Security Standards
Effective Date: January 1, 2025
Last Updated: March 7, 2025
1. Introduction
Tiny Mammoth (“we,” “us,” or “our”) provides a suite of marketing automation and reputation management solutions, which include Review Engine, EchoMeta, Tiny Hub, and other Tiny Mammoth tools (collectively, the “Services”). We are dedicated to protecting the privacy and security of any personal information processed through these platforms.
This Privacy & Security Policy (“Policy”) explains how we collect, use, secure, and process personal data, outlining our compliance obligations under applicable data protection laws such as the General Data Protection Regulation (GDPR) and, where relevant, the Health Insurance Portability and Accountability Act (HIPAA).
2. Our Role & Relationship with a Data Processor
Tiny Mammoth partners with a third-party Data Processor—a platform certified for GDPR and HIPAA compliance—to host and handle data on our behalf. This Processor implements industry-leading technical and organizational safeguards. Any personal information you or your customers provide through our Services is managed within this secure environment.
3. Data Collection & Use
3.1 Types of Data Collected
1. Contact Information: Names, addresses, emails, phone numbers.
2. Service Data: Ratings, reviews, feedback, analytics, and other inputs captured by Review Engine, EchoMeta, Tiny Hub, and associated Tiny Mammoth tools.
3. SMS/Text Messaging Data: Mobile numbers, opt-in preferences, and messaging content for campaign purposes, including communications sent via our partners Twilio or TextGrid.
4. Usage Information: Log data, IP addresses, browser details, device information, and user interaction metrics.
3.2 Purposes of Processing
● Provision of Services: To operate and enhance Review Engine, EchoMeta, Tiny Hub, and other Tiny Mammoth tools.
● Customer Support: To troubleshoot issues, provide user support, and optimize your experience.
● Legal & Regulatory: To comply with relevant laws, including GDPR, HIPAA (when applicable), and other obligations.
3.3 No Selling of Personal Data
We do not sell, trade, or transfer personal information—including mobile phone numbers—for marketing or promotional use. Information is shared only as necessary to deliver our Services (e.g., to carriers or processors) and maintain compliance with legal and contractual requirements. Text messaging opt-in data is never shared with third parties for promotional use.
4. Data Subject Rights (GDPR)
If the GDPR applies to you or your customers, individuals (data subjects) have the right to:
● Access their data.
● Rectify incorrect or incomplete information.
● Erase data in certain situations (“Right to be Forgotten”).
● Restrict or Object to certain processing activities.
● Portability: Receive a copy of their data in a machine-readable format.
Requests to exercise these rights can be submitted to us at [Contact Email]. We will coordinate with our Data Processor to address any valid request promptly.
5. HIPAA Compliance (Upon Request)
If your organization requires HIPAA compliance for handling Protected Health Information (PHI), we can enable a specialized, HIPAA-compliant environment subject to the applicable HIPAA cost. In such cases, we will:
1. Business Associate Agreements (BAAs): We can execute a BAA defining our responsibilities for safeguarding PHI.
2. Access & Disclosure: Only authorized personnel may access PHI, strictly for providing or supporting the Services.
3. Security Controls: Provide enhanced security measures consistent with HIPAA regulations, including encryption, audit logs, and comprehensive incident response protocols.
6. Security Measures
6.1 Technical & Organizational Controls
● Encryption: Data is encrypted in transit (TLS 1.2/1.3 or higher) and at rest (AES-256).
● Access Controls: Strict role-based permissions ensure only authorized staff can view personal data.
● Vulnerability Management: Regular scans, patching, and penetration testing help maintain system integrity.
● Incident Response: Formal procedures exist for identifying, containing, and resolving security incidents.
6.2 Internal Governance
● Background Checks & Training: Employees undergo security training and, where permissible by law, background checks.
● Policy Reviews: We maintain and update internal policies covering data handling, storage, and disposal.
● Ongoing Oversight: Ongoing oversight ensures compliance with this Policy and applicable regulations.
7. SMS/Text Messaging Compliance
7.1 Program Overview
As part of Review Engine, EchoMeta, Tiny Hub, or other Tiny Mammoth solutions, we may facilitate SMS/Text campaigns for reviews, reminders, or marketing alerts. We utilize our trusted partners for message delivery. Each program requires end-user opt-in, and users can opt-out at any time by replying “STOP.”
7.2 Carrier & Legal Requirements
● STOP/HELP Instructions: Recipients can send “STOP” to unsubscribe or “HELP” for assistance.
● Message Frequency & Rates: Message volume may vary; standard carrier rates apply.
● Prohibited Content: We prohibit sending or facilitating SMS containing content deemed illegal or violating carrier policies.
● Sev-0 Fines: Major carriers may impose fines for certain severe policy breaches. If these occur, any penalties are the responsibility of the violator.
7.3 No Sharing of Mobile Data
Mobile phone numbers and opt-in data are solely used to deliver the requested text messages. We do not share or sell this data to third parties for marketing or promotional activities. Any sub-processors (including TextGrid) are bound by contractual obligations to protect opt-in data.
8. Data Retention & Deletion
We retain data for as long as it is needed to provide the Services or as required by law. If you wish to request deletion of your information (or that of your end-users), contact us at [Contact Email]. We will work to remove or anonymize such data, in coordination with our Data Processor, subject to any legal obligations.
9. Incident Response & Breach Notification
In the event of a data breach or other security incident:
1. Containment & Investigation: We immediately secure affected systems and investigate root causes.
2. Notification: We will inform you promptly if your data has been impacted, in accordance with legal or contractual obligations.
10. International Data Transfers
Where data is transferred outside the country of collection, we utilize recognized mechanisms (e.g., standard contractual clauses) to ensure compliance with applicable data transfer regulations.
11. Children’s Privacy
Our Services are not directed to children under 13 (or relevant local age). We do not knowingly collect personal data from minors without verified parental or guardian consent.
12. Updates to This Policy
This Policy may be updated periodically to reflect changes in our practices or legal requirements. The effective date at the top will indicate when revisions were made. In the event of significant changes, we will provide notice (e.g., email or a prominent announcement within our Services).
13. Contact Information
If you have any questions about this Policy, our practices, or your rights, please contact:
Email: security-compliance@tiny-mammoth.com