GDPR & TRYILO
INFO: The EU General Data Protection Regulation (GDPR) will set a new standard for how companies use and protect EU citizens’ data. The regulation will become effective on the 25th May 2018. You can find all information about GDPR at https://www.eugdpr.org/.
NOTE: Tryilo is fully committed to achieving compliance with the General Data Protection Regulation, which will go into effect May 25, 2018. This post outlines what we have done to make sure that Tryilo meets GDPR obligations.
GDPR overview
The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that is directly or indirectly identifiable to an individual. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition.
Specifically, GDPR grants EU citizens the following means of controls over their personal data:
Transparent information about data processing
Every company that hold and/or process data of any person in the EU is obligated to provide any information relating to processing this data subject.
Right of access
Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, as well as with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.
Right to be Forgotten
Individuals can decide they no longer want their personal data to be processed and request all of their information to be deleted.
Notice of security breaches
Individuals must be alerted within 72 hours if their personal data has been hacked or otherwise compromised.
Privacy by design
The idea has existed as a concept for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition.
Data portability
Individuals will be permitted to move their personal data from one company to another upon request, without opposition from the data controller.
Transparent information about data processing
The Article 4 of GDPR defines data controllers and data processors as below:
Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
Processor – a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.
For example, if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then, with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.
This distinction is important for compliance. Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling the right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.
Tryilo as a Data Controller
In the meaning of Data Controller stated above, Tryilo stores the following private data:
  1. User email address.
  2. User name.
  3. User phone number.
  4. User avatar.
  5. Date of birth (optional).
  6. Gender(Optional).
  7. Residential or Commercial address.
  8. Government ID such as ID (Photo identification card), Passport or Driving license.
  9. Internet protocol address (IP).
  10. Browsers used.
If you create an account in Tryilo, we will ask you for a valid email address. The email address will be used as your ID in the service. You also have the option to give us more information if you want to, including real name, additional email address, phone number, a photograph (avatar), physical address, ID (such passport, driving license or identification card). This type of information is required to create a smooth rental process. Your personal government identification documents are required for your profile verification purpose. We carefully verify each and every document uploaded on the platform to ensure we provide a secure service for both borrowers and lenders. Your ID documents are NOT shared with any entity and the sole purpose is for verifying the individual.
Why we collect this
  • We need your Personal Information to create your account, and to provide the services you request.
  • We show your Personal Information on your profile page. This profile is only accessible for you and no one can modify the profile data without your consent.
  • We use your Personal Information, specifically your email address, to identify you on Tryilo.
  • We will use your email address to communicate with you (newsletters, notifications). You can change your email and unsubscribe from those messages any time. We are using AWS SES to send our email messages to our clients (all information about our Vendors and their GDPR commitments are listed below)
  • We need your physical residential or commercial address to identify the location of your listed products on Tryilo.
  • We need your personal government identification documents for your profile verification on Tryilo if you want to use our services such as lending or borrowing.
INFO: We do not store any Credit Card information. For that we use an external service: MangoPay.
Our Vendors
Tryilo uses certain vendors in providing its Services. All services either fully comply with GDPR regulations or are to implement it shortly.
  • Amazon Web Services – Hosting infrastructure for the Service and SES for email
  • MangoPay – Payment processing
  • Google G Suite – Email communication with clients
  • Self Hosted Mautic – Marketing emails communications
  • Hotjar – UX analytics
  • Google Analytics – Data analytics
  • Mixpanel – Statistics, analysist, cohort analysis, email notifications
  • Crisp – Helpdesk and customer messaging platform
  • Clickatell – SMS communications
  • ManyChat – Facebook Messenger communication
Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.
We limit our use of your Personal Information to the purposes listed in our Privacy Statement. We do not share, sell, rent, or trade Personal Information with third parties.
Tryilo as a Data Processor
Tryilo is a community platform where users can create communities and invite their friends to join their communities. Tryilo will send the invitation emails/notifications on behalf of the customer. This email information needs to be stored and processed by Tryilo, in order to send the emails and give the invitation status to the our users(community admins).
Right of access and Right to be Forgotten
Tryilo doesn’t ask for more personal data from our users than we need to provide our services to you. We provide you the ability to access and delete the data you have given us (e.g. you can remove your profile information at any time).
Please go through our Privacy Statement to get more information on our privacy policies.
INFO: If you want to get or erase all information that we have about you, please send a request to support@tryilo.com.
Notice of security breaches
Tryilo takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue.
Privacy by design
Since the very beginning, the application’s architecture and server infrastructure have been designed and chosen specifically to ensure that all user data is safe.
The application and user data are hosted on Amazon Web Services servers. You can see how AWS secures data here. Amazon’s GDPR commitment is available here.
Tryilo’s system installation is using a hardened, patched OS with dedicated firewall and VPN services that help block unauthorized access. We also employ industry-leading solutions to mitigate DDoS attacks. Our servers are under constant surveillance by our employees.
The application infrastructure is continually updated on weekly basis with the most recent and secure solutions. Critical security patches are provided as needed outside of the regular release cycle and specifically announced with email notifications and via our social channels such Twitter and Facebook. We also have a bug bounty program that lets users report vulnerabilities to our dedicated address report@tryilo.com. All reported issues and security holes are fixed with the highest priority.
Data portability
As described earlier, Tryilo, as a private Data Controller, has only access to data that provided during registration with optional Personal Information provided by the user. All this information can be found in My Account section once the user log in. The data can be changed, removed or copied by the owner(the logged in user)at any time.
Tracking
If you do not want online services to collect and share certain kinds of information about your online activity from third-party tracking services, you can set the Do Not Track privacy preference in your browser.
We do not track your online browsing activity on other online services over time and we do not permit third-party services to track your activity on our site with the exception of Google Analytics, Mixpanel tracking and occasional user behavior tracking performed with Hotjar analytics tool. The tracking data is collected exclusively to improve the UX and performance of the Service and website. Tryilo does not record any personal data with Hotjar as all text entered to the Service during tracking is suppressed before the data is sent back to Hotjar servers.
Because we do not share this kind of data with third-party services or permit this kind of third party data collection on Tryilo for any of our users, and we do not track our users on third-party websites ourselves, we do not need to respond differently to an individual browser’s Do Not Track setting. If you wish, you can opt out from Google Analytics tracking here, Mixpanel tracking here and from Hotjar here.
Our emails might contain a pixel tag, which is a small, clear image that can tell us whether or not you have opened an email and what your IP address is. We use this pixel tag to make our email more effective for you and to make sure we’re not sending you unwanted email. If you prefer not to receive pixel tags, please opt out of marketing emails.
Updates to our ToS and other policies
To achieve compliance with the GDPR we’re very focused on bringing our policies into alignment with the new law. This includes updates to Terms of Service, Privacy Policy, and Safety & Security.
We also offer a GDPR-compliant Data Processing Addendum (DPA), enabling you to comply with GDPR contractual obligations. If you need a Data Protection Agreement with us, please contact us