Charisma.ai Privacy Notice
Effective Date: 7th December 2023
PLEASE READ THIS NOTICE CAREFULLY. IT CONTAINS IMPORTANT INFORMATION ABOUT HOW WE PROCESS YOUR PERSONAL INFORMATION.
WHO WE ARE AND HOW WE APPROACH DATA PRIVACY
We are Charisma Entertainment Limited (Company Registration No. 09911142, Registered Office: Preston Park House, South Road, Brighton, East Sussex, United Kingdom, BN1 6SB).
We are the Data Controller for the purposes of the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679)).
As a company we are committed to protecting and respecting the privacy of your personal information. We want you to be confident that your information will be properly protected whilst in our possession.
This notice explains how we, and carefully selected third-parties we work with, will collect and use the personal information of our customers, suppliers, prospects, and users of our website https://charisma.ai/ and its associated application (referred to in this notice as the Site(s)). If this describes you, please read this notice carefully and make sure you’re comfortable with the content.
This website and its associated application are not intended for children, and we do not knowingly collect data relating to children.
If you have any questions about our use of your personal information, or you wish to exercise one of your rights under data protection legislation, please contact us. A summary of your rights is detailed later in this notice.
THIRD PARTY LINKS ON OUR WEBSITE AND APP
The Sites may include links to third-party websites, plug-ins and applications. Clicking on those links, engaging with those plug ins or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
We utilise a payment platform on our Sites which is operated by Stripe Inc. a company based in the United States of America. When you make a purchase via our Sites, Stripe will collect data about you, including your bank account and payment card details (along with other identifiers). We do not have access to personal data provided by you to Stripe Inc. All data provided to Stripe will be stored and dealt with in accordance with Stripe’s privacy policy. For further information on how Stripe processes your data, please refer to their privacy policy.
THE DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, usernames or similar identifiers.
- Contact Data includes contact information such as email address, Apple ID’s and Facebook ID’s.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and approximate geolocation, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Sites.
- Profile Data includes your username and password (your password being encrypted) and purchases or orders made by you via our Sites.
- Usage Data includes information about how you use our Sites, which is then aggregated, so as to anonymise that data.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Story Data includes full story scripts (either as text or audio snippets), which shall include details of what has been said, spoken or written in any of those story scripts as part of a playthrough. It is possible that Story Data may, on occasion, contain personal data such as Identity and Contact Data (or other types of personal data that we cannot predict) and this will depend upon the input by you into those story scripts. Pursuant to our Terms & Conditions, you should not input any personal data (about you or any other party) into your story scripts, however in the event that you do so in breach of our Terms & Conditions, your personal data may be shared with third parties. Further details of where Story Data may be shared can be found under the heading “Data Sharing” below.
We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we will aggregate your Usage Data to, for example, calculate and analyse page views on our Sites. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
Do I have to provide this information?
The personal information you provide to us as set out above is entirely voluntary. You are not under a statutory or contractual obligation to provide it to us. If you apply to open an account with us, we will stipulate the minimum information we required to open and maintain your account.
If you decide not to provide that information when requested, we may not be able to deliver the services you have requested. In this case, we may have to cancel your access to the service and our Sites, but we will notify you if this is the case at the time.
HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you, for example:
- register to use our Sites by creating an account with us;
- request marketing to be sent to you by signing up to our newsletter;
- give us feedback or otherwise contact us.
- Use of our Sites. Due to the nature of our platform and services, you may provide personal data, including Identity and Contact Data, along with other types of data (that we cannot predict) when you access and use our Sites. We have grouped this data together and defined it as “Story Data”. Pursuant to our Terms & Conditions, you should not input any personal data (about you or any other party) into your story scripts or whilst using our platform and services. Therefore, Story Data should not contain any personal data.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies, such as pixel tags. Each time you visit our Sites, we will collect Technical Data via cookies and pixel tags. Further information can be found in our Cookie Policy.
HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform a contract that we are about to enter into or have entered into with you, relating to the use of our Sites.
- Where it is necessary for our legitimate business interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
The above circumstances are defined in more detail below:
- Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
- Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
Generally, we do not rely on consent as a legal basis for processing your personal data other than in relation to sending third party direct marketing communications to you via email or text or push message. You have the right to withdraw consent to these activities at any time by contacting our Data Representative at hello@charisma.ai
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of Data | Lawful Basis for Processing, Including Basis of Legitimate Interest |
---|---|---|
To register you as a new customer and to allow you to access our Sites thereafter. |
| This information is necessary as it allows us to perform a contract with you, (including allowing us to provide you with access to our services and Sites). |
To manage our relationship with you which will include: Notifying you about changes to our Terms & Conditions and/or this privacy policy; and Asking you to leave a review or take a survey, or where you otherwise contact us to report an issue. |
| This information is necessary as it allows us to perform a contract with you. It is also necessary to comply with our legal obligations. Finally, it is necessary for our legitimate interests (to keep our records updated and to study how customers use our Sites, which in turn allows us to develop and grow our Sites). |
To allow you to contact us with an enquiry or to report a problem with our products, services or Sites |
| This information is necessary as it allows us to perform a contract with you. It is also necessary for our legitimate interests (to allow us to deal with your enquiry and investigate the problem you have raised). |
To administer and protect our business, this website and our Sites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
| Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise). |
To register you as a new customer and to allow you to access our Sites thereafter. |
| This information is necessary as it allows us to perform a contract with you, (including allowing us to provide you with access to our services and Sites). |
To use data analytics to improve our website, our Sites, our marketing and our customer relationships and experiences. |
| This information is necessary for our legitimate interests (to define types of customers for our Sites, to keep our website updated and relevant, and to develop our business and marketing strategy. |
To make suggestions and recommendations to you about goods or services that may be of interest to you |
| Necessary for our legitimate interests (to develop our products/services and grow our business). |
CHANGE OF PURPOSE
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
HOW LONG WILL YOU USE MY PERSONAL DATA FOR?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. However, we may need to retain your personal data for longer in certain circumstances, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may also retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
PROVIDING US WITH PERSONAL INFORMATION OF ANOTHER PERSON
If you need to provide us with personal information about another person you must obtain that individual’s express consent to pass us their information. You should share this notice with those individuals as it may also apply to them.
MARKETING
We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will only receive marketing communications from us if you have expressly opted in to receive them or if you provided us with your details when you entered, for example, a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.
Third-party marketing
We will get your express opt-in consent before we share your personal data with any company outside the Charisma Entertainment group of companies for marketing purposes.
Unsubscribe
You can unsubscribe from any marketing messages by following the unsubscribe links on any marketing message sent to you OR by emailing us at hello@charisma.ai at any time.
Where you unsubscribe, we will still process your personal data to provide a service you continue to engage with.
AUTOMATED DECISION-MAKING
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
DATA SHARING
We may have to share your personal data with the carefully selected third-parties set out below for the purposes set out in the table above:
-
Twilio SendGrid Inc. based in the United States of America who provide transactional email services. We will share your personal data, including elements of your Identity and Contact Data with SendGrid when providing our services and facilitating access to and use of our Sites. SendGrid shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on SendGrid Inc’s privacy terms, please click here and here.
-
The Rocket Science Group LLC (trading as “MailChimp”), based in the United States of America who provide a service for email address management and marketing. We will share your personal data, including elements of your Identity and Contact Data, with Mailchimp when providing our services, including when you sign up to our newsletter or otherwise get in touch with us. Mailchimp shall process your personal data in accordance with accepted standard contractual clauses which shall give your personal data the same level of protection it has in the UK. For more information on Mailchimp’s terms, please click here and here.
-
Three Hearts Digital Ltd (trading as “EmailOctopus”), based in the United Kingdom who provide a service for email address management and marketing. We will share your personal data, including elements of your Identity and Contact Data, with EmailOctopus when providing our services, including when you sign up to our newsletter or otherwise get in touch with us. EmailOctopus shall process your personal data in accordance with their privacy policy, which can be found here.
-
Supabase, Inc. based in the United States of America who provide a database hosting service. We will share your personal data, including elements of your Identity and Contact Data, with Supabase when providing our services and facilitating access to and use of our Sites. Supabase shall process your personal data in accordance with standard contractual clauses which shall give your personal data the same level of protection it has in the UK. For more information on Supabase’s terms, please click here and here.
-
Functional Software Inc. (trading as “Sentry”) based in the United States of America who provide an error tracking and performance analysis service. We will share elements of your Technical Data with Sentry when providing our services and facilitating access to and use of our Sites. Sentry shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Sentry’s privacy terms, please click here and here.
-
Vercel Inc. based in the United States of America who provide a deployment solution which includes content delivery network for static files, provisioning serverless API functions, building time continuous integration and environment variable storage. We will share elements of your Technical Data with Vercel when providing our services and facilitating access to and use of our Sites. Vercel shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Vercel’s privacy terms, please click here.
-
Salesforce.com Inc. based in the United States of America who provide a platform for running servers along with IP rate limiting services. We will share elements of your Technical Data with Salesforce when providing our services and facilitating access to and use of our Sites. Salesforce shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Salesforce’s privacy terms, please click here.
-
Meta Platforms Inc. based in the United States of America who support a Facebook login feature on our Sites. We will share elements of your Identity and Contact Data with Meta when providing our services, specifically when you login to our Sites via Facebook. Meta shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Meta’s privacy terms, please click here and here.
-
Apple Inc. based in the United States of America who provide a platform to develop and distribute our Sites via their iOS operating system. We will share elements of your Identity and Contact Data with Apple when providing our services, specifically when you make in app purchases. Apple shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Apple’s privacy terms, please click here.
-
Google LLC, based in the United States of America who provide a storage service for personal data via the Google Cloud Platform, an analytical service and an in app purchase service for our Sites mobile application. We will share your personal data, including Identity, Contact and Technical Data, with Google when providing our services and facilitating access to and use of our Sites. Google shall process your personal data in accordance with accepted standard contractual clauses, which shall give your personal data the same level of protection it has in the UK. For more information on Google’s privacy terms, please click here and here.
In addition to the above, we will share elements of Story Data with the following third-parties when providing our services:
- Replica Media Pty Ltd, based in Australia.
- Resemble.AI, based in Canada.
- Cereproc Ltd, based in Scotland.
- Deepgram Inc. based in the United States of America.
- Anthropic, PBC, based in the United States of America.
- OpenAI Inc. based in the United States of America.
- Google LLC, based in the United States of America.
- Amazon Web Services Inc. based in the United States of America.
However, and as referred to above, Story Data should not contain any personal data and therefore the transfer of Story Data to the third-parties listed above will not constitute a transfer of personal data. For further information about the restrictions on including personal data in Story Data, please refer to our Terms & Conditions.
Further, we may transfer personal data to the following:
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue & Customs, regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice;
- Other third parties where you have given your express consent.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
INTERNATIONAL TRANSFERS
Many of our external third parties are based outside the UK so their processing of your personal data will involve a transfer of data outside the UK.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data; or
- Where we use certain service providers in countries that have not been deemed to provide an adequate level of protection for personal data, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
DATA SECURITY
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need-to-know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
DATA REPRESENTATIVE
We have appointed a Data Representative to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal information, please contact the Data Representative at hello@charisma.ai
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION
Under certain circumstances, you have the right under data protection laws in relation to your personal data. These include:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Representative at hello@charisma.ai
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to a person who has no right to receive it.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
CHANGES TO THIS NOTICE & YOUR DUTY TO INFORM US OF CHANGES
We keep this notice under regular review. Any changes we make to this notice will be posted on our Sites with a prominent notice and, where appropriate, we will notify you by email.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
If, in the future, we wish to use your personal information in a way not set out in this notice we will notify you and seek your permission to do so.
CONTACT US
If you would like to request further information about this notice or the way in which we handle your personal information, please contact our Data Representative at: Charisma Entertainment Limited, 3 Kings Meadow, Oxford OX2 0DP (or by emailing hello@charisma.ai).