Last Updated October 14, 2021

Privacy Policy (UK/EU)

  1. About us and this Privacy Policy
  2. How to contact us
  3. Information we collect from you
  4. How we collect and use your personal information
  5. How we store your personal information
  6. Who we share your information with
  7. How long keep your personal information
  8. Cookies
  9. International transfers of your information
  10. Your rights
  11. Children’s personal information
  12. Updates to this Privacy Policy

 

  1. About us and this Privacy Policy

The websites at https://grin.co and https://app.grin.co, as well as with any present or future affiliated or related mobile application (together, our “Services”) is operated by Grin Technologies, Inc., whose principal place of business office is at 400 Capitol Mall, Floor 9, Sacramento​, CA 95814, United States of America (“we”, “us”, or “our”).

This Privacy Policy is intended for users of our Services in the European Economic Area (EEA) and the United Kingdom (UK). Users in the EEA have certain privacy rights under applicable laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018. For details of how we handle the personal information of users in the United States, please see our US Privacy Policy.

As a controller of your personal data (i.e. any information about an individual from which that individual can be identified), we are committed to protecting and respecting your privacy.

This Privacy Policy (together with our Terms of ServiceCreator Terms of Service, and any other documents referred to in them, as well as our Cookie Notice) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

Our Services include links to third-party websites and applications. We do not control these third-party websites and are not responsible for their privacy statements, notices, or policies. When you leave our Services, we encourage you to read the privacy information of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to such third-party websites.

  1. How to contact us

Any questions or requests regarding this Privacy Policy, including any requests in respect to your personal data that we process, can be sent by post to the above-stated address or emailed to privacy.support@grin.co.

If you are in the EEA, you can also contact our appointed EEA data representative at datarep.com.

Similarly, if you are in the UK, you can contact our appointed UK data representative at datarep.com

  1. Information we collect about you

We provide our Services to two types of customers:

  • creators who sign up directly with us on the basis of our Creator Terms of Service (“Creator Customers”); and
  • agency and brand customers who have chosen to sign up to our Terms of Service (“Brand Customers”).

Depending on the Services we provide to you and how you interact with us, we collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data, which includes your email address, postal address, billing address (if different), telephone number (including any phone number used to contact our customer services number).
  • Email Data, which includes your email message bodies, subject lines, attachments, metadata, and headings.
  • Financial and Transaction Data, which includes payment card details, details of payments to and from you, and other financial and billing information.
  • Identity Data, which includes date of birth, first name, last name, title, job position, and the name of the organization at which you work.
  • Influencer Data (which we only collect about you if you are an Influencer Customer), and which includes the handles of and links to your accounts on social-media and content-sharing platforms (such as Facebook, Twitter, Instagram, Snap, YouTube, Vimeo, and Pinterest).
  • Marketing and Communications Data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Profile Data, which includes information about purchases from us made by you, product interests, preferences, feedback, and survey responses.
  • Technical Data, which includes your internet protocol (IP) address, cookie identifiers, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Services.
  • Usage Data, which includes information about how you use our Services and products, such as clickstream to, through, and from our Services (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.

Special category (sensitive) personal data

We do not knowingly act as the controller of any ‘special category’ personal data, i.e. information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership(s), genetic or biometric data, or information about your sexual orientation or sex life. If you believe that we hold any such ‘special category’ personal data about you, please contact us immediately using the contact details provided in section 2 above and we will immediately delete this.

Additional personal information about creators

Our Brand Customers who operate e-commerce stores use our Services to pull information from their e-commerce stores concerning their own customers and to identify potential creators whom those Brand Customers could approach from the list of those customers (“Potential Creators”). In order to identify Potential Creators, those Brand Customers instruct us to perform ‘web scraping’, whereby we pull and index publicly available personal information from the Internet about Potential Influencers.

Information about Potential Creators that we may gather, organize, and store on behalf of our Brand Customers in providing our Services to Brand Customers include name(s), email address(es), handles of and posts on their social media and content-sharing platform accounts (such as Facebook, Twitter, Instagram, Snap, YouTube, Vimeo and Pinterest) and follower/subscriber counts, work and/or education history, relationship status, profile pictures and any photographs, or audiovisual media made publicly available online that may feature the relevant Potential Influencer, current state/country and/or town/city of residence, language spoken, content of press articles relating to the relevant Potential Influencer, and other information made publicly available online by that Potential Influencer.

Although we are the controller of your information that we process if you are a Brand Customer or Creator Customer, we are not a controller of information about Potential Influencers that we gather, organize, and store when providing our Services to Brand Customers. In those circumstances, the Brand Customers who have instructed us to undertake web scraping on their behalf are the controllers of that information. This is because the web scraping is done for the Brand Customers’ purposes and not our own purposes.

This means that, if you think we are processing personal information about you in your capacity as a Potential Creator, you should direct any queries or concerns about how your personal information is handled in this way to the relevant Brand Customer, since we are simply processing that information on that Brand Customer’s behalf. If you are a Potential Influencer and are concerned about any personal information that we obtain via web scraping, please note that this information could be found by anybody with access to the Internet and, in the case of information gathered from your social media and content-sharing platforms, you have ultimate control over what information you choose to make publicly available on those platforms.

  1. How we collect and use your information

We will only collect and process personal data about where we have a lawful basis to do so, i.e. where:

  • we need your personal data to perform a contract with you (for example, to process a payment from you or to provide customer support);
  • we need your personal data to enable you to enter into a contract with another user of our Services (for example, where a Brand Customer and an Influencer to enter into an agreement regarding a specific marketing campaign);
  • the processing is in our legitimate interests (as described below) and not overridden by your interests, rights, or freedoms;
  • we have a legal obligation to collect or disclose personal data from you; and/or
  • we have your consent to process your personal data.

The following table sets out what personal data we collect about you, what we use that personal data for, and our lawful basis for doing so. Please be aware that we sometimes process your personal data using more than one lawful basis, depending on the specific purpose or activity.

Purpose/Activity Type of data Lawful basis for processing
To register you as a customer (a) Identity

(b) Contact

(c) Influencer

Performance of a contract with you
To process payments and refunds, operate and provide our Services to you, and collect money owed to us (a) Identity

(b) Contact

(c) Financial

(d) Transaction

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (for collecting money owed to us)

To enable you to enter into an agreement with another of our users pursuant to your use of our Services (a) Identity

(b) Contact

(c) Creator

Performance of a contract to which you are a party or to take steps prior to entering into that contract
To manage our relationship with you, including handling any complaints or queries and notifying you about changes to our Terms of Service, Creator Terms of Service and/or this Privacy Policy (a) Identity

(b) Contact

(c) Transaction

(d) Profile

(a) Performance of a contract with you

(b) Necessary to comply with our legal obligations

To administer and protect our business and our Services (e.g. troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), including providing you with technical notices, update and security alerts, and support and administrative messages (a) Identity

(b) Contact

(c) Technical

(d) Transaction

(e) Profile

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with our legal obligations

To use data analytics to improve our Services, products/services, marketing, customer relationships and experiences (a) Technical

(b) Usage

(c) Profile

(d) Creator

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant and ensure that its content is presented in the most effective manner for you and for your device, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about new proposals, opportunities, upcoming events, and other news (including information about products and services offered by us and our affiliates) (a) Identity

(b) Contact

(c) Technical

(d) Usage

(e) Profile

(f) Marketing and Communications

(g) Influencer

Your consent (you can withdraw this at any time by clicking the link to unsubscribe in our marketing emails and/or the relevant ‘STOP’ number in text messages, or by contacting us using the details above)

 

To protect us, our customers, and our Services from fraud and theft (a) Identity

(b) Contact

(c) Financial

(d) Transaction

Necessary for our legitimate interests (for detecting and preventing fraud)

 

Where the lawful basis stated above is your consent, you have the right to withdraw this consent at any time. You can also object to our processing in certain circumstances where our lawful basis for processing is our legitimate interests. Please see section 10 of this Privacy Policy for further information on how to exercise these rights.

Please note that, where we rely on your consent or our legitimate interests to process your personal data and you withdraw that consent or object to our processing, we will no longer be able to provide certain services to you that are dependent on this processing.

If any of your personal data (such as your Contact Data) changes, please ensure that you let us know by editing this in your account settings, so that the information we have about you is kept up to date.

  1. How we store your information

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorized way.

Our Services use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us via the Services. Whenever information is transferred between us in this way, you can check the relevant SSL certificate by looking for a closed padlock system or other trust mark in your browser’s URL bar or toolbar.

We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

 

  1. Who we share your information with

We limit access to your personal information to those who have a genuine business need to know it, such as our staff, affiliates, professional advisers, and business partners, suppliers, and subcontractors that we use in connection with the running of our business for the purposes set out in the table in section 4 of this Privacy Policy. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We may be required to share your personal information for prevention of crime or where otherwise required to do so by other regulators or by law.

If you choose to integrate your third-party email service or social-media or content-sharing platform service with our Services, the providers of those third-party services will remain the controller of your personal data and we will process the data on their behalf and share any information that you enter into their integrated versions via our Services with them.

We may be required by law to preserve or disclose your personal information and service data to comply with any applicable law, regulation, legal process, or governmental request, including in order to meet national security requirements. In addition, if we will also disclose personal information to the relevant authorities if we believe it is necessary to do so in order to prevent fraud, investigate any suspected illegal activity, or protect our users’ safety.

  1. How long we keep your information

If you have registered an account with us, we will retain your information for as long as you have that account. If you delete your account or request us to do so, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we will be able to use this information indefinitely without further notice to you.

  1. Cookies

Our Services use cookies to distinguish you from other users. This helps us to provide you with a good experience when you use our Services and also allows us to improve them.

For further information on cookies (including about how we use them and when we will request your consent before placing them and how to disable them), please see our Cookie Notice.

  1. International transfers of your information

We are based in the United States. By accessing or using our Services or otherwise providing personal information or service data to us, you agree to the processing, transfer, and storage of your personal information within the United States, and the transfer to Canada and Australia. We will handle your personal data in accordance with not only with applicable US laws, but also in accordance with the relevant provisions of the EU GDPR and UK GDPR. If we transfer your personal data to any third party located in a country that has not been deemed by the European Commission or the UK as providing adequate protection of your personal data, then we will ensure that such personal information is safeguarded through appropriate contractual terms or other approved mechanisms. If you have any questions about international transfers of your personal information, please contact us using the details set out in section 2 above.

  1. Your rights

Under applicable data protection laws, you have a number of important rights free of charge. In summary, those include rights to:

  • access to your personal information and to certain other supplementary information that this Privacy Policy is already designed to address;
  • require us to correct any mistakes in your information which we hold;
  • require the erasure of personal information concerning you in certain situations (please note this that this right will not apply where it is necessary for us to continue to use the relevant personal information for a lawful reason);
  • receive the personal information concerning you which you have provided to us (and where the relevant lawful basis stated in section 4 of this Privacy Policy is your consent or our performance of a contract with you), in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations (please note that this right does not apply to personal data contained only in hard-copy records);
  • withdraw your consent (if you have given this to us previously) for us to contact you for direct marketing purposes;
  • object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
  • object in certain other situations to our continued processing of your personal information; and
  • otherwise restrict our processing of your personal information in certain circumstances.

If you would like to exercise any of those rights, please contact us using the details provided section 2 of this Privacy Policy, letting us know the information to which your request relates.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests (in which case we will notify you and keep you updated).

There are some exceptions to the rights listed above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.

If you are in the EEA, you have a right to a lodge a complaint with your local supervisory authority. Click here for the contact details of each EEA country’s supervisory authority. Alternatively, if you are in the UK, you have the right to make a complaint at any time to the supervisory authority in the United Kingdom for data protection issues, the Information Commissioner’s Office (click here for their website).

We would, however, appreciate the opportunity to deal directly with your concerns before you approach the ICO or any other supervisory authority, and would be pleased to respond to any such complaints as your first-priority contact.

  1. Children’s personal information

As stated in our Terms of Service and Creator Terms of Service, our Services are not intended for anyone under the age of 13,  and we do not knowingly collect data relating to any individual below this age. If you believe that a child under the age of 13 has provided personal information to us, please contact us using the details set out in section 2 above and provide the relevant details, and we will take the necessary steps to delete the information we hold about that child.

If you are over 13 years of age but are not yet 18 years old, you must not use our Services unless your parent or legal guardian has read our Terms of Service, Creator Terms of Service, and this Privacy Policy AND your parent or legal guardian has given you permission to use our Services. Please do not change any of your privacy settings when using our Services without having first spoken to your parent or legal guardian.

  1. Updates to this Privacy Policy

This Privacy Policy was last updated in September 2021.

We may amend this Privacy Policy from time to time as necessary to comply with law or for legitimate business purposes. Any changes we make to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this Privacy Policy.