Instaply is a service provider which provides communication services to its professional customers, generally companies that provide services or sell goods to consumers. Thanks to the Instaply platform, end-users (i.e. individuals, clients of Instaply’s customers) are able to communicate (notably in writing via short messages) with any shop, company or entity that has entered into a contractual relationship with Instaply (the “Services“).
In this context, Instaply may gather and process data that is sent by end-users to its customers and, reciprocally, may gather and process data that is replied by its customers to the end-users. Such data may include personal data (as defined hereunder).
Protection of privacy has always been extremely important to Instaply right from the start.
These practices have been defined in accordance with the principles of “Privacy by Design” and “Privacy by Default”, which means that Instaply has designed the Services to enable efficient communication between Users, while striving to protect the personal data of said Users. In principle, only the information strictly necessary for the provision of the Services is collected and processed by Instaply. Where appropriate Users can consent to provide other information.
In all cases, this information is collected and processed confidentially and securely in accordance with appropriate protection measures, in compliance with the state of the art and pursuant to legislation on the protection of personal data, namely the General Data Protection Regulation (EU) No. 2016/679 of 27 April 2016 (the “GDPR“) and/or any national law of a Member State of the European Union, adopted pursuant to or for transposition of the GDPR (hereinafter collectively the “Applicable Laws“).
Instaply also adhered to the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding international transfers of personal data (please see art. 13 hereunder).
4. Instaply’s role in the provision of Services
As indicated in the Terms, Instaply acts exclusively as processor of the information that we receive as part of the Services pursuant to the meaning ascribed to the term “processor” by Applicable Laws.
This means that Instaply will act at all times solely upon instruction of its clients, data controllers, to the extent strictly necessary under the Terms and in accordance with Applicable Laws.
5. How do we collect information?
Instaply’s Services are designed to make it easier for you to communicate with your customers and prospects. The use of such Services therefore requires the collection and processing of some of the Users’ personal data, who either (i) must provide information or (ii) communicate information spontaneously, either for processing their request or to respond to a specific request.
For example, Instaply collects a User ID to ensure communication between Users. However, Users are free to provide any information they choose to formulate a request or respond to a request from another User. Users are also free to opt-out whether their personal information is to be disclosed to a third party or to be used for a purpose that is materially different from the purpose for which it was originally collected (please see 11. below).
The collection and processing of information that transits through the Services is, in any event and depending on the circumstances, either carried out under the Terms in the name and on behalf of the data controller or implemented by consent of a User who chooses to provide the information via the Services.
6. Which information do we collect as part of the Services?
The information we collect is generally as follows:
- information identifying a User (client or prospect) seeking to contact you through the Services, for example his last name, first name, e-mail address, phone number, or even any social network or messaging ID, depending on the communication method chosen by such User;
- the content of communications sent by a User (customer or prospect) seeking to communicate with you, as well as the content of communications from User members of your staff, to respond to requests from another User (customer or prospect);
- we can also use “pixel tags,” “web beacons” of “transparent GIFs” or any other similar technique (hereinafter individually or collectively the “Web Beacons“) in connection with our Services to collect data on the use of our Services as well as demographic data. A Web Beacon is an electronic image, usually a transparent graphic element, which is placed on a web page and can be associated with cookies on a hard drive. Web Beacons allow us to count the number of Users who have consulted web pages of the Services, with the aim of providing them with customized services and enabling us to rate the efficiency of our Services;
- our servers automatically save certain information on how a User uses our Services (hereinafter the “Login Data“). Login Data may contain information such as a User’s Internet Protocol (IP) address, browser type, operating system, the web page that a User visited before accessing our Services, the pages or features of our Services that a User consulted, and the time spent on those pages or features, the key search words used, the links in the Services clicked on by a User, plus other statistics;
- if a User communicates via a mobile device, we collect the information that is automatically sent to us by such device, such as the device ID, configuration information and the device’s operating system, as well as information relating to the use of our Services;
- In some cases, we collect information on the Service Users’ location. We may use Users’ location information to improve and customize our Services to their advantage. If a User does not want us to use his location information, they can disable this function on their mobile device.
As a rule, the Services are intended to allow the exchange of information of an essentially commercial nature (store opening times, after-sales service, etc.) and are not designed to collect or process personal data of a “sensitive” nature within the meaning of Applicable Laws. Should a User decide to provide such data as part of the Services, this will only be permitted with the User’s explicit consent. In any case, Instaply disclaims all liability in this regard.
7. How do we use the information we collect as part of the Services?
Instaply only uses the information collected as part of the Services for the following purposes:
- Primarily, the information is used to provide you with the Services, i.e. to enable you to communicate with your customers and prospects: the transmission of this information allows you to learn the identity of the person seeking to contact you and to take note of his request. This data is thus subject to processing in order to transmit it to you, depending on the channel chosen by the User, so that you can read it and respond;
- On an ancillary basis, and only concerning the technical data described in point 6. above (especially the Login Data), the information that we collect is used to administer our Services. We use this information to manage the Services and we analyze it (directly or via third party contractors) to enhance the Services by improving their features and functions, as well as adapting them to Users’ needs and preferences. We can also use a User’s IP address to combat unsolicited messages (“spam”), malicious software (“malware”), and identity theft. We may also use a User’s IP address to generate aggregated and anonymous information relating to the way in which a User uses our Services.
8. To whom do we disclose the data we collect as part of the Services?
When we process the data we collect as part of the Services, its transmission is restricted to a certain number of explicitly listed recipients, namely:
- You, as data controller. This concerns all the information relating to the content of the communications sent to you. This information is solely made available to you;
- Users: when you respond to a User (client or prospect), your answer is sent to the latter. This response may contain any type of information, according to the message that you (or your designated employee) have chosen to send him. This information is solely made available to the User in question;
- Us: we may become aware of certain information relating to messages that you exchange with Users (customers or prospects), but exclusively for Service maintenance purposes. We never look at the messages that the Users exchange, except (i) if we are forced to and (ii) if you have explicitly authorized us to. In any event, Instaply has verified the reliability of its staff members who may have access to the information that transits through the Services. All Instaply staff members have been made aware of the issue of personal data protection and know how to exercise caution in this respect under Applicable Laws and are bound to protect the confidentiality of information transiting through the Services;
- Other third parties: exceptionally, we may share information with third parties that is aggregated and/or anonymous, i.e. that cannot identify a User, for market analysis, demographic profiling and other similar purposes; under certain conditions, Instaply may be found liable for wrongful onward transfers to third parties of personal information received in the course of the Services and/or pursuant to Privacy Shield ;
- The authorities: it is our policy to protect Users of our Services from breaches of their privacy. However, we will where appropriate cooperate with state, administrative or judicial authorities, including supervisory authorities responsible for enforcing Applicable Laws, when we are compelled to and including to meet national security or law enforcement requirements. Instaply may also be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Accordingly, we reserve the right to disclose any information collected in connection with the Services to competent authorities when required to do so in order to: (I) satisfy or comply with any law in force, any regulation or any judicial procedure or to respond to judicial requests, notably summons to appear in court, mandates or judicial orders; (ii) protect our property, rights and our safety as well as the rights, property and safety of third parties or the general public; and (iii) prevent or halt an activity that we deem unlawful or unethical.
Please be aware that the opposition from a User to the transmission of its personal data to certain of these above-mentioned recipients may make the provision of the Services simply impossible as this transmission is technically necessary and/or mandatory. Instaply does not share the Users’ personal data with persons or entities that do not need to collect or process them for the purpose of the provision of the Services.
9. Instaply respects Service Users’ choices
This means that if a User decides not to provide us with the information (notably the personal data) we need to provide the Services, then the User may not be able to access all the Services’ features. This concerns notably a User’s phone number if the services are provided by SMS.
10. Instaply ensures the security of the information provided as part of the Services
As a data processor, Instaply undertakes to implement and maintain, at its own expense, ad hoc technical and organizational measures for the processing and security of personal data, pursuant to Applicable Laws and notably Articles 32 to 34 of the GDPR.
Instaply thus ensures that these technical and organizational measures are always adapted to the specific risks associated with its processing activities, concerning the type of data likely to transit through the Services, especially to protect personal data against destruction, loss, alteration, unauthorized disclosure or accidental or unlawful access.
Thus, regarding the technical measures implemented by Instaply:
- all the information is encrypted both during its transmission via the services and its storage. This information is transmitted via an SSL connection from the source to the target. During their storage, the databases are encrypted, and encrypted copies are created;
- the Services platform works according to the HTTPS protocol and is completely isolated on a virtual private cloud hosted at Amazon Web Services; only the intended traffic can pass through the firewall, everything else is blocked by default;
- logging and tracking systems allow us to detect suspicious activity in real time; all access attempts are recorded and saved in logs;
- we regularly perform security tests to ensure that the system is not vulnerable to this form of attack;
- the Services have been configured in such a way that only certain Instaply staff members who need this information can access the information that transits through the Services. As indicated above, this access takes place (i) only for maintenance of the Services and (ii) upon explicit and specific instructions from the data controller;
- roles and profiles of Instaply members of staff are thus configured according to the least privilege principle;
- on the client side (data controller), access to the platform is granted only to certain members of staff duly identified by agreement with Instaply; solely read-only access may be granted for certain profiles; access rights to the system may be revoked by the administrator with immediate effect;
- the Services platform servers are controlled by security groups. Access to these systems, via a bastion, is limited to just a few administrators.
Instaply also undertakes to maintain, update and keep complete and accurate records on the processing of personal data implemented as part of the Services. These records give details of its processing activities. Instaply can provide such records and associated documentation to the relevant data controller to prove its compliance with Applicable Laws.
Instaply also undertakes to grant each of its clients the right to audit its records, at a maximum of once every calendar year and subject to a written notice of at least 30 (thirty) calendar days, relating to the processing carried out on behalf of the client concerned. However, since the information transmitted via the Services is stored on servers hosted by Amazon Web Services, no on-site visits may be made.
11. Instaply allows the exercise of the rights derived from Applicable Laws.
Instaply acts only as processor in full transparency for the Users (your customers and prospects).
Therefore, only you – as data controller in direct contact with Users – will be in the position to inform Users of their rights which are granted by Applicable Laws (right to access, modify, delete, oppose, right to invoke binding arbitration, right to opt-out whether their personal data is to be disclosed to certain third party or to be used to for a purpose that is materially different from the one for which it was originally collected, etc.).
And only you will receive requests from data subjects to exercise their rights.
When you receive such a request, and to the extent Instaply’s involvement as processor is required, you must send it to us as soon as possible so that we can respond satisfactorily to such request. This request must be sent by email to our Data Privacy Officer: firstname.lastname@example.org, who will process it as soon as possible and either way within 72 (seventy-two) working hours from receipt.
You must inform your Users that any request to exercise their rights will be treated in accordance with Applicable Laws but that (i) depending on the type of request, access to the Services could be impeded or even rendered impossible and that (ii) in the event of exercise of the right to object or the right to be forgotten, some data could nonetheless be retained by Instaply for the latter to comply with its legal obligations.
Finally, pursuant to Applicable Laws and given the technique implemented, the Services do not currently allow for exercise of the right to portability of personal data.
12. Notification of a personal data breach
In the event of a personal data breach of any kind, Instaply will without delay and within 24 (twenty-four) hours after becoming aware of such breach, inform the customer concerned and provide the latter with sufficient information as to the type of breach to enable said customer to comply with its obligations under Applicable Laws.
13. International transfers of data
All the information collected and processed via the Services is stored on a cluster of servers hosted by Amazon Web Services located within the European Union. In principle Instaply does not transfer data outside the European Union.
This certification to the EU-U.S. Privacy Shield Framework allows the transfer of personal data to the United States of America to cover the following cases:
- if Instaply staff members based in the United States of America need access to the information for maintenance reasons and in accordance with the data controller’s instructions;
- to ensure the transmission of information to our service provider Mixpanel. This data is however exclusively anonymous and does not enable individual users to be identified. It is used exclusively to compile general statistics on use of the Services;
- to ensure the transmission of certain information to our service provider Periscope. However, this provider is only connected to a separate database containing only identifiers, with no directly identifiable personal data;
- to ensure the transmission of certain information to our service provider Twilio. This provider provides an intermediary email server that does not store message content but only certain metadata. The contract between Instaply and Twilio imposes strict confidentiality and security obligations on the latter;
- to ensure the transmission of certain information to our service provider Nexmo. This provider provides an intermediary email server that does not store message content but only certain metadata. The contract between Instaply and Nexmo imposes strict confidentiality and security obligations on the latter.
In compliance with the Privacy Shield Principles, Instaply commits to resolve complaints about our collection or use of personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact our Data Privacy Officer at the following e-mail address: email@example.com.
Instaply shall cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to data transferred from the EU.
Under certain conditions, more fully described on the Privacy Shield website, Instaply may be found liable for wrongful onward international transfers to third parties of personal data received in the course of the Services and/or pursuant to Privacy Shield.
14. Links to other Sites
We recommend that Users carefully read the privacy policies of the other websites and services they use to safeguard their personal data.
15. Our policy on children
Our Services are not intended for children under the age of 15. If we learn that we have collected the data of a child under the age of 15, we will take steps to delete this data from our files as soon as possible. Minors aged between 15 and 18 years must have a parental authorization to be able to use the Services.
* * *