GDPR

Base GDPR Compliance

In order to ensure that our service is compliant with the legal requirements set by the EU General Data Protection Regulation (GDPR), we have implemented certain changes in the way we handle personal data.

Since Base acts as both a data controller, (for instance, when handling our clients’ personal data – like email addresses, needed for registration to the service) and data processor, some of our obligations will extend only to data subjects whose personal data we are in direct control of.

Base processes customer personal data to provide the products and services and for other limited purposes which will be enumerated in our updated Privacy Policy.

While we always took the privacy and security of our clients’ data extremely seriously, some of our procedures will need to be modified if we are to meet all the conditions listed in the GDPR. This includes examining and when necessary, modifying our:

Data storage and access authorizations

We have performed an audit and mapped all the personal data we collect, assessed the way it is stored and updated, restricted its processing, and prevented it from being accessed, copied, or manipulated by members of our staff without there being a record of the actions taken, ensuring full accountability.

Data access authorization levels are to be refined, amount of data collected, and a retention period to be brought down to the operational minimum (“privacy by default”), and employees that do have access to data are to be educated on what they can and cannot do with it.

We intend to retain documented data that explains how, when, and why the data has been collected and to monitor that data in order to identify odd patterns or breaches.

Cookie policy

If we are already handling your personal data, we will inform you once we are done implementing all the changes included in our GDPR compliance roadmap, at which point, you’ll be able to expect complete transparency regarding the data we collect and the way we are using it.

Before we send any data-collecting cookies, users will be informed on the type of cookies we intend to use, the purposes we need them for, and the effects of declining or accepting them. Some cookies are used to inform us on how our site is being used, which ultimately translates into a smoother experience for our users, but still requires us to get your permission before sending them. However, there are those which are absolutely necessary for you to be able to use our service or view our website (for instance, CSRF protections cookies), and these cookies can be sent without us asking for explicit consent.

Before we send any other kind of cookies your way, we will clearly inform you which cookies we are using, what we need them for, and which of them you need to accept in order to use our site or services, as well as which cookies are optional.

We may update this policy from time to time owing to changes in legislation or other reasons. You will be informed about the activities we undertake where it affects your privacy rights.

Consent and privacy by design

Before we collect any kind of personal data, send data collecting cookies your way, or make major changes in the way we handle your data, we will ask for your permission. This will be reflected in the design of our website, including different forms and text input fields, as well as sections triggering automatic data retrieval and storage (“privacy by design”).

You will, in plain terms, be informed about what we exactly need from you, why we need it, and what the risks and benefits of allowing us to collect your data are. The site’s architecture will ensure that you can never give out your data inadvertently, without being fully aware of what you are consenting to and without being able to review and remove your consent.

Policies regarding the subject’s right to be informed and to access the data

While we never kept our visitors or clients in the dark when it comes to the data we are collecting, or the way we are using it, these changes are meant to set up an infrastructure allowing data subjects to easily get any kind of information they need.

Data subjects can, at any time, get information regarding:

  • The exact amount and kind of data we have
  • The way that data is stored
  • Who has access to their data
  • How long their data is to be kept

We are obliged to inform the data subjects:

  • Access their data in its entirety
  • Ask for the data to be supplemented, corrected, or abridged
  • Ask for their data to be transferred, either to them or to a third party provider of their choice, if the transfer is technically feasible
  • Request we restrict or stop the processing of their data (“Right to restrict processing”, “Right to object”)
  • Ask for their data to be deleted (“Right to be forgotten”)

Associated third parties GDPR compliance

In order to provide you with our services, Base relies on different third-party apps helping us communicate with our users, or perform other essential tasks (example: Intercom). While some of those third party services won’t have any kind of access to your data, others will, either as controllers or as processors. While we can’t assume full responsibility in the cases where they are treated as controllers, what we can do is to ensure that each of these services that need access to your data in order to perform their function is compliant with the GDPR and that we have your consent to grant them access.

Our relationships with relevant third-party service providers (i.e. the ones that might have any kind of access to your data) will be regulated by written contracts, EU Standard contractual clauses (“SCCs”) and we will do everything within our power to ascertain, and keep periodically reassessing their compliance with the GDPR. Their Privacy Policy pages will be clearly listed on our website, along with anything else you might need to know about the particularities of our collaboration with those data providers.

Security

Aware of the sensitivity of data we handle, we have always invested heavily in our security procedures, however, the specific requirements of the GDPR pertaining to data segmentation, and the imperative to keep close and detailed records regarding any interaction of our staff with the data; necessitate the revision of our security procedures.

In order for us to be able to inform you of data breaches, to establish culpability, or to prove that we have acted in accordance with the rules prescribed by the GDPR, we need to ensure that everything important that happens to your data is logged and available for later review, by us, you, or the regulating body.

In order to limit the damage potential of security breaches, data received from third-party data sources go through pseudonymization. This process allows us to work with a depersonalized version of the data set in question, while the encryption key, or different additional information needed to attribute data to specific data subjects, is kept separately.

Security of processing is our top priority and we have adopted a risk-based approach that involves regular testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the safety and privacy of your personal information.

Data received from a third party

Before acquiring a contact list or a database with contact details of individuals from another organization or transferring one such list to a third party organization, Base will make sure that we as well as the organization must be able to demonstrate that the data was obtained in compliance with the General Data Protection Regulation and that it may be used for advertising purposes.