This Policy is continuously reviewed to ensure that they remain meaningful and accurate. TELLaSTORY reserves the right to change the Policy at any time without giving notice. By using the TELLaSTORY platform, you agree to the collection, use and disclosure of your Personal Data in accordance with this Policy.
TELLaSTORY is a property of BFLG Management AB, company with headquarters in Stockholm, Sweden, a member state of the European Union (EU). TELLaSTORY is bound the EU General Data Protection Regulation (GDPR), a general law on data protection and privacy. The basic principles outlined in this Policy aims to abide by the comprehensive set of regulations and corresponding legal obligations outlined in the GDPR. If, on a case-by-case basis, an applicable local law which has a stricter data protection and privacy requirements than this Policy applies, then the personal data will be PROCESSED in compliance with those stricter laws. However, this Policy shall not restrict TELLaSTORY's right to use personal data to the fullest extent legally possible in order to preserve its position during any legal action or official proceedings.
TELLaSTORY respects and protects the rights of individuals, in particular the right to data protection and privacy, during the processing and use of PERSONAL information as well as the right to privacy. The protection of Personal data or information comprises, but is not limited to, the personal data of employees, authors, users, customers, suppliers, partners, and all other persons within TELLaSTORY's area of responsibility. It is the duty of all TELLaSTORY employees or TELLaSTORY 3rd Party service providers to comply with the provisions of this Policy when handling personal data in their daily work for TELLaSTORY.
TELLaSTORY Subscription options allow a Subscriber/Administrator to have access to their own Private map and create their own content. Subscribers and assigned Editors are administrators and can/are responsible to manage their own users and content. Subscription users may keep their content private wherein they do not have access to information about users belonging to the Subscription maps they aren't assigned to. Subscription members can only see other users who are also assigned to their Map. Content, including photos, stories, videos, audio files and other materials will then be accessible, manageable, and visible to invited members and subscribers only.
2. Privacy Basics
We collect the data, story content or/and other information you provide when you use our Services. Data collection include signing up for an account, subscription, creating, storing or sharing digital content, and submitting messages or communicating with others. This can include information in or about the content you provide, such as the location of a photo, story references or the date a file was created. Example of the information you provide:
- Your username, password and e-mail address when you register for an account.
- Profile information that you provide for your user profile (e.g., first and last name, picture, phone number, or other information included in the section about you).
- User Content (e.g., photos, stories, and other digital content) that you post to the Service. When you share and communicate, you choose the audience who can see what you share. For example, when you create a story, you define if your published story will be public or private.
- Communications relevant for Services.
- The operating system of the computers, hardware type, phones, or other devices settings like location, number, language and time zone, IP address, where you install or access our portal, depending on the permissions you’ve granted.
During every process that includes collecting, processing, or using personal data, personal data may be processed or used only in accordance with the purpose, with this Policy and to the extent permitted by law. Data is collected to the extent absolutely necessary for fulfilling the purpose specified and made known to the user before it is processed or used; any other processing is not permitted. All the above-named collections and activities are essential for our service, published surveys, campaigns, or development efforts to provide you with the best possible portal experience, interaction or view. To provide, improve, develop and deliver Services, we collect information about the portal usage, frequency and duration of portal activities and data related to your content or yourself.
We use this information to provide:
- An efficient access to your information after you sign in.
- A consistent experience across your devices.
- A data history so you will not have to re-enter the information during your visit or the next time you visit the Service
- Provide personalized content and information to you and others, which could include online ads or other forms of marketing.
- Provide, improve, test, and monitor the effectiveness of our Service develop and test new products and features.
- Monitor metrics such as total number of visitors, traffic, and demographic patterns.
- Diagnose or fix technological problems.
- Any other terms we’ve let you know about. Please read, print, and save a copy of these terms and policies for your records.
To personalize and make the content relevant, we collect information about the people and groups you network with or details of your location, which is used to provide you with the published stories in your immediate neighborhood. We also collect contact information you provide if you upload, sync or import this information (such as a reference or link). Personal data is to be collected directly from the person affected. Personal data must be accurate at all times and corrected when necessary.
Public information is any information you share with a public audience, as well as information in your Public Profile, or content you share on a TELLaSTORY or another public forum. Public information is available to anyone on or off our Services and can be seen or accessed through online search engines, APIs, and offline media, such as on TV. Please do not post or add personal data to your profile that you would not want to be publicly available.
Processing is allowed if:
- A “User” registers on a website. By registering as a “User” you confirm your consent.
- Providing Services according to the contracts.
- Legally required or permitted, for example, due to tax or social security laws.
Personal data may be retained only for as long as is absolutely necessary for the purposes specified or other legal requirements. Thereafter, personal data not used for the Service nor needed for legal reason will be deleted or anonymized.
Legal retentions include, but are not limited to, for example a donation, or the details related to the transaction payment information, such as your credit or debit card number and other card information, and other account and authentication information, as well as billing, shipping and contact details.
3. Responsibilities for Data Protection and Privacy
The following tasks are the responsibility of management of TELLaSTORY:
- Continuous monitoring of the applicable law.
- Ensuring that processes during which personal data is collected, processed, and/or used are in line with applicable law, and that local and global process owners are informed of necessary changes.
- Ensuring that all approvals required by the supervisory authorities for collecting, processing, using, and transferring personal data have been granted, and that the necessary notifications have been sent to the supervisory authorities.
Within TELLaSTORY, responsibility can be delegated along the organizational structure of TELLaSTORY by means of documented instructions from management, guidelines, and business processes that involve the explicit transfer of responsibility to managers at different levels as well as employees and partners. Management is responsible for structuring all processes during which personal data is collected, processed, or used in such a way that the requirements of this Policy are fulfilled.
Before commencing an activity during which access to personal data is required, every employee and every data processor will only collect, process or use personal data with the consent of the data subject. The collected data will be handled confidentially and only in accordance with the purpose for which it was collected.
Notification, Accuracy, and Inspection - The data subject is informed that their personal data is being collected, processed, transferred and/or used in accordance with the declared purpose and only to such extent necessary to achieving the purpose. It is the responsibility of the End User to ensure that the stored personal data is accurate. All processes for collecting, processing, and/or using personal data must contain an option for correcting, updating, and, where required by applicable law, deleting or blocking. Inaccurate data must be corrected or deleted as soon as practicably possible. The data subject may, at any time, request information about his/her personal data, its origin, purpose for storing, and recipients to whom the data disclosed. Queries or complaints submitted by the data subject must be processed by the TELLaSTORY without undue delay or according to those timeframes imposed by local law, whichever is the earlier. Objections from the data subject with regard to the processing of personal data must be investigated and, if necessary, remedial action must be taken.
Storage, Data Deletion - The personal data collected will be deleted after the specified purpose has been fulfilled or if the legal basis no longer applies. The duration of the storage of personal data is only for as long as necessary to provide the products and services to the end users. Personal data will be kept until the account is deleted, unless TELLaSTORY no longer needs the data to provide products and services. The data subject can delete his account at any time. Instead of deleting the personal data, the data subject may anonymize it, allowing his/her content to be public without revealing his/her personal identity. If, for technical or legal reasons (for example, if the retention of data is legally required for tax purposes), it is not possible to either delete or anonymize personal data, this personal data must be blocked for any further processing and/or use, as well as for further access.
It is the duty of all TELLASTORY employees to treat personal data to which they have access in the course of fulfilling their contractual duties with TELLaSTORY, as confidential. TELLaSTORY employees and partners may collect, process, and/or use personal data only to the extent required to fulfil their duties, and in accordance with approved processes. If collecting, processing, or using personal data is not recognizably prohibited for the employee, he or she can refer to the legality of the management's instructions.
Special types of personal data are details on racial and ethnic origin, political views, religious or philosophical beliefs, union membership, health, or sexual preferences. Special types of personal data are equal to such personal data that requires special sensitivity for the data subject (sensitive data). For example, this is the case for data on criminal activities, as well as on those individuals who in their respective country fall below the age legally deemed as adult i.e., minors.
In the instances in which TELLaSTORY, or data processors, collect special types of personal data, management must ensure that the data subjects have been informed in advance and have given their consent. Provided that applicable law does not determine otherwise, special types of personal data may be collected, stored, processed, and transferred only with the explicit consent of the persons affected. Increased precautions (for example, physical safety features, encryption, and access restrictions) that are appropriate for the special sensitivity are to be taken for collecting, storing, processing, and transferring this data.
Transfer of personal data
If personal data is to be shared within TELLaSTORY or with other companies. TELLaSTORY will impose strict restrictions on how the third-party partners can use and disclose the personal data, including signed contractual assurances to ensure that the latter’s processes meet the GDPR’s regulations. Such a check is always required if TELLaSTORY is to process data on behalf of an external service provider is to process data on behalf of an TELLaSTORY company (“transfer for processing purposes”). TELLaSTORY ensures that the sharing of personal information is for a legitimate reason, with the consent of the data subject, and with appropriate protection and safeguards in place.
TELLaSTORY must ensure that external companies who are to collect, process, or store personal data on their behalf, are reviewed regularly and in advance to ensure that they comply with the requirements of data protection and privacy regulations, and that the necessary contracts with these companies have been concluded.
We do not share information that personally identifies you (personally identifiable information is information like name or email address that can by itself be used to contact you or identifies who you are) with advertising, measurement, or analytics partners unless you give us permission. We may provide these partners with information about the reach and effectiveness of their advertising without providing information that personally identifies you, or if we have aggregated the information so that it does not personally identify you. For example, we may tell an advertiser how its ads performed, or how many people viewed their ads or installed an app after seeing an ad or provide non-personally identifying demographic information (such as age, gender, location, interest) to these partners to help them understand their audience or customers, but only after the advertiser has agreed to abide by our advertiser guidelines.
The review can be delegated and conducted on regular basis.
Transfer for recipient's own purposes:
The transfer of personal data to an external entity for their own purposes is allowed only if this is permitted or required by law, or if the persons affected have given their prior consent. TELLaSTORY ensures that the legal requirements are checked before the data is transferred.
Transfer to state agencies (authorities and courts):
TELLaSTORY will transfer personal data to governmental agencies only on the basis of applicable law and after Legal have performed a prior check and taking into account other required areas within the TELLaSTORY. In the event of a request for information from a governmental authority or a court of competent jurisdiction, TELLaSTORY will inform the data subject of this without undue delay.
4. Data Protection and Privacy Supervisory Authorities and Data Security
If so required by law, contract and/or the obligations set down in this Policy, TELLaSTORY must always cooperate with any data protection and privacy supervisory authority irrespective of whether such authoritative entity is based within the EEA or outside the EEA.
If a data protection and privacy supervisory authority requests information or otherwise exercises their right of investigation, TELLaSTORY will act in accordance with the respective data protection and privacy supervisory authorities’ instructions. Certain data protection and privacy laws require special security measures to be implemented when collecting, processing, and/or using personal data. TELLaSTORY shall define such measures in compliance with the legal requirements in the TELLaSTORY Security Policy and the related Security Standards and Guidelines. We may access, preserve and share your information in response to a legal request (like a search warrant, court order or subpoena) if we have a good faith belief that the law requires us to do so.
Anonymized data / Anonymous data
Anonymized data is data in a form that makes the direct or indirect identification of an individual person impossible, even with the aid of other data or information. Anonymous data does not have any reference to a person when it is collected. Anonymous and anonymized data is no longer subject to the internal or external data protection and privacy regulations.
Special categories of personal data
Data on the racial or ethnic origin, political views, religious or philosophical beliefs, union membership, felonies, penal convictions, health, or sexual preferences of persons, as well as data that can be misused for identity theft, for example, social security numbers, credit card and bank account numbers, as well as passport or driver's license numbers.
An identified or identifiable natural person whose personal data is affected by a data processing action. A person is deemed identifiable if he or she can be identified directly or indirectly, in particular by reference to an identity number or to one or more factors specific to that person's physical, physiological, psychological, economic, cultural, or social identity.
Data processing actions (collecting, processing, and/or using)
Collecting means procuring data on the person affected. Processing describes any operation performed with or without the aid of an automatic procedure, or any set of operations connected with personal data, for example, collecting, saving, modifying, storing, changing, transferring, locking, or deleting personal data. Using means any usage of personal data except for processing.
A natural or legal person, authority, institution, or any other office, except for the following:
- The person affected
- The office responsible
- The commissioned data processor
- The persons who, under the direct responsibility of the data controller or the commissioned data processor, are authorized to process the data for the purposes of this Policy as well as applicable data protection and privacy laws. Different companies associated with the TELLaSTORY are classified as third parties in relation to each other.
This may be explicit or implicit. Explicit consent generally requires an action by the person affected, through which they allow the processing of data, for example, the declaration of consent with the sending of e-mails, or entering of personal data (opt-in). Explicit consent granted without duress is deemed to be the legal basis for the processing of personal data, provided no other legal provision is in force. Implicit consent (for example, via opt-out) allows processing provided the person affected does not object.
Either the physical destruction of data or the anonymization of data in such a way that makes it impossible to relate the data to a natural person.
All information on an identified or identifiable natural person (person affected). A person is deemed identifiable if he or she can be directly or indirectly identified, in particular by reference to an identity number or to one or more factors specific to that person's physical, physiological, psychological, economic, cultural, or social identity. For example, persons can be identified directly on the basis of names, telephone numbers, e-mail addresses, postal addresses, user IDs, tax numbers, or social security numbers, or indirectly on the basis of a combination of any information. Personal data that is subject to this Policy includes data on employees, applicants, former employees, customers, interested parties, suppliers, partners, users of TELLaSTORY websites and services, and any other persons. The data may be contained in an TELLaSTORY system, or in systems of third parties, who operate these on behalf of TELLaSTORY. Customer systems that TELLaSTORY or third parties on behalf of TELLaSTORY operate are also relevant, as are systems operated by customers themselves if TELLASTORY employees can access the personal data stored in these systems while providing services, support, or consulting services.