Privacy Policy
Last updated: 11 December, 2024
1. INTRODUCTION
1.1 Important information and who we are
Welcome to Pynea Technology Limited’s Privacy Policy (“Privacy Policy”).
Please read the following carefully to understand our practices regarding your Personal Data and how we will treat it.
At Pynea Technology Limited (“we”, “us”, or “our”), owned by Pynea Holdings, we are committed to protecting and respecting your privacy and Personal Data in compliance with applicable data protection laws including:
EU: The Regulation (EU) 2016/679 General Data Protection Regulation ("GDPR")
UK: the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and all other mandatory laws and regulations of the United Kingdom.
This Privacy Policy explains how we collect, process and keep your data safe. The Privacy Policy will tell you about your privacy rights, and how the law protects you.
1.2 When this policy applies
This Privacy Policy applies to your use of:
Pynea mobile application software (“App”) hosted on the Apple App Store and Google Play, once you have downloaded or streamed a copy of the App onto your mobile telephone or handheld device (“Device”).
Our website at www.pynea.com (“Site”).
Any of the services accessible through the App or Site (“Services”).
This Privacy Policy applies to all Personal Data collected and processed at any time by us.
1.3 Your Data Controller and Data Protection Officer
Pynea Technology Limited is your Data Controller and responsible for your Personal Data.
We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights surrounding your Personal Data please contact the DPO using the details set out below:
Name: Tom Stevenson
Email: [email protected]
Postal address: 3rd Floor 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
2. LEGAL BASIS FOR DATA COLLECTION
2.1 Types of data / Privacy Policy scope
“Personal Data” means any information about a living individual from which that person can be identified.
We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below. We have set out below what we collect and when we collect it from you:
Profile/Identity Data: This is data relating to your first name, last name, gender, date of birth.
Contact Data: This is data relating to your phone number, addresses, email addresses, phone numbers.
Services Data: This is the personal data you voluntarily upload using our App or Site for example, when your post or when you use the messaging function such as photos and interests.
Marketing and Communications Data: This is your preferences in receiving marketing information and other information from us.
Billing Data: This is information relating to your debit and credit card information such as the name attached to your payment details and your billing address.
Transactional Data: This is information of details and records of all payments you have made for our Services including details of in-App purchases.
Technical Data: This is your IP address, browser type and version, time zone setting and location, operating system and platform, and other technology on the devices you use to engage with us.
Customer Support Data: This includes feedback, bug reports and survey responses.
Usage Data: information about how you use our App, Site or Services. We will only collect this information with your consent through cookies, as per our Cookies Policy, below.
Device Data: includes the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting. We will only collect this information with your consent through cookies, as per our Cookies Policy, below.
Location Data. We also use GPS technology to determine your current location. Some of our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling Location Data in your settings.
We also collect anonymized data and will aggregate personal data so that it can no longer be associated with you. Although this aggregated data may be based in part on Personal Data, it does not identify you personally.
We use this information to help us understand our product and better serve you and others.
We may share this type of anonymous data with others, including service providers, our affiliates, agents and current and prospective business partners.
2.2 We may also process what is known under the GDPR as special categories of Personal Data. We do not ask you to provide and special category data and may only process this via any content or information that you choose to upload via our Services.
2.3 The legal basis for collecting that data
There are a number of justifiable reasons under the GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:
“Consent”: Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or ‘opt in’ to a service.
“Contractual Obligations”: We may require certain information from you in order to fulfill our contractual obligations and provide you with the promised service.
“Legal Compliance”: We’re required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions.
“Legitimate Interest”: We might need to collect certain information from you to be able to meet our legitimate interests - this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests. Examples could be your name, so that we have a record of who to contact moving forwards.
3. HOW WE USE YOUR PERSONAL DATA
3.1 Our data uses
We will only use your Personal Data when the law allows us to.
Set out below is a table containing the different types of Personal Data we collect and the lawful basis for processing that data. Please refer to section 2.2 for more information on the lawful basis listed in the table below.
Examples provided in the table below are indicative in nature and the purposes for which we use your data may be broader than described but we will never process your data without a legal basis for doing so and it is for a related purpose. For further inquiries please contact our DPO.
4. YOUR RIGHTS AND HOW YOU ARE PROTECTED BY US
4.1 Your legal rights
You have the following rights under data protection laws in relation to your personal data:
Right to be informed. You have a right to be informed about our purposes for processing your personal data, how long we store it for, and who it will be shared with. We have provided this information to you in this policy.
Right of access. This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it (also known as a "data subject access request"). See section 4.5 below for more details on how you can make a data subject access request.
Right to rectification. You have a right to request correction of the Personal Data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Right to erasure. You have the right to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Right to object. You can object to the processing of Personal Data we hold about you. This effectively allows you to stop or prevent us from processing your Personal Data. Note that this is not an absolute right and it only applies in certain circumstances, for example:
Where we are processing your Personal Data for direct marketing purposes.
Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
In some cases, we may continue processing your data if we can demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Right to restrict processing. You have the right to request the restriction or suppression of their Personal Data. Note that this is not an absolute right and it only applies in certain circumstances:
If you want us to establish the data's accuracy.
Where our use of the data is unlawful but you do not want us to erase it.
Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Right to data portability. You have the right to request the transfer of your Personal Data to you or to a third party. If you make such a request, we will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
If you wish to make a request under any of these rights, please contact us at data@pynea. com.
4.2 Your control over our use of your Personal Data
You may delete your account at any time – this will remove your account page from our systems and our related software.
You can access information associated with your account by logging into your account you created with us.
Your account information will be protected by a password for your privacy and security. You need to prevent unauthorized access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or Device and by signing off after you have finished accessing your account.
It is important that the Personal Data we hold about you is accurate and current. Please keep us informed if your Personal Data changes during our relationship with you. You can do this in your account.
California Privacy Rights: Under California Civil Code sections 1798.83-1798.84, California residents are entitled to ask us for a notice identifying the categories of personal customer information which we share with our affiliates and/or third parties for marketing purposes, and providing contact information for such affiliates and/or third parties. If you are a California resident and would like a copy of this notice, please submit a written request to [email protected].
4.3 How we protect customers' Personal Data
We are concerned with keeping your data secure and protecting it from inappropriate disclosure. We implement a variety of security measures to ensure the security of your Personal Data on our systems. Your information is protected on secured servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted using Secured Sockets Layer technology.
4.4 Opting out of marketing promotions
You can ask us to stop sending you marketing messages at any time by emailing [email protected] or clicking the unsubscribe link present in marketing communications.
Where you opt out of receiving these marketing messages, we will continue to retain other Personal Data provided to us as a result of interactions with us not related to your marketing preferences.
4.5 How to request your data and the process for obtaining it
We may need to request specific information from you to help us confirm your identity and ensure you have the right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
5. YOUR DATA AND THIRD PARTIES
Sharing your data with third parties
We may share non-Personal Data with third parties. We may share your Personal Data with subcontractors, affiliates, or members of Pynea's group, subject to confidentiality obligations to use it only for the purposes for which we disclose it to them and pursuant to our instructions.
We may also share Personal Data with interested parties in the event that we anticipate a change in control or the acquisition of all or part of our business or assets or with interested parties in connection with the licensing of our technology.
If Pynea Technology Limited is sold or makes a sale or transfer, we may, in our sole discretion, transfer, sell or assign your Personal Data to a third party as part of or in connection with that transaction. Upon such transfer, the Privacy Policy of the acquiring entity may govern the further use of your Personal Data. In all other situations your data will still remain protected in accordance with this Privacy Policy (as amended from time to time).
We may share your Personal Data at any time if required for legal reasons or in order to enforce our terms or this Privacy Policy.
6. HOW LONG WE RETAIN YOUR DATA
We will only retain your Personal Data for as long as reasonably necessary to fulfill the purposes we collected it for. We may retain your Personal Data for a longer period than usual in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
7. AGE LIMIT FOR OUR USERS
You must not use our App or Services unless you are aged 18 or older. If you are under 18 and you access our App or Services by lying about your age, you must immediately stop using the App or Services.
The App and is not intended for children and we do not knowingly collect data relating to children.
8. INTERNATIONAL TRANSFER OF DATA
We may transfer your Personal Data to service providers that carry out certain functions on our behalf. This may involve transferring Personal Data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law. Whenever we transfer your Personal Data out of the UK we ensure a similar degree of protection is afforded to it.
We will only transfer your Personal Data to countries that have been deemed by the UK to provide an adequate level of protection for Personal Data or we may use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK.
9. COOKIES POLICY
Our App uses cookies to distinguish you from other users of our App. This helps us to provide you with a good experience when you browse our website and also helps us make improvements.
A cookie is a small file of letters and numbers that we store on your browser or in your device's storage. We only use (and store) non-essential cookies if you provide your consent.
| Cookie | Purpose | Duration | More Information |
|---|---|---|---|
| Mixpanel | This helps us understand how you use the App and helps us to improve your experience. These cookies may track how long you spend on the App and how you interact with the App. | The retention period will be between 1 minute and 1 year depending on the type of cookie used. | MixPanel |
| Firebase (Google) | This helps us understand how you use the App and helps us to improve your experience. These cookies may track how long you spend on the App and how you interact with the App. | The retention period will be between 1 minute and 1 year depending on the type of cookie used. | Firebase |
10. NOTIFICATION OF CHANGES AND ACCEPTANCE OF POLICY
We keep our Privacy Policy under review and will place any updates here and where necessary we will notify of any change by sending you an email with details of the change or notifying you of a change when you next start the App or access our Site.
Data Processing Agreement
This Data Processing Agreement ("Agreement") forms part of any contractual arrangement ("Principal Agreement") between the Company ("Data Controller") and its Customers ("Data Processors"). This Agreement outlines the terms and conditions regarding the processing of personal data in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning.
1.1.1 “Agreement” means this Data Processing Agreement and all Schedules;
1.1.2 “Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Company pursuant to or in connection with the Principal Agreement;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the services the Company provides and referenced in www.pynea.com/terms
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
2.1 Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
2.1.2 not Process Company Personal Data other than on the relevant Company’s documented instructions.
2.2 The Company instructs Processor to process Company Personal Data as aligned to the categories of data, the categories of data subjects and the purposes of the processing set out in Annex 1, and using sufficient controls as outlined in Annex 2.
3. Processor Personnel
3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall, in relation to the Company Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take into account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1 The Processor shall not appoint any Subprocessors without prior written consent from the Controller. Subprocessors shall be subject to the same data protection obligations as outlined in this Agreement.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Company obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of the Company or as required by Applicable Laws to which the Processor is subject, in which case the Processor shall, to the extent permitted by Applicable Laws, inform the Company of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Company and take reasonable commercial steps as directed by the Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation Processor
Data Protection Impact Assessment and Prior Consultation Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which the Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Company Personal Data
9.1 Upon termination of the Principal Agreement, the Processor shall delete or return all personal data to the Controller within 10 working days, unless legal obligations require retention.
10. Audit rights
10.1 Subject to this section 10, the Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.
10.2 Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Transfer
11.1 The Processor may not transfer or authorise the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
12. General Terms
12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of the United Kingdom.
13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the United Kingdom.
Annex 1
1. The purpose of the Data Processor’s processing of personal data on behalf of the Data Controller is:
To facilitate the operations of the Pynea app and web platform, which enable both companies and individuals to:
Sign up and create personal profiles.
Connect with others within the platform.
Share profiles internally or externally (if users choose to make their profiles public).
Support activities such as hiring, contracting, and other professional engagements.
2. The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):
The processing shall mainly pertain to:
Collecting personal data submitted by users during account creation and profile updates.
Storing and managing user profiles, including personal and professional details.
Enabling the sharing of profiles within the platform and externally, if users choose to make profiles public.
Facilitating communication and connections between users (both companies and individuals)
Supporting data analysis, sorting, and matching for purposes such as hiring, contracting, and professional networking.
Ensuring the security and integrity of personal data through access control and other technical measures.
3. The processing includes the following types of personal data about data subjects:
Personal data provided in connection with the provision of Pynea’s services, as agreed in www.pynea.com/terms such as user information (may include name, email, title), job posting information, applicant data (including resume data, contact details, profile information), IP address, device / browser characteristics.
4. The processing includes the following type of special categories of data about data subjects:
____________________________________
5. Processing includes the following categories of data subjects:
User information, job posting data, applicant data, recruitment information, job history, connection data.
6. The Data Processor’s processing of personal data takes place in the following countries and jurisdictions:
UK, EU, USA
7. The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when the Clauses commence. Processing has the following duration:
Until the cessation of contracted services.
Annex 1: Technical and Organisational measures
1. Physical Access Controls
Data Processor shall take reasonable physical access measures to prevent unauthorised persons from gaining access to personal data.
2. Access Controls
Data Processor shall take reasonable measures to prevent personal data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented access authorization processes, documented change management processes, the logging of access on several levels, restricting direct database and application access rights, and implementing an access management policy.
3. Transmission Controls
Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of personal data by means of data transmission facilities is envisaged so personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
4. Input Controls
Data Processor shall take reasonable measures to provide that it is possible to check and establish whether and by whom personal data has been entered/modified within data processing systems.
5. Training and Awareness
Data Processor shall ensure that staff with access to Personal Data are trained on data protection and privacy topics.