Data Collection
We collect only the data necessary for the agreed-upon purposes and ensure that data collection methods comply with relevant laws and regulations. In particular, we ensure that consent has been given for the intended use of the data we receive.
Data Handling
- All data is encrypted at rest using industry-standard encryption algorithms.
- Data is stored in a secure, access-controlled environment. We use a cloud service (GCP) with robust security certifications, which also requires users to have 2FA (two-factor authentication) set up and enabled.
- Data access is limited to authorised personnel through granular identity and access control management (IAM) and role-based access control (RBAC).
- All staff are trained on how to handle and manage sensitive data.
- Data will not be shared with any external third parties unless previously agreed with the brand and a data transfer agreement has been put in place.
- We maintain records of data protection activities, including data collection, access logs, incident reports, and training records.
- We have data retention policies to ensure data is kept only as long as necessary and disposed of securely when no longer needed.
Incident Response and Reporting
- We maintain an internal incident response plan, which we use to address data breaches and security incidents.
- We take immediate action to contain and mitigate any data breaches, including notifying affected parties and relevant authorities as required by law.
- We document and report all incidents in accordance with legal and contractual requirements.
Data Subject Rights
Individuals have the following rights concerning their personal data: