Privacy Policy for Survey Back Office
Effective Date: 01-July-2024 | Last Updated: 01-July-2025
1. Introduction
Welcome to Survey Back Office ("we," "us," or "our"). We provide a software-as-a-service (SaaS) platform (the "Service") to our customers ("Clients"), who are typically market research companies. This Privacy Policy explains how we collect, use, process, and disclose information, including personal data, in the context of providing our Service.
This policy covers two types of data subjects: our Clients who use our Service, and our Clients' end-users, the survey respondents ("Respondents").
2. Our Role Under Data Protection Law
It is crucial to understand the distinct roles we play under data protection laws like the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
- Data Controller (Our Clients): When our Clients use our Service to create and conduct surveys, they are the Data Controller. They determine the purposes and means of processing Respondent data. They are responsible for ensuring they have a lawful basis (e.g., obtaining valid consent) to collect and process Respondent data.
- Data Processor (Survey Back Office): When we process Respondent data on behalf of our Clients, we act as a Data Processor. We only process this data according to the instructions of our Client, as outlined in our Terms and Conditions and our Data Processing Agreement (DPA).
This Privacy Policy applies to the data for which we are a Data Controller (i.e., information about our Clients) and also explains our data processing practices on behalf of our Clients.
3. Information We Collect and Process
3.1. Information We Collect from Our Clients (as a Data Controller)
- Account Information: When a Client registers for our Service, we collect information such as name, company name, email address, and password.
- Billing Information: We collect payment information, such as credit card details, which are securely processed by our third-party payment processors. We do not store full credit card numbers on our servers.
- Communications: We collect information when you contact us for support or other inquiries.
3.2. Information We Process on Behalf of Our Clients (as a Data Processor)
Our Clients determine what information they collect from Respondents. We process the following categories of data as instructed by our Clients:
- Survey Responses: Any information provided by a Respondent in a survey.
- Technical and Device Information (for Fraud Prevention): To ensure the integrity of survey data and prevent fraudulent or duplicate submissions, our Service automatically collects technical information from the Respondent's device and browser. This may include:
  - IP Address
  - User-Agent String
  - Browser Type and Version
  - Operating System and Version
  - Screen Resolution and Color Depth
  - System Language and Timezone
  - A unique identifier created by combining various browser and device attributes (also known as a "browser fingerprint").
4. How We Use Information
4.1. Use of Client Information
- To provide, maintain, and improve our Service.
- To process payments and manage accounts.
- To communicate with our Clients about service updates, security alerts, and support messages.
- To comply with legal obligations.
4.2. Use of Respondent Information
We only use Respondent information as directed by our Client, the Data Controller. Our use is strictly limited to:
- Providing the Service to our Client as agreed in our contract.
- Performing fraud detection, quality control, and preventing duplicate survey entries.
- Generating aggregated and anonymized statistics for our Client.
We will never use Respondent data for our own marketing purposes or sell it to third parties.
5. Lawful Basis for Processing
For Client Information, our lawful basis for processing is the performance of our contract (our Terms and Conditions) with our Client. For Respondent Information, our Client, as the Data Controller, is responsible for establishing a lawful basis for processing, which is typically the explicit consent of the Respondent.
6. Data Sharing and Disclosure
We do not sell personal data. We may share information with third parties under the following circumstances:
- Service Providers (Sub-processors): We use third-party vendors for services like cloud hosting (e.g., AWS), payment processing, and customer support. These providers are contractually obligated to protect the data and only use it for the services we request.
- As Directed by Our Clients: We may share Respondent data as instructed by the respective Client (Data Controller).
- Legal Compliance and Protection: We may disclose information if required by law, subpoena, or other legal process, or to protect our rights, property, or the safety of our users or the public.
7. Data Security
We implement reasonable technical and administrative security measures to protect the information we process from loss, misuse, and unauthorized access or disclosure. These measures include data encryption, access controls, and regular security assessments. However, no security system is impenetrable, and we cannot guarantee the absolute security of data.
8. Data Retention
We retain Client Information for as long as the Client's account is active or as needed to provide the Service and comply with our legal obligations. We retain Respondent Information according to the instructions of our Client. Clients may have the ability to set their own data retention policies within the Service.
9. Your Data Protection Rights
Depending on your location (such as the EU or California), you may have certain rights regarding your personal data.
For Clients: You may access, update, or request deletion of your account information by contacting us directly. You have rights including access, rectification, erasure, restriction of processing, and data portability concerning your personal data.
For Respondents: Since we are a Data Processor, you must direct any requests to exercise your data protection rights to the Data Controller, which is the company that sent you the survey. They are responsible for handling your request. If you contact us directly, we will forward your request to the relevant Client.
Your rights may include:
- The right to access the personal data held about you.
- The right to request correction of inaccurate data.
- The right to request deletion of your data (the "right to be forgotten").
- The right to withdraw your consent at any time.
10. International Data Transfers
Your information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ. For transfers of data from the European Economic Area (EEA), we rely on appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure the lawful transfer of data.
11. Client's Legally Binding Agreement
- Data Controller: The "Market Research Company" agrees that they are solely responsible for ensuring that they have a lawful basis (i.e., valid consent) for collecting the data before they even send a respondent to our platform. This contractually places the responsibility for consent on the research company.
- Duties: We will only process the user's privacy data according to the Client's instructions; for the rest, the Data Controller (company) will maintain strong privacy security. We might assist the Data Controller (company) with data subject requests (access/deletion). If any privacy concern lies on our side, the Data Controller (company) will have to send us an email before 14 days and notify us about the data breach, and if the issue persists on our side, we will fix it, taking the appropriate time to do so.
- Terms of Use: The main Terms of Service state that the use of this platform is conditional on agreeing to our "privacy policies" and our "terms & conditions". In case of legal matters, the Data Controller (company) also confirms that they will take legal action and shall strictly manage and follow legal proceedings as per the below-mentioned jurisdiction only.
12. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that a child has provided us with personal data without parental consent, we will take steps to delete such information.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We may notify you of any changes by posting the new policy on this page. We encourage you to review this policy periodically.
14. Jurisdiction
Subject to Surat Jurisdiction Only.
15. Contact Us
If you have any questions about this Privacy Policy, please contact us at: support@surveybackoffice.com