Privacy Notice for Users of the Sideways 6 Platform
At Sideways 6, we treat your privacy seriously and only use your personal data to help you run idea campaigns by providing you with access to the Sideways 6 platform, administer your account, give you product support as needed, and improve the Sideways 6 product.
We encourage you to read this page thoroughly and contact us at firstname.lastname@example.org in case of any queries.
We are Sideways 6 Ltd (registered office: 21 Downham Road, London, N1 5AA), the makers of the Sideways 6 idea management platform. You, the user of the Sideways 6 platform, are the data subject, and we act as the data processor. Your employer is the data controller.
We do not explicitly request your consent as data subjects to collect data, because you already gave consent for it to be collected and used in the course of your employment, or processing your data is necessary for the performance of your employment contract.
This constitutes a lawful basis for processing under the General Data Protection Regulation (GDPR).
Sideways 6 has been certified by BSI to ISO/IEC 27001 under certificate number IS 719021. By operating our Information Security Management System and applying industry best practices, we ensure your personal data is protected from loss, disclosure to inappropriate persons, and unavailability.
Your personal data is stored encrypted on Microsoft Azure servers and is always transferred securely, protecting you against data breaches and disruption. The location of these servers varies depending upon our agreement with your employer. If you are unsure as to which data centres are being used for your data, please contact email@example.com or use the in-app chat.
The following Sideways 6 user personal data is processed for all users with an account in the Sideways 6 platform:
- First and last names
- Profile picture you upload into Sideways 6
- The IP address of the computer(s) you use to connect to Sideways 6
- Unique user and computer identifier in the form of a browser cookie
- The date and time of your first and latest login and activity
We will use this data to:
- Allow your employer to run analytics on the performance of your idea campaigns
- Set up your Sideways 6 account and provision platform access
- Authenticate you by using your company email address as a unique identifier
- Personalise your Sideways 6 experience by letting you save your preferences
- Carry out product satisfaction surveys to help us improve the platform
- Generate product usage analytics to improve your Sideways 6 experience
- Meet audit log requirements set out in our agreement with your employer
- Provide product support when requested and notify you of any disruption
- Give you updates about improvements made to the product via email or in-app
We will keep your personal data for the whole length of the engagement between your employer and Sideways 6, and up to 30 days thereafter. It is then deleted or anonymised.
To further process your data, we use third party product support and analytics tools like Intercom to enable us to react to Sideways 6 platform users’ questions and issues and continually improve the user experience. We host our platform and all data on third-party Microsoft Azure servers as well as use their Text Analytics API.
We use the following sub-processors to process personal data:
- Microsoft Azure for IaaS cloud hosting and text analytics, covering all personal data processed as above. The Sideways 6 platform is run at the West Europe Microsoft Azure location. Data is also stored in the West Europe Microsoft Azure location in the Netherlands by default and does not leave the EU, but this may be changed to a different Azure Location on customer request. International data transfer bases are therefore dependent on the storage location chosen. The Azure Online Services Terms, however, incorporate the Standard Contractual Clauses. Microsoft Azure holds a number of security certifications and attestations, including ISO 27001.
- Intercom for providing product support via in-app chat and email. Name and surname, email, and job title are processed. We also use Intercom to collect product feedback, serve Product Tours, and contact users to request feedback on existing and future functionality. Data is processed in the US and transferred under Standard Contractual Clauses, which form part of the Data Processing Addendum signed by both Sideways 6 and Intercom. Intercom hold a SOC 2 Type II attestation.
- Twilio SendGrid for sending out emails from the Sideways 6 platform. Name, surname, and email are processed. Data is processed in the US and transferred under Standard Contractual Clauses, which are part of the Data Protection Addendum, incorporated into the Twilio Terms of Service by reference. SendGrid hold a SOC 2 Type II attestation.
The Sideways 6 internal Anonymous User ID of users of the platform is also passed to other analytics tools used to help us understand user behaviour, including Hotjar and Google Analytics. This does not fall under personal data.
At the moment, Sideways 6 does not carry out any profiling in relation to campaign participants or platform users.
Under the General Data Protection Regulation (GDPR), you have a right to:
- Be Informed – you will be notified within 72 hours of a data breach concerning your data. We will notify our customers within 12 hours if we discover a data breach to allow them to inform the relevant data subjects in a timely manner.
- Access – you can access what personal data is being processed and how, and request a copy of it. You can do this by contacting us at firstname.lastname@example.org.
- Erasure – you can be forgotten if your data is no longer relevant to its original purpose. For such requests, you may contact us at email@example.com.
- Data Portability – you can get a copy of your data that we store in a portable (easy to use elsewhere) format. We can provide a copy of the data in XLS/CSV format if requested at firstname.lastname@example.org.
- Rights in relation to automated decision-making, including processing.
- Rectification – have a record of your personal data corrected in case of errors or inaccuracies. To do this, you may contact your (potentially former) employer directly, Sideways 6 Support, or email@example.com.
- Complain to the GDPR supervisory authority appointed by your EU member state or the UK if you believe your rights are being encroached upon.
We will respond to a data subject access request (SAR) within one calendar month. If you would like to exercise any of these rights and need more information, please contact us on firstname.lastname@example.org.
We do not process or control data belonging to special categories, like health information or political views, unless manifestly revealed by the employee as part of their campaign activity to the internal public, which is an exception that allows for processing them under the GDPR.
The California Consumer Privacy Act takes the position that consumers own their data and provides them with five general rights regarding their PII. California-based consumers therefore have the right to:
- Know what personal information is collected about them.
- Know whether and to whom their personal information is sold/disclosed, and to opt-out of its sale, where sale means any transfer in exchange for a monetary or other compensation. We will never sell your data.
- Access their personal information that has been collected over the last 12 months. Once the request is made, businesses must disclose the requested information free of charge within 45 days. We can provide a copy of the data in XLS/CSV format if requested at email@example.com.
- Have a business delete their personal information, excluding information under legal hold (until the matter is adjudicated or until the hold is released) and information that must be retained per legal or regulatory recordkeeping requirements. If a data deletion request is made by emailing firstname.lastname@example.org, we will delete all data that pertains to you not related to the subject of your employment or as is otherwise legally required.
- Not be discriminated against for exercising their rights under the CCPA.
Data protection principles
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner,
- Collected for specified, explicit and legitimate purposes; further processing for statistical purposes shall not be considered incompatible with initial purposes,
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they were processed,
- Accurate, and where necessary kept up to date; every reasonable effort must be taken to ensure that any inaccurate personal data are erased or rectified,
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which they were processed,
- Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and accidental loss or damage.