HypeAuditor Privacy Policy

THIS PRIVACY POLICY IS DRAFTED FOR SAKE OF OUR COMMITMENT TO THE PRINCIPLE OF “ACCOUNTABILITY” IN COMPLIANCE WITH ARTICLE 5(2) GDPR.

IF YOU HAVE QUESTIONS RELATED YOUR RIGHTS, YOU CAN CONTACT OUR DATA PROTECTION OFFICER AT dpo@hypeauditor.com or by contact form on our website.

USING THE WEBSITE HYPEAUDITOR.COM YOU ACKNOWLEDGE THAT YOU ARE AWARE OF THE COLLECTION OF COOKIES, THE PURPOSES AND METHODS OF OBTAINING AND PROCESSING PERSONAL DATA (PERSONAL INFORMATION), THAT THE DATA YOU PROVIDE ARE PROCESSED BY THE PROFILING, AND YOU GIVE YOUR CONSENT TO THE PROCESSING OF PERSONAL DATA (PERSONAL INFORMATION) AND PROVIDING IT TO THIRD PARTIES.

ALL DATA THAT YOU PROVIDE IS A PREREQUISITE FOR CONCLUDING AN TERMS OF SERVICE ON THE USE OF THE SITE.

The Site and Services, as described in our Terms of Service, are provided to you by Stonecast Financial LLC, an Indiana Limited Liability Company with registered office at 9165 Otis ave., Suite 238, Indianapolis, IN 46216, USA (“HypeAuditor”).

Consequently, “We”, “Us” and “Ours” refers to Stonecast Financial LLC or HypeAuditor.

DATA CONTROLLERS (BUSINESSES) AND DATA PROCESSORS (SERVICE PROVIDERS)

With respect to processing of personal information (hereinafter referred to as “personal data”) of the customers of our Services (“Customers”) and

with respect to the Services where We determine the purposes and means of the processing of personal data of social networks users (“Influencers”), we are the “Data Controller” or “Controller” of Customers’ personal data and Influencers’ personal data respectively.

Feel free to send any of your data protection queries to us at dpo@hypeauditor.com

With respect to the Services (e.g. Campaign Management) where a Customer determines the purposes and essential means of the processing of personal data of Influencers (e.g. which and whose personal data to process, how long to store them), but where We still may determine technical means of the processing of personal data (e.g. where and how to search, collect, store the personal data), and We process personal data on Customers’ behalf or on Customers’ orders and in Customers’ interests (e.g. where our Services are to provide a tool to Customers to reach the Customers’ purposes), Customer is Controller, and we are Processor (or Data Processor or Service Provider).

With respect to the Services (e.g. Landing Pages) where a Customer determines the purposes and essential means of the processing of personal data of Influencers (e.g. which and whose personal data to process, how long to store them), but where We still may determine technical means of the processing of personal data (e.g. where and how to search, collect, store the personal data), and We process personal data on Customers’ behalf or on Customers’ orders and in Customers’ interests (e.g. where our Services are to provide a tool to Customers to reach the Customers’ purposes), Customer is Controller of Customers’ personal data and Influencers’ personal data respectively, and we are Processor (or Data Processor or Service Provider).

This Privacy Policy describes the way that We deal with certain personal data of Customers and data of Influencers.

We abide and fully comply with all the rules regarding personal data, both the European legislation and the US legislation related to personal data (“Applicable Law”).

All provisions of this Privacy Policy are drawn up in accordance with European legislation in the field of personal data compliance (Regulation (EU) 2016/679 General Data Protection Regulation (“GDPR”)), as well as have been brought into line with, comply with and do not contradict the requirements of US legislation in the field of personal data protection (in particular, this Privacy Notice has been published on this website as per requirement of the California Consumer Privacy Act (“CCPA”)).

By means of this Privacy Policy We fulfil Our obligation under Articles 13 and 14 GDPR to provide information on data processing to the concerned data subjects.

DISCLAIMER: However, in some cases (especially when We obtain the personal data not from the data subjects, e.g. from the social networks) we are incapable to inform each data subject (especially Influencers) rather than by means of this Privacy Policy.

In accordance with Recital 62 and Article 14(5)(b), We are allowed to, because, due to a great number of Influencers, the provision of such information proves impossible or would involve a disproportionate effort (in particular for processing for statistical purposes).

Nevertheless, We commit to take appropriate measures to protect the data subject's rights and freedoms and legitimate interests.

2.1. CUSTOMERS

There are different types of information we collect, whether directly from you at sign up (Article 13 GDPR) or automatically via your device (for instance, personal computer, laptop, mobile phone) when you use our Sites (Article 13-14 GDPR). In accordance with “data minimization” principle (Article 5(1)(c) GDPR), we collect and process only what is strictly necessary to provide you with our Services, no more, no less.

* This is a piece of information that is automatically transmitted from your electronic device when you use your browser. More information about what kind of information your browser transmits can be found on the sites of the browser companies (for example, Chrome). You can disable the transfer of cookies at any time in the browser settings.

2.2. INFLUENCERS

In essence, We only process information which you have already publically shared via open accounts of the social networks: Instagram, YouTube, TikTok, Twitch, Twitter. We process Your personal data and ensure them to be processed in compliance with Applicable Law and namely in accordance with the principle of “lawfulness, fairness, transparency” (Art. 5(1)(a)), and We respect Your rights (see section below).

2.3. Audience data and statistics

We analyze a vast amount of information in order to provide Customers with statistics. In relation to the Influencer audience (the “Audience”), this includes, in particular: gender, age group and ethnicity. While these items may represent a somewhat sensitive issue, We have undertaken, in accordance with Article 35(7)(a) GDPR, an assessment to identify and prove our legitimate interests and to exclude that our legitimate interests be overridden by the fundamental rights and freedoms of the Audience or any individuals (Art. 6(1)(f) GDPR). We concluded that our processing for statistical purposes is in line with the Applicable Law and does not conflict with the fundamental rights and freedoms of individuals.

In order to lawfully process the data on the ethnic origin of the Audience, We require relevant legal basis. One of the bases is processing for statistical purposes (Art. 9(2)(j) GDPR) (while safeguarding fundamental rights and interests of the Audience) and the fact that such data (Art. 9(2)(e) are made publically available by their data subject by means of disclosure in social media). Such processing does not have discriminatory effects on natural persons involved nor results in measures having such effect. Finally, there is no automated decision-making and profiling based on ethnic origin of the Audience (Art. 14(2)(g) GDPR).

Our legitimate interest to work with personal data are direct marketing purposes as said in Recital 47 GDPR (EU GDPR), and Statistical purposes referring to Recitals 113 and 162 GDPR.

However, under US law (as such as The California Consumer Privacy Act), there is no concept of Legitimate Interest. The law does not enumerate specific bases for processing, although the sale of consumer information is prohibited if the consumer has opted out.

Thus, we clearly suggest each of our INFLUENCERS use the opted-out function.

3.1. CUSTOMERS

We do not sell, share or disclose Customers’ data except as provided herein. We never treat your personal data in any way that would surprise you (unless We told you about it and you provided us with an informed and unambiguous consent to such usage).

We use Customer contact details and payment information to establish, support and conduct customer relationships as necessary for the performance of Services. Should the Customer fail to provide the personal data we need, we may be unable to complete the transaction. We only contact Customers with service-related information. Where marketing is involved, Customers have an option to opt out at any time before first (and any subsequent) contact.

3.2. INFLUENCERS

Notification about the processing of Influencer’s personal data occurs through our website and through the provisions of this Policy. Due to the processing of a huge amount of data, we do not have the technical ability to notify each Influencer directly. Also, in accordance with Terms of Service and Contracts with Customers, the obligation to notify the Influencer about the processing of its personal data passes to the Customer.

We provide a statistical service and so, the data about Influencers identified hereinunder is shared with Customers whether on a trial basis or upon payment of fees.

Section 9.6 of Our Terms of Services prohibits Our Customers to “assign, syndicate, resell or otherwise transfer or make available information obtained via HypeAuditor to third parties…”.

However, we have no control on Our Customers and therefore we are unable to know whether any of Our Customers intends to sell or share the Influencers’ below-mentioned personal information received via our services or not.

If you do not wish your personal information to be shared with or sold to Customers, please click on the link “DO NOT SELL MY PERSONAL INFORMATION” or to send an email with “DO NOT SELL MY PERSONAL INFORMATION” to Our DPO at dpo@hypeauditor.com

The data about Influencers that we process is divided into two categories:

Raw Data - All available information collected from social networks. Information is collected only from public / open profiles of Influencers on Instagram, YouTube, TikTok, Twitch, Twitter. Raw data is not structured, so the Influencer identity cannot be determined based on this information. Processed Data - the data formed from Raw Data, and then Reports are generated.

The Processed Data is divided into two groups:

• Collected and stored as is: profile name, avatar, profile description, likes, commenters, Influencers’ liaisons with commenters and other audience, e-mail, texts of the comments;

• Data generated by AI scripts: audience type, topics and interests of the audience, age of the audience, earnings, history of profile development, authenticity of the audience set.

At any stage of data collection Influencers have the right to send a request to our Data Protection Officer at dpo@hypeauditor.com for the purpose of changing / deleting their data or not sharing their data with Our Customers.

3.3. AUDIENCE DATA

Audience data for each Influencer is aggregated for statistical purposes and shared with Customers whether on a trial basis or upon payment of fees.

3.4. DATA CONTROLLER

Data Controller can use the collected data itself as a marketing advertiser. Such Data Controller’s report will be identical to a regular Report provided to any Customer. Such Reports are subject to laws and regulations applicable to all Data Controller’s activities.

3.5. CAMPAIGN MANAGEMENT SERVICES

With respect to Campaign Management Services We are Data Processor on behalf of our Customers and in Customers’ interests (who are Data Controller). Data Customers use their personal cabinet/account on e-platform as a tool to process data related to companies databases in form Excel tables. We do not store such databases (they are stored directly on the secured servers). We have no access to our Customers’ personal cabinets and do not know their content, including the content of the databases and any personal data (if any) therein. We just determine, to some extent, technical means of the processing of personal data (e.g. account maintenance).

In compliance with Article 5(1)(b), (c), (e) GDPR, We commit to the principles of “purpose limitation”, “data minimization”, “storage limitation”, and therefore We collect, retain, store and otherwise process only such information that is necessary to ensure our legitimate interests or to comply with a legal obligation, and for the period necessary to meet our legitimate interests.

4.1. CUSTOMERS

We store your data while your account is active. Whether your annual subscription expires or you fail to use the credits on time, We will delete your personal data from our systems within 1 (one) month after expiration of your annual subscription or when you request such deletion in the frame of exercise your rights (as listed below).

4.2. INFLUENCERS

As stated above, We process the personal data obtained from public sources (open accounts on Instagram, YouTube, TikTok, Twitch, Twitter). The updates may take up to 20 days. If an Influencer deletes his/her account, We will also delete such personal data from our systems and make it unavailable to Customers. This synchronization may take up to 1 (one)month from the date the Influencer deleted his/her account on the relevant social networks.

4.3. AUDIENCE DATA

Audience data is only relevant to the Influencer and is kept in aggregated form together with information about Influencer. Once Influencer data is deleted, Audience data of the Influencer is also deleted.

4.4. DATABASE

All the Data (both Raw Data and Processed Data) we collect are stored in database controlled and maintained by the company DERFIT ENTERPRISES LIMITED (25 Martiou, 27, 1st floor, Flat/Office 106, Egkomi,2408, Nicosia, Cyprus), which is our Data (sub)Processor. (service provider)

The database is located on the secure servers AWS Amazon, Hetzner, and Digital Ocean in Germany.

This Data collection and storage procedure is performed on the basis of a Data Processing Agreement.

The technical support of the database is performed by Armenian provider NASA2 LLC on behalf of and for purposes determined by DERFIT. The eventual Data processing is limited to the purpose of database efficient technical support and is performed on the basis of a Data Processing Agreement with the EU Standard Contractual Clauses for transfer of personal data to third countries between DERFIT and NASA2 (Data Processor (service provider) on behalf of DERFIT).

All Data are stored in encoded form. It is impossible to accede personal data of any Influencer without its attributed storage ID-code.

In compliance with Article 5(1)(d), (e), (f) GDPR, We commit to the principles of “accuracy”, “storage limitation”, and “integrity and confidentiality”.

All personal data is kept with our third-party (sub)processors (service providers) on secure servers (AWS Amazon, Digital Ocean, and Hetzner), in full compliance with international information security requirements. AWS Amazon and Digital Ocean are all in possession of the ISO 27001 Information Security Management System certificates. We use the recommended industry practices to keep access to such data secure (mixture of common sense and best practices).

We use appropriate levels of technical and organizational measures to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed. Those include the following:

(1) Protective measures for physical access control:

We secure access to the premises via ID readers, so that only authorized persons have access. The ID cards can be blocked individually; access is also logged.

Furthermore, an alarm system is installed in the premises, preventing infiltration by unauthorized persons. The alarm system is linked to a locking mechanism for the doors.

(2) Protective measures for system access control:

Each employee has access to the systems/services only via his/her own employee access. The access rights involved are limited to the responsibilities of the respective employee and/or team.

We regulate access to our own systems via password procedures and the use of SSH keys of at least 1024 bits in length. The SSH keys strengthen the productive systems against attacks that target weak passwords, as the password-based access to the relevant systems is disabled.

We have, in addition, a regulation for the creation of passwords. This guarantees higher security also for systems that offer password-based access.

Passwords must meet the following requirements:

• At least 8 characters long, one capital letter, one digit, one specific character

Our systems are protected by firewalls that reject all incoming connections by default. Only connection types defined by exception are accepted.

(3) Protective measures for data access control:

All servers and services are subject to continuous monitoring. This includes the logging of personal access in the user interface.

Due to the close proximity of the employees, a visual inspection is possible at any time.

Locking and/or logging off when leaving work is prescribed in writing and is practiced.

(4) Protective measures for transfer control:

The handling of local data storage devices, e.g. USB sticks, is regulated via agreements.

Access to the systems from outside the company network is possible only via secure VPN access.

(5) Protective measures for input control:

Our employees do not work directly at database level, but instead use applications to access the data.

IT employees access the system via individual access and use a common login, as there are very few employees and these sit in close proximity of each other and monitor each other by agreements and visual inspections.

(6) Protective measures for availability control:

We ensure availability of data in several ways. On the one hand, there is regular backup of the entire system. This steps in if the other availability measures fail.

Critical services are operated redundantly in multiple data centres and controlled by a high-availability system.

Our workstations are also protected with the usual measures. For example, virus scanners are installed, laptops are encrypted.

We ensure ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (Art. 32(1)(c) GDPR). We automatically produce back-up copies of all the data, and in case of data loss, we are able to restore such data from those back-ups.

(7) Protective measures for separation control:

To separate data, We use logically separate databases so that no accidental reading of data by unauthorised persons can occur.

Access to the data itself is also restricted by the fact that employees use services (applications) which control access.

(8) Measures in case of personal data breach.

Our IT devices are equipped with passwords and encryption by default. In case of loss/theft of device, our impacted employee follows his/her duty of internal notification and We block all access, disactivate keys and change passwords.

In case of data breach (e.g. leakage), We commit to investigate the case, to timely notify the competent data protection authority, to evaluate damages and to communicate the investigation results to all customers whose personal data were impacted.   

We take our responsibility seriously and therefore have implemented a variety of technical and organizational measures (“TOMs”) to protect and secure personal data as good as possible. Our measures are aligned with the GDPR regulations (Articles 24, 25 and32). (link to our TOMs).

We do not rent, sell, or share Customer personal data with any non-affiliated third parties, except (a) where We have to comply with Our legal obligation and (b) where we need to ensure storage and technical support measures of such data via our service providers (data processes) specified in this Privacy Policy (in the latter case (b), the data remain undisclosed and inaccessible to such service providers).

We do provide a fee-based statistical service in relation to Influencer and Audience data. The recipients of such data are Customers of Our Service.

In relation to Customer data, We do not blindly follow disclosure orders. We will check each request to ensure it satisfies the relevant safeguards, contains a court order, or is issued under a legislative measure for the prevention, investigation, detection or prosecution of criminal offences.

If We employ a (sub)processor (service provider) to act on our behalf, We ensure that there are adequate contractual measures to ensure responsibility, security and liability to the same level as expected of Us.

In any case where a third party accesses your data on Our behalf or upon Our instructions (be it inside or outside the EEA), We use the relevant legal basis to comply with the data protection legislation. In cases where there is no decision by the European Commission confirming the adequate level of protection (Art. 45(1) GDPR), We use standard data protection clauses adopted by the European Commission (Art. 46(2)(c) GDPR) to ensure the appropriate safeguards of your rights and personal data in case of third party’s access or other data transfer outside the EEA.

In compliance with Article 5(1)(a), (d) GDPR, We commit to the principles of “lawfulness, fairness and transparency”, and “accuracy”.

7.1 You are entitled to the full spectrum of the rights under the General Data Protection Regulation, and We commit to respect your rights. Among those, you have the right to:

• Require access to your personal data (Art. 15 GDPR);

• Require rectification of your personal data (Art. 16 GDPR);

• Require erasure of your personal data (Art. 17 GDPR);

• Require restriction of your personal data processing (Art. 18 GDPR);

• Require portability of your personal data (Art. 20 GDPR);

• Object to the processing of your personal data (Art. 21 GDPR);

• Object to automated processing (if any) of your personal data (Art. 22 GDPR);

• Withdraw your consent to processing of your personal data, where applicable (Art. 7(3) GDPR);

• Lodge a complaint with your national supervisory authority (in the EEA) if you believe that your privacy rights have been breached (Art. 13(2)(d), 14(2)(e), 15(1)(f)).

7.2 Your consent and your right to withdraw your consent

If we choose to process your personal data for any purpose you do not agree with, We will provide you with appropriate information at the point where you come across those additional purposes in order to obtain your consent (where required) or are able to perform Our legal obligations, prior to commencing any such additional processing activities. You are not required to give consent just because We ask for it.

If your personal data were processed on the base of your consent, you may further change your mind and withdraw your consent at later by contacting Our Data Protection Officer (“DPO”) and requesting to be removed from the mailing list at the following email address dpo@hypeauditor.com. However, your consent withdrawal will not impact the processing of your personal data which took place before your withdrawal.

7.3 Your right to object to data processing

If your personal data was processed without your given consent (based on the legitimate interest), you may also ask Us to stop processing your personal data and to remove you from the mailing list, by contacting our DPO at dpo@hypeauditor.com.

However, your request will not impact the processing of your personal data which took place before such request.

If you request Us to rectify, erase your personal data or to restrict processing your data (to stop processing or by withdrawing your consent), We will inform you as soon as your request is satisfied (in accordance with Art.13(2)(c), 14(2)(d), and19 GDPR).

7.4 Your right to lodge a complaint

If your question is not resolved or is not resolved satisfactorily, you have the right to contact your local data protection authority (Art. 13(2)(d), 14(2)(e), 15(1)(f)). You can find the contact details of your local data protection authority here: https://edpb.europa.eu/about-edpb/board/members_en

7.5 INFLUENCER: your right to be informed on the Customer

You have the right to request information about the Customer who received the personal data of your social media profile, and HypeAuditor commits to provide you with all information about the Customer.

If you request information about the Customer who received the personal data of you, HypeAuditor will provide you with all information of the Customer, within 72 hours of receiving the request from you.

If a Customer has transferred to third parties The Report about your Social media profile received when using HypeAuditor service, you have the right to get the entire chain of persons to whom such a Report was transferred, within 72 hours after your request.

7.6 Your right to access to and to erasure of your personal data

You have the right to request to remove data/content collected from our Service. Such data/content must be deleted within 72 hours of receiving the notification.

Also, data/content should be deleted by all persons/companies/auditors to whom such information was transferred.

You have the right to log into your account and change information about yourself to the extent that the system allows. Also, you can submit a request to change information about yourself to the support service.

7.7 Your right to opt-out from selling your personal information

You have the right to request that your personal information is not be sold to third parties.

To exercise this right, please click on the link “DO NOT SELL MY PERSONAL INFORMATION” or to send an email with “DO NOT SELL MY PERSONAL INFORMATION” to Our DPO at dpo@hypeauditor.com

We never knowingly collect, process or solicit any information from anyone of 16 years and younger. The information society services (“Services”) on our sites are neither offered directly nor intend to appeal to such persons. Parents or parental responsibility holders who believe that We directly offer Services to or process personal data of their children aged 16 and under may contact Our DPO at dpo@hypeauditor.com.

DISCLAIMER: When processing open data from social networks, if it is reasonably impossible to recognize the real age of users, Our verification of the age of users is limited to technically available and reasonable treatment of the information openly provided by the social networks from which we collect the data. In case or fallacious, erroneous or missing age data, the social networks shall be solely responsible for violation of requirements of the Applicable Law in relation to the personal data of children.

• We will only collect and use your data where We have a legal basis to do so;

• We will always be transparent and tell you about how we use your information;

• When We collect your data for a particular purpose, We will not use it for anything else without your consent, unless other legal basis applies;

• We will not ask for more data than needed for the purposes of providing our services;

• We will adhere to the data retention policies and ensure that your information is securely disposed of at the end of such retention period;

• We will observe and respect Your rights by ensuring that queries relating to privacy issues are dealt with promptly and transparently;

• We will keep our staff trained in privacy and security obligations;

• We will ensure to have appropriate technological and organizational measures in place to protect your data regardless of where it is held;

• We will also ensure that all of our data (sub)processors (service providers) have appropriate security measures in place with contractual provisions requiring them to comply with Our commitment;