Two Hat Global Privacy Policy
Updated: February 3, 2020

1. General

1.1 Our Commitment to Protecting Your Privacy

We, at Two Hat, value your privacy and we strive to ensure that our customers, vendors, job applicants and office visitors and users of our website (hereinafter collectively “you” and “your”) are aware that their privacy is of the utmost importance to us. This Global Privacy Policy (the “Policy”) explains how we collect, use and disclose personal information about our customers, and users. While Two Hat places a high priority on the protection of personal information shared with us by our customers, and users, legislation is in place that governs how personal information must be managed and protected. We are committed to complying with the legislation and we want you to understand why and how we collect, use, disclose, retain and secure your information.

1.2 Definitions

“collection” – means the act of gathering, acquiring, recording, or obtaining Personal Information from any source, including sources other than the Individual to whom the Personal Information belongs.
“Consent” – means voluntary agreement to the collection, use or disclosure of Personal Information.
“Customer” – means an entity that has entered an agreement to receive Content Moderation Services from Two Hat.
“disclosure” – means making Personal Information available outside Two Hat.
“End User” means our Customer’s end users;
“identified purposes” – means the purposes identified in this Policy.
“include” or “Including” – means including but not limited to.
“Individual” – means any natural person.
“Personal Information” – means information about an identifiable Individual. Personal Information does not include information that cannot be associated with a specific Individual and, where permitted by Privacy Legislation, does not include business contact information when such information is being collected, used or disclosed for purposes authorized by Privacy Legislation.
“Privacy Legislation” – means applicable laws that govern the collection, use, and disclosure of Personal Information, which may include the EU General Data Protection Regulation (“GDPR”) or California Consumer Privacy Act (“CCPA”)..
“Privacy Officer” – means the Privacy Officer of Two Hat as identified in section 8.2 of this Policy.
“Content Moderation Services” – means content moderation services provided to Customers by Two Hat, which may be provided through Community Sift software.
“Two Hat”, “we”, “us”, or “our” – means Two Hat Security Ltd. and its respective partners, associates, and affiliates, as they may exist from time to time.
“use” – means the treatment, handling, management and retention of Personal Information.

1.3 Scope

Two Hat is a SaaS company that builds systems that detect high-risk content for online games, social networks, messaging apps, and more. Two Hat provides Content Moderation Services to its Customers and processes Personal Information of End Users while doing so. Two Hat also collects and processes Personal Information directly from its web users. This Policy applies to “Two Hat” as defined in section 1.2 above.

This Policy does not impose limits on the collection, use or disclosure of Personal Information without consent where that collection, use or disclosure is in accordance with or otherwise authorized by the Privacy Legislation or other applicable law.


Some examples of our collection, use and disclosure include the following.

2.1 Content Moderation Services

We may collect, use and disclose Personal Information to provide Content Moderation Services to our Customers. This allows our Customers to classify their online communications based on a variety of contexts. In this context we act as a processor of Personal Information and our Customers act as Controllers. The Customer is responsible to implement and maintain all necessary internal security and privacy protocols and policies relating to access and use of the Content Moderation Services, including protocols and policies relating to permitted access to and use of the Content Moderation Services, protection of login credentials, and collection, use and disclosure of End User Personal Information.

In providing Content Moderation Services, we may receive the following types of information:

  • Usernames, user IDs, or other similar identifiers of End Users;
  • User generated content from End Users, such as online chat, usernames, profiles, images; and
  • Aggregated analytics to measure, monitor and improve the Content Moderation Services.

We may endeavor to redact certain Personal Information in content generated by End Users. These settings may be configured by our Customers. Customers may also add additional information to End User data prior to sending it to be analyzed and classified by our Content Moderation Services.

2.2 Use of Two Hat Website

When you use (our “Website”), we may automatically collect, use, and disclose certain information generated from your interaction with our Website. The purpose of collection may include:

  • To create and maintain an effective business or employment relationship;
  • To facilitate account, billing, credit, collection and/or customer service;
  • To further develop, enhance and market products and services offered by Two Hat, which may include contacting you to offer you additional products, services or other special promotions or programs;
  • To understand customer needs and preferences, which may include contacting you to request participation in surveys regarding our programs and services;
  • To meet legal, regulatory, insurance and audit requirements;
    In connection with the proposed or actual financing, securitization, insuring, sale, assignment, or other disposal of all or part of our business or assets, for the purposes of evaluation and/or performing a proposed transaction; and
  • To protect, manage, promote and secure Two Hat’s business and operations, as authorized by you or otherwise permitted by Privacy Legislation.

We may collect the following information when accessing our Website:

  • Device-specific information (e.g. hardware model, operating system information, unique device identifiers and mobile network information, including phone number) which we may associate with your Content Moderation Services account (where applicable); and/or
  • Log information (e.g. details of how you use our service, internet protocol address, system and device event information such as crashes, system activity, hardware settings, browser type, browser language and the date and time of use of our service, and cookies that may uniquely identify your browser or your Community Sift account).
  • Cookies. Our Website uses “cookies” and other technologies to enhance your online experience, including personalizing the content that you see on our Website. Most web browsers can be set to disable the use of Cookies. However, if you disable Cookies, you may not be able to access features on our Website correctly or at all. Cookies cannot be used to run programs or deliver viruses to your computer. There are two types of cookies, session cookies and persistent cookies. Our website may use session cookies which are stored in temporary memory and are not retained after you sign out or close the browser session. We never place Personal Information in Cookies.
  • Automatic Information. In the interest of providing our customers and web users with a secure online experience, our servers automatically record information when you visit our website, including:
    o the pages accessed on our site and links you clicked on;
    o the date and time you visited the site;
    o if you use our advanced search tool, the search terms you used;
    o the referring site (if any) through which you arrived at this site;
    o your operating system (e.g. Windows XP, Mac OS X); and
    o the type of web browser you use (e.g. Internet Explorer, Mozilla Firefox).

Our web analytics will also respect any “do not track” setting you might have set on your browser. We use all of this information to analyze trends among our web users to help improve our Website.

  • Remarketing. Our Website uses “Google Adwords” products from time to time to advertise on third party websites (including Google) to previous visitors to our site. It could mean that we advertise to previous visitors who have completed a task on our site, for example using the contact form to make an enquiry. This could be in the form of an advertisement on the Google search results page, or a site in the Google Display Network. Third-party vendors, including Google, may use cookies to serve ads based on someone’s past visits to our Website. You can set preferences for how Google advertises through your Google Account.
  • Google Analytics. Our Website uses “Google Analytics” to collect information about the use of our Website. Google Analytics collects information such as how often web users visit our Website, what pages they visit when they do so, and what other sites they used prior to coming to our site. We use the information we get from Google Analytics to improve our site. Google Analytics collects only the IP address assigned to you on the date you visit our site, rather than your name or other identifying information and we do not combine the information collected through the use of Google Analytics with any other Personal Information in our custody or control. Although Google Analytics uses cookies to identify you as a unique user the next time you visit our Website, the cookie cannot be used by anyone but Google. Google’s ability to use and share information collected by Google Analytics about your visits to our site is restricted by the Google Analytics Terms of Use: You can prevent Google Analytics from recognizing you on return visits to this site by disabling cookies on your browser:

2.3 Links and Other Websites & Businesses

Our Website and correspondence (including emails and messages) may include advertisements for products and services offered by independent businesses (that may have a financial relationship with Two Hat) or links to websites operated by independent businesses. We have no responsibility or liability for, or control over, those other websites, online services or businesses, their products or services, or their collection, use, disclosure or retention of your Personal Information. This Privacy Policy does not apply to the collection, use, disclosure and retention of your Personal Information by those websites, online services and independent businesses. We encourage you to read the privacy policy of every website you visit and, if you have questions about how those websites, online services or independent businesses collect, use, disclose or retain Personal Information, to contact the owner or operator of the website, service or business.


3.1 Types of Consent

We may seek Consent in various ways, depending on the circumstances and the type of information collected, including, for example, using an application form and/or a check-off box, collecting oral consent (when information is collected over the telephone or otherwise in person), or implied consent (such as when you access our Website or otherwise request information or services from us).

3.2 Withdrawal of Consent

Where Consent is the basis for collection of Personal Information, an Individual may withdraw Consent at any time, on reasonable notice, subject to legal or contractual restrictions. We will inform the Individual of the implications of such withdrawal, which in some cases may be an inability for Two Hat to continue to provide services to the Individual.

With respect to Content Moderation Services, Two Hat is a processor of Personal Information through our Customers. In these cases, End Users must initiate requests for withdraw of consent by contacting our Customers who act as controller of the Personal Information.

3.3 Exceptions to Requirement for Consent

The Privacy Legislation sets out specific circumstances under which Two Hat may collect, use or disclose Personal Information without the knowledge or Consent of the Individual and, in such circumstances, Two Hat reserves the right to not obtain Consent from such Individual.

Further, Two Hat may create and collect non-personal information (information that is not about an identifiable individual), including Personal Information that has been de-identified, aggregated or otherwise depersonalized so that the information no longer relates to an identifiable individual. We may use, disclose, transfer and retain non-personal information for any purpose and in any manner whatsoever. If non-personal information is combined with or otherwise becomes Personal Information, then we will treat such information as Personal Information for the purposes of this Privacy Policy.


4.1 Collection

Two Hat limits both the amount and type of Personal Information collected to that which is necessary to fulfill its specific purposes.

We may collect Personal Information from you in person, over the telephone or by corresponding with you via mail, email or the internet. By providing your Personal Information to or otherwise corresponding with Two Hat via email you acknowledge that you are aware that email is not a secure form of communication. Furthermore, with your consent or as otherwise permitted by Privacy Legislation, we may collect or disclose Personal Information to/from other sources including our partners.

The type of Personal Information we collect and maintain, may include:

  • Customer representative’s name and contact information, including business address, telephone number, fax number and/or email address;
  • Such other information that is necessary for our identified purposes and that is collected with your consent or as permitted or required by law.

4.2 Use and Disclosure

Two Hat limits the use and disclosure of Personal Information to its specific purposes, unless the Consent of the Individual has been obtained for other use and disclosure, or if the use and disclosure is permitted or required by law.

We do not sell, rent or lease Personal Information to third parties. If this changes, we will comply with applicable Privacy Legislation including the CCPA.

There are some instances where Two Hat may disclose your Personal Information to fulfill regulatory and legislative obligations and to conduct our business in the ordinary course. In those instances where we do provide information to third parties, we provide only that Personal Information that is required in the circumstances and that may be disclosed with your Consent or otherwise pursuant to applicable law, and we include various provisions in our contracts that have been designed to protect privacy and security of your Personal Information.

We may also use or disclose your Personal Information without your consent, in the following circumstances:

  • as permitted or required by applicable law or regulatory requirements;
  • when the Personal Information is available from a public source (e.g., a telephone directory);
  • to protect ourselves from fraud or when we require legal advice from a lawyer;
  • to investigate an anticipated breach of an agreement or a contravention of law;
  • to comply with valid legal processes such as search warrants, subpoenas or court orders;
  • during emergency situations or where necessary to protect the safety of a person or group of persons; or
  • any other circumstances permitted or required under Privacy Legislation.

4.3 Retention Limited

Two Hat has developed guidelines for the retention of Personal Information, which include minimum and maximum retention periods in compliance with the Privacy Legislation and other applicable laws. The underlying principle of these retention guidelines is to keep Personal Information only as long as remains necessary or relevant for the specific purposes and/or as required by law.

4.4 Service Providers

We may from time to time, transfer or disclose Personal Information to third parties that perform services on our behalf, including processing or storage of data. These third parties may include service providers, research partners, consultants and suppliers. These third party service providers are obligated to process such information in compliance with this Privacy Policy and other appropriate security and confidentiality measures. We do not authorize these third parties to use or disclose Personal Information for their own marketing or other purposes. Some of these service providers may be located outside of the province, state or territory in which you reside and may be located outside of your country, in jurisdictions where Personal Information may be subject to the lawful access requirements of the jurisdiction in which it is being held. Two Hat may utilize servers in Canada, the United States, Europe, and other locations as necessary. If you have any questions about our use of service providers, please contact our Privacy Officer, as set out below.


5.1 Accuracy

We endeavor to keep Personal Information in our custody and control accurate, complete, and up-to-date as this will allow us to provide the best service to our customers. Our customers, and web users can assist us by ensuring that the information they provide to Two Hat is current and accurate.

5.2 Correction Requests

Individuals may make a request to correct or amend Personal Information held by Two Hat. The request must be made in writing to the Privacy Officer identified below and provide sufficient detail to allow Two Hat to identify the Personal Information, and the correction being sought. If the Individual successfully demonstrates that the Personal Information is inaccurate, incomplete, or otherwise in need of change, we will correct the Personal Information, as required, and send the corrected Personal Information to any third party to which we disclosed the Personal Information in the prior year or as otherwise required by law. If no correction is required to be made, we will note the request for correction and annotate the file accordingly.

5.3 Access Requests

An Individual may make a request for access to his or her Personal Information in the custody or control of Two Hat. The request must be made in writing to the Privacy Officer identified below and provide sufficient detail to allow Two Hat to identify the Personal Information they desire access to.

Two Hat will:

  • inform the Individual of the existence, use and disclosure of his or her Personal Information, as requested;
  • provide the Individual with access to the requested Personal Information, subject to statutory exemptions; and
  • respond to the Individual within the time limits prescribed by the Privacy Legislation.

Where we are entitled to charge a fee in order to implement the access request, we will advise the Individual of the amount of the fee and other information required by law.

5.4 Correction and Access for Content Moderation Services

With respect to Content Moderation Services, Two Hat is a processor of Personal Information through our Customers. In these cases, End Users must initiate requests for correction and access by contacting our Customers who act as controller of the Personal Information.


6.1 Security Safeguards

To protect Personal Information against loss or theft, unauthorized access, collection, disclosure, copying, use, or modification, we have implemented reasonable security safeguards which are appropriate to the sensitivity of the information that has been collected, the amount, distribution, format of the information, and the method of storage.

The methods of protection adopted by Two Hat may include:

  • physically securing offices where Personal Information is held;
  • the use of web user IDs and passwords (where applicable);
  • the use of firewalls for stored Personal Information;
  • restricting employee access to Personal Information as appropriate (i.e., only those that need to know will have access and such access will require a password);
  • contractually requiring any service providers to provide comparable security measures;
  • regular privacy training so employees are aware of our privacy and security policies, and the disciplinary consequences of not following them;
  • having employees enter into confidentiality agreements regarding Personal Information;
  • conducting regular privacy audits to ensure employee compliance with our privacy policies;
  • positioning computer monitors so that Personal Information displayed on them cannot be seen by unauthorized personnel or by visitors;
  • using password-protected computer screensavers so unauthorized personnel or visitors cannot see Personal Information;
  • ensuring your computers and network are secure from intrusion by using firewalls, intrusion detection software, antivirus software, and by encrypting Personal Information;
  • using strong and secure passwords to make sure that only authorized employees have access to computer storage devices or to the network and updating such passwords regularly;
  • encrypting Personal Information stored on mobile electronic devices such as laptops and USB flash drives; and
  • securely wiping all Personal Information from hard drives before they are discarded, sold or donated.

This list may be modified from time-to-time. We will continually review and update our security policies and controls as technology changes to ensure ongoing Personal Information security.


7.1 Updates to Privacy Policy

We may change this Privacy Policy from time to time by posting a new version of this Privacy Policy on our Website. Our collection, use, disclosure and retention of your Personal Information will be governed by the version of this Privacy Policy in effect at that time. Your continued dealings with a us after any change to this Privacy Policy will signify your consent to the collection, use, disclosure and retention of your Personal Information as set out in the changed Privacy Policy. Accordingly, we encourage you to periodically review this Privacy Policy to be informed of the latest changes.


8.1 Complaint or Question to Privacy Officer

If you have questions or concerns about the way Two Hat is handling your Personal Information our about our Privacy Policy, please let us know immediately by contacting out Privacy Officer as indicated below. We want to help and will respond promptly.

8.2 Privacy Officer Contact Information

All inquiries should be in writing and addressed to the Privacy Officer as follows:

Privacy Officer
500-554 Leon Ave
Kelowna, BC V1Y 6J6


9.1 Scope

This EU WEBSITE Addendum (“Addendum”) explains how we Process your Personal Data on the basis of cookies and related technology when your access and use our Website is governed by the laws of the European Union (“EU”). Two Hat acts as Data Controller responsible for the Processing of your Personal Data. The Two Hat Privacy Officer, whose contact details are listed above, will act as our Data Protection Officer.

9.2 Our Processing of your Personal Data when You Visit our Website

We collect Personal Data from you when you visit and interact with our Website using cookies and related technology as described above in Section 2.2, for instance when you reach out to us using the contact form on our Website, when you request a demo product from our Website or when you visit our Website and would like personalization. We collect the types of Personal Data described above in Section 2.2, such as information related to the operating system and web browser you use to access our Website, and the date and time that you visited the Website.

We collect and process your Personal Data for the purposes described in Section 2 and to manage your newsletter registration, to address your comments or inquiries when you reach out to us, communicate with you; to operate, evaluate and improve our services and facilitate your use of our Website; and to prevent and protect us and others against fraud, unauthorized transactions, claims and other liabilities. We process this Personal Data on the basis of our legitimate interests, contract performance and, where required, on the basis of your consent. Our legitimate interests include operating, evaluating and improving our organization; preventing and protecting us and others against fraud, unauthorized transactions, claims and other liabilities, and ensuring compliance with company policies and industry standards. For companies like Two Hat that have global business operations, Processing your Personal Data for internal administrative purposes is typically also considered a legitimate interest. We have carefully balanced our legitimate business interests against your data protection rights. Please contact us using the contact details provided in Section 8.2 above if you wish to obtain more information on this balancing test.

We generally do not Process special categories of Personal Data (e.g., race or ethnicity; health-related data) when you visit or interact with our Website, but if we do, we will identify a legal basis to do so (e.g., your consent). Two Hat will not use Personal Data from our Website for any monitoring or profiling activity or process, and will not adopt any automated decision-making processes.

You may configure your browser to accept all cookies, reject all cookies, or notify you when a cookie is sent. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. For example, on Microsoft Internet Explorer, you can disable or delete cookies by selecting “Tools/Internet Options” and reviewing your privacy settings or selecting “delete cookies”.
Please note that our Website is designed to work using cookies and any disabling of them may affect your usage of our Website and prevent you from taking full advantage of it.

9.3 Transfer and Sharing of Personal Data

We may disclose your Personal Data to other Two Hat entities or affiliates, and third parties, such as third party service providers as described in Section 4.4or a competent authority upon official request.
We transfer and onward transfer your Personal Data to other jurisdictions as necessary for the purposes described in this Policy, including to jurisdictions that may not provide the same level of data protection as the jurisdiction in which your Personal Data was originally collected. We will only transfer and onward transfer your Personal Data outside the European Economic Area (“EEA”) on the basis of an adequacy decision of the European Commission pursuant to Art. 45 of the EU General Data Protection Regulation 2016/679 (“GDPR”) or on the basis of other appropriate data transfer mechanisms to address cross-border transfers as required or permitted by Articles 46 and 49 of the GDPR. Please contact our Privacy Officer if you have any questions with respect to the safeguards or transfer mechanisms we have put in place to protect your Personal Data when we (onward) transfer this (including how to obtain a copy of or consult these safeguards), or to find out which jurisdictions we may transfer your data to.

9.4 Retention of Personal Data

We hold on to your Personal Data as described in Section 4.3.

9.5 Your Rights

You have the rights as indicated in the section entitled “Definitions” below. Two Hat will handle your rights regarding the Processing of your Personal Data in accordance with applicable law. You can exercise these rights by contacting our Privacy Officer using the contact details outlined above. If you are not satisfied with the way we handled your request, you may lodge a complaint with a competent Supervisory Authority (for example, with the Supervisory Authority in your country of residence or place of work).

9.6 Definitions

Except for “Two Hat”, “we”, “us”, or “our”, “include”, “Including”, “Privacy Officer”, and “GDPR” the definitions included in Section 1.2 do not apply to this Addendum. The following definitions shall also apply to this Addendum:

“Personal Data” – any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” – any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.

“Data Controller” – the natural or legal person, public authority, agency or other body that determines the purposes and the means of Processing Personal Data.

“Data Subject Rights” – the rights of Data Subjects under the GDPR. These are:

  1. The right of access; this is your right to see what data we Process about you and to request a copy thereof.
  2. The right to rectification; this gives you the right to have any incomplete or inaccurate data that we Process about you corrected or amended.
  3. The right to erasure; under certain circumstances you can ask for the Personal Data that we Process about you to be deleted.
  4. The right to restrict Processing; this gives you the right to ask for a temporary halt to our Processing of your Personal Data, such as in the case where a dispute or legal case has to be concluded, or the data is being corrected.
  5. The right to data portability; this gives you the right to ask that we transmit the Personal Data we Process about you to you or to another Data Controller under specific circumstances.
  6. The right to object; where the legal justification for our Processing of your Personal Data is our legitimate interest, you have the right to object to such Processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the Processing which override your interests and rights, or if we need to continue to Process the data for the establishment, exercise or defense of a legal claim.
    Where we Process your Personal Data for direct marketing purposes, you have the right to object at any time to such Processing, including for profiling purposes to the extent that it is related to direct marketing. If you object to Processing for direct marketing purposes, we will no longer Process your Personal Data for such purposes.
  7. The right to withdraw consent; if you have consented to our Processing of your Personal Data, you have the right to withdraw your consent at any time. This does not affect the lawfulness of the Processing that was based on your consent prior to withdrawal.

9.7 Contact

If you have questions or concerns about this Addendum and/or the way Two Hat is handling your Personal Data, please let us know immediately by contacting out Privacy Officer using the contact details outlined in Section 8.2 above.

Request Demo