GDPR Compliance


Affinio is committed to providing our customers with audience insights and segmentation in an ethical manner and in compliance with the privacy regimes of Canada, the United States and the European Union.  This document outlines how the Services offered by Affinio comply with the General Data Protection Regulation.

Does GDPR apply to Affinio?

Yes.  Affinio has clients and offers its Services for sale in the European Union.  Accordingly, it may handle personally identifiable information (PII) of residents of the European Union.  That places Affinio under the jurisdiction of GDPR.

Is Affinio a data controller or a data processor?

Affinio is a data processor with respect to its Services.  Its Clients are data controllers in that the Client collects, chooses and submits information (defined as “Client Data”) to the Affinio Services.  The Client warrants to Affinio that any Client Data it has collected and submitted to the Affinio Services has been collected with the consent of the owner of such information and in compliance with all applicable privacy laws.

Does Affinio collect any information, including PII, from its Clients through its Services?

The Client chooses what information it will submit as Client Data to the Services for processing.  It is not necessary to submit any PII to the Services in order to utilize the Services.

Clients must submit the names and business contact information of their approved users in order to obtain login credentials for these users.  This information is used only to provide and maintain the login credentials. It is not shared with third parties.

Affinio collects statistics on the use of the Services by its Clients and their users, such as number of logins, usage, and report generation.  These statistics are used internally to monitor the use of our Services, to improve our Services and to enable customer support. This data is not used for any other purpose and is not shared with third parties.

What information does Affinio compile through its Services?

Affinio does not collect PII from individuals. The information which forms the basis of the Reports provided to our Clients is compiled from publicly available information from various social media platforms as a result of searches done utilizing the Client Data.  The information is collected directly from public profiles either by using a platform’s public application programming interface (API) or by searching the platform. We collect this information in accordance with (a) the platforms’ terms of use for their APIs and (b) robot exclusion protocols. We respect the privacy settings of individuals who use these platforms and do not collect information in contravention of the privacy settings set by the individual.

Affinio does not collect information through the use of games, quizzes or tests placed on social media platforms, nor does it permit developers onto its own platform to create these items.

Where does Affinio store Client Data submitted to its platform?

The Affinio platform and Services are located in the United States and all Client Data is transferred to and stored in the US.  Affinio’s platform is hosted by Microsoft Azure in its facilities in the continental United States.

Does Affinio have access to the Client Data?

Affinio does not access or use Client Data except to provide the Services as outlined in the legal agreement between Affinio and Client.  Our customer success team members, located in the United States and Canada, may assist you in processing your Client Data. As part of this assistance, our customer success team members may access your Client Data (with your consent) from their locations in these countries.

Will Affinio delete or modify the Client Data?

Upon termination of the relationship between Client and Affinio, Affinio will delete the Client Data in accordance with our data deletion policy and procedures.  We will not otherwise delete or modify Client Data.

Will Affinio notify us about security breaches affecting our Client Data?

Yes, we will do so in accordance with the provisions of GDPR and the terms of the legal agreement between Affinio and Client, including taking any other actions that are reasonably necessary regarding such security breach.  Affinio will cooperate with Client and any law enforcement or regulatory official investigating such security breach.

Will Affinio assist us in responding to inquiries from data subjects?

Yes, we will provide assistance to our Clients.

What certifications does Affinio have?

The Affinio Services first-party data environment has received ISO-27001 certification.  The ISO-27001 compliance process requires organizations to assess existing data security and privacy measures and develop comprehensive organization-wide policies and procedures that must be maintained to ISO-27001 standards. In many ways, the ISO-27001 information security management framework overlaps GDPR requirements for appropriate safeguards and oversight of data security and privacy, and our certification forms the basis for our GDPR compliance.

Does Affinio use Subprocessors?

Yes. We have entered into binding legal agreements with each of our Subprocessors which require the Subprocessors to protect PII in accordance with the provisions of GDPR.  All of our Subprocessors are located in the United States and are Privacy Shield certified. Subprocessors, and their employees, do not have access to any Client Data. 

What security is in place to protect Client Data?

Affinio has implemented and will maintain administrative, physical and technical safeguards that are designed to prevent any collection, use or disclosure of, or access to Client Data, other than to the extent required for Affinio to provide the Services.  This includes an information security program to safeguard Client Data which meets commercially reasonable industry practices.  Affinio employees sign confidentiality agreements as a condition of their employment with Affinio and undertake security awareness training once per year.

Has Affinio appointed a Data Protection Officer?

Yes, we have.  If you have any questions about our GDPR compliance please contact our DPO at