Minsh takes the protection of personal data very seriously. This FAQ explains the data protection regimes we comply with, what they mean for you as a Minsh App owner, and what they mean for your users. You may also be interested in learning more about the technical side of how we handle data in our Minsh Processes FAQ.
A few definitions
- Personal Data. Any information relating to an identifiable person who can be directly or indirectly identified, for example by reference to a name, an email address, a phone number, an IP address, or an online identifier.
- Data Controller. The entity that determines the purposes and means of the processing of Personal Data. In our setup, each one of our clients (the Minsh App owner) is the Data Controller for the data of their app’s end users.
- Data Processor. The entity that processes Personal Data on behalf of the Data Controller. In our setup, Minsh is the Data Processor.
Which data protection laws does Minsh comply with?
Minsh’s contractual commitments to its clients cover the four most commonly applicable data protection regimes:
- The EU General Data Protection Regulation (Regulation (EU) 2016/679) — the EU GDPR;
- The UK General Data Protection Regulation and the UK Data Protection Act 2018 — the UK GDPR;
- The Swiss Federal Act on Data Protection of 25 September 2020 — the Swiss FADP;
- The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles — the Australian Privacy Act.
These commitments are set out in our Data Processing Agreement (DPA), which forms part of every Minsh client’s contract with us.
What is the GDPR?
The GDPR is a European legal framework that defines how the personal data of individuals in the European Union must be collected, stored, used, and protected. It came into effect on May 25, 2018, and has been the global benchmark for modern data protection law ever since. The UK GDPR (post-Brexit), the revised Swiss FADP, and Australia’s Privacy Act all share the same core principles.
Is Minsh compliant?
Yes. We have taken all the necessary steps and continuously review our processes to ensure that Minsh and its sub-processors operate in line with the four regimes listed above. Our sub-processors are bound by data processing addendums that cover the relevant regimes; the current list is in Schedule 1 of our Data Processing Agreement.
Which data do these laws apply to?
They apply to “Personal Data” as defined above. In the case of Minsh Apps, this mostly means the data users provide when they sign up or complete their profile page, although other information provided elsewhere in the app (messages, events, comments, location data, etc.) may also fit the description.
To whom do these laws apply?
Each regime has slightly different territorial scope, but the practical rule of thumb is: if some of your users are in the EU, the UK, Switzerland, or Australia, the corresponding regime applies to your processing — regardless of where you or your business are located.
Can you help me with the terms of use and privacy policy of my Minsh App?
Yes — for the benefit of our clients, we can provide template terms of use and a generic privacy policy that cover common data protection requirements. These templates are not a substitute for legal advice, and we recommend that you have your own legal counsel review them before publishing them on your Minsh App.
When drafting your policy, keep the language plain and the information accessible to your users. We make sure your terms and privacy policy are easy to find by linking them on your Minsh App’s sign-up page and settings page.
Please note that Minsh cannot be held responsible for the content of your Minsh App’s terms of use or privacy policy.
What rights do my users have?
Subject to the applicable regime, your users (the data subjects) generally have the following rights regarding their personal data:
- Right of access — to know what personal data you hold about them and obtain a copy.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure (“right to be forgotten”) — to have their data deleted in certain circumstances.
- Right to restriction of processing.
- Right to data portability — to receive their data in a commonly used format and transmit it elsewhere.
- Right to object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent, where consent was the legal basis.
- Right to lodge a complaint with their data protection authority.
How quickly do I have to respond to a user request?
Response timeframes vary slightly by regime, but as a rule of thumb:
- EU GDPR / UK GDPR / Swiss FADP: within one (1) month of receiving the request, extendable by up to two further months for complex requests if you notify the user.
- Australian Privacy Principles: within thirty (30) days.
Whatever the regime, our practical advice is the same: confirm the user’s identity, acknowledge their request quickly, and don’t sit on it.
What about data breach notification?
If a security incident affecting your Minsh App’s data occurs, Minsh will notify you (the Data Controller) without undue delay so that you can in turn meet your own notification obligations to your supervisory authority (within 72 hours under EU/UK GDPR, within 30 days under the Australian NDB scheme) and to affected users where required.
How can I update my Minsh App’s terms of use and privacy policy?
Please contact us at team@minsh.net and we will assist you.
Any further questions? Feel free to contact me at any time!
Barbara Maim
CEO Minsh