Privacy Policy

1.1 When We Are the Data Controller

SurveyAnalytica acts as the Data Controller for personal data we collect directly from you, including:

• Account registration information (name, email, phone, organization)
• Billing and payment information
• Usage data and analytics about how you interact with the Platform
• Communication data (support requests, feedback, correspondence)
• Cookie and tracking data collected through the Platform website

1.2 When We Are the Data Processor

SurveyAnalytica acts as the Data Processor for Customer Data that you collect through the Platform, including:

• Survey and form responses submitted by your respondents
• Contact list data you upload or manage on the Platform
• Campaign and message data (email, SMS, WhatsApp communications)
• Analytics and insights derived from your survey data

As a Data Processor, we process this data solely on your instructions and in accordance with our Terms of Service and Data Processing Addendum (DPA). You, as the survey creator or data uploader, are the Data Controller for this data and are responsible for obtaining appropriate consent from respondents and data subjects.

1.3 Data Controller Contact

Cosmoneural Private Limited WeWork DLF Forum, Cybercity, Phase III Gurugram, Haryana 122002, India Data Protection Officer: privacy@surveyanalytica.com

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, organization name, job title, and profile picture when you register an account.
• Billing Information: Payment card details, billing address, and transaction history. Payment information is processed and stored by Stripe, our payment processor; we do not store full payment card numbers.
• Content: Surveys, forms, campaigns, templates, workflows, and other content you create on the Platform.
• Contact Lists: Contact data (names, email addresses, phone numbers, custom fields) that you upload or manage on the Platform.
• Communications: Information you provide when you contact support, submit feedback, or participate in research.

2.2 Information Collected Automatically

• Device Information: Device type, operating system, browser type and version, screen resolution, and language settings.
• Log Data: IP address, access timestamps, pages visited, referring URLs, and actions taken on the Platform.
• Usage Data: Features used, survey creation patterns, campaign performance metrics, and interaction data.
• Cookie Data: Information collected through cookies and similar technologies (see Section 8 for details).

2.3 Information from Third Parties

• Single Sign-On (SSO): When you register or log in using Google, Microsoft, or Apple, we receive your name, email address, and profile picture from these providers.
• Integrations: When you connect third-party services (e.g., Slack, HubSpot, Salesforce), we may receive data from those services as authorized by you.
• Payment Processor: Stripe provides us with transaction confirmation, payment status, and limited billing details.

2.4 Special Category Data

We do not intentionally collect special category or sensitive personal data (such as health information, racial or ethnic origin, political opinions, religious beliefs, biometric data, or sexual orientation). If you choose to collect such data through surveys or forms you create on the Platform, you are solely responsible for ensuring you have a valid legal basis and explicit consent from respondents.

3.1 To Provide and Operate the Platform

• Creating and managing your account
• Processing surveys, campaigns, and workflows
• Delivering analytics, reports, and insights
• Processing payments and managing subscriptions
• Providing customer support and responding to inquiries

3.2 To Improve and Develop the Platform

• Analyzing usage patterns to improve features and user experience
• Conducting internal research and development
• Generating aggregated, anonymized benchmarks and insights
• Testing new features and functionality

3.3 To Communicate with You

• Sending service-related notifications (billing, security, platform updates)
• Sending marketing communications (only with your explicit opt-in consent)
• Responding to your support requests and feedback

3.4 To Ensure Security and Compliance

• Detecting, preventing, and addressing fraud, abuse, and security threats
• Enforcing our Terms of Service and Acceptable Use Policy
• Complying with applicable legal obligations, court orders, and regulatory requirements

3.5 Legal Basis for Processing (GDPR Users)

For users in the EU/EEA/UK, we process your personal data on the following legal bases:

• Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Platform services you requested.
• Legitimate Interest (Art. 6(1)(f)): Processing for security, fraud prevention, service improvement, and internal analytics, where our interests do not override your rights.
• Consent (Art. 6(1)(a)): Processing for marketing communications and non-essential cookies, based on your explicit opt-in consent.
• Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws and regulations.

4.1 Sub-processors and Service Providers

We engage trusted sub-processors to help deliver the Platform. Each sub-processor is bound by data processing agreements requiring them to protect your data. A current list of sub-processors is available at surveyanalytica.com/legal/subprocessors. Key categories include:

• Cloud Infrastructure: Google Cloud Platform (data hosting and processing)
• Payment Processing: Stripe (payment transactions)
• Email Delivery: Third-party email service providers (campaign delivery)
• AI Services: Google Gemini, OpenAI (AI-powered features — data is not used to train their general models)
• Analytics: Google Analytics (website usage analytics, with IP anonymization enabled)
• Communication: Twilio (SMS and WhatsApp delivery)

4.2 Survey Creators and Respondents

Survey responses are shared with the survey creator who deployed the survey. SurveyAnalytica does not access, sell, or use survey response data except as required to provide the Services.

4.3 Legal Requirements

We may disclose your information when required by law, court order, subpoena, or governmental request, or when we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to detect and prevent fraud.

4.4 Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on the Platform before your data is subject to a different privacy policy.

5.1 Where We Store Data

Our primary infrastructure is hosted on Google Cloud Platform. Data may be stored and processed in data centers located in India, the United States, the European Union, and other regions where our infrastructure and sub-processors operate.

5.2 Transfer Safeguards

When we transfer personal data internationally, we implement appropriate safeguards as required by applicable law:

• European Commission Standard Contractual Clauses (SCCs) for transfers from the EU/EEA to countries without an adequacy decision.
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs for transfers from the UK.
• Data Processing Addendum (DPA) with all sub-processors, incorporating applicable transfer mechanisms.
• Supplementary technical and organizational measures (encryption, pseudonymization, access controls) to ensure adequate protection.

5.3 EU-US Data Privacy Framework

Where applicable, we rely on sub-processors that have certified their compliance with the EU-U.S. Data Privacy Framework (DPF) for transfers to the United States.

6.1 Retention Periods

• Account Data: Retained for as long as your account is active, plus 30 days after account closure to allow for data export and recovery.
• Customer Data (surveys, responses, contacts): Retained for as long as your account is active. Upon termination, you have 30 days to export your data, after which it is permanently deleted.
• Billing Records: Retained for 7 years as required by tax and accounting regulations.
• Log Data and Usage Analytics: Retained for up to 24 months, then automatically aggregated or deleted.
• Support Communications: Retained for up to 3 years after resolution for quality assurance and dispute resolution.
• Marketing Consent Records: Retained for as long as consent is valid, plus 3 years after withdrawal for compliance documentation.

6.2 Deletion

When data is deleted, we ensure it is removed from our active databases and backup systems within 90 days. Some data may be retained longer if required by law or for the resolution of disputes.

7.1 Rights Under GDPR (EU/EEA/UK)

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure (Right to be Forgotten): Request deletion of your personal data, subject to legal retention requirements.
• Right to Restrict Processing: Request that we temporarily or permanently stop processing your data in certain circumstances.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format (CSV, JSON).
• Right to Object: Object to processing based on legitimate interest or for direct marketing purposes.
• Right Not to be Subject to Automated Decision-Making: Request human review of decisions made solely by automated means that significantly affect you.
• Right to Withdraw Consent: Withdraw consent at any time for processing based on consent, without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: File a complaint with your local data protection supervisory authority.

7.2 Rights Under CCPA/CPRA (California, USA)

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
• Right to Delete: Request deletion of personal information we have collected.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
• Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information to what is necessary for providing the Services.

California residents may designate an authorized agent to make requests on their behalf. We may require verification of identity before processing requests.

7.3 Rights Under LGPD (Brazil)

• Confirmation and access to your personal data.
• Correction of incomplete, inaccurate, or outdated data.
• Anonymization, blocking, or deletion of unnecessary or excessive data.
• Data portability to another service or product provider.
• Deletion of data processed with your consent.
• Information about entities with which your data has been shared.
• Information about the possibility and consequences of denying consent.
• Revocation of consent.

7.4 Rights Under PIPEDA (Canada)

Canadian users have the right to access their personal information, request corrections, and withdraw consent for non-essential processing. To make a request, contact privacy@surveyanalytica.com.

7.5 Rights Under Other Regulations

If you are located in a jurisdiction with specific data protection rights not listed above (e.g., South Africa's POPIA, Singapore's PDPA, Japan's APPI, India's DPDP Act), you may exercise your rights under those laws by contacting privacy@surveyanalytica.com. We will respond in accordance with applicable law.

7.6 Response Timeframes

• GDPR requests: We will respond within 30 days. Complex requests may be extended by up to 60 additional days with notice.
• CCPA/CPRA requests: We will respond within 45 days. Complex requests may be extended by up to 45 additional days with notice.
• LGPD requests: We will respond within 15 days.
• All other requests: We will respond within 30 days or as required by applicable law.

8.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. We use cookies and similar technologies (web beacons, pixels, local storage) to provide, secure, and improve the Platform.

8.2 Types of Cookies We Use

8.3 Cookie Consent

When you first visit our website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You may change your preferences at any time through the cookie settings link in the footer of our website. Strictly necessary cookies cannot be disabled as they are essential for the Platform to function.

8.4 Browser Controls

Most browsers allow you to manage cookies through settings. You can block or delete cookies, but this may affect your experience on the Platform. For more information, consult your browser's help documentation.

9.1 How AI Features Use Your Data

Our AI-powered features (survey design assistant, content generation, analytics insights, workflow automation) may process your data through third-party AI service providers. Important details:

• Data sent to AI services is used solely to generate the specific output you requested (e.g., suggested survey questions, analytical insights).
• We do not use your Customer Data to train, fine-tune, or improve any general-purpose AI models.
• AI service providers (Google Gemini, OpenAI) are contractually prohibited from using your data for model training.
• AI-processed data is subject to the same security and privacy protections as all other Customer Data.

9.2 Opting Out of AI Features

You are not required to use AI features. All AI-powered features are optional and clearly labeled. If you prefer not to have your data processed by AI services, simply do not use the AI features.

11.1 Security Measures

We implement robust technical and organizational measures to protect your data, including:

• Encryption in transit using TLS 1.2 or higher for all data transmission.
• Encryption at rest using AES-256 for all stored data.
• Role-based access controls with the principle of least privilege.
• Multi-factor authentication for internal systems.
• Regular security assessments, penetration testing, and vulnerability scanning.
• Audit logging and monitoring of all data access and system events.
• Secure software development lifecycle (SDLC) practices.
• Employee security training and background checks.

11.2 Data Breach Response

In the event of a confirmed personal data breach:

• We will notify affected Data Controllers (our customers) without undue delay and within 72 hours of becoming aware of the breach.
• We will provide details of the breach, including the nature of the data affected, the approximate number of data subjects, and the measures taken to mitigate the breach.
• We will cooperate with Data Controllers in fulfilling their notification obligations to supervisory authorities and affected individuals.
• We maintain an incident response plan that is regularly tested and updated.