Last updated: 1 October 2023
Next review: 1 May 2024
Bombe is a software-as-a-service (SaaS) audience intelligence platform operated by Bombe Platform Ltd, a company limited by shares incorporated in England and Wales under company registration number 14978678.
Bombe Platform Ltd is registered with the Information Commission under registration number ZB604981, confirmation of which can be found here.
Bombe Platform Ltd operates in compliance with the laws of England and Wales, as well as the European Union’s General Data Protection Regulation (GDPR) as incorporated into law as part of the UK General Data Protection Regulation and the Data Protection Act of 2018.
Bombe is a product intended to help businesses understand how public opinion is formed, by whom and why. It relies on a variety of sources of data to do so, ranging from private opinion polling information, open government statistics and parliamentary data to public social media data.
The overwhelming majority of this data is not directly personally identifiable information about individuals at the present moment, and therefore does not fall into the scope of UK GDPR or the European Union’s GDPR for the purposes of establishing a legal basis for processing.
The exception to this is public social media data, for which our primary legal basis for processing is the legitimate interest of Bombe Platform Ltd and our customers. While carefully balancing the fundamental rights of data subjects, we provide services to assist our customers in their legitimate interest to understand what’s being discussed on the most important forum for discussion in the modern world, social media. The information that we process in this respect is public, and any user may at any time choose not to share this further by changing their social media privacy settings.
Bombe ingests a wide range of different data from many different data sources, the majority of which is not personally identifiable information.
In the context of the social media data collected by Bombe Platform Ltd to provide services to our customers, we collect and process the following information:
Personal identifier (username/user ID)
Geographic location where provided
Text posted
Entities mentioned
We may then process this data further to infer the overall sentiment of the social media post, or information about data subjects like language, age, gender, location, topics of interest and so on. This is done automatically and algorithmically by our platform. Whether collected or deduced, we never make any decisions about data subjects based on the data we hold on them – this is solely provided to our customers.
Under the European Union’s GDPR and UK GDPR, you have a range of rights, which we comply with as follows:
The Right(s) | How We Comply with This Right |
---|---|
To be informed | As part of this statement, we provide:
|
To access | You can exercise this right by writing to us at [email protected]. |
To rectify | You can exercise this right by writing to us at [email protected]. |
To delete | You can exercise this right by writing to us at [email protected]. |
To restrict processing or object | You can exercise this right by writing to us at [email protected]. |
To data portability | We always provide data in a machine-readable, portable manner. |
With respect to automated decision-making | We do not automatically make decisions or profile on the Bombe platform. |
Data is retained while it is still in use and working in the legitimate interest of Bombe Platform Ltd and its customers.
When personal data is deleted, it is removed immediately from the live database. Back-ups are kept for one week, after which point the data is irretrievably deleted.
Data may be kept for statistical reasons, for example, to track trends in activity or report on usage for billing or financial purposes. Similarly, we may need to keep some data to track for anti-abuse purposes or to comply with a request to restrict processing of a data subject. In this case, the data will be anonymised to the greatest extent possible to fulfil our requirements in keeping with the GDPR principles of data minimisation and security.
All data is hosted in databases and storage within the European Economic Area (EEA). Where the functionality of software we produce requires it, or we have necessary subprocessors based outside the EEA, data may leave the EEA to fulfil this functionality. In these cases, we carefully ensure that all such data transfers take place within a legal framework such as the Standard Contractual Clauses (SCCs).
Our broad data protection procedures are as follows:
All customer data is stored in data centers located within the EEA, hosted by SOC 2 Type II and ISO 27001 compliant providers.
All data at rest is block-level encrypted with AES-256.
All data in transit is encrypted with mandatory TLS 1.2+.
We require two-factor authentication (via authenticator app or hardware key) for all mission-critical infrastructure (e.g. hosting platforms, database servers and domain registrars).
We rotate all keys and credentials on services regularly.
In the future, we foresee developing functionality to allow customers to import their own data into the platform to help them understand what their own audiences are likely to think and why. Our customers would contractually warrant to Bombe Platform Ltd that they have the right to hold, process, and assign the processing to subprocessors like us for this data.
In that instance, our basis for processing would therefore be the performance of a contract for processing data on behalf of these organisations. For more information on how they store and process personal data, or to exercise your rights as a data subject, please refer to their own privacy policies.