TIDWIT’s GDPR Policy Statement

TIDWIT Inc. (“TIDWIT”) is committed to complying with the European Union’s GDPR (General Data Protection Regulation), which is scheduled to go into effect on May 25, 2018. This regulation covers different areas that affect TIDWIT as an organization as well as its network platform, customers, and users in the European Union.

The following policy statement shall cover the entire TIDWIT Network, including but not limited to the www.tidwit.com site and all the platform instances and sub-instances that may be set up as sub-domains through ontidwit.com, with or without any URL vanity features.

To demonstrate its commitment to its users’ privacy and the protection of their personally identifiable information (PII), TIDWIT discloses its information practices below.

I. Approach
TIDWIT’s approach to GDPR has been proactive in that we see it as an opportunity to serve our customers more effectively, transparently, and securely. TIDWIT also sees GDPR as a confirmation of its business model, which promotes conducting content dissemination and marketing within an opt-in network environment as opposed to an opt-out spam e-mail environment. As such, TIDWIT has committed to the following:

  • Preparing the TIDWIT organization to support GDPR with the introduction of a DPO (Data Protection Officer)
  • Aligning the TIDWIT network and platform features and functionalities to support the GDPR as well as US regulations within the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland, respectively
  • Implementing secure data protection at the hardware (facility) level as well as at the software and transaction levels
  • Communicating TIDWIT’s Terms & Conditions, PII, and Cookie policies transparently to customers and users

TIDWIT has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles, which encompass both GDPR and US PII regulations. If any conflict arises between any of TIDWIT’s privacy policies and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit www.privacyshield.gov.

II. GDPR Compliance
TIDWIT hereby certifies that it falls under, and is compliant with, the GDPR, as set out in the following clauses:

II.A. Location:
While TIDWIT is headquartered in the United States, it has operations and customers in the EU and the UK. Therefore, TIDWIT recognizes that it falls under the jurisdiction of the GDPR.

II.B. Data Subject Rights
TIDWIT understands the GDPR’s requirements as they pertain to the rights of TIDWIT Network users, specifically:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

II.C. Data Controller and Processor
The TIDWIT Network provides content distribution services on behalf of businesses to their customers. Being a network, TIDWIT allows standardization in both the publishing and distribution phases. Additionally, what is unique about TIDWIT is its multi-tier model. This means a content publisher could be sitting three or more tiers removed from the users who access their content, which has implications for Data Control and Data Processing under the GDPR. The golden rule we follow, and which complies with the GDPR, is that regardless of where the content is coming from, as long as it is on the TIDWIT network, TIDWIT is considered the Data Controller and Processor. In addition, the owner of the instance on which a user accesses the content is considered a co-Controller. Therefore, the instance owner is allowed to access the PII of their users and is responsible for making sure that this PII is properly protected according to the GDPR. Two examples may help explain the model and its implications.

In the first example, User A accesses a video from an instance of Business “B” that is running on the TIDWIT network (the two-tier model). To access the video, User A must register and consent to opt in to the instance whose content he’d like to access. Consent is therefore issued simultaneously to both TIDWIT and Business “B”, who co-share User A’s PII and co-control the data.

In the second example, a content publisher “C” syndicates their content through the TIDWIT network to a partner “P”, who then distributes it to a user “U” (the three-tier model). The question here is who is the Data Processor and who is the Data Controller. The Data Processor, as always, is TIDWIT. User “U”, however, accessed Partner “P”’s instance and consented to sharing PII with them and with TIDWIT. So TIDWIT and Partner “P” are considered co-Controllers of the user’s data, with PII access and responsibility as per the GDPR. What about the content publisher “C”? They would only be able to get data from TIDWIT in aggregated form without any associated PII, thereby protecting User “U” from any communication for which they did not give consent, in line with the GDPR. Since content publisher “C” does not have access to any PII, they are absolved of any Data Controller or Data Processor responsibilities under the GDPR.

II.D. Cookies
A cookie is a piece of data stored on the user’s computer and tied to information about the user. TIDWIT uses Session ID cookies. A session ID cookie expires once the user closes the browser. By setting this cookie on our site, users do not have to enter their password more than once per session, saving time while on our site. If users reject the cookie, they may still use our site. TIDWIT also uses multi-session (persistent) cookies. These enable us to track and target the interests of our users to enhance their experience on our network. Cookies may be tied to a user’s personal identity information; however, we only share a user’s specific profile and PII with the specific instance that they visit, and we only share user profiles with any other third party in statistically aggregated and unidentifiable form. For more details, please see the TIDWIT Cookie Policy.

II.E. Personal and Biometric Data
TIDWIT’s network is designed to collect and store the least amount of user data necessary, in line with Privacy by Design. As such, TIDWIT collects only the data about users needed to personalize the experience based on the user’s preferences. During registration, the required fields are limited to first name, last name, e-mail address, and password. As users interact with the Network, they may optionally add data to their profile to customize it further to their needs. Collected user data may also include, but is not limited to, automatically generated behavioral characteristics based on pages accessed and content viewed. TIDWIT considers the sensitivity of the data it collects on its users to be low to medium.

TIDWIT does NOT collect or store any of the following highly sensitive personal data: social security numbers, date of birth, credit/debit card information, driver’s license number, state-issued identification card number (including passport), financial account number, personal medical information, health insurance information, or information or data collected through the use or operation of an automated license plate recognition system.

II.F. Data Rectification, Erasure, Objection, and Portability
Business customers and users have the right to request rectification of their data, and TIDWIT will comply within a period of two weeks. TIDWIT customers and users also have the right to object to the processing of their account data, to disable their accounts, and to have their pertinent data erased. Users also have the option to port their data if they so wish. Such requests must be made in writing to TIDWIT’s customer service: customerservice at tidwit.com

II.G. Right to Be Informed and Breaches
TIDWIT recognizes the users’ right to be informed, which encompasses TIDWIT’s obligation to provide ‘fair processing information’, typically through a privacy notice. Even though the limited PII TIDWIT holds is of low sensitivity, TIDWIT is committed to informing its customers within 72 hours of any breach, with a detailed description of the nature of the breach, its scope, its implications, and how the situation is being remediated.

III. Contacting TIDWIT’s Data Protection Officer
If users have any questions or suggestions regarding our GDPR Policy, please contact our Data Protection Officer at:

11911 Freedom Drive, Suite 805
Reston VA 20190, USA
Tel. +1.703.761.7600
Email: legal at tidwit.com
Web site: www.tidwit.com

IV. Where can you find more information about GDPR?
You can learn more about GDPR from the following third-party websites:

V. Glossary of Terms

BIOMETRIC DATA: Any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their identification.

CONSENT: A freely given, specific, and informed indication by which the data subject agrees to the processing of their personal data.

DATA BREACH: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.

DATA CONTROLLER: The entity that determines the purposes, conditions, and means of processing personal data.

DATA ERASURE: Entitles the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.

DATA PORTABILITY: This is the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.

DATA PROCESSOR: The entity that processes personal data on behalf of the Data Controller.

DATA PROTECTION OFFICER: An expert on data privacy who works independently to make sure an organization adheres to the GDPR.

DATA SUBJECT: A natural person whose personal data is processed by a controller or processor.

PERSONAL DATA: Any information related to a person or ‘Data Subject’ that can be used to identify the person.

PRIVACY BY DESIGN: A principle that calls for data protection to be built in from the start of system design, rather than added afterwards.

PROCESSING: Any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

RIGHT TO ACCESS: Also known as Subject Access Right: Entitles the data subject to have access to and information about the personal data that a controller has concerning them.

RIGHT TO BE FORGOTTEN: See Data Erasure