Graph Commons Privacy Statement

Graph Commons is a service offered by Alterlab, LLC (hereinafter: "we", "us" or "our"). We respect your privacy and are committed to protecting personal data. This privacy statement explains how we handle personal data when you access and use the Graph Commons Platform (and all related websites, software, applications, online services and tools referred to in this statement, regardless of how you access or use them, including mobile devices). This statement also informs you about your rights and how you can exercise those rights.

It is important that you read this privacy statement together with any other specific privacy statements we may provide to you on certain occasions when we are collecting or processing personal data about you, so that you are fully informed of how and why we are using your data. This privacy statement supplements our other notices and statements and is not intended to override them.

1. Data controller contact information

Alterlab, LLC, 19 Morris Ave. 11205, Brooklyn, New York, USA

E-mail: privacy@graphcommons.com

2. The data we collect about you

Personal data means any information relating to an identified or identifiable natural person. It does not include anonymous information.

We may process the following personal data about you:

  • Identity Data, which includes your full name, image, username or similar identifier;

  • Contact Data, which includes your e-mail address;

  • Transaction Data, which includes information about payments you have made and products and services you have accessed or used through the Graph Commons Platform.

  • Technical Data, which includes your internet protocol (IP) address, your login data, browser type and version, hardware information, time zone setting and location, browser plug-in types and versions, operating system and website, and other technology on the devices you use to access the Graph Commons Platform.

  • Profile Data, which includes your username and password, your purchases or orders, your preferences, feedback and survey responses.

  • Usage Data, which includes information about how you use our Platform, products and services.

  • Marketing and Communications Data, which includes your preferences in receiving marketing from us and our third party Platform partners and your communication preferences.

We do not collect any Special Categories of Personal Data about you.

3. How is personal data collected?

We use different methods to collect personal data from you and about you, including through:

  • Direct interactions. You provide us with your personal data, such as Identity Data and Contact Data, among others, when you create an account with us, subscribe (or are subscribed) to our services or interact in a Graph, request marketing to be sent to you, enter a promotion or survey, give us feedback or contact us.

  • Automated technologies or interactions. We collect personal data when you interact with the Graph Commons Platform, such as Technical Data and Usage Data.

We process personal data for certain purposes, described below. Furthermore, we process personal data based on a legal basis. These legal bases are, amongst others:

  • Where we need to perform the contract we are about to enter into or have entered into with you (e.g. to provide you with access to the functionality of the Graph Commons Platform).

  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

  • Where we need to comply with a legal obligation.

Purposes for which we will use personal data

We have set out below a description of all the purposes for which we use personal data, and the corresponding legal bases we rely on to do so. Where appropriate, we have also specified what our legitimate interests are.

Note that we may process personal data on more than one legal basis depending on the specific purpose for which we are using that personal data.

Purpose: To register you as a user of the Graph Commons Platform
Type of data: (a) Identity; (b) Contact
Legal basis for processing: Performance of a contract with you

Purpose: To process the use of a Graph:
  (a) Managing payments, fees and charges
  (b) Verifying your identity and details of your payment method or credit card account
  (c) Communicating with you, for example sending you notification about your invitation to a Graph.
Type of data: (a) Identity; (b) Contact; (c) Transaction; (d) Marketing and Communications
Legal basis for processing:
  (a) Performance of a contract with you
  (b) Our legitimate interests

Purpose: To manage our relationship with you, which includes:
  (a) Providing access to Platform services
  (b) Notifying you about changes to our terms or privacy statement
  (c) Asking you to leave a review or take a survey
  (d) Investigating complaints
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Marketing and Communications
Legal basis for processing:
  (a) Performance of a contract with you
  (b) Compliance with a legal obligation
  (c) Our legitimate interests (to keep our records updated and to study how users use the Graph Commons Platform and associated products/services)

Purpose: To administer and protect our business and our services (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data: (a) Identity; (b) Contact; (c) Technical
Legal basis for processing:
  (a) Our legitimate interests (for running our business, administering our CRM, provision of administration and IT services, network security, prevent fraud and in the context of a business reorganization or group restructuring exercise)
  (b) Compliance with a legal obligation

Purpose: To enable you to partake in a competition or complete a survey
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications
Legal basis for processing:
  (a) Performance of a contract with you
  (b) Our legitimate interests (to study how users use the Graph Commons Platform and to develop and grow our business)

Purpose: To deliver relevant Platform content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Type of data: (a) Identity; (b) Contact; (c) Profile; (d) Usage; (e) Marketing and Communications; (f) Technical
Legal basis for processing: Our legitimate interests (to study how users use the Graph Commons Platform and to grow our business and inform our marketing and growth strategy)

Purpose: To use data analytics to improve our Platform, products/services, marketing, user and Partner relationships and experiences
Type of data: (a) Technical; (b) Usage
Legal basis for processing: Our legitimate interests (to define types of users for certain Platform services and to keep our services and website updated and relevant, to develop our business and to inform our marketing strategy)

Purpose: To make suggestions and recommendations to you about Graphs or other services available through the Graph Commons Platform that may be of interest to you
Type of data: (a) Identity; (b) Contact; (c) Technical; (d) Usage; (e) Profile; (f) Marketing and Communications
Legal basis for processing: Our legitimate interests (to develop the products and services available through the Graph Commons Platform)

Profiling

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what might be of interest to you. This is how we decide which services and offers may be relevant for you.

You will receive marketing communications from us if you have given us your consent (to the extent required), if you have previously requested information from us, if you have used our services or purchased products or services through the Graph Commons Platform, and you have not opted out of receiving that marketing.

In every marketing e-mail, newsletter or product update, you will find a link to your subscriber preference center. Here you can update your preferences regarding the use of personal data, including an option to opt-out of all marketing communications.

We will not share your personal data with any company for marketing purposes unless we have received your consent to do so.

5. Provision to third parties

External Third Parties

In some cases we share personal data with third parties. We can share personal data with:

  • Supervisory authorities and other bodies in order to comply with legal obligations;

  • Service providers acting as processors predominantly based in the USA who provide IT hosting services to help us operate our business and our website or administer activities on our behalf, including Amazon Web Services, Google Suite, and Google Cloud.

  • Service providers acting as processors based in the EU and/or the USA who provide a range of services to us to help us operate our business, including financial services provided by Stripe.

  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use personal data in the same way as set out in this privacy statement.

As follows from the above, we also utilize the services of third parties that function as “processors”. We are obliged to enter into a processor agreement with such service providers stipulating that they may only process personal data in accordance with our instructions and subject to our control.

We will only transfer personal data to the above mentioned third parties for the purposes stated in this privacy statement, and only to the extent that is permitted under the applicable law and regulations, or if we are obligated to provide the personal data to a competent authority.

Third parties to whom we transfer personal data are themselves responsible for compliance with privacy legislation. We are neither responsible nor liable for the processing of personal data by these third parties.

Third party websites and applications

The Graph Commons Platform includes references and hyperlinks to third-party websites and applications as well as to partner providers of multiple different types of services associated with a particular graph. These third-party links all have their own privacy statement and policies, which we recommend you read carefully. We are in no way liable for the way these third parties handle personal data or comply with the applicable data protection law.

Where third parties provide Graphs or support the provision of services made available to you through the Graph Commons Platform, these third parties may receive certain personal data from you. Whilst we are not in control of any third parties to whom you request your data to be shared, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. Unless they obtain your explicit consent, we do not allow any third-party Graph or service providers to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with your instructions.

To help constantly improve and tailor the service we provide to you through our Platform, we may use aggregated information so that we can administer and improve our services, analyse trends, gather broad demographic information and detect suspicious or fraudulent transactions and most importantly monitor and improve our operations on a day to day basis. In carrying out this activity, we may pass some information to third parties in aggregate and anonymised format.

6. International transfers

To be able to provide our services, it might be necessary that we transfer personal data to other countries inside or outside the EEA. Whenever we transfer personal data out of the EEA, we ensure an appropriate degree of protection is afforded to it. We take all measures necessary to transfer the personal data in a lawful manner to such countries. We ensure that at least one of the following safeguards applies:

  • The country where we transfer personal data has been deemed to provide an adequate level of protection for personal data by the European Commission.

  • Where we use certain service providers, we may use Standard Contractual Clauses approved by the European Commission which offer sufficient safeguards on data protection.

7. Data security

We have put in place appropriate technical and organizational measures to protect personal data from unauthorized or unlawful processing and from loss, alteration, destruction or disclosure. These measures ensure an appropriate level of security. Amongst others, we limit access to personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

If you get the impression that your personal data is not appropriately secured, or if there are indications of misuse, please contact privacy@graphcommons.com.

8. Data retention

We will not store personal data longer than necessary to fulfil the purposes we collected it for, unless we are required by law to do so. After this retention period we will erase or anonymize personal data for research or statistical purposes.

Under the GDPR you have the following rights in relation to your personal data:

  • Request access to your personal data. This means you can make a request to obtain access to the personal data concerning you.

  • Request rectification or correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you completed or corrected.

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data.

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data.

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

  • Object to direct marketing where your personal data is used for that purpose.

  • Lodge a complaint with a supervisory authority if you consider that your rights under the GDPR are infringed.

  • Withdraw consent at any time where we are relying on consent as a legal basis to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will inform you if this is the case at the time you withdraw your consent.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You can generally exercise your rights free of charge. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out above, please contact us via privacy@graphcommons.com.

10. Updates, cookies and contact

Changes to our privacy statement and your duty to inform us of changes to your personal data

We regularly review our privacy statement and reserve the right to change this privacy statement where needed. This version was updated on 5 August 2020.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Platform may become inaccessible or not function properly.

Contact details

If you have any questions about this privacy statement, including any requests to exercise your legal rights, please contact the data privacy manager using the details set out below.

Full name of legal entity: Alterlab, LLC

E-mail address: privacy@graphcommons.com

Postal address: 19 Morris Ave. 11205, Brooklyn, New York, USA