Privacy Notice
Effective Date: March 14th, 2018

Your privacy is important to the Confirmit group of companies (“Confirmit”). This policy discloses the information practices for the Confirmit web site www.confirmit.com and our mobile applications, including what type of information is gathered and tracked, how the information is used, and with whom the information is shared.

1. Introduction

Your privacy is important to the Confirmit group of companies (“Confirmit”). This privacy notice discloses the information practices for Confirmit-controlled web sites (www.confirmit.com) and for Confirmit-provided mobile applications (SODA, Mobile Panel, AskMe, and Confirmit CAPI), including what type of information is gathered and tracked, how the information is used, and with whom the information is shared.

2. Definitions

In this privacy notice, the term “personal data” includes:

  • Under the laws of the United States, personal data shall include any “non-public personal information” as that term is defined in the Gramm-Leach-Bliley Act found at 15 USC Subchapter 1 §6809(4), and "protected health information" as defined in the Health Insurance Portability and Accountability Act found at 45 CFR §160.103.
  • Under the laws of the countries in the European Economic Area (“EEA”), personal data shall have the meaning given to it in Directive 95/46/EC (the “EU Directive”) and in the General Data Protection Regulation (“GDPR”).
  • Under the laws of Australia, personal data shall include information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information is true or not; and (b) whether the information or opinion is recorded in a material form or not.

“Data controller” means the party that determines the purposes or means of the processing of the personal data.

“Data processor” means the party that processes the personal data on behalf of the data controller.

3. Confirmit’s two roles as data processor and data controller

3.A. For the first type, Confirmit acts as data processor and as a software-as-a-service (“SaaS”) provider for companies conducting data collection and reporting activities via the Internet or mobile apps. You may be submitting responses to web surveys or app surveys via mobile devices, and the template of the survey may state "Powered by Confirmit." Surveys launched by Confirmit’s customers may be hosted on Confirmit's SaaS environments, or alternatively they may be hosted on the customer's hosting environment on the Internet, other than Confirmit’s.
In any of these cases, please be aware that it is our customers as data controllers who are initiating or performing the data collection, who determine from whom to collect personal data, and who define how to use the collected personal data. Confirmit is acting as a data processor. For more details about how Confirmit’s customer intends to use your personal data, please refer to the privacy notice of the Confirmit customer from whom the email or the web survey originates. For more information related to Confirmit’s role as a data processor, please see Section 4 below, “Confirmit as a data processor.”

3.B. The second type of sites we manage is related to information offered by Confirmit to customers, prospects, and other visitors on the Confirmit website, the Confirmit extranet, and other sites we offer access to where Confirmit acts as the data controller.

4. Confirmit as a data processor

4.A. Our role as a processor

In relation to our roles as SaaS provider and data processor, Confirmit processes information under the instructions of its customers and has no direct relationship with the individuals whose personal data it collects or processes.

If you seek access  to correct, amend, or delete inaccurate personal data, or if you seek to invoke any other rights in respect to the personal data under applicable laws, you should direct your query to Confirmit’s customer as the data controller. If Confirmit is requested by Confirmit’s customer to remove personal data, we will respond within a reasonable timeframe in accordance with applicable laws.

If you would no longer like to be contacted by one of our customers that use our SaaS service, please contact the customer directly.

If you have reached out to our customer and are not getting a reply, you may approach Confirmit in accordance with section 6 below. 

4.B. Data storage, data access, data transfers, and data retention

Personal data that our customers collect from you may, subject to adequate confidentiality undertakings, and for the sole purpose of providing our customers with the services they have contracted from us, be transferred to or accessed by personnel of Confirmit-affiliated entities (see list here), and to or by third party companies  and subcontractors that help us provide our services. In any such case, the personnel granted access to your personal data will have been deemed by their managers to have a reasonable business need to do so. 

Where Confirmit transfers personal data to one of its affiliates, we will have legitimate transfer mechanisms in place. See more details in section 5.F. below. Transfers to subsequent third parties are covered by the service agreements with our customers.

Depending on the SaaS environment on which you have been invited to take a survey, your personal data will be stored on servers in London (survey.euro.confirmit.com), Dallas (survey.confirmit.com), or Sydney (survey.confirmit.com.au). Other URLs may be used by our customers. The data centers of the SaaS environments are managed under our control by Rackspace entities in the United States, in the United Kingdom, and in Australia. Confirmit is planning, throughout 2018, to leverage the Microsoft Azure Cloud to provide new SaaS environments in new regions.

Where Confirmit transfers personal data to Rackspace or to other subcontractors as agreed in our contracts with our customer, we will have legitimate transfer mechanisms in place, and where the subcontractor processes the personal data outside of the EEA we are requiring the subcontractor to hold a Privacy Shield certification or to enter into Model Clauses with us.

We will retain personal data our customers have instructed us to process for them for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Our customers can at any time instruct for such personal data to be deleted. Confirmit will retain personal data as necessary to comply with our legal obligations, resolve disputes, and in accordance with our customer agreements (including secure encrypted off-site back-up retention for up to 52 weeks).

4.C. Security measures

Confirmit operates under a strong security and privacy regime. Confirmit has successfully undergone third party Service Organization Control auditing (SOC 2, based on ISAE3402 / SSAE18 / AT101) in relation to its SaaS operations. The SOC 2 report provides assurance that we have designed and implemented effective security controls as defined in the SOC 2 standards.  During the examination, the independent auditors evaluated and tested controls over the following domains:

  • Organization and management
  • Communications
  • Risk management, design, and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • Systems operation
  • Change Management

If your personal data is stored on Confirmit's SaaS environments, you are welcome to read more about how we protect your personal data by applying industry leading security measures and performing ongoing security tests and controls. Please refer to the PowerPoint file available for you to download from here.

4.D. Device information

In relation to the first type of Internet site discussed in section 3.A above, when you download and use mobile apps produced by Confirmit, we automatically collect information on the type of device you use, operating system version, and the device identifier (or "UDID").

The mobile apps do not require location permission in order to be used. However, our customers who are using our mobile apps in order to collect personal data from you may request that the mobile apps collect your precise geolocation. Should location be requested, you will be prompted by the operating system of your device with a message that the mobile app has requested to access the device location.  You can accept or reject that request. If permission has been granted, this permission can be later changed at any time under the operating system settings area.

Depending on our customer’s use of the mobile app, the mobile app may also use beacons or similar technologies as part of the survey taking.  

4.E. Cookies on the SaaS environment

For information about cookies when you provide personal data to our customers via our SaaS environment, please refer to our Cookie Policy. We do not use cookies in surveys you are invited to take via an email invitation with a clickable link or via pop-ups, but the party delivering the survey to you may.

5. Confirmit as a data controller

5.A. Our role as a data controller

The security of your personal data is important to us.  We follow generally recognized industry standards to protect the personal data submitted to us during transmission and once it is received. In general, you can visit Confirmit on the Internet without telling us who you are and without giving any personal data about yourself. There are times, however, when Confirmit or our partners may need information from you.

Where Confirmit acts as the data controller, you may choose to provide us with your personal data in a variety of situations. For example, you may want to give us information such as your name, physical address, email address, zip code, resume, phone number, and additional contact information.  We intend to let you know how we will use such information and seek your consent in accordance with applicable laws before we collect it from you. You may at any time revoke your consent or invoke rights in relation to the personal data provided to us in accordance with applicable laws. If you tell us that you do not want us to use this information to make further contact with you beyond fulfilling your requests, we will respect your wishes. If you give us personal data about somebody else such as a spouse or work colleague, we will assume that you have his or her permission to do so.

Confirmit does not request the disclosure of special categories of personal data or sensitive data.

You may contact Confirmit in order to invoke your rights as a data subject under applicable laws in accordance with section 19 below. 

5.B. Information provided in accordance with Article 13 of the GDPR

a. Confirmit is an entity acting as the data controller. A full list of Confirmit group entities is available here.

b. Contact details of the data protection officer are available in section 19 below.

c. The purposes of the processing are either stated in the consent note we obtain from you prior to processing your personal data, or alternatively:

  • To fulfill your transaction request;
  • To provide you with a subscription;
  • To provide you with support and consulting services;
  • To verify your identity;
  • To provide information on products, services, or callback requests;
  • To send you specific marketing materials;
  • To allow our business partners to contact you for marketing purposes;
  • In connection with a job application or inquiry;
  • To contact you about employment consideration; and
  • To invite you to complete web surveys.

If you no longer wish to receive communications from us, you may opt-out by following the unsubscribe instructions located at the bottom of each communication.  If you no longer wish to allow us to share your information with third parties for marketing purposes, you may contact us at privacy@confirmit.com to opt-out.  If you wish to opt-out from marketing emails provided by third parties, you must contact that third party directly.

d. The recipients of your personal data will be selected Confirmit employees and third-party providers under contract with Confirmit ensuring data protection levels equivalent to those set forth in this privacy notice. Where personal data collected in the EEA is transferred to a subcontractor in a third country outside of the EEA and which country is not deemed to meet the adequacy standards of the EU Commission, Confirmit shall have ensured suitable safeguards with such subcontractor both technically and contractually.

e. We will retain your personal data for as long as reasonably necessary in accordance with the purpose of the processing as communicated to you as part of the consent or privacy notice.

  • We delete personal data relating to marketing activities where the data subject a) has opted out of marketing emails, b) has invalid emails in the system, or c) has been inactive for 9+ months.
  • We will retain personal data we process about our customers for as long as needed to provide services to our customers in accordance with the contractual terms in our agreements with them. Confirmit will retain such personal data as necessary to comply with our legal obligations and to resolve disputes.

f. You have the right to seek access to and rectification or erasure of your personal data in accordance with applicable laws as set forth in section 6 below.

g. Where our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time as set forth in section 6 below.

h. Where applicable laws so prescribe, you have the right to lodge a complaint to a supervisory authority.

5.C. Information for Confirmit business partners

If you represent a Confirmit business partner, you may visit a Confirmit website intended specifically for Confirmit business partners. We may use information provided on that site to administer and develop our business relationship with you, the business partner you represent, and Confirmit business partners generally.

5.D. Information for Confirmit customers

If you work for a Confirmit customer, you may visit a Confirmit website intended specifically for Confirmit customers. We may use information provided on that site to administer and develop our business relationship with you, the customer for which you work, and Confirmit customers generally.

We may also collect and process your personal data as necessary for the performance of the contract in place between the Confirmit customer and Confirmit in accordance with GDPR Article 6.

5.E. Other Confirmit website notices

In some cases, specific Confirmit websites may contain other notices about their use and the information practices applicable to those sites.

5.F. Cross-border flows of personal data

Confirmit is a global organization with legal entities, business processes, management structures, and technical systems that cross borders. See here for a full list.

Our privacy practices are designed to provide protection for your personal data in accordance with the laws applicable to each respective Confirmit affiliate.

We may share your personal data within Confirmit or with service providers and transfer it to countries in the world where we or our service providers do business.

Transfers of your personal data between Confirmit affiliates are made subject to our Confirmit Intra-group Personal Data Transfer Agreement (February 2018) which includes the use of EU approved standard contractual clauses (Model Clauses). Transfers of your personal data from Confirmit to its service providers will always be subject to adequate contractual terms including where relevant EU Model Clauses. 

Some countries may provide less legal protection for your information. In such countries Confirmit will handle information in the manner we describe in this privacy notice.

5.G. Sharing with Service Providers

We may share your information with third parties who provide services on our behalf to help with our business activities under contractual terms providing adequate protection to your information.  These companies are authorized to use your personal data only under our instructions and only as necessary to provide the contracted services to us.  These services may include:

  • Sending marketing communications
  • Fulfilling subscription services
  • Conducting research and analysis
  • Providing data center facilities

5.H. Passive collection

As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring and exit pages, the files viewed on our site (for example, HTML pages, graphics, or other), operating system, date and time stamp, and clickstream data to analyze trends in the aggregate and administer the site.

5.I. Tracking technologies

Confirmit and its partners use cookies or similar technologies to analyze trends, administer the website, track users’ movements around the website, and to keep track of the domains from which people visit. We may extract some information about your transactions in a non-identifiable format and combine it with other non-identifiable information such as clickstream data and gather demographic information about our user base as a whole. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service. To manage Flash cookies, please click here.

We partner with third parties to display advertising on our website or to manage our advertising on other sites. Our third party partners may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising click here, or if located in the European Union click here.  Please note that Confirmit has no relationship with the foregoing entities and we are therefore unable to confirm the efficacy of their services. You will in any event continue to receive generic ads.

5.J. Mobile analytics

We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record information such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and from where the application was downloaded. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.

5.K. Service quality monitoring

Certain web transactions may also involve you calling us or our calling you. Please be aware that it is Confirmit's general practice to monitor and in some cases record such calls for staff training or quality assurance purposes.

5.L. Personalized URL link

On occasion, we may personalize and customize websites for certain visitors. If you visit one of these sites, you may find it customized with references to products and services that we believe may be of interest to you based on your previous interactions with Confirmit and information you have provided to us. While you are visiting these websites, we may collect information about your visit to better tailor the site to your interests. An invitation to visit one of these websites is usually presented as a personalized URL in an email, a notice on a website registration page, or as a response to you logging on to a certain website.

5.M. Disclosures required by law or to fulfill a business transition

We may also disclose your personal data as required by law such as to comply with a subpoena or other legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. If Confirmit is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email or a prominent notice on our website of any change in ownership, uses of your personal data, and choices you may have regarding your personal data. We may also disclose your personal data to any other third party with your prior consent.

5.N. Links to non-Confirmit websites

Confirmit websites may contain links to other websites. Confirmit is not responsible for the privacy practices or the content of those other websites.

5.O. Notification of changes

We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

5.P. User data supplementation

We may receive information about you from other sources including publicly available databases or third parties from whom we have purchased data and combine this data with information we already have about you.  This helps us to update, expand, and analyze our records, identify new customers, and provide products and services that may be of interest to you.  If you provide us personal data about others or if others give us your information, we will only use that information for the specific reason for which it was provided to us.

Examples of the types of personal data that may be obtained from public sources or purchased from third parties and combined with information we already have about you may include purchased marketing data about our customers from third parties that is combined with information we already have about you to create more tailored advertising and products.

6. Privacy questions, access rights, incident reporting

If you have any questions about how we use your personal data or about this privacy notice, you can send an email to privacy@confirmit.com. You can also contact us by mail at 300 Seventh Ave., 3rd Floor, New York, NY 10001, or you may contact us at the physical address of the office closest to you; see our list here.

If you would like to reach Confirmit’s Data Protection Officer (as defined under the GDPR), you can contact the officer at DataProtectionOfficer@confirmit.com or by phone at +47 21 50 25 00.

If you have an unresolved privacy or personal data use concern that we have not addressed satisfactorily, please contact our third-party dispute resolution provider free of charge at https://feedback-form.truste.com/watchdog/request.  

Upon request, Confirmit will provide you with information about whether we control any of your personal data on our own behalf. If you wish to obtain a copy of particular information you provided to Confirmit, if you become aware that the information is incorrect and you would like us to correct it, update it, or delete it, if you would like to exercise any of your legal rights such as those in relation to updating your preferences regarding how we use your personal data, or to withdraw consent, contact us at privacy@confirmit.com. We will respond to your access request within a reasonable timeframe and within the timelines prescribed by applicable law.

If you are enquiring about or exercising any of your legal rights, or want to withdraw your consent, in respect of personal data we collect and process under the instructions of our customers (see section 4 above), please direct your query to our customer, which is the data controller. If you contact our company in relation to this, we are under obligation to refer your enquiry to the data controller.

Before Confirmit is able to assist you, provide you with any information, or correct any inaccuracies, we may ask you to verify your identity and to provide other details to help us to respond to your request. We will endeavor to respond within an appropriate timeframe.

Should you want to report an incident relating to Confirmit’s security, confidentiality, or privacy, you are welcome to file a report by entering required data at http://securityincident.confirmit.com. Alternatively, contact privacy@confirmit.com.

7. EU–U.S. Privacy Shield

Confirmit, Inc., based in the United States, participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.  Confirmit, Inc. is committed to subjecting all personal data received from EEA member countries and Switzerland respectively in reliance on the Privacy Shield Frameworks to the Framework’s applicable principles.  To learn more about the Privacy Shield Frameworks, visit the U.S. Department of Commerce’s Privacy Shield List.

Confirmit, Inc. is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf.  Confirmit, Inc. complies with the Privacy Shield Principles for all onward transfers of personal data from the EEA and Switzerland including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Confirmit, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.  In certain situations, Confirmit, Inc. may be required to disclose personal data in response to lawful requests by public authorities including to meet national security or law enforcement requirements.

Under certain conditions more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

8. Phishing emails that reference Confirmit

We have been informed that emails with the subject “Important Information Regarding Your XXXX Account,” or similar are being sent by parties not affiliated with Confirmit. These emails ask recipients to provide login information related to an account that might be held at the company referenced in the subject line. The emails may point to this webpage or Confirmit’s privacy policy for more information.

Confirmit is not responsible for the content of these emails. If you believe that you have been asked to provide personal data, please approach the company with whom you hold the account for more information and instructions. Confirmit does not engage in such practices.

Note that Confirmit as a provider of online survey software enables its customers to send emails to individuals asking them to participate in market research surveys or to provide customer and employee feedback. Confirmit does not authorize, approve, or in any other way bear responsibility for emails sent out by customers.
