Last updated: March 2020 (archived versions)
To the extent the General Data Protection Regulation (the "GDPR") applies to us when processing your personal data, the controller of your personal data is ToTok Technology Ltd.
If you wish to contact us with any questions in relation to this policy or our privacy practices, you may contact us by emailing email@example.com or by contacting us via the App.
At all times, we keep our privacy practices and the terms of this policy under review to ensure your personal data is processed as securely as possible. This policy was last updated on the date given above. Any changes to this policy will be posted online, within the App and, if possible, emailed to you.
Information We May Collect From You
Personal data, or personal information, means any information about an individual from which that person can be identified. To provide you with the Services, we must collect, store, transfer, analyse and otherwise process certain of your personal data.
The Personal Data We Process Includes:
- Account data for the App or other Services: you provide your mobile number and name to create your account. You may also provide other information to supplement your account including your gender, date of birth, email address, postal address and profile photo. Should you wish to ask us a query or make a complaint about our Services, such personal data will also be automatically added to your account;
- Messages or calls: your messages (including all photos, videos and other recordings) and calls are encrypted or double encrypted and generally speaking, we do not collect nor access any of the personal data or other information provided via your messages or calls. Your messages are stored on your own device and under your control whilst on your device. However, in certain circumstances, it is necessary that we store your messages, namely to comply with legal obligations to which we are subject and for the purpose of ensuring your messages are delivered when the recipient is offline at the time of sending by continually trying to deliver said messages. Our servers will store your messages until they are deleted in accordance with our retention practices (please see section 5).
- Address book data: we will request access to your device address book which, if granted, will allow us to access your contacts. If we have access, we can tell you which of your contacts is also using ToTok to make the experience more beneficial for you, for example if we have access to your address book, it is simple for you to select a contact from your address book to start a conversation with.
- Photos, images, videos, voice recordings, and documents: we will request access to the photos, images, videos, voice recordings and documents stored on your device to allow you to share said content with other ToTok users via the App. Providing us access will also allow any photos, images, videos, voice recordings and documents you receive from other ToTok users to be saved to your device.
- Location data: we will request access to your location which, if granted, may be used for two functions within the App: (1) to allow you to share your location with other App users; and (2) to allow you to check the weather where you are.
- Data from other users: we will collect your personal data when other users of the App interact with you, for example when they send you message. Further, such as when we access your address book with your consent as noted above, if another App user has your details in their address book and provides us consent to access, we will have access to your personal data.
- Technical, usage and cookie data: we collect information about your use of the Services, including how you use our Services, how often you use our Services, the types of interactions you frequently use our Services for (for example whether you only message or whether you message and call). We do this to better understand how to provide our Services, what our users like about our Services and our users don’t like about our Services. Such information may include, if applicable, your preferences, such as your language preference, internet protocol (IP) address, your account login data, browser type and version, browser plug-in types and versions, and other technology on the devices you use to access the Services.
- Device information: we collect information about the device you use to access the Services including the hardware model, the version of the App you are using, the mobile network, and the time zone setting.
How We Use Your Personal Data
We use your personal data for the following reasons:
- to verify your account;
- to provide you with, and operate, the Services;
- to send you marketing materials, including in relation to other products and services provided by our group companies;
- to respond to any of your queries;
- to improve and customise our Services.
We only process your personal data when it is lawful for us to do so. We rely on the following lawful grounds under the GDPR to process your personal data:
- if you provide your consent, for example with respect to receiving marketing communications, allowing us to access your address book, camera or photos, or collect your location data;
- compliance with a legal obligation to which we are subject, for example if we received a lawful request to disclose personal data;
- to protect your vital interests or those of another natural person, for example if we are investigating a report of harmful conduct submitted by you;
- performance of a task carried out in the public interest, for example to the extent this relates to the safety and security of our Service users and others; and/or
- the legitimate interests pursued by us or by a third party as listed below, subject at all times to us ensuring your rights and freedoms do not outweigh the pursued interests.
The legitimate interests we pursue are
- to constantly improve and customise our Services;
- to ensure the safety and security of our Service users and third parties, and to promote such safety and security; and
- to secure our Services from harmful acts such as cyber-security breaches.
Sharing Your Personal Data
We may share your personal data in the following scenarios only:
- we may share your personal data with your consent;
- we may share your personal data with other users who are using the App to ensure you both receive the full benefit of the Services offered. You also use our Services to share your own personal data with other users of the Services;
- by providing personal data to form part of your public profile on the App, any personal data displayed on the public profile will be visible by other users of the App;
- we may share your personal data if we are required to respond to law enforcement, officials, regulatory agencies and other lawful requests or legal processes, or to comply with a legal obligation to which we are subject;
- we may share your personal data with if we undergo a merger, acquisition or other form or reorganisation and pursuant to such, a third party will become the controller of your personal data; and/or
- we may share your personal data with group companies if you request a good or service provided by one of our group companies, and that good or service strictly requires certain of the personal data that we hold about you to function or be provided (such as your name and mobile number if it is another application), or if one of our group companies provides us with services which relate to the provision of Services to you.
If we are required to transfer your personal data to a country outside that in which we collected it pursuant to the above listed circumstances, we will do so in accordance with the applicable data privacy legislation. The lawful requirements will depend on the flow of personal data, meaning it will depend on whether the sharing of personal data is cross-border and which countries are involved. At all times, we will ensure a similar degree of protection is afforded to your personal data outside the country in which you are based.
If you are an EU citizen and we require to transfer your personal data outside the European Economic Area, we will ensure one of the following safeguards is in place:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Security Of Your Personal Data
We take your privacy very seriously and work hard to protect your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place appropriate security measures to prevent this from happening, for example we use encryption tools to protect the content of your messages and calls. For additional information regarding the security of the App, please visit here.
In addition, we limit access to your personal data to those employees, volunteers, agents, contractors and other third parties (as listed above) who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted through our Services; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
How Long We Keep Your Personal Data For
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
With this in mind, we have determined that:
- for the reasons given above under section 1, messages will be stored for a period of up to six (6) months after being sent. This will allow us to continually try to deliver your messages should the recipient be offline and also to comply with our legal obligations; and
- upon cancelling your account, we will store the personal data related to your account for up to one month from the date of cancellation before permanently deleting it. Storing your data for this time means you can easily reactivate your account during this time.
We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation or other regulatory enforcement or action in respect to our relationship with you and/or your use of the Services.
In certain circumstances, you may have the right to:
- Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in certain scenarios.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.
- Withdraw consent at any time where we are relying on consent to process your personal data.
- Complain to the appropriate regulator for any data protection issues. We would, however appreciate the chance to deal with your concerns before you approach the regulator so please contact us in the first instance.
To exercise one of the above rights, please contact us using the details provided above.
We may need to request specific information from you to help us confirm your identity and ensure you are able to exercise the right you wish to exercise. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Third Party Links