Didimo respects your privacy and is committed to protecting your personal data.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
Who we are
We are a technology company called Didimo, which, through our services, allows you to create a lifelike digital version of yourself to use as an interface with technologies of all sorts. Using our services means that you can experience a new level of ownership and responsibility of your online identity. For more information about our services, please visit: https://mydidimo.com/about/.
The Didimo Group is made up of different legal entities, which are as follows:
- Didimo, Inc., a company registered in Delaware, USA, having its office at: 4500 140th Avenue North, Suite 101, Clearwater, Florida, FL33762. Didimo, Inc., is our parent company.
- Didimo Tech Hub Canada Ltd, a company registered in Canada, having its registered office at: c/o McCarthy Tetrault LLP, Suite 2400, 745 Thurlow Street, Vancouver, BC V6E 0CS.
- Didimo SA, a company registered in Portugal, having its registered office at: Avenida da Liberdade, UPTEC Pólo do Mar, Sala E2/E3, 4450-718 Leça da Palmeira, Portugal.
Because we collect, use and are responsible for certain personal information about you, we are regulated under the General Data Protection Regulation (often called the GDPR) which applies across the European Union (and the United Kingdom). We are responsible as a data controller of that personal information for the purposes of those laws when we are processing personal information about European data subjects (individuals) or when are offering our services to European data subjects. We will let you know which Didimo entity will be the controller of your personal information when you enter into an agreement with us to use our services.
Whilst the GDPR does not apply to non-European individuals, we are committed to privacy rights and have extended our data protection practices across our entire business.
Our website and services
Throughout our website we may link to other websites, APIs and mobile apps (“third-party platforms”) which are owned and operated by third parties. This may be to refer you to products and services offered by these third-party companies, or to refer you to our customers who have used our services. These other third-party platforms may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to these other third-party websites, please consult their privacy policies as appropriate. We are not responsible for the content on such third-party platforms nor for their handling of your personal data.
Our collection and use of your personal information
We collect personal information about you when you access our website, register with us, contact us, send us feedback, use our services or purchase or subscribe to services via our website and complete customer surveys.
We collect this personal information from you either directly, such as when you register with us, contact us use our services or purchase or subscribe to services via our website or indirectly, such as when you are an authorised user of one of our customers or from your browsing activity while you are on our website and customer portal, or when you use our app, Didimo Xperience (see ‘Cookies’ below).
The information we collect about you depends on the particular activities carried out through our website and whether you use our services. This information includes:
- Identity Data includes first name, last name, username or similar identifier.
- Contact Data includes billing address, email address and telephone numbers.
- Likeness Data includes photographs or video images of your face and likeness as well as the ‘Didimo’ virtual self that is created of you through use of our services.
- Financial Data includes limited payment information (such as the last 4 digits of your payment card and the expiry date) provided to us by our payment provider, Stripe - for more information, see the section below ‘External Third Parties’.
- Transaction Data includes details about payments to and from you and other details of services you have purchased from us or we have provided to you.
- Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our services.
- Profile Data includes your username and social media ID (such as when you log-in to our services via Google or Facebook), purchases or orders of our services made by you, your interests, preferences, feedback and survey responses you give us by phone, email, post or via social media.
- Usage Data includes information about how you use our website, customer portal, Didimo Xperience app, products and services and information about the services we provide to you.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We use this personal information to:
- create and manage your account with us
- verify your identity
- provide our services to you so that we can create and process your digital self
- customise the content and the way it is presented to your particular preferences
- notify you of any changes to our website or to our services that may affect you
- improve our services
Our website and services are not intended for use by children under the age of 16, and we do not knowingly collect or use personal information relating to children.
Information we do not collect
We do not actively collect any sensitive data about you (also known as special categories of personal data), such as details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership or information about your health or genetic data, nor do we collect any information about criminal convictions and offences, however such matters may become apparent to us when you voluntarily share your Likeness Data with us or when you have shared this with a third party company using our services.
Indeed, we process your biometric data (which is limited to photograph and video footage of your face and likeness) for two reasons.
Firstly, for the provision of our Didimo services when you have expressly and explicitly consented to share this this information with us (or you have expressly consented that a third party provides that information to us) – for example when you sign up to, and/or use our services directly or via a third party (one of our customers). You can withdraw consent which you give for use of the Didimo services at any time.
Secondly, we also collect and process your biometric data (which is still limited to photograph and video footage of your face and likeness and the ultimate Didimo creation based on your Likeness Data) when you supply it to us (or when it is supplied to us from one of our customers, being a third party company using our services) for the purpose of scientific research. Scientific research means the technological development and demonstration, (including algorithm and AI development and machine learning) that we undertake to research improvements for, and to develop our technology. In this second case, we are able to process your personal data - strictly for this purpose - without your consent and for as long as we need to do so, in order to carry out development of our technology.
Our legal basis for processing your personal information
When we use your personal information, we are required to have a legal basis for doing so. There are various different legal bases on which we may rely, depending on what personal information we process and why.
The legal bases we may rely on include:
- consent: where you have given us (our our customer if you are an authorised user) clear consent for us to process your personal information (including your biometric data) for a specific purpose
- contract: where our use of your personal information is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract
- legal obligation: where our use of your personal information is necessary for us to comply with the law (not including contractual obligations)
- legitimate interests: where our use of your personal information is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect your personal information which overrides our legitimate interests)
- scientific research: where our use of your personal information (including biometric or Likeness Data) is necessary to allow us to carry out research and development into our machine learning processes, our development and improvement of our AI and algorithms, provided that we implement all relevant and legally required safeguards.
Further information: The personal information we collect, when and how we use it
For further details on when we collect personal information, what we collect as well as how we use it, please read the following table:
|Purpose/Activity||Type of data||Lawful basis for processing|
|To register you as a new customer or user||Identity Data and Contact Data.||Performance of a contract|
|To manage the provision of our services to you, for example, to manage payments and collect and recover money owed to us||Identity Data, Contact Data, and Transaction Data.||Performance of a contract with you
Necessary for our legitimate interests (to recover monies owed to us)
|To provide and administer our technical services to you for the creation of your digital likeness||Likeness Data.||Consent|
|To conduct scientific research into the improvement and development of our technology, including to carry out machine learning, AI and algorithm development and research for the purpose of improving the Didimo technology and to make technological advancements.||Likeness Data.||Scientific research|
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how our clients use our services)
|To enable you to partake in a prize draw, competition or complete a survey||Identity Data, Contact Data, Profile Data and, Marketing and Communications Data.||Performance of a contract with you
Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
|To administer and protect our business and this website and the provision of our services (including troubleshooting, data analysis, testing, system maintenance, product development, support, reporting, hosting of data and IT and data security)||Identity Data, Contact Data, Profile Data, and Technical Data.||Necessary for our legitimate interests (for running our business, provision of administration and IT services, provision of and development to our services and to ensure network security.|
|To use data analytics to improve our website, technology and services, marketing, customer relationships and experiences||Technical Data and Usage Data.||Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business, technology and our services and to inform our marketing strategy)|
|To make suggestions and recommendations to you about services that may be of interest to you||Identity Data, Contact Data, Technical Data, Profile Data and, Marketing and Communications Data.||Necessary for our legitimate interests (to develop our products/services and grow our business)|
For further details on when and how we use personal information for marketing purposes, please see the section ‘Marketing’ below.
Who we share your personal information with
So that we are able to provide you with our services and access to this website, we routinely share your personal data with the following third parties:
- Internal Third Parties:
For example, all of the companies in the Didimo Group and who are based in Portugal, the USA and Canada and who provide IT and system administration services, development of our technology services and website and who also carry out administration and management of our business.
- External Third Parties:
Service providers acting as processors based inside and outside of the EEA who provide IT and system administration services, cloud hosting and storage services, HR services, product development, financial services, payment providers, operations and software development.
Professional advisers including lawyers, bankers, auditors and insurers based inside and outside of the EEA who provide consultancy, banking, legal, insurance and accounting and tax services.
Regulators and other authorities based inside and outside of the EEA who require reporting of processing activities in certain circumstances – for example, in relation to tax returns and tax declarations.
A list of these third parties is available on request.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We will share personal information with law enforcement or other authorities if required by applicable law.
As you can see, some of the third-party recipients of your personal information are based outside the EEA. For further information including on how we safeguard your personal data when this occurs, see ‘Transfer of your information out of the EEA’.
Whether information has to be provided by you, and if so why
We require you to provide certain information about you – for example, your likeness or proof of your identity, to enable us to safeguard your rights and provide our services and create your digital self. We will inform you at the point of collecting information from you whether you are required to provide the information to us.
Transfer of your information out of the EEA
We may transfer your personal information to the following which are located outside the EEA to allow us to run our business and to provide our services and this website to you, or indeed when you are based outside of the EEA. We also share your personal data within the Didimo Group which involves transferring your data from the EEA to the USA and Canada.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries. This is the case when we transfer personal personal information from the EEA to Didimo Tech Hub Canada Limited when we rely on the EU-Canada Adequacy Decision.
- Where we use certain service providers or when we transfer personal information from the EEA to Didimo, Inc., we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Cookies and other tracking technologies
We would like to send you information about our services, our business, competitions and special offers and our details about new features and our website, which may be of interest to you. Where we have your consent or it is in our legitimate interests to do so, we may do this by post, email, telephone, text message (SMS) or automated call.
We would also like to share your information with selected third parties from time to time so that they may send you information about their products or services, depending on what you agree with us.
We will only ask whether you would like us to send you marketing messages when you tick the relevant boxes when you sign up to our services, sign up to our newsletter or make contact with us via our website for the first time.
If you have previously agreed to being contacted in this way, you can unsubscribe at any time by:
- contacting us using the details below
- using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts
- updating your marketing preferences via your user profile.
It may take up to 30 days for this to take place.
For more information on your rights in relation to marketing, see ‘Your rights’ below.
Under the GDPR, European individuals have a number of important rights. In summary, these rights include the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Please note that where we process your personal data (including any Likeness Data) for the purpose of scientific research, then we are not legally required to delete your personal data when you request us to do so, if this means that it would likely be difficult or impossible for us to carry out this scientific research without your personal data. If we retain your data despite your request for deletion, we will only do so provided we comply with applicable laws and ensure all safeguards to protect your personal data are in place. We will inform you of this if we are unable to adhere to your deletion request for this reason.
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:
- If you want us to establish the accuracy of the information.
- Where our use of the information is unlawful, but you do not want us to erase it.
- Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide our services to you. We will advise you if this is the case at the time you withdraw your consent. Please note that we do not require your consent to process your personal data (including Likeness Data) where we are doing so for the purpose of scientific research, but that this will never affect your right to withdraw your consent in respect of data processing for the use of our services and the provision of Didimos on the basis of your Likeness Data, to you or our customers.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please email or write to us using the details below.
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
What we need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Timeframe for responding to you
We aim to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
In some circumstances you can ask us to delete your information: see ‘Your rights’ above for further information.
In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes or in an aggregated format for machine learning, product improvement and development of our technology, in which case we may use this information indefinitely without further notice to you.
Furthermore, as set out in the section ‘Further information: The personal information we collect, when and how we use it’, we collect your Likeness Data for the purposes of carrying out scientific research into our product and services, for machine learning, product improvement and development of our technology, in which case we may use this information for as long as is necessary to allow us to carry out that scientific research, without further notice to you. Where possible, we will ensure that such data is anonymised. Where this is not possible, we will implement pseudonymisation (such as allocating code names or numerical identifiers), and we will only process the minimum amount of data that we need to achieve our scientific research purposes. In doing so, we will safeguard the data with technical and organisational measures (ensuring security and confidentiality of the data), including by ensuring that all data processed for this purpose is stored in a separate database, accessible on a need-to-know basis.
Please rest assured that when keeping your personal data for scientific research purposes, we will never process it to support measures or decisions relating to particular individuals and we always ensure the data is not processed in such a way that substantial damage or substantial distress is likely to be caused to any individual.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The GDPR also gives EEA and UK users the right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where they work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Portugal (where our European representative is based) is the CNPD – Comissão Nacional de Protecção de Dados (the Portuguese Data Protection Authority). They can be contacted by:
Telephone: (+ 351) 21 392 84 00;
Fax: (+ 351) 21 397 68 32; or
You can also visit their website.
How to contact us