‘special category’ personal data about you, please contact us immediately using the contact details provided in section 2 above and we will immediately delete this.
Additional personal information about creators
Our Brand Customers who operate e-commerce stores use our Services to pull information from their e-commerce stores concerning their own customers and to identify potential creators whom those Brand Customers could approach from the list of those customers (“Potential Creators”). In order to identify Potential Creators, those Brand Customers instruct us to perform ‘web scraping’, whereby we pull and index publicly available personal information from the Internet about Potential Creators.
Information about Potential Creators that we may gather, organize, and store on behalf of our Brand Customers in providing our Services to Brand Customers includes name(s), email address(es), handles of and posts on their social media and content-sharing platform accounts (such as Facebook, Twitter, Instagram, Snap, YouTube, Vimeo and Pinterest) and follower/subscriber counts, work and/or education history, relationship status, profile pictures and any photographs or audiovisual media made publicly available online that may feature the relevant Potential Creator, current state/country and/or town/city of residence, language spoken, content of press articles relating to the relevant Potential Creator, and other information made publicly available online by that Potential Creator.
Although we are the controller of your information that we process if you are a Brand Customer or Creator Customer, we are not a controller of information about Potential Creators that we gather, organize, and store when providing our Services to Brand Customers. In those circumstances, the Brand Customers who have instructed us to undertake web scraping on their behalf are the controllers of that information. This is because the web scraping is done for the Brand Customers’ purposes and not our own purposes.
This means that, if you think we are processing personal information about you in your capacity as a Potential Creator, you should direct any queries or concerns about how your personal information is handled in this way to the relevant Brand Customer, since we are simply processing that information on that Brand Customer’s behalf. If you are a Potential Creator and are concerned about any personal information that we obtain via web scraping, please note that this information could be found by anybody with access to the Internet and, in the case of information gathered from your social media and content-sharing platforms, you have ultimate control over what information you choose to make publicly available on those platforms.
We will only collect and process personal data about you where we have a lawful basis to do so, i.e. where:
The following table sets out what personal data we collect about you, what we use that personal data for, and our lawful basis for doing so. Please be aware that we sometimes process your personal data using more than one lawful basis, depending on the specific purpose or activity.
|Purpose/Activity|Type of data|Lawful basis for processing|
|To register you as a customer|(a) Identity|Performance of a contract with you|
|To process payments and refunds, operate and provide our Services to you, and collect money owed to us|(a) Identity|(a) Performance of a contract with you; (b) Necessary for our legitimate interests (for collecting money owed to us)|
|To enable you to enter into an agreement with another of our users pursuant to your use of our Services|(a) Identity|Performance of a contract to which you are a party or to take steps prior to entering into that contract|
| | |(a) Performance of a contract with you; (b) Necessary to comply with our legal obligations|
|To administer and protect our business and our Services (e.g. troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), including providing you with technical notices, update and security alerts, and support and administrative messages|(a) Identity|(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise); (b) Necessary to comply with our legal obligations|
|To use data analytics to improve our Services, products/services, marketing, customer relationships and experiences|(a) Technical|Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant and ensure that its content is presented in the most effective manner for you and for your device, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about new proposals, opportunities, upcoming events, and other news (including information about products and services offered by us and our affiliates)|(a) Identity; (f) Marketing and Communications|Your consent (you can withdraw this at any time by clicking the link to unsubscribe in our marketing emails and/or the relevant ‘STOP’ number in text messages, or by contacting us using the details above)|
|To protect us, our customers, and our Services from fraud and theft|(a) Identity|Necessary for our legitimate interests (for detecting and preventing fraud)|
Please note that, where we rely on your consent or our legitimate interests to process your personal data and you withdraw that consent or object to our processing, we will no longer be able to provide certain services to you that are dependent on this processing.
If any of your personal data (such as your Contact Data) changes, please ensure that you let us know by editing this in your account settings, so that the information we have about you is kept up to date.
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorized way.
Our Services use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us via the Services. Whenever information is transferred between us in this way, you can check the relevant SSL certificate by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you choose to integrate your third-party email service or social-media or content-sharing platform service with our Services, the providers of those third-party services will remain the controller of your personal data and we will process the data on their behalf and share any information that you enter into their integrated versions via our Services with them.
We may be required by law to preserve or disclose your personal information and service data to comply with any applicable law, regulation, legal process, or governmental request, including in order to meet national security requirements. In addition, we will also disclose personal information to the relevant authorities if we believe it is necessary to do so in order to prevent fraud, investigate any suspected illegal activity, or protect our users’ safety.
If you have registered an account with us, we will retain your information for as long as you have that account. If you delete your account or request us to do so, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we will be able to use this information indefinitely without further notice to you.
For further information on cookies (including about how we use them and when we will request your consent before placing them and how to disable them), please see our Cookie Notice.
We are based in the United States. By accessing or using our Services or otherwise providing personal information or service data to us, you agree to the processing, transfer, and storage of your personal information within the United States, and the transfer to Canada and Australia. We will handle your personal data in accordance not only with applicable US laws, but also with the relevant provisions of the EU GDPR and UK GDPR. If we transfer your personal data to any third party located in a country that has not been deemed by the European Commission or the UK as providing adequate protection of your personal data, then we will ensure that such personal information is safeguarded through appropriate contractual terms or other approved mechanisms. If you have any questions about international transfers of your personal information, please contact us using the details set out in section 2 above.
Under applicable data protection laws, you have a number of important rights free of charge. In summary, those include rights to:
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests (in which case we will notify you and keep you updated).
There are some exceptions to the rights listed above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
If you are in the EEA, you have a right to lodge a complaint with your local supervisory authority. Click here for the contact details of each EEA country’s supervisory authority. Alternatively, if you are in the UK, you have the right to make a complaint at any time to the supervisory authority in the United Kingdom for data protection issues, the Information Commissioner’s Office (click here for their website).
We would, however, appreciate the opportunity to deal directly with your concerns before you approach the ICO or any other supervisory authority, and would be pleased to respond to any such complaints as your first-priority contact.
As stated in our Terms of Service and Creator Terms of Service, our Services are not intended for anyone under the age of 13, and we do not knowingly collect data relating to any individual below this age. If you believe that a child under the age of 13 has provided personal information to us, please contact us using the details set out in section 2 above and provide the relevant details, and we will take the necessary steps to delete the information we hold about that child.