Data Protection and Privacy for Kiyanna

Last Updated/Reviewed: 29/02/2024

Kiyanna is a product of Emojot. The Emojot platform plays a role as a data controller of its own data and as a data processor of customer data. Emojot has adopted the EU GDPR definitions (Article 4), which specify that a data controller is an entity (person, organization, etc.) that determines the why and the how for processing personal data and a data processor is an entity that actually performs the data processing on the controller’s behalf.

Personally identifiable information (PII) is any data that can be used to identify a specific individual. Social Security numbers or National Identity Card numbers, mailing or email addresses, and phone numbers are commonly considered PII, but PII can also include an IP address, login IDs, social media posts, or digital images. Geo-location, biometric, and behavioral data can also be classified as PII. The Emojot platform collects and stores PII data as a data processor and a data controller.

Emojot actively ensures compliance as closely as possible with applicable data privacy laws both as a data controller of its own data and as a data processor of our business clients’ data. To find out more about the extent of compliance with any particular data protection/privacy regulation or act, please send an email to security@emojot.com.

Data Privacy: PII Data Subject Requests

As a survey platform, Emojot collects data on survey respondents on behalf of our business clients. Generally, individuals have the following rights in relation to their personal data:

  • The right to access personal data.
  • The right to rectify inaccurate personal data.
  • The right to erase personal data.
  • The right to restrict the processing of personal data.
  • The right to data portability.
  • The right to object to the processing of personal data.
  • The right to withdraw consent to the processing of personal data.

However, these rights are subject to the scenarios and laws under which certain campaigns are conducted by Emojot’s business clients, who are the data controllers. If a survey respondent wishes to exercise rights in relation to personal data or personal information that may have been collected via the Emojot platform, the respondent should contact the customer (the data controller) who collected the relevant data.

If an individual wants to exercise their rights in relation to data for which Emojot acts as a data controller, they should contact security@emojot.com.

Data Privacy: Explicit Consent

In accordance with the EU General Data Protection Regulation (GDPR), Emojot collects personally identifiable information (PII) from survey respondents only after obtaining their freely given, informed, and unambiguous consent. This means respondents have the right to skip providing their information and choose to remain anonymous when responding to Kiyanna.

Health data is deemed ‘special data’ under GDPR guidelines. Kiyanna does not directly deal with health data; therefore, Emojot has not implemented the more stringent version of the consent used for personal, non-health data.

Data Privacy: Data Collection

Business Sign-up: We collect limited personal information, such as your email address and mobile number, only when you sign up for a Kiyanna account. Each registered business receives a unique business-ID and QR-code for identification purposes. It’s important to note that Emojot does not store any payment information. We partner with Stripe and Payhere for secure payment processing, and you can refer to their respective data protection policies for further details.

Responding via Kiyanna: Kiyanna allows respondents to participate anonymously. Respondents have the option to skip providing their name, email address, or mobile number during the Kiyanna response process.

Data Protection: Data Encryption

All Emojot data is encrypted at rest and in transit. That is, all the data is encrypted in the database, and the data transfer channels are also encrypted.

Data Protection: Data Storage

Emojot data is stored in an industry-standard database-as-a-service cloud platform that inherently supports high availability, failovers, and replication. By default, Emojot is compliant with all the infrastructure-related regulatory compliance standards that are associated with our cloud provider (AWS).

Data Protection: Customer Identity Access Management

All Emojot data stores can only be accessed by applications that are within an isolated private network of AWS and cannot be accessed by any unauthorized entity even if they were able to steal login credentials or data access endpoints to Emojot data stores.

We control access to your information through API calls, which are authenticated, authorized, and governed by an API Manager. Additionally, we implement a data virtualization layer that uses your unique “Business ID” to automatically separate and protect your data from other businesses’ data. This ensures that no business’s data is ever exposed to another business on our cloud platform.

If your Kiyanna subscription package supports it, your analytics data can be accessed through secure, temporary links. These links remain active for only 7 days. Please note that these links are confidential and should not be shared with anyone unauthorized to access your data. If you accidentally share an analytics link with an unauthorized person while the link is still active, immediately contact security@emojot.com to have the link disabled.

Data Protection: Security Monitoring and Governance

Emojot has a continuous process of strengthening, monitoring, and securing the Emojot platform-related services with robust internal protocols and processes. These actions include automated server patching, vulnerability scanning, and continuously reviewing the security of the Emojot platform across multiple levels of infrastructure, applications, and code, in alignment with the best practices of the IT security industry.

Data Protection: Data Breaches

EU GDPR compliance requires that companies report data breaches within a 72-hour window. The Emojot platform governance processes enable us to inform our business clients of certain types of data breaches within the 72-hour timeframe, enabling our business clients to comply with the GDPR guidelines to a certain extent. Emojot is working toward compliance for all types of data breaches.