(Last Updated June 6, 2023)
The websites at https://grin.co and https://app.grin.co, as well as with any present or future affiliated or related mobile application (together, our “Services”) is operated by Grin Technologies, Inc., whose principal place of business office is at 400 Capitol Mall, Floor 9, Sacramento, CA 95814, United States of America (“we”, “us”, or “our”).
This Privacy Policy is intended for users of our Services in the European Economic Area (EEA) and the United Kingdom (UK). Users in the EEA have certain privacy rights under applicable laws, including the EU General Data Protection Regulation (EU GDPR), the UK General Data Protection Regulation (UK GDPR), and the UK Data Protection Act 2018. For details of how we handle the personal information of users in the United States, please see our US Privacy Policy.
As a controller of your personal data (i.e. any information about an individual from which that individual can be identified), we are committed to protecting and respecting your privacy.
This Privacy Policy (together with our Terms of Service, Creator Terms of Service, and any other documents referred to in them, as well as our Cookie Notice) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Our Services include links to third-party websites and applications. We do not control these third-party websites and are not responsible for their privacy statements, notices, or policies. When you leave our Services, we encourage you to read the privacy information of every website you visit. We do not accept any responsibility or liability for the privacy policies or notices on third-party websites. Please check these policies before you submit any personal data to such third-party websites.
Any questions or requests regarding this Privacy Policy, including any requests in respect to your personal data that we process, can be sent by post to the above-stated address or emailed to [email protected]
If you are in the EEA, you can also contact our appointed EEA data representative at datarep.com/data-request.
Similarly, if you are in the UK, you can contact our appointed UK data representative at datarep.com/data-request.
We provide our Services to two types of customers:
– creators who sign up directly with us on the basis of our Creator Terms of Service (“Creator Customers”); and
– agency and brand customers who have chosen to sign up to our Terms of Service (“Brand Customers”).
Depending on the Services we provide to you and how you interact with us, we collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Special category (sensitive) personal data
We do not handle any ‘special category’ personal information (i.e. information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership(s), genetic or biometric data, or information about sexual orientation or sex life) of our Brand Customers.
If you are a Creator Customer, we will hold any ‘special category’ information about you (as defined above) that you have chosen to make publicly available on your social-media and content-sharing platforms (such as Facebook, Twitter, Instagram, Snap, YouTube, Vimeo, and Pinterest) from which we have pulled and indexed information about you in order to provide our Services to you. This will only include ‘special category’ information that you have chosen to make publicly available yourself on those platforms. You have ultimate control over what information you choose to make publicly available on those platforms.
Additional personal information about creators
Our Brand Customers who operate e-commerce stores use our Services to pull information from their e-commerce stores concerning their own customers and to identify potential creators whom those Brand Customers could approach from the list of those customers (“Potential Creators”). In order to identify Potential Creators, those Brand Customers instruct us to pull and index publicly available personal information from social-media and content-sharing platforms about Potential Creators.
Information about Potential Creators that we may gather, organise, and store on behalf of our Brand Customers in providing our Services to Brand Customers include name(s), email address(es), handles of and posts on their social media and content-sharing platform accounts (such as Facebook, Twitter, Instagram, Snap, YouTube, Vimeo and Pinterest) and follower/subscriber counts, work and/or education history, relationship status, profile pictures and any photographs, or audiovisual media made publicly available online that may feature the relevant Potential Creator, current state/country and/or town/city of residence, language spoken, content of press articles relating to the relevant Potential Creator, and other information made publicly available online by that Potential Creator.
Although we are the controller of your information that we process if you are a Brand Customer or Creator Customer, we are not a controller of information about Potential Creators that we gather, organise, and store when providing our Services to Brand Customers. In those circumstances, we do this for the Brand Customers’ purposes and not our own purposes.
If you are a Potential Creator and are concerned about any personal information that we obtain about you, please note that this information could be found by anybody with access to the Internet and, in the case of information gathered from your social media and content-sharing platforms. You have ultimate control over what information you choose to make publicly available on those platforms.
We will only collect and process personal data about where we have a lawful basis to do so, i.e. where:
The following table sets out what personal data we collect about you, what we use that personal data for, and our lawful basis for doing so. Please be aware that we sometimes process your personal data using more than one lawful basis, depending on the specific purpose or activity.
| Purpose/Activity | Type of data | Lawful basis for processing |
|---|---|---|
| To register you as a customer | (a) Identity (b) Contact (c) Influencer | Performance of a contract with you |
| To process payments and refunds, operate and provide our Services to you, and collect money owed to us | (a) Identity (b) Contact (c) Financial (d)Transaction | (a) Performance of a contract with you (b) Necessary for our legitimate interests (for collecting money owed to us) |
| To enable you to enter into an agreement with another of our users pursuant to your use of our Services | a) Identity (b) Contact (c) Creator | Performance of a contract to which you are a party or to take steps prior to entering into that contract |
| To manage our relationship with you, including handling any complaints or queries and notifying you about changes to our Terms of Service, Creator Terms of Service and/or this Privacy Policy | (a) Identity (b) Contact (c)Transaction (d) Profile | (a) Performance of a contract with you (b) Necessary to comply with our legal obligations |
| To administer and protect our business and our Services (e.g. troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data), including providing you with technical notices, update and security alerts, and support and administrative messages | (a) Identity (b) Contact (c)Technical (d)Transaction (e) Profile | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud, and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with our legal obligations |
| To use data analytics to improve our Services, products/services, marketing, customer relationships and experiences | (a) Technical (b) Usage (c) Profile (d) Creator | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Services updated and relevant and ensure that its content is presented in the most effective manner for you and for your device, to develop our business and to inform our marketing strategy) |
| To make suggestions and recommendations to you about new proposals, opportunities, upcoming events, and other news (including information about products and services offered by us and our affiliates) | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications (g) Influencer | Your consent (you can withdraw this at any time by clicking the link to unsubscribe in our marketing emails and/or the relevant ‘STOP’ number in text messages, or by contacting us using the details above) |
| To protect us, our customers, and our Services from fraud and theft | (a) Identity (b) Contact (c) Financial (d) Transaction | Necessary for our legitimate interests (for detecting and preventing fraud) |
Call recording/transcripts (Zoom, Google Meet, Phone Calls) | (a) Identity (b) Contact | Your consent (you can withdraw this at any time by verbally withdrawing consent or withdrawal through in-call chat function) |
Where the lawful basis stated above is your consent, you have the right to withdraw this consent at any time. You can also object to our processing in certain circumstances where our lawful basis for processing is our legitimate interests. Please see section 10 of this Privacy Policy for further information on how to exercise these rights.
Please note that, where we rely on your consent or our legitimate interests to process your personal data and you withdraw that consent or object to our processing, we will no longer be able to provide certain services to you that are dependent on this processing.
If any of your personal data (such as your Contact Data) changes, please ensure that you let us know by editing this in your account settings, so that the information we have about you is kept up to date.
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way.
Our Services use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us via the Services. Whenever information is transferred between us in this way, you can check the relevant SSL certificate by looking for a closed padlock system or other trust mark in your browser’s URL bar or toolbar.
We have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We limit access to your personal information to those who have a genuine business need to know it, such as our staff, affiliates, professional advisers, and business partners, suppliers, and subcontractors that we use in connection with the running of our business for the purposes set out in the table in section 4 of this Privacy Policy. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We may be required to share your personal information for prevention of crime or where otherwise required to do so by other regulators or by law.
If you choose to integrate your third-party email service or social-media or content-sharing platform service with our Services, the providers of those third-party services will remain the controller of your personal data and we will process the data on their behalf and share any information that you enter into their integrated versions via our Services with them.
We may be required by law to preserve or disclose your personal information and service data to comply with any applicable law, regulation, legal process, or governmental request, including in order to meet national security requirements. In addition, we will also disclose personal information to the relevant authorities if we believe it is necessary to do so in order to prevent fraud, investigate any suspected illegal activity, or protect our users’ safety.
If you have registered an account with us, we will retain your information for as long as you have that account. If you delete your account or request us to do so, we will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
In some circumstances we will anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we will be able to use this information indefinitely without further notice to you.
Our Services use cookies to distinguish you from other users. This helps us to provide you with a good experience when you use our Services and also allows us to improve them.
For further information on cookies (including about how we use them and when we will request your consent before placing them and how to disable them), please see our Cookie Notice.
We are based in the United States. By accessing or using our Services or otherwise providing personal information or service data to us, you agree to the processing, transfer, and storage of your personal information within the United States, and the transfer to Canada and Australia. We will handle your personal data in accordance not only with applicable US laws, but also in accordance with the relevant provisions of the EU GDPR and UK GDPR. If we transfer your personal data to any third party located in a country that has not been deemed by the European Commission or the UK as providing adequate protection of your personal data, then we will ensure that such personal information is safeguarded through appropriate contractual terms or other approved mechanisms. If you have any questions about international transfers of your personal information, please contact us using the details set out in section 2 above.
Under applicable data protection laws, you have a number of important rights free of charge. In summary, those include rights to:
If you would like to exercise any of those rights, please contact us using the details provided section 2 of this Privacy Policy, letting us know the information to which your request relates.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests (in which case we will notify you and keep you updated).
There are some exceptions to the rights listed above and, although we will always try to respond to any instructions you may give us about our handling of your personal information, there may be situations where we are unable to meet your requirements in full.
If you are in the EEA, you have a right to lodge a complaint with your local supervisory authority. Click here for the contact details of each EEA country’s supervisory authority. Alternatively, if you are in the UK, you have the right to make a complaint at any time to the supervisory authority in the United Kingdom for data protection issues, the Information Commissioner’s Office (click here for their website).
We would, however, appreciate the opportunity to deal directly with your concerns before you approach the ICO or any other supervisory authority, and would be pleased to respond to any such complaints as your first-priority contact.
As stated in our Terms of Service and Creator Terms of Service our Services are not intended for anyone under the age of 13, and we do not knowingly collect data relating to any individual below this age. If you believe that a child under the age of 13 has provided personal information to us, please contact us using the details set out in section 2 above and provide the relevant details, and we will take the necessary steps to delete the information we hold about that child.
This Privacy Policy was last updated in May 2023.
We may amend this Privacy Policy from time to time as necessary to comply with law or for legitimate business purposes. This Privacy Policy is reviewed yearly to ensure that personal data is used in conformity with the purposes identified in the Privacy Privacy, and any relevant regulations or frameworks. Any changes we make to this Privacy Policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to this Privacy Policy.
