All data and contact information collected by KS&R are kept completely confidential and are used only for the purposes for which the data was collected. KS&R does not resell data and will never disclose the information to any other company.
We retain information for as long as reasonably necessary to deliver our Services to you or to fulfill the purposes described in this Policy or as required by law. For example, we may retain your information for as long as you maintain your User Interviews account so that you can participate in or post multiple research projects over time. If you are a Participant and deactivate your account, we will delete your Personal Information after 90 days. If you are a Researcher and deactivate your account or end your agreement with us, we will delete all Researcher-Affiliated Participant Personal Information associated with your account after 90 days. However, we reserve the right to retain any information required under applicable law.
Information for California Residents
If you are a California resident, you have a right to request certain information with respect to the types of information we have shared with third parties for their direct marketing purposes, and the identities of those third parties, within the immediately preceding calendar year, subject to certain exceptions. This same California law permits us to provide you, in response to your written request, with a cost-free means to choose not to have certain of your information shared rather than providing the above-described information. To that end, you may request that we do not disclose certain of your information to unaffiliated third parties for their own direct marketing purposes. All requests for such information must be made here.
If you are a California resident under 18 years of age and a registered user of our Services, you may request that we remove content and information that you post on our Services. To obtain removal of such content and information, please send us a request here with a short description of the content or information you would like to have removed. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.
Information for Users Outside the United States
The information that we collect through the Website and in connection with the Services is transferred to and processed in the United States for the purposes described in this Policy. We may also subcontract the processing of such information to, or otherwise share information with, affiliates or third parties in the United States or countries other than your country of residence. The data-protection laws in these countries may be different from, and less stringent than, those in your country of residence. By using our Services or accepting our Policy, you expressly consent to such transfer and processing.
You may have the right, in accordance with applicable data protection laws: to request access to, rectification of, and/or erasure of your information; to seek restrictions on the processing of your information; to object to certain processing of your information; and to exercise a right of data portability.
Where any processing of information is solely dependent upon your consent, such as marketing to you, you have the right to withdraw such consent at any time.
Where you believe that we have not processed your information in accordance with the applicable data protection laws, you may lodge a complaint with the respective supervisory authority/data protection regulator.
The provision of information by you will be for contractual, marketing, or analytical purposes as referred to above. If we do not have access to such information from you, then we will not be able to undertake the above types of services for you.
We may withhold information where the search for that information would require extraordinary effort or have a disproportionate effect due to, for example, the cost of providing the information, the time it would take to retrieve the information, or how difficult it may be to obtain the information requested.
To inquire about or exercise your rights in accordance with applicable law, please contact us here.
If you are a resident of the European Economic Area, you have certain rights regarding our use of your Personal Information. Some of these rights, e.g., the right to be forgotten or the right to request that we transfer your Personal Information to another company, will only apply in certain circumstances. Generally, these rights will not be available if there is an outstanding agreement or ongoing business relationship between us, if we need that information to continue to provide the Services to you, if we are required by law to keep the information or if the information is relevant to a legal dispute.
UI is the data controller of Personal Information that you provide to us if you are a Researcher, Participant, User, or website visitor, but not if you are a Researcher-Affiliated Participant, and the purposes of our processing of Personal Information are described in this Policy, our Terms of Service and/or other commercial agreement you have entered into with us. In this context, we process Personal Information on the following bases: (i) when the processing is necessary for purposes of our legitimate business interest in conducting our business. We take into account any risks to your fundamental rights and freedoms in assessing these purposes (including your right to privacy); (ii) when the processing is necessary for us to comply with our legal obligations; (iii) when you give us consent to process your Personal Information; and (iv) when such processing is necessary in order to enter into or perform a contract you have entered into with us, such as providing the Services. We may also process Personal Information on other bases permitted by the GDPR and applicable laws.
If you are a Researcher-Affiliated Participant, we are a “processor” of your Personal Information only, and the purpose of our processing is to fulfill our contractual obligations with your respective Researcher.
We have listed the rights you have over your Personal Information and how you can use them below. These rights are subject to restrictions under European data protection law and, subject to the exemptions in that law, may only apply to certain types of information or processing.
- We need your consent for some of the ways we use your Personal Information, e.g., for marketing or processing special categories of information about you. You can remove that consent at any time.
- You can ask us to confirm if we are processing your Personal Information and if we are, you can ask for access to that information and details about such processing.
- You can ask us to correct your Personal Information if it’s wrong.
- You can ask us to delete some of your Personal Information.
- You can ask us to restrict how we use your Personal Information.
- You can ask us to help you move some of your Personal Information to other companies.
- You have a right to ask that we provide your Personal Information in an easily readable format to another company.
- You can ask us to stop using your Personal Information, but only in certain cases.
- You have the right to complain to the relevant supervisory authority.
You also have a right to object to us processing your Personal Information in certain circumstances. You can ask us to stop processing your Personal Information at any time. In certain circumstances, we may not be able to do this or may not be required to do this. For example, if we have an ongoing business relationship, if we are required by law to keep it, or if it is relevant to a legal dispute, then we may not stop processing your Personal Information.
Contact us for any requests here.
If you are a Researcher-Affiliated Participant, please contact the applicable Researcher with requests related to your information. We are not a “controller” of the Personal Information of Researcher-Affiliated Participants, and will pass any requests along to the Researchers, but cannot respond to your requests directly. We do not control or own Personal Information of Researcher-Affiliated Participants, and only process such Personal Information on behalf of the Researcher with whom you are affiliated. In such cases, we process Personal Information in accordance with our agreements with Researchers and to the extent necessary to comply with applicable law. To the extent instructed by a Researcher and in accordance with applicable law, we will reasonably assist a Researcher to comply with Participant requests by providing relevant information and support to the Researcher to enable it to comply with the request.
ISO 27001 Certification
KS&R has completed an ISO 27001 audit certifying that we have the appropriate controls in place to mitigate risks related to security, confidentiality, integrity, and availability.
We use commercially reasonable physical, electronic, and procedural safeguards to protect your information against loss or unauthorized access, use, modification, or deletion. However, no security program is 100% secure, and thus we cannot guarantee the absolute security of your Personal or Other Information.
Automated Security Monitoring
We use Arctic Wolf to monitor all aspects of our network environment to detect and alert on any anomalies, audit our event logs, and help to identify and investigate any potential unauthorized activity.
A third-party cybersecurity firm conducts quarterly external network penetration testing and annual internal penetration testing to confirm there are no vulnerabilities in our network.
Employee Security Awareness Training
All employees who have access to customer data are required to undergo background checks, in accordance with local laws. We conduct company-wide information security awareness training annually and regularly reinforce security protocols through internal communication channels. All employees and contractors are required to sign confidentiality agreements prior to their start date. We use the principle of least privilege to define data access. Access is reviewed when employees change roles and is immediately terminated when employees leave the company.