Effective Date: September 23, 2020
Data Controller and Processor
The GDPR differentiates between the “controller” and “processor” of information. In general, we are the processor of Customer Data and the controller of Other Data. “Customer Data” includes the data submitted through a Customer’s Services account by that Customer or by Respondents to that Customer’s surveys, forms, questionnaires, or other information requests. “Other Data” includes, for example, data submitted by Customers or Website Visitors through contact forms on our Website or other interactions with us.
Legal Bases for Processing
We collect and process personal information only where we have a legal basis for doing so. The legal basis depends on the Services and how you use them. Generally, we process personal information you provide on the basis of consent, but we may process personal information you provide where we need it to provide you with the Services (such as customer support), where it satisfies a legitimate interest (such as marketing and promoting our Services or protecting our legal rights and interests), or on another basis permitted by GDPR or applicable law, for example, so we can comply with our legal obligations.
We may transfer your personal information outside the EEA. When we transfer your personal information outside the EEA, we ensure at least one of the following safeguards is implemented:
- We will only transfer your personal information to countries considered by the European Commission to provide adequate levels of protection. For more information, see European Commission: Adequacy Decisions.
- With certain service providers, we may use the European Commission’s approved standard contractual clauses for data transfers between the EEA and non-EEA countries. For more information, see Standard Contractual Clauses (SCC).
How long we retain personal information varies according to the type of information and the purpose for which it is used. For example, we retain your account information for as long as your account is active. Also, we retain the information you share through our Services as long as retention is required by the account administrator. If you choose to receive marketing communications from us, we will retain information about your marketing preferences as long as you express interest in our Services. We will delete or anonymize personal information within a reasonable period after we no longer need it for the purpose or purposes for which it was provided. Alternatively, you may request that we delete your personal information before the end of its retention period. We may archive personal information (store it in inactive files) for longer periods before deleting it as part of our ordinary business continuity procedures.
Right to Complain to Data Protection Authorities
You may file a complaint about our processing of your personal information with your national or regional Data Protection Authority. The European Commission provides a list of Data Protection Authorities and their contact information here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.