Last modified - February 5, 2024

Introduction

Questionlab Inc. (“Questionlab”, “Company” or ”We”) respects your privacy and takes the protection of personal data very seriously.
This policy describes:

• How we collect, use, disclose, and protect the personal information of our customers and website users (“you”).
• Describes the types of information we may collect from you or that you may provide when you visit the website https://questionlab.com/ (our “Website”).
• Our practices for collecting, using, maintaining, protecting, and disclosing that information.
• What privacy rights you may have under applicable data protection and privacy laws, such as the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).

We take steps to ensure that the personal information that we collect about you is adequate, relevant, not excessive, and used for limited purposes.

In this policy, “personal information” or “personal data” has the meaning given in the data protection law applicable to you, and includes any information about an identifiable individual, which includes information that can be used on its own or with other information to identify, contact, or locate a single person. Unless covered by the data protection law applicable to you, personal information does not include business contact information, including your name, title, or business contact information.
This policy applies to information we collect, use, or disclose about you:

• On this Website and any website which our surveys may be hosted.
• In email, text, and other electronic messages between you and this Website.

Please read this policy carefully to understand our policies and practices for collecting, processing, and storing your information. This policy may change from time to time (see Changes to Our Privacy Policy). Please check the policy periodically for updates. We will notify you in advance of any material changes to this policy.

What Personal Data We Process and How We Obtain It

The table below describes the categories of Personal Data we have collected about you in the last twelve months.

Personal Data We Collect, Process, or Store	How We Obtain It
Identifiers A real name, alias, postal address, unique personal identifier, online identifier, social media profile, Internet Protocol address, email address, account name, date of birth, age, or other similar identifiers.	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you sign up as a client you use one of our services in person or by phone you visit one of our offices you, as a representative of one of our customers, give it directly to us for the purposes of sales or customer support you, as a representative of one of our suppliers, give it directly to us for the purposes of registering and dealing with the supplier you visit our websites and social media sites We receive it from: our customers (including their employees, contractors, and other representatives of their companies) provide it to us other companies within our corporate group our vendors a friend of yours or when one of our business partners refers you to our services by providing your personal data to us
Special categories of Personal Data A name, signature, address, telephone number, education, employment, resume, employment history and financial information. Some personal data included in this category may overlap with other categories.	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you sign up as a client you use one of our services in person or by phone you visit one of our offices you, as a representative of one of our customers, give it directly to us for the purposes of sales or customer support you, as a representative of one of our suppliers, give it directly to us for the purposes of registering and dealing with the supplier. We receive it from: our customers (including their employees, contractors, and other representatives of their companies) provide it to us other companies within our corporate group our vendors a friend of yours or when one of our business partners refers you to our services by providing your personal data to us
Protected characteristics Age (40 years or older), and sex (including gender, gender identity, gender expression, pregnancy or childbirth, and related medical conditions).	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you sign up as a client you use one of our services in person or by phone you visit one of our offices you, as a representative of one of our customers, give it directly to us for the purposes of sales or customer support We receive it from: our customers (including their employees, contractors, and other representatives of their companies) provide it to us other companies within our corporate group our vendors when a friend of yours or one of our business partners refers you to our services by providing your personal data to us
Commercial information Records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you use one of our services in person or by phone you visit our websites and social media sites we receive it from other companies within our corporate group our vendors provide it to us
Internet or other similar network activity Login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your internet connection, the equipment you use to access our website, usage details, browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	You provide it directly to us when you visit our websites and social media sites.
Non-personal details about your website interactions The full Uniform Resource Locators (URLs), clickstream to, through and from our Website (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, or any phone number used to call our customer service number.	You provide it directly to us when you visit our websites and social media sites.
Geolocation data IP addresses.	You provide it directly to us when you take a survey.
Professional or employment-related information Current or past job history or performance evaluations, job title, and name of employer.	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you sign up as a client you use one of our services in person or by phone you visit one of our offices our customers (including their employees, contractors, and other representatives of their companies) provide it to us you, as a representative of one of our customers, give it directly to us for the purposes of sales or customer support we receive it from other companies within our corporate group our vendors provide it to us when a friend of yours or one of our business partners refers you to our services by providing your Personal Data to us.
Inferences drawn from other Personal Data Profile reflecting a person's preferences, characteristics, and behavior.	You provide it directly to us when: you ask a question, fill a form, make a complaint, or comment about one of our products or services you sign up as a client you use one of our services in person or by phone our customers (including their employees, contractors, and other representatives of their companies) provide it to us you, as a representative of one of our customers, give it directly to us for the purposes of sales or customer support you visit our websites and social media sites we receive it from other companies within our corporate group our vendors provide it to us when a friend of yours or one of our business partners refers you to our services by providing your Personal Data to us.

Information We Collect Through Cookies and Other Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use cookies or other automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:

• Details of your visits to our Website, including, location data, logs, and other communication data and the resources that you access and use on the Website.
• Information about your computer and internet connection, including your IP address, operating system, and browser type.

The information we collect automatically is statistical information that includes personal information, and we may maintain it or associate it with personal information we collect in other ways, that you provide to us. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:

• Estimate our audience size and usage patterns.
• Store information about your preferences, allowing us to provide surveys according to your individual interests.
• Recognize you when you return to our Website.

The technologies we use for this automatic data collection may include:

• Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our websites does not have the capability to respond to “Do Not Track” signals received from web browsers.

Why We Use Your Information

We use information that we collect about you or that you provide to us, including:

• To present our Website and its contents to you.
• To notify you if you are entitled to an incentive.
• To match you against the survey you are taking.
• To provide you with information, products, or services that you request from us.
• To fulfill the purposes for which you provided the information or that were described when it was collected, or any other purpose for which you provide it, including for survey data collection.
• To provide you with notices about your account.
• To carry out our obligations and enforce our rights arising from any contracts with you or to comply with legal requirements.
• To manage our relationship and contract with our suppliers (including subcontractors, and individuals associated with our suppliers and contractors), and to receive services from them.
• To notify you about changes to our Website or any products or services we offer or provide though it.
• To improve our Website, products or services, marketing, or customer relationships and experiences.
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.

Disclosure of Your Information

We may disclose personal information that we collect or you provide as described in this privacy policy:

• In accordance with applicable law, to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Questionlab’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Questionlab about our customers and users is among the assets transferred.
• To contractors, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with Website improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.
• To fulfill the purpose for which you provide it.
• For any other purpose disclosed by us when you provide the information.
• With your consent.

We may also disclose your personal information:

• To comply with any court order, law, or legal process, including to respond to any government or regulatory request, in accordance with applicable law.
• To enforce or apply our terms of use and other agreements, including for billing and collection purposes, where applicable.

If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Questionlab, our customers, or others.

Sharing Personal Data with Third Parties

The following table describes, in the last twelve months, the categories of information we have disclosed to third parties for business purposes, and the categories of those third parties.

Personal Data Disclosed for Business Purposes
Category	Yes or No	Categories of Third Parties Receiving Personal Data
Identifiers	Yes	Internet service providers Cloud service providers
Special categories of personal information	Yes	Internet service providers Cloud service providers
Protected classification characteristics under California or federal law	Yes	Internet service providers Cloud service providers
Commercial information	Yes	Online payment system provider Online merchants
Internet or similar network activity	Yes	Internet service providers Web analytics providers
Geolocation data	Yes	Our clients External suppliers
Professional or employment-related information	No	N/A
Inferences drawn from other Personal Data	No	N/A

Some of these third parties may be located outside of the European Union or the European Economic Area (“EEA”) or the United Kingdom (“UK”). In some cases, the European Commission may have determined that in some countries, their data protection laws provide a level of protection equivalent to European Union law. You can see here the list of countries that the European Commission as recognized as providing an adequate level of protection to personal data.

We may transfer personal information that we collect or that you provide as described in this policy to contractors, service providers, and other third parties we use to support our business (such as analytics and search engine providers that assist us with Website improvement and optimization) and who are contractually obligated to keep personal information confidential, use it only for the purposes for which we disclose it to them, and to process the personal information with the same standards set out in this policy.

You are welcome to contact us to obtain further information about Company policies regarding service providers outside of Canada. See Contact Information. By submitting your personal information or engaging with the Website, you consent to this transfer, storage, or processing.

Other Disclosures of Your Personal Data

We may disclose your personal data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). If we have to disclose your personal data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.

We may also disclose your personal data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your personal data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal purpose. Such data does not include any personal data. The purposes may include analyzing usage trends or seeking compatible advertisers, sponsors, and customers.

Data Security

The security of your personal information is very important to us. We use physical, electronic, and administrative measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. We store all information you provide to us behind firewalls on our secure servers and use data encryption to the extent possible.

The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.

Data Retention

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including to fulfill the services requested, as well as for the purposes of satisfying any legal, accounting, or reporting requirements. Under some circumstances we may anonymize your personal information so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

Children Under the Age of 16

Our Website is not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Website. We do not knowingly collect personal information from children under 16, and we do not knowingly sell any personal information of any minor children under the age of 16. If you are under 16, do not use or provide any information on this Website or on or through any of its features/register on the Website, make any purchases through the Website, use any of the interactive or public comment features of this Website, or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us.

Accessing and Correcting Your Personal Information

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes. You have the right to obtain from us, including confirmation of whether or not we process personal information concerning you, and, where that is the case, a copy or access to the personal information and certain related information.

You also have the right to ask us to correct without undue delay anything that you think is wrong with the personal information we have on file about you (or your child), and to complete any incomplete personal information.By law you have the right to request access to and to correct the personal information that we hold about you.

If you want to access, review, verify, correct, or withdraw consent to the use of your personal information you may also send us an email at privacy@questionlab.com to request access to, correct, or delete any personal information that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect. We may charge you a fee to access your personal information, however, we will notify you of any fee in advance.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal information that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal information that we hold about you, or we may have destroyed, erased, or made your personal information anonymous in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal information, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

We will provide access to your personal information, subject to exceptions set out in applicable privacy legislation. Examples of such exceptions include:

• Information protected by solicitor-client privilege.
• Information that is part of a formal dispute resolution process.
• Information that is about another individual that would reveal their personal information or confidential commercial information.
• Information that is prohibitively expensive to provide.

If you are concerned about our response or would like to correct the information provided, you may contact our Privacy Officer.

The CCPA does not allow us to disclose Social Security numbers, driver’s license numbers or other government-issued identification numbers, financial account numbers, any health insurance or medical identification numbers, account passwords, or security questions and answers. We can inform you that we have this information generally, but we may not provide the specific numbers, passwords etc. to you for security and legal reasons.

Withdrawing Your Consent

Where you have provided your consent to the collection, use, and transfer of your personal information, you may have the legal right to withdraw your consent under certain circumstances. If you withdraw your consent, our use of your personal information before you withdraw is still lawful. To withdraw your consent, if applicable, contact our Privacy Officer - privacy@questionlab.com. Please note that if you withdraw your consent we may not be able to provide you with a particular product or service. We will explain the impact to you at the time to help you with your decision. Opt out requests are processed within a maximum of 10 days after receipt of the email to the support inbox.

Other Data Protection Rights

Apart from what is already set out in this privacy policy, see the below for other data protection rights you may have under applicable law with respect to your personal data:

• The right to be informed. If we are processing your data, we will make clear what we are processing, why, and who else the data may be passed to. Right to know requests include, but are not limited to, requests relating to: (i) the categories of personal information collected; (ii) specific pieces of personal information collected; (iii) the categories of sources from which we have collected personal information; (iv) the purposes for which we use the personal information; (v) the categories of third parties with whom we share the personal information; and (vi) the categories of information that we sell or disclose to third parties.
• The right to erasure. Under certain circumstances you can ask for your personal data to be deleted or erased. This is also called ‘the Right to be Forgotten’. This would apply if the personal data is no longer required for the purposes it was collected for, or your consent for the processing of that data has been withdrawn, or the personal data has been unlawfully processed. Sometimes we can delete your information, but other times it is not possible for either technical or legal reasons. If that is the case, we will consider if we can limit how we use it. We will also inform you of our reason for denying your deletion request.
• The right to restrict processing. This is the right to ask us to only use or store your personal information for certain purposes. You have this right in certain instances, such as where you believe the data is inaccurate or the processing activity is unlawful.
• The right to data portability. You have the right to ask for and receive a portable copy of your personal information that you have given us or that you have generated by using our services, so that you can move it; copy it; keep it for yourself; or transfer it to another organization. We will provide your personal information in a structured, commonly used, and machine-readable format. When you request this information electronically, we will provide you a copy in electronic format.
• The right to object. This is your right to tell us to stop using your personal information. You have this right where we rely on a legitimate interest of ours (or of a third party). You may also object at any time to the processing of your personal information for direct marketing purposes. We will stop processing the relevant personal information unless: (i) we have compelling legitimate grounds for the processing that override your interests, rights, or freedoms; or (ii) we need to continue processing your personal information to establish, exercise, or defend a legal claim.
• The right not to be discriminated against for exercising rights. The data subject has the right not to be discriminated against for having exercised their privacy rights. Unless the applicable data protection laws permit it, we will not:
  • Deny you goods or services
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits or imposing penalties
  • Provide you a different level or quality of goods or services
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
• Rights in relation to automated decision making and profiling. We may use automated decision-making in processing your personal information. Data subjects have the right not to be subject to a decision based solely on automated processing. You can request a manual review of the accuracy of an automated decision if you are unhappy with it.

Sometimes we will not be able to fulfill your request: if it prevents us from complying with our regulatory obligations or impacts other legal matters, if we cannot verify your identity, or if it requires extraordinary cost or effort, we will tell you in a reasonable time and give you an explanation.

How can you exercise your privacy rights?

To exercise any of the rights described above, please submit a request by either:

1. Calling us at +1(877) 886 8769

2. Contacting us by email at privacy@questionlab.com

3. Writing to us at 4711 Yonge Street, 10th Floor, Toronto, Ontario, M2N 6K8, Canada

Verification of Your Identity

In order to correctly respond to your privacy rights requests , we need to confirm that you made the request. Consequently, we may require additional information to confirm that you are who you say you are.

For requests submitted via password-protected accounts, your identity is already verified. For requests sent by other means, we will verify your identity by asking you for information that matches the information that we already hold about you.

We will only use the personal data you provide us in a request to verify your identity or authority to make the request.

If you are submitting a request on behalf of somebody else, we will need to verify your authority to act on behalf of that individual. When contacting us, please provide us with proof that the individual gave you signed permission to submit this request, a valid power of attorney on behalf of the individual, or proof of parental responsibility or legal guardianship. Alternatively, you may ask the individual to directly contact us by using the contact details above to verify their identity with us and confirm with us that they gave you permission to submit this request.

Response timing and format of our responses

We will confirm the receipt of your request within ten (10) business days and, in that communication, we will also describe our identity verification process (if needed) and when you should expect a response, unless we have already granted or denied the request.

Please allow us up to a month to reply to your requests (except requests to stop selling your personal data) from the day we received your request. If we need more time (up to 90 days in total), we will inform you of the reason why and the extension period in writing.

If we cannot satisfy a request, we will explain why in our response. For data portability requests, we will choose a format to provide your personal data that is readily useable and should allow you to transmit the information from one entity to another entity without difficulty.

We will not charge a fee for processing or responding to your requests. However, we may charge a fee if we determine that your request is excessive, repetitive, or manifestly unfounded. In those cases, we will tell you why we made that determination and provide you with a cost estimate before completing your request.

Your right to appeal

If we decline to take action regarding a request that you have submitted, we will inform you of our reason for doing so, and for Virginia, Colorado, and Connecticut residents, provide instructions for how to appeal the decision. If we decline to comply with a data subject rights request, residents of the above states will have the right to appeal our refusal within a reasonable period of time after receiving our decision. Within 60 days of the time provided by applicable U.S. state law, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, we will also provide you with an online mechanism, if available, or other method through which you may contact the your state’s regulatory authority to submit a complaint.

Legal Bases for Processing

We must have a valid reason to use your personal information. This is called the "lawful basis for processing".
When we process personal data, we may process your personal data on the basis of:

• your consent;
• the need to perform a contract with you;
• our legitimate interests or those of a third party, such as our interest in marketing our Services;
• the need to comply with the law; or
• any other ground, as required or permitted by law.

We rely on our legitimate interests when, for example, we process the personal data we collect from you to send you marketing communications, to communicate with you about changes to our services, to enhance the safety and security of our facilities, and to provide, secure, and improve our services.

Miscellaneous

Changes To Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the Website home page. If we make material changes to how we treat our users’ personal information, we will notify you by email to the email address specified in your account or through a notice on the Website home page.

We include the date the privacy policy was last revised at the top of the page. You are responsible for ensuring we have an up-to-date, active, and deliverable email address for you, and for periodically visiting our Website and this privacy policy to check for any changes.

Right to Lodge a Complaint With a Supervisory Authority

If the GDPR applies to our processing of your personal information, you have the right to lodge a complaint with a supervisory authority if you are not satisfied with how we process your personal data. Specifically, you can lodge a complaint in the Member State of the European Union of your habitual residence, place of work, or the alleged violation of the GDPR.

Contact Information

We welcome your questions, comments, and requests regarding this privacy policy and our privacy practices. Please contact our Privacy Officer at:
Ashwani Marwah
privacy@questionlab.com
+1(877) 886 8769
We have procedures in place to receive and respond to complaints or inquiries about our handling of personal information, our compliance with this policy, and with applicable privacy laws. To discuss our compliance with this policy please contact our Privacy Officer using the contact information listed above, or by contacting us at the address in the “Contact Us” section below.

Data Protection Officer

We have appointed VeraSafe as our Data Protection Officer (DPO). While you may contact us directly, VeraSafe can also be contacted on matters related to the processing of Personal Data. VeraSafe’s contact details are:
VeraSafe LLC
100 M Street S.E., Suite 600
Washington, D.C.
20003
USA
Email: experts@verasafe.com
Web: https://www.verasafe.com/about-verasafe/contact-us/