Hafi (HypeAuditor for Influencers) Privacy Policy
THIS PRIVACY POLICY IS DRAFTED FOR THE SAKE OF OUR COMMITMENT TO THE PRINCIPLE OF “ACCOUNTABILITY” IN COMPLIANCE WITH ARTICLE 5(2) GDPR.
IF YOU HAVE QUESTIONS RELATED TO YOUR RIGHTS, YOU CAN CONTACT OUR DATA PROTECTION OFFICER AT: [email protected] or by contact form on our website.
USING THE WEBSITE: https://hafi.pro/ YOU ACKNOWLEDGE THAT YOU ARE AWARE OF THE COLLECTION OF COOKIES, THE PURPOSES AND METHODS OF OBTAINING AND PROCESSING PERSONAL DATA (PERSONAL INFORMATION), THAT THE DATA YOU PROVIDE ARE PROCESSED BY THE PROFILING, AND YOU GIVE YOUR CONSENT TO THE PROCESSING OF PERSONAL DATA (PERSONAL INFORMATION) AND PROVIDING IT TO THIRD PARTIES.
ALL DATA THAT YOU PROVIDE IS A PREREQUISITE FOR CONCLUDING THE TERMS OF SERVICE ON THE USE OF THE SITE.
The Site and Services, as described in our Terms of Service, are provided to you by Stonecast Financial LLC, an Indiana Limited Liability Company with registered office at 9165 Otis ave., Suite 238, Indianapolis, IN 46216, USA (“Hafi”).
Consequently, “We”, “Us” and “Ours” refers to Stonecast Financial LLC or Hafi.
1. DATA CONTROLLERS (BUSINESSES) AND DATA PROCESSORS (SERVICE PROVIDERS)
With respect to processing of personal information (hereinafter referred to as “personal data”) of the customers of our Services (“Customers”) and with respect to the Services where We determine the purposes and means of the processing of personal data of social networks users (“Influencers”), we are the “Data Controller” or “Controller” of Customers’ personal data and Influencers’ personal data respectively.
Feel free to send any of your data protection queries to us at: [email protected].
This Privacy Policy describes the way that We deal with certain personal data of Customers and data of Influencers.
We abide by and fully comply with all the rules regarding personal data, both the European legislation and the US legislation related to personal data (“Applicable Law”).
All provisions of this Privacy Policy are drawn up in accordance with European legislation in the field of personal data compliance (Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”)), as well as have been brought into line with, comply with and do not contradict the requirements of US legislation in the field of personal data protection (in particular, this Privacy Notice has been published on this website as per requirement of the California Consumer Privacy Act (“CCPA”)).
2. What personal data and data is processed and the legal basis for processing
By means of this Privacy Policy We fulfill Our obligation under Articles 13 and 14 GDPR to provide information on data processing to the concerned data subjects.
DISCLAIMER: However, in some cases (especially when We obtain the personal data not from the data subjects but, e.g., from the social networks) we are unable to inform each data subject (especially Influencers) other than by means of this Privacy Policy.
In accordance with Recital 62 and Article 14(5)(b), We are allowed to do so because, due to the great number of Influencers, the provision of such information proves impossible or would involve a disproportionate effort (in particular for processing for statistical purposes).
Nevertheless, We commit to take appropriate measures to protect the data subject's rights and freedoms and legitimate interests.
2.1. CUSTOMERS
There are different types of information we collect, whether directly from you at sign up (Article 13 GDPR) or automatically via your device (for instance, personal computer, laptop, mobile phone) when you use our Sites (Article 13-14 GDPR). In accordance with “data minimization” principle (Article 5(1)(c) GDPR), we collect and process only what is strictly necessary to provide you with our Services, no more, no less.
Personal data We collect directly from you | Legal basis for processing (Art. 13(1)(c) GDPR) | Purposes for processing (Art. 13(1)(c) GDPR): Reason for collection |
---|---|---|
1. Full name | Performance of the contract with you (Art. 6(1)(b) GDPR). We will store just limited information to respect your opt-out preference. | You know our name, We require yours for the contractual relationship between the parties |
2. Email | 1) Performance of contract with you (Art. 6(1)(b) GDPR) and 2) Our legitimate interests, if related to marketing (Art. 6(1)(f) and Recital 47 GDPR). | 1) We require your email to log you into the system and to provide you with the Service, reports, Service-related updates, communications and other important information. 2) If We do use your email to contact you for marketing purposes, it will be in Our legitimate interests to do so, but you will always have a chance to opt out of such marketing communications for similar products and/or services prior to first (and any subsequent) communication. You may opt out at any time by emailing [email protected] |
The rest is the technical information that must be processed in order to provide you with our services.
Personal Data collected/accessed by Us automatically | Legal basis for processing (Art. 14(1)(c) GDPR) |
---|---|
1. Internet Protocol (IP) address | Performance of the contract (Art. 6(1)(b) GDPR). You need this to connect to the Internet. |
2. We set and access various cookies* on your device | Contract performance for the “strictly necessary” cookies. Legitimate interest for the first-party analytics cookies (Art. 6(1)(f) GDPR). Your consent prior to the placement of all the other types of cookies (Art. 6(1)(a) GDPR). |
* This is a piece of information that is automatically transmitted from your electronic device when you use your browser. More information about what kind of information your browser transmits can be found on the sites of the browser companies (for example, Chrome). You can disable the transfer of cookies at any time in the browser settings.
2.2. INFLUENCERS
In essence, We only process information which you have already publicly shared via open accounts of the social networks: Instagram, YouTube, TikTok, Twitch, Twitter. We process Your personal data and ensure that it is processed in compliance with Applicable Law, namely in accordance with the principle of “lawfulness, fairness, transparency” (Art. 5(1)(a)), and We respect Your rights (see section below).
Information about Influencer (categories of personal data): | Legal basis for processing (Art. 14(1)(c) GDPR) | Purposes for processing (Art. 14(1)(c) GDPR): Reason for collection |
---|---|---|
1. A link to Influencer profile, full name, avatar, language, biography, country/city/state, brand and common interests, notable engaged users, sponsored posts. | Influencers provide their data to social networks, thereby making it public. We handle anonymous data that We receive from public sources (Instagram, YouTube, TikTok, Twitch, Twitter). | To allow Customers to choose an Influencer for their business purposes and assess the effectiveness of each Influencer’s reach. |
2. Email and social network profile. | We have a legitimate interest in using the data made available by Influencers via social networks for direct marketing purposes (Recital 47 GDPR) without affecting Influencer’s fundamental rights and freedoms. | |
3. Images, graphics, photos, profiles, audio and video clips, sounds, musical works, liaisons with audience, texts of the comments, works of authorship, applications, links and other content or materials from your social network profile. | | |
2.3. Audience data and statistics
We analyze a vast amount of information in order to provide Customers with statistics. In relation to the Influencer audience (the “Audience”), this includes, in particular: gender, age group. While these items may represent a somewhat sensitive issue, We have undertaken, in accordance with Article 35(7)(a) GDPR, an assessment to identify and prove our legitimate interests and to exclude that our legitimate interests be overridden by the fundamental rights and freedoms of the Audience or any individuals (Art. 6(1)(f) GDPR). We concluded that our processing for statistical purposes is in line with the Applicable Law and does not conflict with the fundamental rights and freedoms of individuals.
In order to lawfully process the data on the ethnic origin of the Audience, We require a relevant legal basis. One of the bases is processing for statistical purposes (Art. 9(2)(j) GDPR) (while safeguarding fundamental rights and interests of the Audience), together with the fact that such data are made publicly available by their data subject by means of disclosure in social media (Art. 9(2)(e)). Such processing does not have discriminatory effects on the natural persons involved, nor does it result in measures having such effect. Finally, there is no automated decision-making and profiling based on ethnic origin of the Audience (Art. 14(2)(g) GDPR).
3. What we do with your personal data and aggregate data
Our legitimate interests in working with personal data are direct marketing purposes, as stated in Recital 47 GDPR (EU GDPR), and statistical purposes, as referred to in Recitals 113 and 162 GDPR.
However, under US law (such as the California Consumer Privacy Act), there is no concept of Legitimate Interest. The law does not enumerate specific bases for processing, although the sale of consumer information is prohibited if the consumer has opted out.
Thus, we clearly suggest each of our INFLUENCERS use the opt-out function.
3.1. CUSTOMERS
We do not sell, share or disclose Customers’ data except as provided herein. We never treat your personal data in any way that would surprise you (unless We told you about it and you provided us with an informed and unambiguous consent to such usage).
We use Customer contact details and payment information to establish, support and conduct Customer relationships as necessary for the performance of Services. Should the Customer fail to provide the personal data we need, we may be unable to complete the transaction. We only contact Customers with service-related information. Where marketing is involved, Customers have an option to opt out at any time before first (and any subsequent) contact.
3.2. INFLUENCERS
Notification about the processing of Influencer’s personal data occurs through our website and through the provisions of this Policy. Due to the processing of a huge amount of data, we do not have the technical ability to notify each Influencer directly. Also, in accordance with Terms of Service and Contracts with Customers, the obligation to notify the Influencer about the processing of its personal data passes to the Customer.
We provide a statistical service and so, the data about Influencers identified hereinunder is shared with Customers whether on a trial basis or upon payment of fees.
However, we have no control on Our Customers and therefore we are unable to know whether any of Our Customers intends to sell or share the Influencers’ below-mentioned personal information received via our services or not.
If you do not wish your personal information to be shared with or sold to Customers, please click on the link “DO NOT SELL MY PERSONAL INFORMATION” or send an email with “DO NOT SELL MY PERSONAL INFORMATION” to Our DPO at [email protected].
The data about Influencers that we process is divided into two categories:
Raw Data - All available information collected from social networks. Information is collected only from public / open profiles of Influencers on Instagram, YouTube, TikTok, Twitch, Twitter. Raw data is not structured, so the Influencer identity cannot be determined based on this information.
Processed Data - the data formed from Raw Data, and then Reports are generated.
The Processed Data is divided into two groups:
- Collected and stored as is: profile name, avatar, profile description, likes, commenters, Influencers’ liaisons with commenters and other audience, e-mail, texts of the comments;
- Data generated by AI scripts: audience type, topics and interests of the audience, age of the audience, earnings, history of profile development, authenticity of the audience set.
At any stage of data collection Influencers have the right to send a request to our Data Protection Officer at [email protected] for the purpose of changing / deleting their data or not sharing their data with Our Customers.
3.3. AUDIENCE DATA
Audience data for each Influencer is aggregated for statistical purposes and shared with Customers whether on a trial basis or upon payment of fees.
3.4. DATA CONTROLLER
Data Controller can use the collected data itself as a marketing advertiser. Such Data Controller’s report will be identical to a regular Report provided to any Customer. Such Reports are subject to laws and regulations applicable to all Data Controller’s activities.
4. Where and how long personal data is stored for
In compliance with Article 5(1)(b), (c), (e) GDPR, We commit to the principles of “purpose limitation”, “data minimization”, “storage limitation”, and therefore We collect, retain, store and otherwise process only such information that is necessary to ensure our legitimate interests or to comply with a legal obligation, and for the period necessary to meet our legitimate interests.
4.1. CUSTOMERS
We store your data while your account is active. Whether your annual subscription expires or you fail to use the credits on time, We will delete your personal data from our systems within 1 (one) month after expiration of your annual subscription or when you request such deletion in the course of exercising your rights (as listed below).
4.2. INFLUENCERS
As stated above, We process the personal data obtained from public sources (open accounts on Instagram, YouTube, TikTok, Twitch, Twitter). The updates may take up to 20 days. If an Influencer deletes his/her account, We will also delete such personal data from our systems and make it unavailable to Customers. This synchronization may take up to 1 (one) month from the date the Influencer deleted his/her account on the relevant social networks.
4.3. AUDIENCE DATA
Audience data is only relevant to the Influencer and is kept in aggregated form together with information about Influencer. Once Influencer data is deleted, Audience data of the Influencer is also deleted.
4.4. DATABASE
All the Data (both Raw Data and Processed Data) we collect are stored in a database controlled and maintained by the company DERFIT ENTERPRISES LIMITED (Pavlou Valdaseridi 2A, Floor 1, Larnaca 6018, Cyprus), which is our Data (sub)Processor (service provider).
The database is located on the secure servers AWS Amazon, Hetzner, and Digital Ocean in Germany.
This Data collection and storage procedure is performed on the basis of a Data Processing Agreement.
The eventual Data processing is limited to the purpose of efficient technical support of the database and is performed on the basis of a Data Processing Agreement with the EU Standard Contractual Clauses for transfer of personal data to third countries between DERFIT and NASA2 (Data Processor (service provider) on behalf of DERFIT).
All Data are stored in encoded form. It is impossible to access personal data of any Influencer without its attributed storage ID-code.
5. Security measures used by Us
In compliance with Article 5(1)(d), (e), (f) GDPR, We commit to the principles of “accuracy”, “storage limitation”, and “integrity and confidentiality”.
All personal data is kept with our third-party (sub)processors (service providers) on secure servers (AWS Amazon, Digital Ocean, and Hetzner), in full compliance with international information security requirements. AWS Amazon and Digital Ocean are all in possession of the ISO 27001 Information Security Management System certificates. We use the recommended industry practices to keep access to such data secure (mixture of common sense and best practices).
We use appropriate levels of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. Those include the following:
(1) Protective measures for physical access control:
We secure access to the premises via ID readers, so that only authorized persons have access. The ID cards can be blocked individually; access is also logged.
Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.
(2) Protective measures for system access control:
Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.
We regulate access to our own systems via password procedures and the use of SSH keys of at least 1024 bits in length. The SSH keys strengthen the production systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled.
We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.
Passwords must meet the following requirements:
- At least 8 characters long, one capital letter, one digit, one specific character
Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.
(3) Protective measures for data access control:
All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.
Due to the close proximity of the employees, a visual inspection is possible at any time.
Locking and/or logging off when leaving work is prescribed in writing and is practiced.
(4) Protective measures for transfer control:
The handling of local data storage devices, e.g. USB sticks, is regulated via agreements.
Access to the systems from outside the company network is possible only via secure VPN access.
(5) Protective measures for input control:
Our employees do not work directly at database level, but instead use applications to access the data.
IT employees access the system via individual access and use a common login, as there are very few employees and these sit in close proximity of each other and monitor each other by agreements and visual inspections.
(6) Protective measures for availability control:
We ensure availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail.
Critical services are operated redundantly in multiple data centres and controlled by a high-availability system.
Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.
We ensure ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Art. 32(1)(c) GDPR). We automatically produce back-up copies of all the data, and in case of data loss, we are able to restore such data from those back-ups.
(7) Protective measures for separation control:
To separate data, We use logically separate databases so that no accidental reading of data by unauthorised persons can occur.
Access to the data itself is also restricted by the fact that employees use services (applications) which control access.
(8) Measures in case of personal data breach.
Our IT devices are equipped with passwords and encryption by default. In case of loss/theft of a device, the impacted employee follows his/her duty of internal notification and We block all access, deactivate keys and change passwords.
In case of data breach (e.g. leakage), We commit to investigate the case, to timely notify the competent data protection authority, to evaluate damages and to communicate the investigation results to all customers whose personal data were impacted.
We take our responsibility seriously and therefore have implemented a variety of technical and organizational measures (“TOMs”) to protect and secure personal data as well as possible. Our measures are aligned with the GDPR regulations (Articles 24, 25 and 32). (link to our TOMs).
6. Categories of recipients of personal data and data
We do not rent, sell, or share Customer personal data with any non-affiliated third parties, except (a) where We have to comply with Our legal obligation and (b) where we need to ensure storage and technical support measures of such data via our service providers (data processors) specified in this Privacy Policy (in the latter case (b), the data remain undisclosed and inaccessible to such service providers).
We do provide a fee-based statistical service in relation to Influencer and Audience data. The recipients of such data are Customers of Our Service.
In relation to Customer data, We do not blindly follow disclosure orders. We will check each request to ensure it satisfies the relevant safeguards, contains a court order, or is issued under a legislative measure for the prevention, investigation, detection or prosecution of criminal offences.
If We employ a (sub)processor (service provider) to act on our behalf, We ensure that there are adequate contractual measures to ensure responsibility, security and liability to the same level as expected of Us.
In any case where a third party accesses your data on Our behalf or upon Our instructions (be it inside or outside the EEA), We use the relevant legal basis to comply with the data protection legislation. In cases where there is no decision by the European Commission confirming the adequate level of protection (Art. 45(1) GDPR), We use standard data protection clauses adopted by the European Commission (Art. 46(2)(c) GDPR) to ensure the appropriate safeguards of your rights and personal data in case of third party’s access or other data transfer outside the EEA.
7. Your rights
In compliance with Article 5(1)(a), (d) GDPR, We commit to the principles of “lawfulness, fairness and transparency”, and “accuracy”.
7.1 You are entitled to the full spectrum of the rights under the General Data Protection Regulation, and We commit to respect your rights. Among those, you have the right to:
- Require access to your personal data (Art. 15 GDPR);
- Require rectification of your personal data (Art. 16 GDPR);
- Require erasure of your personal data (Art. 17 GDPR);
- Require restriction of your personal data processing (Art. 18 GDPR);
- Require portability of your personal data (Art. 20 GDPR);
- Object to the processing of your personal data (Art. 21 GDPR);
- Object to automated processing (if any) of your personal data (Art. 22 GDPR);
- Withdraw your consent to processing of your personal data, where applicable (Art. 7(3) GDPR);
- Lodge a complaint with your national supervisory authority (in the EEA) if you believe that your privacy rights have been breached (Art. 13(2)(d), 14(2)(e), 15(1)(f)).
7.2 Your consent and your right to withdraw your consent
If we choose to process your personal data for any purpose you do not agree with, We will provide you with appropriate information at the point where you come across those additional purposes in order to obtain your consent (where required) or are able to perform Our legal obligations, prior to commencing any such additional processing activities. You are not required to give consent just because We ask for it.
If your personal data were processed on the basis of your consent, you may further change your mind and withdraw your consent at a later time by contacting Our Data Protection Officer (“DPO”) and requesting to be removed from the mailing list at the following email address: [email protected].
However, your consent withdrawal will not impact the processing of your personal data which took place before your withdrawal.
7.3 Your right to object to data processing
If your personal data was processed without your given consent (based on the legitimate interest), you may also ask Us to stop processing your personal data and to remove you from the mailing list, by contacting our DPO at [email protected]
However, your request will not impact the processing of your personal data which took place before such request.
If you request Us to rectify or erase your personal data or to restrict processing of your data (to stop processing or by withdrawing your consent), We will inform you as soon as your request is satisfied (in accordance with Art. 13(2)(c), 14(2)(d), and 19 GDPR).
7.4 Your right to lodge a complaint
If your question is not resolved or is not resolved satisfactorily, you have the right to contact your local data protection authority (Art. 13(2)(d), 14(2)(e), 15(1)(f)). You can find the contact details of your local data protection authority here https://edpb.europa.eu/about-edpb/board/members_en
7.5 Your right of access to and erasure of your personal data
You have the right to request to remove data/content collected from our Service. Such data/content must be deleted within 72 hours of receiving the notification.
Also, data/content should be deleted by all persons/companies/auditors to whom such information was transferred.
You have the right to log into your account and change information about yourself to the extent that the system allows. Also, you can submit a request to change information about yourself to the support service.
7.6 Your right to opt-out from selling your personal information
You have the right to request that your personal information not be sold to third parties.
To exercise this right, please click on the link “DO NOT SELL MY PERSONAL INFORMATION” or send an email with “DO NOT SELL MY PERSONAL INFORMATION” to Our DPO at [email protected].
8. Cookies and similar technologies
We use aggregated, non-identifying, electronic data collected from use of our Sites and Services to operate, analyze, improve, and develop our Sites and Services. This information is not used to inform decisions about specific individuals; rather, it is processed to understand how different categories of users interact with our Sites and Services so that we can consistently improve the same for Customers.
We work with analytics providers such as Google Analytics, which use cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends. Google Analytics may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on.
We inform you that in order to fulfill our legitimate interest and improve the quality of services, We may transfer some of the personal data that is publicly available on social networks to the following service providers:
- Amazon Web Services, Inc.
- DigitalOcean, LLC
- Hetzner Online, GmbH
- Paypal, Inc.
- Stripe, Inc.
- Amplitude, Inc.
- HubSpot, Inc.
- Intercom, Inc.
- Google Inc.
You can obtain more detailed information of those service providers and the type of data they process via this link: https://docs.google.com/spreadsheets/d/1QN7hJkjGNDCMmfT8kPd40jZlsj2KhFyWi6Aj_xT2Le0/edit?gid=0#gid=0
The service providers Hubspot, Amplitude, Google Analytics, and Intercom are located in the USA. We contracted to them via purchase of their software and maintenance services (to be used for marketing and communication with clients) and via accepting their customers terms and conditions and privacy policies published on their websites:
- https://amplitude.com/privacy
- https://legal.hubspot.com/privacy-policy?_ga=2.184969193.1542169218.1612359347-1702868337.1612359347
- https://policies.google.com/privacy?hl=en-US
- https://www.intercom.com/legal/privacy
On the matter of transferring (importing/exporting) and processing personal data falling within the scope of GDPR, Hubspot, Google, and Intercom rely on the EU model (standard) contractual clauses; and Amplitude relies on the EU-US and Swiss-US Privacy Shield https://www.privacyshield.gov/Program-Overview
9. Children’s privacy (Article 8 GDPR)
We never knowingly collect, process or solicit any information from anyone of 16 years and younger. The information society services (“Services”) on our sites are neither offered directly to nor intended to appeal to such persons. Parents or parental responsibility holders who believe that We directly offer Services to or process personal data of their children aged 16 and under may contact Our DPO at [email protected].
DISCLAIMER: When processing open data from social networks, if it is reasonably impossible to recognize the real age of users, Our verification of the age of users is limited to technically available and reasonable treatment of the information openly provided by the social networks from which we collect the data. In case of fallacious, erroneous or missing age data, the social networks shall be solely responsible for violation of requirements of the Applicable Law in relation to the personal data of children.
10. Our commitment
- We will only collect and use your data where We have a legal basis to do so;
- We will always be transparent and tell you about how we use your information;
- When We collect your data for a particular purpose, We will not use it for anything else without your consent, unless other legal basis applies;
- We will not ask for more data than needed for the purposes of providing our services;
- We will adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;
- We will observe and respect Your rights by ensuring that queries relating to privacy issues are dealt with promptly and transparently;
- We will keep our staff trained in privacy and security obligations;
- We will ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;
- We will also ensure that all of our data (sub)processors (service providers) have appropriate security measures in place with contractual provisions requiring them to comply with Our commitment.
11. Changes to the privacy policy
To keep you up to date, We will always notify you via email should we update this privacy policy.
Stonecast Financial LLC,
9165 Otis ave., Suite 238,
Indianapolis, IN 46216,
USA
Our EU Representative (Art. 27 GDPR):
I.F.B.C Business Services Ltd
25th March Street No. 27, 1st Floor Office 106,
Egkomi CY2408, Nicosia – Cyprus
P.O. Box 20695, CY1662 Nicosia – Cyprus
Tel: +35722375340 Fax: +35722375339
E-mail: [email protected]
Effective Date: July 25, 2024